Excerpt from a BleepingComputer article, published on Apr 19, 2024
The MITRE Corporation disclosed that a state-sponsored hacking group compromised its systems in January 2024 by exploiting two zero-day vulnerabilities in Ivanti VPN. The breach was detected following suspicious activity on MITRE’s Networked Experimentation, Research, and Virtualization Environment (NERVE), an unclassified collaborative network used for research and development.
Upon discovery, MITRE promptly notified affected parties, engaged relevant authorities, and began restoring operations through alternative means. Evidence suggests that the breach did not extend to the organization’s core enterprise network or affiliated systems. Jason Providakes, CEO of MITRE, remarked, “No organization is immune from this type of cyber attack,” underscoring the need for proactive cybersecurity measures and a robust defense posture.
MITRE’s CTO, Charles Clancy, and cybersecurity engineer Lex Crumpton described how the attackers operated. The attackers exploited the Ivanti Connect Secure zero-days to infiltrate MITRE’s VPN infrastructure, then circumvented multi-factor authentication through session hijacking. That access enabled lateral movement within the network, facilitated by a compromised administrator account and VMware infrastructure.
Throughout the breach, the threat actors used sophisticated webshells and backdoors to maintain access and harvest credentials. The two vulnerabilities, an authentication bypass (CVE-2023-46805) and a command injection flaw (CVE-2024-21887), have been exploited since early December to deploy multiple malware strains for espionage purposes. Cybersecurity firms Mandiant and Volexity have attributed these attacks to an advanced persistent threat (APT) group tracked as UNC5221, with indications of involvement by Chinese state-sponsored actors. Volexity reported widespread exploitation, with over 2,100 Ivanti appliances compromised, affecting entities ranging from small businesses to Fortune 500 companies across various industries.
In response to the severity of the threat, the Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive on January 19 instructing federal agencies to expedite mitigation of the Ivanti zero-day vulnerabilities.
For more detail, read the full article on BleepingComputer.