22 April 2024

MITRE discloses security breach via Ivanti zero-days


MITRE discloses security breach via Ivanti zero-days

The MITRE Corporation, a non-profit overseeing a knowledge base that helps model cyber adversaries' tactics and techniques, disclosed a security breach affecting its Networked Experimentation, Research, and Virtualization Environment (NERVE), a collaborative network used for research, development, and prototyping.

The organization said that an unnamed foreign state-sponsored threat actor was behind the attack.

Following the breach, the non-profit took measures to contain the incident, including taking some systems offline.

As MITRE CTO Charles Clancy and principal cybersecurity engineer Lex Crumpton explained in a separate blog post on Medium, the attackers exploited one of the organization’s Virtual Private Networks (VPNs) through two Ivanti Connect Secure zero-day vulnerabilities (CVE-2023-46805, CVE-2024-21887) and bypassed multi-factor authentication using session hijacking.

The threat actor then moved laterally and accessed the network’s VMware infrastructure via a compromised administrator account. The attackers employed a combination of sophisticated backdoors and webshells to maintain persistence and harvest credentials.

“MITRE has contacted authorities and notified affected parties and is working to restore operational alternatives for collaboration in an expedited and secure manner,” the organization said, adding that the investigation into the incident is ongoing.

Back to the list

Latest Posts

Threat actors abusing Foxit PDF Reader flaw to deploy multiple malware variants

Threat actors abusing Foxit PDF Reader flaw to deploy multiple malware variants

The flaw involves Foxit PDF Reader's handling of pop-up messages.
20 May 2024
China-linked APT group uses malware to spy on commercial shipping

China-linked APT group uses malware to spy on commercial shipping

Mustang Panda infiltrated the computer systems of cargo shipping companies in Norway, Greece, and the Netherlands.
20 May 2024
The Grandoreiro malware is back up and running after January disruption

The Grandoreiro malware is back up and running after January disruption

Grandoreiro now targets over 1,500 banks worldwide, spanning more than 60 countries across Central and South America, Africa, Europe, and the Indo-Pacific region.
20 May 2024