MITRE says state hackers breached its network via Ivanti zero-days

April 19, 2024 at 03:03PM

MITRE Corporation confirmed that a state-backed hacking group breached its systems in January 2024 using two Ivanti VPN zero-days. The breach affected the NERVE network used for research. MITRE has notified affected parties and authorities and is restoring operational alternatives. The investigation found no impact on MITRE’s core enterprise systems or on its partners’ systems. CISA issued an emergency directive to mitigate the Ivanti zero-days.

Meeting Takeaways:

1. The MITRE Corporation experienced a cybersecurity breach in January 2024, involving the exploitation of two Ivanti VPN zero-days by a state-backed hacking group.

2. The breach occurred within MITRE’s Networked Experimentation, Research, and Virtualization Environment (NERVE), a collaborative research and development network.

3. MITRE has taken prompt action by notifying affected parties, engaging with relevant authorities, and working on restoring “operational alternatives.”

4. The breach did not impact MITRE’s core enterprise network or its partners’ systems.

5. MITRE’s CEO, Jason Providakes, emphasized the importance of transparency and commitment to the public interest with regard to cybersecurity incidents.

6. The threat actors compromised the VPNs using Ivanti Connect Secure zero-days and bypassed multi-factor authentication (MFA) defenses using session hijacking.

7. They leveraged sophisticated webshells and backdoors to maintain access and harvest credentials, deploying multiple malware families for espionage purposes.

8. The attacks have been linked to an advanced persistent threat (APT) tracked by Mandiant as UNC5221, with indications of Chinese state-sponsored threat actor involvement, as reported by Volexity.

9. CISA issued an emergency directive for federal agencies to mitigate the Ivanti zero-days due to their wide-scale exploitation and significant attack surface.

These takeaways outline the key events and implications of the cybersecurity breach, highlighting the actions taken and the broader impact on industry and government entities.
