
MITRE has disclosed a security breach in one of its research and prototyping networks. A nation-state actor breached its systems in January 2024 by chaining two Ivanti Connect Secure zero-day vulnerabilities.
MITRE promptly launched an investigation and engaged third-party forensics and incident response teams to conduct an independent analysis in collaboration with its internal experts.
Based on the investigation, the organization states that "a threat actor performed reconnaissance of our networks, exploited one of our VPNs through two Ivanti Connect Secure zero-day vulnerabilities, and bypassed MFA using session hijacking. Then, they moved laterally and dug deep into our network's VMware infrastructure using a compromised administrator account." The actor then maintained persistence in the network.
MITRE spotted a foreign nation-state threat actor probing its Networked Experimentation, Research, and Virtualization Environment (NERVE), used for research and prototyping. The organization immediately started mitigation actions which included taking NERVE offline. The investigation is still ongoing to determine the extent of information involved.
The organization notified authorities and affected parties and is working to restore operational alternatives for collaboration.
Despite MITRE diligently following industry best practices, implementing vendor recommendations, and complying with government guidance to strengthen, update, and fortify its Ivanti system, the organization did not detect the lateral movement into its VMware infrastructure. MITRE said that neither its core enterprise network nor its partners' systems were affected by this incident.

