MITRE says state hackers breached its network via Ivanti zero-days


The MITRE Corporation says that a state-backed hacking group breached its systems in January 2024 by chaining two Ivanti VPN zero-days.

The incident was discovered after suspicious activity was detected on MITRE's Networked Experimentation, Research, and Virtualization Environment (NERVE), an unclassified collaborative network used for research and development.

MITRE has since notified affected parties of the breach, contacted relevant authorities, and is now working on restoring "operational alternatives."

Evidence collected during the investigation so far shows that this breach did not affect the organization's core enterprise network or its partners' systems.

"No organization is immune from this type of cyber attack, not even one that strives to maintain the highest cybersecurity possible," said MITRE CEO Jason Providakes on Friday.

"We are disclosing this incident in a timely manner because of our commitment to operate in the public interest and to advocate for best practices that enhance enterprise security as well as necessary measures to improve the industry's current cyber defense posture."

MITRE CTO Charles Clancy and Cybersecurity Engineer Lex Crumpton also explained in a separate advisory that the threat actors compromised one of MITRE's Virtual Private Networks (VPNs) by chaining two Ivanti Connect Secure zero-days.

They could also bypass multi-factor authentication (MFA) defenses by using session hijacking, which allowed them to move laterally through the breached network's VMware infrastructure using a hijacked administrator account.

Throughout the incident, the hackers used a combination of sophisticated webshells and backdoors to maintain access to hacked systems and harvest credentials.

Since early December, the two security vulnerabilities, an auth bypass (CVE-2023-46805) and a command injection (CVE-2024-21887), have been exploited to deploy multiple malware families for espionage purposes.

Mandiant has linked these attacks to an advanced persistent threat (APT) it tracks as UNC5221, while Volexity reported seeing signs that Chinese state-sponsored threat actors were exploiting the two zero-days.

Volexity said the Chinese hackers backdoored over 2,100 Ivanti appliances, harvesting and stealing account and session data from breached networks. The victims ranged in size from small businesses to some of the largest organizations worldwide, including Fortune 500 companies from various industry verticals.

Due to their mass exploitation and the vast attack surface, CISA issued this year's first emergency directive on January 19, ordering federal agencies to mitigate the Ivanti zero-days immediately.