MITRE hacked via Ivanti zero-day vulnerabilities
In January, nation-state hackers breached The MITRE Corporation, a non-profit that oversees federally funded research. They got into the corporation’s networks by exploiting two zero-day vulnerabilities in products from IT vendor Ivanti. The attackers, whose identity remains unknown, conducted reconnaissance by exploiting one of MITRE’s VPNs through the vulnerabilities in Ivanti Connect Secure. Ivanti later disclosed that these vulnerabilities, identified as CVE-2023-46805 and CVE-2024-21887, had been used in attacks on at least 10 of its customers.
MITRE’s Chief Technology Officer, Charles Clancy, stated recently that the organization became aware last week of a compromise to its unclassified collaborative research and development network. This network, which hosts prototyping and various other activities, was infiltrated by a foreign nation-state threat actor. MITRE’s extensive work serves multiple government agencies.
The compromised network encompasses storage, computing, and networking resources. However, MITRE reassured that there’s no evidence suggesting any impact on its core enterprise network or the systems of its partners.
In a blog post, MITRE explained that the hackers exploited the Ivanti vulnerabilities to move laterally, taking control of a compromised administrator account. They used a combination of sophisticated backdoors and webshells to maintain persistence and harvest credentials. MITRE said it followed guidance from both government authorities and Ivanti, focusing on upgrading, replacing, and hardening its Ivanti system. However, the organization failed to detect the lateral movement into its VMware infrastructure.
Kerry is a Content Creator at www.systemtek.co.uk. She has spent many years working in IT support; her main interests are computing, networking and AI.