SecurityWeek

Nation-State

MITRE Hacked by State-Sponsored Group via Ivanti Zero-Days

MITRE R&D network hacked in early January by a state-sponsored threat group that exploited two Ivanti zero-day vulnerabilities.


MITRE revealed on Friday that one of its R&D networks was hacked a few months ago by a foreign state-sponsored threat actor leveraging zero-day vulnerabilities in an Ivanti product.

The attack occurred in early January, but it was only discovered this month. It targeted MITRE’s Networked Experimentation, Research, and Virtualization Environment (NERVE), an unclassified collaborative network that is used for research, development, and prototyping.

Following the discovery of the breach, MITRE took the NERVE environment offline and launched an investigation. The organization determined that the attack involved exploitation of two Ivanti Connect Secure VPN device vulnerabilities for initial access.

The vulnerabilities, tracked as CVE-2023-46805 and CVE-2024-21887, were zero-days at the time of the attack. They came to light on January 10, when cybersecurity firm Volexity warned that they had been exploited by hackers backed by the Chinese government to compromise Ivanti VPN devices.

Ivanti immediately provided mitigations, but it took the company nearly three weeks to start releasing proper patches.

Widespread exploitation of the Ivanti flaws started roughly a week after they came to light. Because MITRE was compromised before the zero-days were publicly disclosed, the attacker may well have been the same China-linked group, but MITRE has not shared any attribution details beyond describing it as a foreign nation-state threat actor.

Google Cloud’s Mandiant is aware of several China-linked threat actors that have exploited the Ivanti VPN vulnerabilities in their attacks. 

MITRE said the attackers performed reconnaissance, exploited the Ivanti zero-days, and bypassed its multi-factor authentication system using session hijacking. 


“From there, they moved laterally and dug deep into our network’s VMware infrastructure using a compromised administrator account,” MITRE explained. “They employed a combination of sophisticated backdoors and webshells to maintain persistence and harvest credentials.”
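Session hijacking of the kind MITRE describes typically shows up in VPN or application logs as an authenticated session that continues from a different client than the one that completed MFA, or as a session token that is used without any MFA completion ever being logged for it. The script below is an added example, not code from MITRE, Ivanti or SecurityWeek, showing one way to check for both conditions. The record layout, the `mfa_ok` event name and the log records themselves are constructed for this illustration and do not correspond to any particular product's log format.

```python
"""Detect authenticated sessions whose client context changes after MFA.

Added illustrative example; not MITRE's, Ivanti's or SecurityWeek's code.
Assumes logs have been normalised into tuples of
    (ts, user, session_id, src_ip, user_agent, event)
where the event 'mfa_ok' marks the moment MFA completed for that session.
"""
import ipaddress
from dataclasses import dataclass

# Constructed sample records (not real log data). Session S1 completes MFA
# from one client, then continues from a different IP and client string;
# session S3 is used for requests without MFA ever being observed.
LOG = [
    (100, "alice", "S1", "203.0.113.10", "Pulse/9.1", "login"),
    (101, "alice", "S1", "203.0.113.10", "Pulse/9.1", "mfa_ok"),
    (160, "alice", "S1", "203.0.113.10", "Pulse/9.1", "request"),
    (200, "alice", "S1", "203.0.113.11", "Pulse/9.1", "request"),  # same /24, same client
    (400, "alice", "S1", "198.51.100.7", "curl/8.4", "request"),   # new network, new client
    (401, "alice", "S1", "198.51.100.7", "curl/8.4", "request"),
    (500, "bob",   "S2", "192.0.2.44",   "Pulse/9.1", "login"),
    (501, "bob",   "S2", "192.0.2.44",   "Pulse/9.1", "mfa_ok"),
    (600, "bob",   "S2", "192.0.2.44",   "Pulse/9.1", "request"),
    (700, "carol", "S3", "198.51.100.7", "curl/8.4", "request"),   # token used, no MFA seen
]


@dataclass(frozen=True)
class Finding:
    session_id: str
    user: str
    ts: int
    src_ip: str
    reason: str


def _same_origin(ip_a, ip_b, roaming_prefix):
    """Exact IP match by default; with roaming_prefix, match on the enclosing prefix."""
    if roaming_prefix is None:
        return ip_a == ip_b
    net = lambda ip: ipaddress.ip_network(f"{ip}/{roaming_prefix}", strict=False)
    return net(ip_a) == net(ip_b)


def detect_session_anomalies(records, roaming_prefix=None):
    """Return one Finding per session that is used from a new client after MFA
    or used for authenticated activity without any observed MFA completion.

    roaming_prefix lets a client drift within a prefix (e.g. 24 for a /24)
    without alerting, which reduces noise from NAT pools and mobile clients.
    """
    bound = {}      # session_id -> (src_ip, user_agent) captured at mfa_ok
    alerted = set()  # sessions already reported; later activity by the hijacker is the same incident
    findings = []
    for ts, user, sid, ip, ua, event in sorted(records, key=lambda r: r[0]):
        if event == "mfa_ok":
            bound[sid] = (ip, ua)
            continue
        if event == "login" or sid in alerted:
            continue
        if sid not in bound:
            findings.append(Finding(sid, user, ts, ip, "authenticated activity without observed MFA"))
            alerted.add(sid)
            continue
        bound_ip, bound_ua = bound[sid]
        if not _same_origin(ip, bound_ip, roaming_prefix):
            findings.append(Finding(sid, user, ts, ip, f"source changed from {bound_ip} after MFA"))
            alerted.add(sid)
        elif ua != bound_ua:
            findings.append(Finding(sid, user, ts, ip, f"client changed from {bound_ua!r} after MFA"))
            alerted.add(sid)
    return findings


def sessions_to_revoke(records, roaming_prefix=None):
    """Session IDs that should be terminated and re-authenticated."""
    return {f.session_id for f in detect_session_anomalies(records, roaming_prefix)}


if __name__ == "__main__":
    for f in detect_session_anomalies(LOG, roaming_prefix=24):
        print(f"{f.ts} {f.user} {f.session_id} {f.src_ip}: {f.reason}")
    print("revoke:", sorted(sessions_to_revoke(LOG, roaming_prefix=24)))
```

A detector like this flags the hijacked session rather than the theft itself, so a hit is a cue to revoke the session and check the appliance with the vendor's integrity tooling, not proof of how the token was taken. It also has a blind spot the page's wording implies: an attacker who replays the token from the same egress address with the same client string is indistinguishable from the legitimate user at this layer.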

MITRE’s investigation is ongoing, but at this point there is no evidence that its core enterprise network or partners’ systems are impacted by the incident. 

MITRE is a not-for-profit company operating federally funded R&D centers on behalf of US government sponsors. The company is widely known in the cybersecurity industry for its ATT&CK knowledge base of adversary tactics and techniques based on real-world cyberattack observations.

MITRE has shared information on the observed ATT&CK techniques, as well as best practice tips for detecting such attacks, and recommendations for hardening networks. 

CVE-2023-46805 and CVE-2024-21887 have also been used to hack into systems belonging to the cybersecurity agency CISA, which revealed earlier this month that the incident could affect 100,000 individuals.

Late last month MITRE opened a new AI Assurance and Discovery Lab for discovering and managing risks in AI-enabled systems.

Related: Ivanti CEO Vows Cybersecurity Makeover After Zero-Day Blitz

Related: Ivanti Vulnerability Exploited to Deliver New ‘DSLog’ Backdoor

Related: Ivanti EPMM Vulnerability Targeted in Attacks as Exploitation of VPN Flaws Increases

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
