MITRE Hacked by State-Sponsored Group via Ivanti Zero-Days

April 22, 2024 at 06:21AM

MITRE’s R&D network was hacked by a foreign state-sponsored threat actor using zero-day vulnerabilities in an Ivanti product. The attack, identified in January and affecting the NERVE network, prompted MITRE to take the environment offline and investigate. The organization has since shared the observed attack techniques and its mitigation recommendations. Exploitation of the same vulnerabilities has also impacted CISA’s systems.

Key Takeaways from the Meeting Notes:

1. MITRE’s R&D network, NERVE, was targeted in a cyber attack using zero-day vulnerabilities in Ivanti Connect Secure VPN devices by a foreign state-sponsored threat actor, likely backed by the Chinese government.
2. The attack occurred in early January and was only discovered this month, prompting MITRE to take the NERVE environment offline and launch an investigation.
3. The attackers exploited the vulnerabilities to bypass multi-factor authentication, gain access to the network’s VMware infrastructure, and maintain persistence using sophisticated backdoors and webshells.
4. Mitigations for the vulnerabilities were provided by Ivanti immediately, but proper patches were released nearly three weeks later, during which widespread exploitation of the flaws occurred.
5. MITRE has shared information on observed attack techniques and best practices for detection, as well as recommendations for network hardening, with no evidence at this point that its core enterprise network or partners’ systems are impacted.
6. The same Ivanti vulnerabilities have been used to hack into systems belonging to the cybersecurity agency CISA, potentially affecting 100,000 individuals.

Additionally, it’s noted that Google Cloud’s Mandiant is aware of several China-linked threat actors exploiting the Ivanti VPN vulnerabilities.

The meeting notes also include related articles about Ivanti’s response to the zero-day vulnerabilities and incidents related to the exploitation of Ivanti vulnerabilities.
