The MITRE Corporation reported a cyber attack that began in January 2024, involving a nation-state actor exploiting two zero-day vulnerabilities in Ivanti Connect Secure appliances. The attack compromised MITRE’s Networked Experimentation, Research, and Virtualization Environment (NERVE), which is an unclassified network used for research and prototyping.
The attackers used these vulnerabilities to bypass multi-factor authentication and execute arbitrary commands. They gained initial access, moved laterally within the network, and compromised the VMware infrastructure using an administrator account. This allowed them to deploy backdoors and web shells for ongoing access and data extraction.
Despite the severity of the breach, there’s no evidence that MITRE’s main enterprise network or its partners’ systems were affected. MITRE has since contained the incident and conducted a thorough investigation and recovery process. The exploitation of the vulnerabilities was first linked to a group named UTA0178, believed to be associated with China. Following this, other groups connected to China also began exploiting these vulnerabilities, according to cybersecurity firm Mandiant.
