MITRE ATT&CKED: InfoSec's Most Trusted Name Falls to Ivanti Bugs

Published: 23/11/2024   Category: security




The irony is lost on few, as a nation-state threat actor used eight MITRE techniques to breach MITRE itself — including exploiting the Ivanti bugs that attackers have been swarming on for months.



Foreign nation-state hackers have used vulnerable Ivanti edge devices to gain three months' worth of deep access to one of MITRE Corp.'s unclassified networks.
MITRE, steward of the ubiquitous ATT&CK glossary of commonly known cyberattack techniques, previously went 15 years without a major incident. The streak snapped in January when, like so many other organizations, its Ivanti gateway devices were exploited.
The breach affected the Networked Experimentation, Research, and Virtualization Environment (NERVE), an unclassified, collaborative network the organization uses for research, development, and prototyping. The extent of the NERVE damage (pun intended) is currently being assessed.
Dark Reading reached out to MITRE to confirm the timeline and details of the attack. MITRE did not provide further clarification.
Stop me if you've heard this one before: In January, after an initial reconnaissance period, a threat actor exploited one of the company's virtual private networks (VPNs) through two Ivanti Connect Secure zero-day vulnerabilities (ATT&CK technique T1190, Exploit Public-Facing Applications).
According to a blog post from MITRE's Center for Threat-Informed Defense, the attackers bypassed the multifactor authentication (MFA) protecting the system with some session hijacking (MITRE ATT&CK T1563, Remote Service Session Hijacking).
They attempted to leverage several different remote services (T1021, Remote Services), including the Remote Desktop Protocol (RDP) and Secure Shell (SSH), to gain access to a valid administrator account (T1078, Valid Accounts). With it, they pivoted and dug deep into the network's VMware virtualization infrastructure.
There, they deployed Web shells (T1505.003, Server Software Component: Web Shell) for persistence, and backdoors to run commands (T1059, Command and Scripting Interpreter) and steal credentials, exfiltrating any stolen data to a command-and-control server (T1041, Exfiltration Over C2 Channel). To hide this activity, the group created its own virtual instances to run within the environment (T1564.006, Hide Artifacts: Run Virtual Instance).
"The impact of this cyberattack should not be taken lightly," says Darren Guccione, CEO and co-founder at Keeper Security, highlighting both the foreign ties of the attackers and the ability of the attackers to exploit two serious zero-day vulnerabilities in their quest to compromise MITRE's NERVE, which could potentially expose sensitive research data and intellectual property.
He posits, "Nation-state actors often have strategic motivations behind their cyber operations, and the targeting of a prominent research institution like MITRE, that works on behalf of the US government, could be just one component of a larger effort."
Whatever its goals were, the hackers had ample time to carry them out. Though the compromise occurred in January, MITRE was only able to detect it in April, leaving a quarter-year gap in between.
"MITRE followed best practices, vendor instructions, and the government's advice to upgrade, replace, and harden our Ivanti system," the organization wrote on Medium, "but we did not detect the lateral movement into our VMware infrastructure. At the time we believed we took all the necessary actions to mitigate the vulnerability, but these actions were clearly insufficient."
Editor's note: An earlier version of the story attributed the attacks to UNC5221. That attribution has not been made at this time.
