MITRE Corporation Breached by Nation-State Hackers Exploiting Ivanti Flaws
23.4.24 Exploit The Hacker News
The MITRE Corporation revealed that it was the target of a nation-state cyber attack that exploited two zero-day flaws in Ivanti Connect Secure appliances starting in January 2024.
The intrusion led to the compromise of its Networked Experimentation, Research, and Virtualization Environment (NERVE), an unclassified research and prototyping network.
The unknown adversary "performed reconnaissance of our networks, exploited one of our Virtual Private Networks (VPNs) through two Ivanti Connect Secure zero-day vulnerabilities, and skirted past our multi-factor authentication using session hijacking," Lex Crumpton, a defensive cyber operations researcher at the non-profit, said last week.
The attack entailed the exploitation of CVE-2023-46805 (CVSS score: 8.2) and CVE-2024-21887 (CVSS score: 9.1), which could be weaponized by threat actors to bypass authentication and run arbitrary commands on the infected system.
Upon gaining initial access, the threat actors moved laterally and breached its VMware infrastructure using a compromised administrator account, ultimately paving the way for the deployment of backdoors and web shells for persistence and credential harvesting.
"NERVE is an unclassified collaborative network that provides storage, computing, and networking resources," MITRE said. "Based on our investigation to date, there is no indication that MITRE's core enterprise network or partners' systems were affected by this incident."
The organization said that it has since taken steps to contain the incident, and that it undertook response and recovery efforts as well as forensic analysis to identify the extent of the compromise.
The initial exploitation of the twin flaws has been attributed to a cluster tracked by cybersecurity company Volexity under the name UTA0178, a nation-state actor likely linked to China. Since then, several other China-nexus hacking groups have joined the exploitation bandwagon, according to Mandiant.
"No organization is immune from this type of cyber attack, not even one that strives to maintain the highest cybersecurity possible," Jason Providakes, president and CEO of MITRE, said.
"We are disclosing this incident in a timely manner because of our commitment to operate in the public interest and to advocate for best practices that enhance enterprise security as well as necessary measures to improve the industry's current cyber defense posture."