MITRE Corporation’s Network Breached by State-Backed Hackers Using Ivanti Zero-Days

April 19, 2024

The MITRE Corporation disclosed a security breach that occurred in January 2024, instigated by a state-sponsored hacking group exploiting two Ivanti VPN zero-days. The attack was detected following unusual activity on the Networked Experimentation, Research, and Virtualization Environment (NERVE), a network used for research and development that is not classified.

MITRE has since reached out to those affected by the breach and has engaged the appropriate authorities. The corporation is in the process of reestablishing 'operational alternatives.' Investigations into the incident have so far indicated that the breach did not extend to the organization's main enterprise network or the systems of its partners.

MITRE CEO Jason Providakes stated, 'No organization is immune from this type of cyber attack, not even one that strives to maintain the highest cybersecurity possible. We are disclosing this incident in a timely manner because of our commitment to operate in the public interest and to advocate for best practices that enhance enterprise security as well as necessary measures to improve the industry's current cyber defense posture.'

In a separate advisory published on Friday, MITRE revealed that the threat actors had compromised one of its Virtual Private Networks (VPNs) by exploiting two Ivanti Connect Secure zero-days. The actors were also able to circumvent multi-factor authentication (MFA) defenses through session hijacking, which enabled them to traverse the breached network's VMware infrastructure using a hijacked administrator account.

Throughout the incident, the threat group used a mix of advanced webshells and backdoors to maintain access to the compromised systems and collect credentials. Since early December, the two security vulnerabilities, an auth bypass (CVE-2023-46805) and a command injection (CVE-2024-21887), have been exploited to deploy various malware families for espionage objectives.

Mandiant identified these attacks as being linked to an advanced persistent threat (APT) known as UNC5221. Volexity reported indications that Chinese state-sponsored threat actors were exploiting the two zero-days. Volexity further stated that the Chinese hackers had backdoored over 2,100 Ivanti appliances, extracting and stealing account and session data from the compromised networks. The victims of these attacks ranged from small businesses to some of the world's largest organizations, including Fortune 500 companies from diverse industry sectors.

In light of the widespread exploitation and the extensive attack surface, CISA issued the year's first emergency directive on January 19, instructing federal agencies to immediately mitigate the Ivanti zero-days.
