MITRE Corporation Breached by Nation-State Hackers Exploiting Ivanti Flaws

Apr 22, 2024 | The Hacker News | Network Security / Cybersecurity

The MITRE Corporation revealed that it was the target of a nation-state cyber attack that exploited two zero-day flaws in Ivanti Connect Secure appliances starting in January 2024.

The intrusion led to the compromise of its Networked Experimentation, Research, and Virtualization Environment (NERVE), an unclassified research and prototyping network.

The unknown adversary "performed reconnaissance of our networks, exploited one of our Virtual Private Networks (VPNs) through two Ivanti Connect Secure zero-day vulnerabilities, and skirted past our multi-factor authentication using session hijacking," Lex Crumpton, a defensive cyber operations researcher at the non-profit, said last week.


The attack entailed the exploitation of CVE-2023-46805 (CVSS score: 8.2), an authentication bypass, and CVE-2024-21887 (CVSS score: 9.1), a command injection flaw. Chained together, the two allow an unauthenticated attacker to bypass authentication and run arbitrary commands on the affected appliance.
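The session hijacking Crumpton describes above is worth dwelling on: a stolen session cookie already carries a completed MFA state, so the attacker is never prompted for a second factor, and the appliance logs show nothing more than the same session id arriving from a new client. The detector below, an added example that is not MITRE's, Ivanti's or Volexity's code, flags exactly that pattern over a constructed key=value access log. The log format, field names (sid, src, ua, event, user) and sample lines are assumptions made for the example, not Ivanti's real log schema.

```python
"""Flag VPN sessions presented from a client other than the one that passed MFA.

Added example (not MITRE's, Ivanti's or Volexity's code). Log format,
field names and sample lines are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one event per line, ISO timestamp then key=value fields.
SAMPLE_LOG = """\
2024-01-04T09:00:00Z sid=a1b2c3 src=198.51.100.10 ua=Mozilla/5.0 event=mfa_success user=alice
2024-01-04T09:05:12Z sid=a1b2c3 src=198.51.100.10 ua=Mozilla/5.0 event=request path=/portal/home
2024-01-04T09:07:30Z sid=a1b2c3 src=203.0.113.77 ua=curl/8.4.0 event=request path=/portal/admin
2024-01-04T09:09:00Z sid=d4e5f6 src=192.0.2.25 ua=Mozilla/5.0 event=mfa_success user=bob
2024-01-04T11:30:00Z sid=d4e5f6 src=192.0.2.26 ua=Mozilla/5.0 event=request path=/portal/home
2024-01-04T11:31:00Z sid=777777 src=192.0.2.30 ua=Mozilla/5.0 event=request path=/portal/home
"""


def parse_line(line):
    """Parse 'TIMESTAMP k=v k=v ...' into a dict; returns None for blank lines."""
    parts = line.split()
    if not parts:
        return None
    event = dict(field.split("=", 1) for field in parts[1:] if "=" in field)
    event["ts"] = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    return event


def find_hijacked_sessions(log_text, fast_switch=timedelta(minutes=15)):
    """Return one finding per session whose later events come from a different
    (src, ua) than the event that completed MFA.

    A changed user agent, or a changed IP within `fast_switch` of MFA, is rated
    high: legitimate roaming rarely looks like that. A bare IP change hours
    later is rated medium, since mobile clients do re-address.
    """
    by_session = defaultdict(list)
    for line in log_text.splitlines():
        event = parse_line(line)
        if event and "sid" in event:
            by_session[event["sid"]].append(event)

    findings = []
    for sid, events in by_session.items():
        events.sort(key=lambda e: e["ts"])
        auth = next((e for e in events if e.get("event") == "mfa_success"), None)
        if auth is None:
            continue  # no MFA event in this window, so nothing to compare against
        for event in events:
            if event is auth or event["ts"] < auth["ts"]:
                continue
            ip_changed = event.get("src") != auth.get("src")
            ua_changed = event.get("ua") != auth.get("ua")
            if not (ip_changed or ua_changed):
                continue
            elapsed = event["ts"] - auth["ts"]
            severity = "high" if ua_changed or elapsed <= fast_switch else "medium"
            findings.append({
                "sid": sid,
                "user": auth.get("user"),
                "auth_client": (auth.get("src"), auth.get("ua")),
                "new_client": (event.get("src"), event.get("ua")),
                "minutes_after_mfa": round(elapsed.total_seconds() / 60, 1),
                "severity": severity,
            })
            break  # one finding per session is enough to open a case
    return findings


if __name__ == "__main__":
    for finding in find_hijacked_sessions(SAMPLE_LOG):
        print(finding)
```

On the constructed data, alice's session is rated high (new IP and a curl user agent within minutes of MFA) while bob's is rated medium (IP change, same browser, two hours later); the session with no MFA event is ignored rather than guessed at. In production the comparison would key on whatever the appliance logs as the session identifier, and the thresholds would be tuned against the organization's own roaming patterns.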

Upon gaining initial access, the threat actors moved laterally and breached its VMware infrastructure using a compromised administrator account, ultimately paving the way for the deployment of backdoors and web shells for persistence and credential harvesting.

"NERVE is an unclassified collaborative network that provides storage, computing, and networking resources," MITRE said. "Based on our investigation to date, there is no indication that MITRE's core enterprise network or partners' systems were affected by this incident."

The organization said that it has since taken steps to contain the incident, and that it undertook response and recovery efforts as well as forensic analysis to determine the extent of the compromise.

The initial exploitation of the twin flaws has been attributed to a cluster tracked by cybersecurity firm Volexity under the name UTA0178, a nation-state actor likely linked to China. Since then, several other China-nexus hacking groups have joined the exploitation bandwagon, according to Mandiant.


"No organization is immune from this type of cyber attack, not even one that strives to maintain the highest cybersecurity possible," Jason Providakes, president and CEO of MITRE, said.

“We are disclosing this incident in a timely manner because of our commitment to operate in the public interest and to advocate for best practices that enhance enterprise security as well as necessary measures to improve the industry’s current cyber defense posture.”
