The MITRE Corporation on Friday disclosed a breach impacting one of its collaborative networks used for research, development and prototyping. MITRE said in January attackers had exploited two known Ivanti Connect Secure vulnerabilities in order to deploy sophisticated backdoors and harvest credentials.
MITRE, a nonprofit organization that manages federally funded research and development centers supporting government agencies in cybersecurity, defense, homeland security and more, is only the latest high-profile organization to be hit via Ivanti’s vulnerabilities in its Connect Secure and Policy Secure gateways - the U.S. Cybersecurity and Infrastructure Security Agency (CISA) was another recent target, according to officials. MITRE said that, in its specific incident, the nation-state actor behind the attack first performed reconnaissance before exploiting the Ivanti flaws in one of its VPNs and bypassing its multi-factor authentication measures via session hijacking.
“In April 2024 we confirmed that MITRE was subject to an intrusion into one of our research and prototyping networks," said Lex Crumpton and Charles Clancy with MITRE in a Friday post. "MITRE’s security team immediately began an investigation, cut off all known access to the threat actor, and brought in third-party Digital Forensics Incident Response teams to perform their own independent analysis alongside our in-house experts."
After initial access, attackers were able to move laterally and use a compromised administrator account to dig into the network’s VMware infrastructure. Though MITRE had followed best practices and instructions from Ivanti and the U.S. government to upgrade, replace and harden their Ivanti devices, they did not detect the lateral movement into the VMware infrastructure, said Crumpton and Clancy.
During the course of the incident response, MITRE took various measures, including isolating impacted systems and segments of the network to curb the scope of the attack, improving their monitoring of impacted systems and migrating to new systems.
“We launched multiple streams of forensic analysis to identify the extent of the compromise, the techniques employed by the adversaries, and whether the attack was limited to the research and prototyping network or had spread further,” according to Crumpton and Clancy. “While this process is still underway, and we have a lot more to uncover about how the adversary interacted with our systems, trusted log aggregation was perhaps the most important component to enabling our forensic investigation.”
MITRE said the investigation is ongoing and it is still working to determine the scope of the information potentially compromised. The impacted unclassified MITRE research and development system, called the Networked Experimentation, Research, and Virtualization Environment (NERVE), was launched in 2015 as a way to help researchers better collaborate with external labs and partners. MITRE said there is currently no indication that its core enterprise network or partner systems have been impacted.
The incident shows the continued level of fallout from Ivanti’s flaws, disclosed in January (CVE-2024-21887 and CVE-2023-46805), which have been widely exploited by threat actors and also led to an emergency directive by the U.S. government ordering federal agencies to temporarily disconnect all instances of the appliances from agency networks, perform a factory reset and then rebuild and upgrade them.