Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Transparancy. Show all posts

MITRE Breach: State Hackers Exploit Ivanti Zero-Days


A state-backed hacking group successfully breached MITRE Corporation’s systems in January 2024 by exploiting two Ivanti VPN zero-day vulnerabilities. 

The incident was detected after suspicious activity was observed on MITRE’s Networked Experimentation, Research, and Virtualization Environment (NERVE), an unclassified collaborative network used for research and development. Fortunately, the breach did not impact MITRE’s core enterprise network or its partners’ systems.

The MITRE Corporation

The MITRE Corporation claims that in January 2024, a state-sponsored hacking organization infiltrated its systems by chaining two Ivanti VPN zero-days.

The issue was discovered when suspicious activity was noticed on MITRE's Networked Experimentation, Research, and Virtualization Environment (NERVE), an unclassified collaboration network for research and development.

So far, evidence gathered throughout the inquiry indicates that the breach had no impact on the organization's core enterprise network or the systems of its partners.

The Breach

MITRE has since alerted affected parties of the incident, contacted appropriate authorities, and is currently attempting to restore "operational alternatives."

"No organization is immune to this type of cyber attack, not even one that strives for the highest level of cybersecurity," MITRE CEO Jason Providakes stated on Friday.

MITRE CTO Charles Clancy and Cybersecurity Engineer Lex Crumpton noted in a separate advisory that the threat actors broke into one of MITRE's Virtual Private Networks (VPNs) by chaining two Ivanti Connect Secure zero-days.

They were also able to circumvent multi-factor authentication (MFA) barriers by exploiting session hijacking, which allowed them to travel laterally around the penetrated network's VMware architecture using a compromised administrator account.

Throughout the event, the hackers exploited a combination of sophisticated webshells and backdoors to gain access to compromised systems and harvest credentials.

Since early December, two security vulnerabilities, an authentication bypass (CVE-2023-46805) and a command injection (CVE-2024-21887), have been used to distribute several malware families for espionage objectives.

Global Impact

Mandiant tied these assaults to an advanced persistent threat (APT) known as UNC5221, while Volexity discovered evidence that Chinese state-sponsored hackers were using the two zero-days.

Volexity stated that Chinese hackers backdoored over 2,100 Ivanti appliances, gathering and stealing account and session data from compromised networks. The victims ranged in size from small firms to some of the world's largest organizations, including Fortune 500 companies in a variety of industries.

Because of their widespread exploitation and large attack surface, CISA issued this year's first emergency directive on January 19, instructing government agencies to mitigate the Ivanti zero-days immediately.