MITRE Corporation’s Network Breached by State-Backed Hackers Using Ivanti Zero-Days
April 19, 2024
The MITRE Corporation disclosed a security breach that occurred in January 2024, carried out by a state-sponsored hacking group exploiting two Ivanti VPN zero-days. The attack was detected after suspicious activity was observed on the Networked Experimentation, Research, and Virtualization Environment (NERVE), an unclassified collaborative network that MITRE uses for research, development and prototyping.
MITRE has since reached out to those affected by the breach and has engaged the appropriate authorities. The corporation is in the process of reestablishing 'operational alternatives.' Investigations into the incident have so far indicated that the breach did not extend to the organization's main enterprise network or the systems of its partners.
MITRE CEO Jason Providakes stated, 'No organization is immune from this type of cyber attack, not even one that strives to maintain the highest cybersecurity possible. We are disclosing this incident in a timely manner because of our commitment to operate in the public interest and to advocate for best practices that enhance enterprise security as well as necessary measures to improve the industry's current cyber defense posture.'
In a separate advisory published on Friday, MITRE revealed that the threat actors had compromised one of its Virtual Private Networks (VPNs) by exploiting two Ivanti Connect Secure zero-days. The actors also bypassed multi-factor authentication (MFA) through session hijacking: rather than re-authenticating, they presented a stolen session and used a hijacked administrator account to move laterally through the breached network's VMware infrastructure.
Throughout the incident, the threat group used a mix of advanced webshells and backdoors to maintain access to the compromised systems and harvest credentials. Since early December 2023, the two vulnerabilities, an authentication bypass (CVE-2023-46805) and a command injection (CVE-2024-21887), have been chained together to deploy various malware families for espionage purposes.
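The MFA bypass described above works because a stolen session identifier is accepted without a fresh authentication step, so the place to look for it is in the authenticated-request logs, not the login logs. The following Python script is an added example, not code from MITRE, Ivanti or the investigators: it runs a simple session-hijack heuristic over constructed sample log lines and flags any session ID that is later presented from a different client IP and a different user agent than the client that established it. The pipe-delimited log format, the field names and the sample values are assumptions for illustration; a real deployment would map the same logic onto the VPN or hypervisor's own access logs.

```python
"""Heuristic detector for hijacked VPN/admin sessions.

Added example (not MITRE's or Ivanti's code). It assumes a simplified,
constructed log format in which every authenticated request records:
timestamp | session ID | username | client IP | user agent.

A session presented from a client that differs from the one that
established it in BOTH IP address and user agent is flagged. Requiring
both to change keeps legitimate roaming users (IP changes, same browser)
out of the results while still catching a cookie replayed from an
attacker-controlled host with different tooling.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Event:
    ts: datetime
    session: str
    user: str
    ip: str
    ua: str


# Constructed sample log lines, not real telemetry. Session "s-1" completes
# authentication from an internal workstation, then the same session ID is
# presented from an external address with a scripting user agent: the
# pattern of a replayed session cookie. Session "s-2" is normal use.
SAMPLE_LOG = """\
2024-01-04T08:02:11Z|s-1|admin|10.20.1.15|Mozilla/5.0 (Windows NT 10.0) Firefox/121.0
2024-01-04T08:02:13Z|s-1|admin|10.20.1.15|Mozilla/5.0 (Windows NT 10.0) Firefox/121.0
2024-01-04T08:41:57Z|s-1|admin|203.0.113.77|python-requests/2.31.0
2024-01-04T09:10:02Z|s-2|jdoe|10.20.1.40|Mozilla/5.0 (Macintosh) Safari/605.1.15
2024-01-04T09:15:30Z|s-2|jdoe|10.20.1.40|Mozilla/5.0 (Macintosh) Safari/605.1.15
"""


def parse_log(text: str) -> list[Event]:
    """Parse the assumed pipe-delimited format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, session, user, ip, ua = line.split("|", 4)
        # Accept the trailing "Z" on older Pythons by rewriting it as an offset.
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(Event(when, session, user, ip, ua))
    return events


def find_hijacked_sessions(events: list[Event]) -> dict[str, list[tuple[str, str]]]:
    """Return {session_id: [(origin_ip, suspicious_ip), ...]}.

    The first event seen for a session (in time order) defines the client
    that established it; every later event from a different IP AND a
    different user agent is reported against that origin.
    """
    origin: dict[str, Event] = {}
    findings: dict[str, list[tuple[str, str]]] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        first = origin.setdefault(ev.session, ev)
        if ev.ip != first.ip and ev.ua != first.ua:
            findings.setdefault(ev.session, []).append((first.ip, ev.ip))
    return findings


if __name__ == "__main__":
    for sid, moves in find_hijacked_sessions(parse_log(SAMPLE_LOG)).items():
        for src, dst in moves:
            print(f"session {sid}: established from {src}, later presented from {dst}")
```

A hit from this check is a starting point for investigation, not proof of compromise: the next step is to terminate the flagged session, review what that session did after the client changed, and confirm that the account's MFA enrolment has not been altered.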
Mandiant attributed these attacks to an advanced persistent threat (APT) it tracks as UNC5221. Volexity found evidence that Chinese state-sponsored threat actors were exploiting the two zero-days, and reported that they had backdoored over 2,100 Ivanti appliances, harvesting account and session data from the compromised networks. Victims ranged from small businesses to some of the world's largest organizations, including Fortune 500 companies across diverse industry sectors.
Given the scale of exploitation and the number of exposed appliances, CISA issued the year's first emergency directive on January 19, ordering federal agencies to mitigate the Ivanti zero-days immediately.