MITRE says it was hit by hackers exploiting Ivanti flaws

News
By Sead Fadilpašić
published

They chained two flaws to bypass MFA and steal session cookies.

Red padlock open on electric circuits network dark red background
(Image credit: Shutterstock/Chor muang)

The not-for-profit research and development organization MITRE suffered a cyberattack early this year, with the attack apparently hindering some operations, but there was no talk of stolen data.

In a breach notification published on the MITRE website late last week, CEO and president Jason Providakes explained what happened and what the organization was doing about it.

Apparently, the company spotted suspicious activity on its Networked Experimentation, Research, and Virtualization Environment (NERVE), a collaborative network used for research, development, and prototyping.

Chinese threat actors

To contain the incident, the organization took the NERVE environment offline, launched an investigation, and notified relevant authorities. It is currently working to restore “operational alternatives for collaboration,” suggesting that some operations were hampered by the attack.

Nothing else was said in the notification, other than it was a “foreign nation-state threat actor” behind the attack. However, BleepingComputer found a separate advisory, published by MITRE CTO Charles Clancy, and Cybersecurity Engineer Lex Crumpton, in which it was explained that the attackers had chained two Ivanti Connect Secure zero-day vulnerabilities to breach a MITRE Virtual Private Network (VPN).

By using the two flaws, the attackers were also able to hijack user sessions, thus bypassing multi-factor authentication (MFA) solutions and moving laterally throughout the compromised network. 

Late last year, Ivanti warned its users that it discovered multiple security vulnerabilities in its VPN products, including an authentication bypass vulnerability (CVE-2023-46805), and a command injection flaw (CVE-2024-21887). These flaws were used by different threat actors to drop infostealers, malware, and ransomware, on vulnerable targets. 

Some researchers said Chinese state-sponsored threat actors were actively exploiting the flaws, while others were warning that more than 2,000 Ivanti appliances were being abused to steal login credentials, session data, and more. The large scale of the attacks even prompted the U.S. Cybersecurity and Infrastructure Security (CISA) agency to issue an emergency directive and urge federal agencies to apply the patches immediately.

More from TechRadar Pro

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.