In January 2024, The MITRE Corporation experienced a significant cybersecurity breach executed by a state-backed hacking group that exploited two zero-day vulnerabilities in Ivanti VPN solutions. This attack was detected following unusual activity in MITRE’s Networked Experimentation, Research, and Virtualization Environment (NERVE), an unclassified platform utilized for research and development. The breach was sophisticated, involving the chaining of two specific Ivanti VPN zero-days and allowed the attackers to bypass multi-factor authentication using session hijacking techniques. This enabled them to navigate laterally across the network, specifically targeting MITRE’s VMware infrastructure.
MITRE’s response to the incident included notifying affected parties and contacting the relevant authorities to address the breach. They are currently working on establishing operational alternatives to mitigate the impact and prevent future occurrences. MITRE’s CEO, Jason Providakes, emphasized that no organization is immune to such cyber threats, highlighting the importance of transparency and the organization’s commitment to public interest and advocacy for improved cybersecurity practices across industries.
During the breach, the attackers employed a mix of sophisticated webshells and backdoors to maintain access and harvest credentials from the compromised systems. This allowed for an extensive period of espionage and data extraction undetected. The vulnerabilities exploited were an auth bypass (CVE-2023-46805) and a command injection (CVE-2024-21887), which had been used since early December to target multiple organizations worldwide, deploying various malware families for espionage.
The exploitation of these vulnerabilities was so widespread that CISA issued the year’s first emergency directive on January 19, mandating federal agencies to address the Ivanti zero-days immediately. This incident not only underscores the pervasive threat posed by state-sponsored cyber actors but also the critical vulnerabilities that can be exploited in widely used VPN appliances. The breach at MITRE, a leader in security and defense research, serves as a stark reminder of the persistent and evolving nature of cyber threats facing organizations globally.
