Two zero-day vulnerabilities in Ivanti products that were disclosed in January (and patched weeks later) have turned out to be the entry point for a breach of MITRE, the US government-funded cybersecurity research center that maintains the widely used ATT&CK knowledge base. Chinese nation-state hackers are a plausible culprit, given how closely the intrusion resembles their exploitation of the same vulnerabilities in other incidents, but attribution has not been confirmed as yet.
One MITRE R&D network penetrated, nation-state hackers may be to blame
Ivanti is a Utah-based IT and security software vendor whose product line includes enterprise VPN appliances. The MITRE attackers made use of two zero-day vulnerabilities in the company’s Connect Secure VPN devices that were publicly disclosed in early January: CVE-2023-46805 and CVE-2024-21887. The vulnerabilities had been exploited in the wild for at least a week before public disclosure, which is why the early reporting was already describing active attacks; it took Ivanti about three weeks, until the start of February, to issue patches.
MITRE says that the attackers penetrated one of its Networked Experimentation, Research, and Virtualization Environment (NERVE) research and development networks after performing reconnaissance and exploiting the two zero-day vulnerabilities in its VPN appliance. From there the attackers moved laterally into the VMware environment, took control of at least one administrator account, installed webshells and backdoors for persistent access, and exfiltrated data.
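The lateral move described above, from a VPN appliance into the virtualization management plane with an administrator account, is the kind of event a defender can alert on: an edge appliance terminates user sessions, it should never itself authenticate to vCenter or an ESXi host as an administrator. The following is an added detection example written for this article, not code from MITRE or Ivanti; the log format, host names, IP addresses and account names are all constructed for the example.

```python
"""Flag privileged management-plane logins that originate from an edge
appliance (VPN gateway).  A login of this kind is the lateral-movement
pattern described in the article: the attacker is operating from the
compromised appliance itself.

Everything below (log format, hosts, addresses, accounts) is constructed
for illustration and is not MITRE's or Ivanti's data.
"""
import re
from datetime import datetime

# Constructed: addresses of edge appliances that must never act as a
# client to the virtualization management plane.
EDGE_APPLIANCES = {
    "10.0.1.10": "vpn-gw-01",
    "10.0.1.11": "vpn-gw-02",
}

# Constructed: accounts treated as privileged on vCenter/ESXi.
PRIVILEGED_ACCOUNTS = {"administrator@vsphere.local", "root"}

# Constructed syslog-like line format:
#   <ISO timestamp> <host> auth: user=<account> src=<ip> result=<ok|fail>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample: one normal user login, one failed and one successful
# administrator login from a VPN gateway, a root login to an ESXi host from
# the same gateway, and a legitimate administrator login from a workstation.
SAMPLE_LOGS = """\
2024-01-12T03:14:07Z vcenter-01 auth: user=jdoe@corp.example src=10.20.5.41 result=ok
2024-01-12T03:15:22Z vcenter-01 auth: user=administrator@vsphere.local src=10.0.1.10 result=fail
2024-01-12T03:15:31Z vcenter-01 auth: user=administrator@vsphere.local src=10.0.1.10 result=ok
2024-01-12T03:20:00Z esxi-07 auth: user=root src=10.0.1.10 result=ok
2024-01-12T09:02:13Z vcenter-01 auth: user=administrator@vsphere.local src=10.20.9.8 result=ok
"""


def parse_line(line):
    """Return a dict of fields for a well-formed line, or None otherwise."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    return rec


def find_edge_pivots(log_text, edge=EDGE_APPLIANCES, privileged=PRIVILEGED_ACCOUNTS):
    """Return one alert per successful privileged login whose source is an
    edge appliance.  Each alert also carries the number of failed attempts
    seen earlier from the same source for the same account, a hint of
    credential guessing or replay of a stolen session.
    """
    failures = {}
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip, do not crash the detector
        src = rec["src"]
        if src not in edge or rec["user"] not in privileged:
            continue
        key = (src, rec["user"])
        if rec["result"] == "fail":
            failures[key] = failures.get(key, 0) + 1
            continue
        alerts.append({
            "when": rec["ts"],
            "target": rec["host"],
            "account": rec["user"],
            "source": src,
            "appliance": edge[src],
            "prior_failures": failures.get(key, 0),
        })
    return alerts


if __name__ == "__main__":
    for a in find_edge_pivots(SAMPLE_LOGS):
        print(f"{a['when'].isoformat()} {a['account']} logged in to {a['target']} "
              f"from {a['appliance']} ({a['source']}), "
              f"{a['prior_failures']} prior failure(s)")
```

On the constructed sample the detector raises two alerts, both sourced from vpn-gw-01, and ignores the administrator login from the workstation address. The rule is deliberately narrow (source is an edge appliance and account is privileged) so that it can be run with near-zero false positives; in a real deployment the appliance address list comes from asset inventory, not a hard-coded dictionary.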
MITRE has also confirmed that it believes nation-state hackers were behind the attack, but it has not named the country. Third-party security research firms, including Mandiant, have noted a rash of Chinese nation-state hackers making use of these Ivanti vulnerabilities in their campaigns in recent months, and those hackers have used very similar post-compromise tradecraft when moving laterally.
MITRE has said that its enterprise network and partner systems were not accessed by the nation-state hackers. Callie Guenther, Senior Manager, Cyber Threat Research at Critical Start, expands on the likely fallout from the incident: “The breach’s reach, limited to NERVE without affecting MITRE’s core enterprise network or partners’ systems, suggests that the damage was contained. However, the sophistication and nature of the attack underline ongoing risks faced by organizations involved in national security and advanced technological research. This incident will likely lead to a reassessment of security measures, particularly around how sensitive unclassified networks are protected. MITRE’s response, including containment, recovery, and forensic analysis, will be critical in mitigating immediate risks and preventing future incidents. The broader security community will be keen on learning from MITRE’s experience to understand the threat actor’s methodologies and enhance their own defensive strategies.”
Zero-day vulnerabilities continue to nag long after patches are issued
Patching backlogs remain a serious problem for organizations: publicly known, patchable vulnerabilities (still loosely called “zero-days” after their initial disclosure) often linger for months, whether from inertia or because they fall too low on the priority list of strained IT departments. The MITRE incident only partly fits this pattern. The attackers reportedly entered in January, shortly after the vulnerabilities surfaced, and the intrusion was not discovered until March; but Ivanti’s patches did not arrive until the start of February, so the initial compromise could not have been prevented by patching alone. What the timeline does show is a detection gap of roughly two months, and it tracks with the spree conducted by Chinese nation-state hackers shortly after the Ivanti vulnerabilities first appeared.
The MITRE attack is considered relatively low-impact because the R&D network that was breached is unclassified, but it is far from unheard of for breach damage estimates to be revised weeks or months later. The spree connected to the Chinese nation-state hackers reached potentially more sensitive systems by way of these same Ivanti zero-day vulnerabilities, perhaps most notably an attack on the Cybersecurity and Infrastructure Security Agency (CISA) that compromised the “CISA Gateway” used to coordinate critical infrastructure security and the Chemical Security Assessment Tool (CSAT), which stores information about chemical plant security plans.
MITRE itself has not been breached in 15 years, but Ivanti made the news in 2021 for a hack of its Pulse Connect Secure product. That breach was also connected to Chinese nation-state hackers. Mandiant believes that the specific nation-state hackers behind the recent string of Ivanti breaches are UNC5221, a relatively new group also sometimes called “Red Dev 61.” The group appears to focus on international targets known to be of interest to Chinese intelligence, and has mostly been hitting private industry during a spree that compromised about 2,100 unpatched Ivanti devices worldwide. The group seems to follow opportunity more than specific target selection, going after everything from small businesses to Fortune 500 companies. Mandiant says that other Chinese nation-state hackers have likely also been putting the Ivanti flaws to use since the year started.
The year opened with a study from Microsoft’s security division that found about 80% of breaches involved unpatched software vulnerabilities for which a patch was available at the time. The state of patching and software updates has not improved substantially since. The leading reasons for delays in patching known vulnerabilities remain the same: a simple lack of manpower to keep up with manual actions, fear of breaking network applications, and the need to wait on vendors that are themselves strained and backlogged. A recent study reported by Help Net Security found that most organizations run about two months behind on necessary patches, and that the worst-performing industry sectors average a four-month backlog.
Ken Dunham, Cyber Threat Director at Qualys Threat Research Unit, frames the problem as a race between patching and adversaries who exploit the first opening they find: “The race to patch against vulnerabilities and de-risk is real in a world where adversaries are lying in wait to attack upon opportunity. In 2024, companies must apply due diligence at every step of the entire threat and vulnerability management (TVM) lifecycle, with the ability to rapidly prioritize patching, workarounds, and other forms of remediation, when justified by escalating threats. The need for strong cyber threat intelligence (CTI) driven programs has never been stronger to proactively reduce risk, quickly detect, and remove threats as fast as possible in the war against cyber threats. Excellence in SecOps includes lowering the impact of an incident by ensuring controls internally to identify and remove threats quickly as well as reduce the blast radius when an attack occurs.”
Darren Guccione, CEO and Co-Founder at Keeper Security, suggests a PAM platform as an immediate step for organizations struggling with patching issues: “A privileged access management (PAM) platform helps organizations manage and secure privileged credentials, and enforce least privilege access. PAM works by tightly monitoring access and activity in privileged accounts. If a cybercriminal is able to gain access to an organization’s networks, PAM platforms can minimize the blast radius by preventing lateral movement. Companies should also have security event monitoring in place. By adopting a zero trust framework within their infrastructure, enterprise leaders will be in a stronger position to not only identify and react to attacks on their organization but also mitigate any potential damage.”