MITRE Hacked: State-Sponsored Breach Exploits Zero-Days

The MITRE Corporation, a non-profit organization, has disclosed that in January 2024 a sophisticated, state-sponsored hacker group infiltrated its systems by chaining two zero-day exploits against its Ivanti Connect Secure VPN appliances.

The incident was initially identified following the detection of suspicious activity within MITRE’s NERVE (Networked Experimentation, Research, and Virtualization Environment), an unclassified collaborative network used for research and development. MITRE subsequently notified affected parties, reported the incident to the relevant authorities, and is currently working on restoring its systems.

Evidence gathered during the ongoing investigation indicates that the breach did not extend to the core corporate network or to the systems of its partners.

“No organization is immune from this type of cyber attack, not even one that strives to maintain the highest cybersecurity possible,” said Jason Providakes, president and CEO, MITRE. “We are disclosing this incident in a timely manner because of our commitment to operate in the public interest and to advocate for best practices that enhance enterprise security as well as necessary measures to improve the industry’s current cyber defense posture. The threats and cyber attacks are becoming more sophisticated and require increased vigilance and defense approaches. As we have previously, we will share our learnings from this experience to help others and evolve our own practices.”

In a separate release, Charles Clancy, MITRE’s Chief Technology Officer, and Lex Crumpton, a cybersecurity engineer, explained that the attackers compromised one of MITRE’s VPNs using two Ivanti Connect Secure vulnerabilities (CVE-2023-46805 and CVE-2024-21887) that were still unpatched zero-days when the exploitation began.

Furthermore, the attackers circumvented multi-factor authentication by hijacking an existing authenticated session, then moved laterally into MITRE’s VMware infrastructure using a compromised administrator account.

Throughout the attack, the hackers employed a combination of sophisticated web shells and backdoors to maintain access to compromised systems and gather credentials.

It is important to note that the two vulnerabilities complement each other: CVE-2023-46805 is an authentication bypass in the appliance’s web component, and CVE-2024-21887 is a command injection reachable through authenticated endpoints. Chained together, they give an unauthenticated remote attacker arbitrary command execution on the appliance. As reported by the security firm Mandiant in January 2024, these bugs were exploited in the wild to deploy several families of custom malware, with espionage being the attackers’ primary goal.
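To make the two techniques described above (the authentication-bypass-plus-command-injection chain, and MFA bypass by session hijacking) concrete from a defender’s side, here is an added log-triage example. It is not code from MITRE, Ivanti or Mandiant; the log format, the unauthenticated URL prefix `/api/v1/public/`, the `sess=` field and every sample line are constructed for illustration, and the three rules are generic heuristics for the bug classes, not vendor-published indicators.

```python
"""Heuristic triage of VPN-appliance web access logs.

Added example; not vendor or MITRE code. Flags three indicators of the
techniques described in the article:
  1. a request that starts under an unauthenticated URL prefix but
     normalizes outside it (path traversal used as an auth bypass),
  2. shell metacharacters in the request URL (command injection input),
  3. one session token observed from more than one client address
     (a replayed / hijacked session that needs no second MFA prompt).
Log format, prefix and sample lines are all assumed/constructed.
"""
import posixpath
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Constructed sample log: "<client_ip> <method> <url> sess=<token|->".
SAMPLE_LOG = """\
203.0.113.10 GET /api/v1/health sess=abc123
203.0.113.10 POST /api/v1/login sess=abc123
198.51.100.7 GET /api/v1/public/../../admin/status sess=-
198.51.100.7 POST /api/v1/admin/tool?host=127.0.0.1;id sess=-
203.0.113.10 GET /dashboard sess=abc123
192.0.2.55 GET /dashboard sess=abc123
"""

LINE_RE = re.compile(r"^(?P<ip>\S+) (?P<method>\S+) (?P<url>\S+) sess=(?P<sess>\S+)$")
# '&' is deliberately excluded: it is a legitimate query-string separator.
SHELL_META = re.compile(r"[;|`]|\$\(")
PUBLIC_PREFIX = "/api/v1/public/"  # assumed prefix served without authentication


def parse_line(line):
    """Return the fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def traversal_escapes_prefix(path, prefix):
    """True if `path` claims to be under `prefix` but normalizes outside it.

    URL-decode first so '%2e%2e' style encodings are not missed, then let
    posixpath.normpath resolve '..' segments the way a naive router might.
    """
    decoded = unquote(path)
    if not decoded.startswith(prefix):
        return False
    return not posixpath.normpath(decoded).startswith(prefix)


def has_shell_metachars(url):
    """True if the decoded URL (path or query) carries shell metacharacters."""
    return SHELL_META.search(unquote(url)) is not None


def triage(log_text):
    """Run all three rules over the log; return a list of (rule, subject, detail)."""
    findings = []
    session_ips = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = urlsplit(rec["url"]).path
        if traversal_escapes_prefix(path, PUBLIC_PREFIX):
            findings.append(("auth_bypass_traversal", rec["ip"], rec["url"]))
        if has_shell_metachars(rec["url"]):
            findings.append(("command_injection", rec["ip"], rec["url"]))
        if rec["sess"] != "-":
            session_ips[rec["sess"]].add(rec["ip"])
    # Rule 3 is evaluated after the pass, once every token's source set is known.
    for sess, ips in session_ips.items():
        if len(ips) > 1:
            findings.append(("session_reuse_multi_ip", sess, ",".join(sorted(ips))))
    return findings


if __name__ == "__main__":
    for rule, subject, detail in triage(SAMPLE_LOG):
        print(f"{rule:24} {subject:14} {detail}")
```

On the constructed sample the script reports one traversal hit and one command-injection hit from 198.51.100.7, and flags session `abc123` because it appears from two addresses. Rule 3 is the only one that does not need request content; it is also the rule that catches the MFA bypass, since a replayed session token never triggers a second factor. On a real appliance, pair heuristics like these with the vendor’s integrity checker rather than relying on web logs alone, because a backdoored appliance can edit its own logs.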

MITRE emphasized that in January it had followed government and Ivanti guidance to “update, replace, and fortify” its Ivanti systems. At that time, however, MITRE did not detect the attackers’ lateral movement into its VMware infrastructure. “We believed we had taken all necessary actions to mitigate the vulnerability, but clearly, these measures were insufficient,” the authors acknowledged.