MITRE ATT&CKED: InfoSec's Most Trusted Name Falls to Ivanti Bugs

Foreign nation-state hackers have used vulnerable Ivanti edge devices to gain three months' worth of "deep" access to one of MITRE Corp.'s unclassified networks.

MITRE, steward of the ubiquitous ATT&CK glossary of commonly known cyberattack techniques, previously went 15 years without a major incident. The streak snapped in January when, like so many other organizations, its Ivanti gateway devices were exploited.

The breach affected the Networked Experimentation, Research, and Virtualization Environment (NERVE), an unclassified, collaborative network the organization uses for research, development, and prototyping. The extent of the NERVE damage (pun intended) is currently being assessed.

Dark Reading reached out to MITRE to confirm the timeline and details of the attack. MITRE did not provide further clarification.

MITRE's ATT&CK

Stop me if you've heard this one before: In January, after an initial reconnaissance period, a threat actor exploited one of the company's virtual private networks (VPNs) through two Ivanti Connect Secure zero-day vulnerabilities (ATT&CK technique T1190, Exploit Public-Facing Applications).

According to a blog post from MITRE's Center for Threat-Informed Defense, the attackers bypassed the multifactor authentication (MFA) protecting the system with some session hijacking (MITRE ATT&CK T1563, Remote Service Session Hijacking).

They attempted to leverage several different remote services (T1021, Remote Services), including the Remote Desktop Protocol (RDP) and Secure Shell (SSH), to gain access to a valid administrator account (T1078, Valid Accounts). With it, they pivoted and "dug deep" into the network's VMware virtualization infrastructure.

There, they deployed Web shells (T1505.003, Server Software Component: Web Shell) for persistence, and backdoors to run commands (T1059, Command and Scripting Interpreter) and steal credentials, exfiltrating any stolen data to a command-and-control server (T1041, Exfiltration Over C2 Channel). To hide this activity, the group created its own virtual instances to run within the environment (T1564.006, Hide Artifacts: Run Virtual Instance).

MITRE's Defense

"The impact of this cyberattack should not be taken lightly," says Darren Guccione, CEO and co-founder at Keeper Security, highlighting "both the foreign ties of the attackers and the ability of the attackers to exploit two serious zero-day vulnerabilities in their quest to compromise MITRE’s NERVE, which could potentially expose sensitive research data and intellectual property."

He posits, "Nation-state actors often have strategic motivations behind their cyber operations, and the targeting of a prominent research institution like MITRE, that works on behalf of the US government, could be just one component of a larger effort."

Whatever its goals were, the hackers had ample time to carry them out. Though the compromise occurred in January, MITRE was only able to detect it in April, leaving a quarter-year gap in between.

"MITRE followed best practices, vendor instructions, and the government’s advice to upgrade, replace, and harden our Ivanti system," the organization wrote on Medium, "but we did not detect the lateral movement into our VMware infrastructure. At the time we believed we took all the necessary actions to mitigate the vulnerability, but these actions were clearly insufficient."

Editor's note: An earlier version of the story attributed the attacks to UNC5221. That attribution has not been made at this time.