MITRE reports that it experienced a cyberattack from hackers who took advantage of vulnerabilities in Ivanti software.

Early this year, the not-for-profit research and development organization MITRE fell victim to a cyberattack by hackers who exploited vulnerabilities in Ivanti software. No data breach was reported, but the incident disrupted some of MITRE’s operations. CEO and president Jason Providakes published a breach notification on the MITRE website outlining the attack and the organization’s response.

The attack targeted MITRE’s Networked Experimentation, Research, and Virtualization Environment (NERVE), prompting the organization to take the environment offline, launch an investigation, and notify relevant authorities. MITRE is currently focused on restoring operational capabilities to facilitate collaboration, indicating that the attack disrupted certain functions.

Insights into the Attack

The breach notification attributed the attack to a “foreign nation-state threat actor,” and an accompanying advisory by MITRE CTO Charles Clancy and cybersecurity engineer Lex Crumpton gave further details: the attackers chained two zero-day vulnerabilities in Ivanti Connect Secure to breach MITRE’s Virtual Private Network (VPN).

Exploiting these vulnerabilities let the attackers hijack authenticated user sessions, which sidestepped multi-factor authentication (MFA) entirely, and then move laterally across the compromised network. The practical lesson is that MFA protects the login step, not a session that is already established on an appliance the attacker controls; once the VPN gateway itself is compromised, every session it terminates is exposed. The two flaws are ones Ivanti had disclosed in its VPN products: an authentication bypass (CVE-2023-46805) and a command injection flaw (CVE-2024-21887), which together give an unauthenticated attacker command execution on the appliance. Other threat actors subsequently used the same vulnerabilities to deploy infostealers, other malware, and ransomware against unpatched targets.

Security researchers publicly warned that Chinese state-sponsored threat actors were exploiting these Ivanti flaws, and reports indicated that more than 2,000 Ivanti appliances had been compromised and were being used to steal login credentials and session data. The scale of the attacks prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to issue an emergency directive ordering federal agencies to apply the necessary mitigations and patches promptly.
