Eagle Eye Security Blog
Published Apr 20, 2024 07:47 am (last updated Apr 20, 2024 07:47 am)

MITRE Network Breach: State-Sponsored Hackers Exploit Ivanti Zero-Days

The MITRE Corporation, the non-profit research organization behind the ATT&CK knowledge base, has disclosed a breach of one of its networks. The intrusion began in January 2024, when a state-backed threat actor gained access by exploiting two zero-day vulnerabilities in Ivanti Connect Secure VPN appliances.

The breach was discovered after suspicious activity was detected on MITRE's Networked Experimentation, Research, and Virtualization Environment (NERVE), an unclassified collaborative network used for research, development and prototyping. MITRE has since taken the environment offline, notified affected parties and the relevant authorities, and is working to restore operational alternatives for the affected users.

Despite the severity of the breach, MITRE says it has found no indication that its core enterprise network or its partners' systems were affected. "No organization is immune from this type of cyber attack, not even one that strives to maintain the highest cybersecurity possible," said MITRE CEO Jason Providakes.

The threat actors compromised one of MITRE's Virtual Private Networks (VPNs) by chaining two Ivanti Connect Secure zero-days, the authentication bypass tracked as CVE-2023-46805 and the command injection tracked as CVE-2024-21887, which together give an unauthenticated attacker code execution on the appliance. From there they bypassed multi-factor authentication (MFA) by session hijacking: rather than defeating the MFA challenge itself, they reused session tokens belonging to users who had already completed it. A hijacked administrator account then let them move laterally into the breached network's VMware infrastructure. The practical lesson is that an MFA-protected VPN session is only as strong as the token that represents it, and once the appliance terminating those sessions is compromised, the tokens are within the attacker's reach.
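The session-hijacking step described above leaves a detectable trace: a session token that was issued after an MFA success is later presented by a different client than the one that completed MFA. The following detector is an added example written for this article, not code from MITRE, Ivanti or any of the firms cited; the log format, field names (`AUTH_MFA_OK`, `SESSION_USE`, `sid`, `src`, `ua`) and every sample line are constructed for illustration and do not reflect real Ivanti Connect Secure log syntax.

```python
"""
Detect MFA bypass via session hijacking in VPN access logs.

A session token that passed MFA from client A but is later used from client B
means the MFA step was reused, not repeated. We bind each session id to the
(source IP, user agent) pair seen at MFA success and flag any later use of that
id from a different pair. A token used with no MFA record at all is flagged too,
since it was minted by some path the log does not show.

Log format, event names and sample lines are all constructed for this example.
"""
import re

# Constructed sample log; not real Ivanti Connect Secure entries. Lines are
# deliberately out of time order to show that the detector sorts them first.
SAMPLE_LOG = """\
2024-01-05T09:12:03Z AUTH_MFA_OK user=j.doe sid=7f3a9c src=203.0.113.10 ua=IvantiClient/22.6
2024-01-05T09:12:04Z SESSION_USE user=j.doe sid=7f3a9c src=203.0.113.10 ua=IvantiClient/22.6
2024-01-05T09:40:51Z SESSION_USE user=j.doe sid=7f3a9c src=203.0.113.10 ua=IvantiClient/22.6
2024-01-05T11:02:17Z SESSION_USE user=j.doe sid=7f3a9c src=198.51.100.77 ua=python-requests/2.31
2024-01-05T11:02:18Z SESSION_USE user=j.doe sid=7f3a9c src=198.51.100.77 ua=python-requests/2.31
2024-01-05T09:30:00Z AUTH_MFA_OK user=a.admin sid=c01d42 src=203.0.113.22 ua=IvantiClient/22.6
2024-01-05T09:31:10Z SESSION_USE user=a.admin sid=c01d42 src=203.0.113.22 ua=IvantiClient/22.6
2024-01-05T12:15:00Z SESSION_USE user=svc.backup sid=deadbe src=198.51.100.77 ua=python-requests/2.31
"""

# Hypothetical line layout: "<ts> <event> user=<u> sid=<s> src=<ip> ua=<agent>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\S+) user=(?P<user>\S+) sid=(?P<sid>\S+) "
    r"src=(?P<src>\S+) ua=(?P<ua>.+)$"
)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_hijacked_sessions(log_text):
    """Return one finding per suspicious session id, in time order.

    reason == "client_mismatch": token used from a client other than the one
                                 that completed MFA.
    reason == "no_mfa_record":   token used but never seen passing MFA.
    """
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])  # ISO-8601 UTC sorts lexicographically

    bound = {}      # sid -> (user, (src, ua)) captured at MFA success
    flagged = set()  # report each session once, not once per request
    findings = []

    for ev in events:
        sid = ev["sid"]
        client = (ev["src"], ev["ua"])
        if ev["event"] == "AUTH_MFA_OK":
            bound[sid] = (ev["user"], client)
            continue
        if ev["event"] != "SESSION_USE" or sid in flagged:
            continue
        if sid not in bound:
            findings.append({"sid": sid, "user": ev["user"], "at": ev["ts"],
                             "reason": "no_mfa_record", "seen_client": client})
            flagged.add(sid)
            continue
        user, mfa_client = bound[sid]
        if client != mfa_client:
            findings.append({"sid": sid, "user": user, "at": ev["ts"],
                             "reason": "client_mismatch",
                             "mfa_client": mfa_client, "seen_client": client})
            flagged.add(sid)
    return findings


if __name__ == "__main__":
    for f in find_hijacked_sessions(SAMPLE_LOG):
        print(f)
```

Binding a session to the full (source IP, user agent) pair rather than the IP alone is a deliberate choice: a legitimate user roaming between networks changes IP but keeps the same client, whereas a token lifted from a compromised appliance and replayed by tooling typically changes both. Treat a mismatch as a lead for session revocation and investigation, not as proof on its own, and expect the `no_mfa_record` case to also surface ordinary log gaps.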

To maintain access and harvest credentials, the attackers deployed a combination of webshells and backdoors on the compromised systems. The same two vulnerabilities have been tied, in other intrusions, to the deployment of several malware families used for espionage.

Mandiant, a cybersecurity firm, has linked these attacks to an advanced persistent threat (APT) it tracks as UNC5221. Volexity, another cybersecurity firm, reported signs that Chinese state-sponsored threat actors were exploiting the two zero-days, backdooring over 2,100 Ivanti appliances and stealing account and session data from breached networks.

Because of the mass exploitation and the large number of internet-exposed appliances, the Cybersecurity and Infrastructure Security Agency (CISA) issued its first emergency directive of the year, Emergency Directive 24-01, on January 19, ordering federal agencies to mitigate the Ivanti zero-days immediately.