MITRE Reveals Ivanti Breach By Nation State Actor

The MITRE Corporation has become the latest high-profile victim of an Ivanti-related breach, after a nation state actor compromised its R&D network via two chained zero-day vulnerabilities.

The non-profit said the last time it suffered a major cyber-incident like this was 15 years ago – an event which precipitated the creation of its MITRE ATT&CK knowledge base of adversary tactics and techniques.

On this occasion, an unnamed state actor compromised MITRE’s Networked Experimentation, Research, and Virtualization Environment (NERVE) – an unclassified collaborative network that provides storage, computing and networking resources. There’s no indication the actor breached MITRE’s core network or partner systems.

“Starting in January 2024, a threat actor performed reconnaissance of our networks, exploited one of our Virtual Private Networks (VPNs) through two Ivanti Connect Secure zero-day vulnerabilities, and skirted past our multi-factor authentication using session hijacking. From there, they moved laterally and dug deep into our network’s VMware infrastructure using a compromised administrator account. They employed a combination of sophisticated backdoors and webshells to maintain persistence and harvest credentials,” explained MITRE CTO, Charles Clancy, and principal cybersecurity engineer, Lex Crumpton.

“MITRE followed best practices, vendor instructions, and the government’s advice to upgrade, replace, and harden our Ivanti system, but we did not detect the lateral movement into our VMware infrastructure. At the time we believed we took all the necessary actions to mitigate the vulnerability, but these actions were clearly insufficient.”
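The quoted account hinges on one detection gap: a VPN session minted after a successful MFA login was later driven by an attacker, and nothing tied the session back to the client that had passed MFA. The following added example (not MITRE's or Ivanti's code; the log format, field names and sample entries are constructed for illustration) shows the simplest form of that check, binding each session to the source address and user agent seen at MFA time and flagging any later use of the same session from a different client. A session that was never seen being minted by an MFA login is flagged too, since a stolen or forged cookie would look exactly like that.

```python
"""Flag session cookies reused from a client other than the one that passed MFA.

Constructed example for the session-hijacking point in the article. The
CSV-like log format below is hypothetical, not any vendor's real format:
timestamp,event,user,session,src_ip,user_agent
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample log lines: alice's session is replayed from a new address
# and a scripting user agent; bob's is reused from his own address but with a
# different client; sess-C3 appears without any MFA login having minted it.
SAMPLE_LOG = """\
2024-01-10T08:00:01Z,login_mfa_ok,alice,sess-A1,203.0.113.5,Mozilla/5.0 (Windows NT 10.0) Firefox/121.0
2024-01-10T08:05:12Z,request,alice,sess-A1,203.0.113.5,Mozilla/5.0 (Windows NT 10.0) Firefox/121.0
2024-01-10T09:17:44Z,request,alice,sess-A1,198.51.100.77,python-requests/2.31
2024-01-10T09:18:02Z,request,alice,sess-A1,198.51.100.77,python-requests/2.31
2024-01-10T08:30:00Z,login_mfa_ok,bob,sess-B7,192.0.2.20,Mozilla/5.0 (Macintosh) Safari/605.1
2024-01-10T08:45:00Z,request,bob,sess-B7,192.0.2.20,Mozilla/5.0 (Macintosh) Safari/605.1
2024-01-10T08:50:00Z,request,bob,sess-B7,192.0.2.20,curl/8.4
2024-01-10T10:00:00Z,request,carol,sess-C3,198.51.100.77,python-requests/2.31
"""

Binding = Tuple[str, ...]  # (src_ip, user_agent) or (src_ip,) depending on strictness


@dataclass(frozen=True)
class Finding:
    session: str
    user: str
    ts: str
    bound_to: Binding   # client seen at MFA login; empty if the session was never minted
    seen_from: Binding  # client now presenting the session


def parse(log_text: str) -> List[dict]:
    """Split the constructed log into event dicts; user agent may contain commas."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event, user, session, src_ip, ua = line.split(",", 5)
        events.append({"ts": ts, "event": event, "user": user,
                       "session": session, "src_ip": src_ip, "ua": ua})
    return events


def detect_session_reuse(log_text: str, strict_ua: bool = True) -> List[Finding]:
    """Bind each session to the client that passed MFA and flag later mismatches.

    strict_ua=True binds on (src_ip, user_agent); False binds on src_ip only,
    which tolerates a user switching browsers but misses same-host tooling.
    """
    bindings: Dict[str, Binding] = {}
    findings: List[Finding] = []
    # ISO-8601 UTC timestamps sort correctly as strings
    for e in sorted(parse(log_text), key=lambda ev: ev["ts"]):
        client: Binding = (e["src_ip"], e["ua"]) if strict_ua else (e["src_ip"],)
        sid = e["session"]
        if e["event"] == "login_mfa_ok":
            bindings[sid] = client          # session is now bound to this client
            continue
        bound = bindings.get(sid)
        if bound is None:
            # session presented without ever passing MFA on this log: treat as stolen/forged
            findings.append(Finding(sid, e["user"], e["ts"], (), client))
        elif bound != client:
            findings.append(Finding(sid, e["user"], e["ts"], bound, client))
    return findings


def sessions_to_revoke(findings: List[Finding]) -> List[str]:
    """Distinct session ids worth revoking and re-challenging with MFA."""
    return sorted({f.session for f in findings})


if __name__ == "__main__":
    for f in detect_session_reuse(SAMPLE_LOG):
        print(f"{f.ts} {f.user} {f.session}: bound to {f.bound_to or 'nothing'}, seen from {f.seen_from}")
    print("revoke:", sessions_to_revoke(detect_session_reuse(SAMPLE_LOG)))
```

Run against the constructed log, the strict check flags alice's replayed session, bob's change of client and the never-minted sess-C3; the address-only check drops bob's event. Either way, the useful response is the same one the quote implies was missing: revoke the session and require a fresh MFA challenge rather than trusting a cookie that outlived the login that produced it.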

As befits a security-focused organization, MITRE has used the incident as an opportunity to share its learnings with the community.

“We are disclosing this incident in a timely manner because of our commitment to operate in the public interest and to advocate for best practices that enhance enterprise security as well as necessary measures to improve the industry’s current cyber-defense posture,” said CEO, Jason Providakes.

MITRE said the incident had been contained, the authorities informed, and it is now working to restore “operational alternatives for collaboration” in an expedited and secure manner.

Clancy and Crumpton’s blog has a range of advice for organizations looking to harden their networks and improve detection. The non-profit itself has committed to the following going forward:

  • A full incident review including vulnerability assessments and penetration testing
  • Enhanced employee training and awareness programs
  • Enhanced defensive posture based on lessons learned
