MITRE research and prototyping network breached via Ivanti zero-days

The MITRE Corporation disclosed late last week that one of its unclassified research and prototyping networks was breached by an undisclosed nation-state.

Lex Crumpton, a principal cybersecurity engineer at MITRE, said in a blog post that starting in January 2024, a threat actor performed reconnaissance of MITRE’s networks and exploited one of the organization’s VPNs through two Ivanti Connect Secure zero-day vulnerabilities.  

Crumpton said the threat actor then moved past MITRE’s multi-factor authentication using session hijacking. From there, it moved laterally and dug into MITRE’s VMware infrastructure using a compromised administrator account. They then employed a combination of sophisticated backdoors and webshells to maintain persistence and harvest credentials.

“MITRE followed best practices, vendor instructions, and the government’s advice to upgrade, replace and harden our Ivanti systems, but we did not detect the lateral movement into our VMware infrastructure,” said Crumpton. “At the time we believed we took all the necessary actions to mitigate the vulnerability, but these actions were clearly insufficient.”

Callie Guenther, senior manager of threat research at Critical Start, and an SC Media columnist, explained that the exploitation of two zero-day vulnerabilities in Ivanti Connect Secure appliances points to a high level of sophistication and resources typical of nation-state actors.

The flaws exploited (CVE-2023-46805  and CVE-2024-21887) let the attackers bypass authentication and execute arbitrary commands, which Guenther said are severe exploits with high CVSS scores — 8.2 and 9.1, respectively.

Why the attack hit a NERVE

The network targeted was MITRE’s networked experimentation, research and virtualization environment — better known as NERVE.

John Bambenek, president of Bambenek Consulting, explained that NERVE was created to allow a rapid prototyping environment accessible by third-parties to do research quickly in ways that might take many layers of approvals in the formal production environment.

“It’s somewhat akin to an enterprise having a development environment with less controls to allow faster development,” explained Bambenek.

While NERVE is described as an unclassified network that offers storage, computing and networking resources, its role in facilitating research and prototyping could mean it contains valuable data on experimental technologies or methodologies, said Critical Start's Guenther. Although it's stated as unclassified, Guenther said the information it holds could still be of interest to adversaries, particularly those looking for insights into developing technologies or security defenses.

“While it might not be the primary network used by all security researchers at MITRE, its compromise can hinder ongoing research efforts, potentially delay projects, and necessitate significant resources to manage the breach and bolster security,” said Guenther. “The loss of trust in a key tool like NERVE could also impact collaborative efforts with other institutions or partners, especially if data integrity becomes a concern.”

MITRE's Crumpton added that they released information about the beach as well as the threat actors tactics, techniques, and procedures in the spirit of sharing their experiences with the security industry. Crumpton said the last time MITRE experienced a breach was 15 years ago, which led to the development of the now widely used MITRE ATT&CK framework.

“You can learn a lot from being hacked, and that knowledge can transform an entire industry” said Crumpton.