MITRE breached by nation-state threat actor via Ivanti zero-days

MITRE has been breached by attackers via two zero-day vulnerabilities (CVE-2023-46805, CVE-2024-21887) in Ivanti’s Connect Secure VPN devices.

The attackers have also managed to move laterally and compromise the company network’s VMware infrastructure, MITRE confirmed late last week.

What is known about the breach?

The MITRE Corporation is an American not-for-profit organization that manages federally funded research and development centers supporting various US government agencies.

“After detecting suspicious activity on [MITRE’s] Networked Experimentation, Research, and Virtualization Environment (NERVE), a collaborative network used for research, development, and prototyping, compromise by a foreign nation-state threat actor was confirmed,” the corporation stated on Friday.

In an accompanying post, MITRE CTO Charles Clancy and principal cybersecurity engineer Lex Crumpton shared that, starting in January 2024, the threat actor:

  • Performed reconnaissance of the organization’s networks
  • Exploited one of the organization’s Virtual Private Networks (VPNs) through the Ivanti zero-days
  • Hijacked VPN sessions to move laterally into the VMware environment
  • Leveraged compromised accounts (including an administrator account)
  • Used webshells and backdoors to maintain persistence
  • Exfiltrated data using their C2 infrastructure
  • Created staging and persistent virtual machines withing the VMware environment

“MITRE followed best practices, vendor instructions, and the government’s [January] advice to upgrade, replace, and harden our Ivanti system, but we did not detect the lateral movement into our VMware infrastructure. At the time we believed we took all the necessary actions to mitigate the vulnerability, but these actions were clearly insufficient,” Clancy and Crumpton said.

Unfortunately, the blog post does not contain an explicit timeline of the various stages of the attack or the discovery process, so it’s not clear when they detected the compromise of the VMware infrastructure. (We reached out to MITRE to get more insight, and we’ll update this piece if/when they answer our questions.)

The corporation says they have been breached by a “nation-state threat actor”. Volexity and Mandiant previously tied the exploitation of the same Ivanti Connect Secure VPN zero-days to a Chinese attack group.

Earlier this month, Mandiant’s incident responders shared case studies about lateral movement actions taken by attackers leveraging Ivanti Connect Secure flaws – among them the compromise of a VMware vCenter server and the creation of virtual machines.

MITRE’s actions following the breach

MITRE says that after discovering the compromise, they took down the NERVE environment, started an investigation into the incident (with in-house and third-party experts), and notified the authorities and affected parties.

They also said that, so far, there is no indication that the corporation’s core enterprise network or partners’ systems were affected by the incident.

The investigation is still ongoing, but MITRE decided to share preliminary findings to help others, as well as specific advice for defenders:

  • Monitor VPN traffic for unusual patterns
  • Look for deviations in user behavior
  • Segment networks to limit lateral movement
  • Use threat intelligence feeds to known malicious IP addresses, domains, or file hashes
  • Use deception environments and honey tokens to detect attacker’s action faster
  • Harden networks with robust access control, regular patch management, vulnerability assessments, etc.
OPIS OPIS

OPIS

Don't miss