MITRE Says State Hackers Breached Its Network Via Ivanti Zero-Days

Last Friday, MITRE disclosed that it experienced a breach after detecting suspicious activity on its Networked Experimentation, Research, and Virtualization Environment (NERVE), a collaborative network used for research, development, and prototyping. Starting in January 2024, MITRE states that an unnamed actor performed reconnaissance of its network and was able to chain together two Ivanti Connect Secure zero-day vulnerabilities (CVE-2023-46805 (Authentication Bypass) & CVE-2024-21887 (Command Injection)) to gain initial access. Once an initial foothold was obtained, the actor deployed backdoors and webshells to maintain persistence and harvest credentials. Notably, the actor was seen using a compromised administrator account to move laterally and breach MITRE's VMware infrastructure.

MITRE says it took prompt action to contain the incident, including taking the NERVE environment offline. The investigation appears to be ongoing. Based on the details gathered so far, MITRE notes there is no indication that its core enterprise network or partners' systems were affected by this incident.

Security Officer Comments:
MITRE did not specify which actor was behind the latest incident but is attributing the attack to a state-sponsored actor. The development comes after cybersecurity firm Volexity disclosed in January that UTA0178, a nation-state actor likely linked to China, backdoored over 2,000 Ivanti appliances to harvest and steal account and session data from breached networks. While it's unclear if the incident impacting MITRE is part of the same campaign disclosed by Volexity, both incidents involved the exploitation of the Ivanti zero-days (CVE-2023-46805 and CVE-2024-21887) for initial access.

Suggested Corrections:
Threat actors are actively researching and identifying vulnerabilities in edge devices to breach organizations across the globe. Most notably, Ivanti appliances have been heavily exploited this year, highlighting the need for organizations to implement robust access controls, including strong multi-factor authentication and the principle of least privilege, to keep systems and software up to date to mitigate known vulnerabilities, and to employ network segmentation to limit the potential impact of cyberattacks.