In January, hackers infiltrated a MITRE Corporation network. The attackers, believed to be of Chinese origin and identified as UTA0178, exploited two vulnerabilities in VPN solution Ivanti Connect Secure. MITRE argues that the incident shows that even organizations with the very best preparation can be affected. But is that really the case? Was the attack truly not preventable?
MITRE Defensive Cyber Operations researcher Lex Crumpton and CTO Charles Clancy explain how the organization was affected. In January, hackers infiltrated a MITRE VPN by exploiting two vulnerabilities in Ivanti Connect Secure: CVE-2023-46805, an authentication bypass, and CVE-2024-21887, a command-injection flaw. Combined, they make it “trivial” to execute system commands, security firm Volexity noted in January. The CVEs were published on Jan. 12, but MITRE has not said exactly when the attack occurred.
The attack took place on the so-called NERVE, the network MITRE uses for R&D and prototyping. Crucially, MITRE did not trace the attackers’ lateral movement after the initial infiltration of this network. In January the company believed it had taken every step to mitigate the vulnerabilities, but by MITRE’s own admission those measures were clearly insufficient. Patches for Ivanti Connect Secure appeared later, but by then the attackers had already established a backdoor elsewhere. They also bypassed MFA through session hijacking.
Compromised admin account
The hackers’ key to success was breaking into the VMware infrastructure. To do so, they used an admin account that had been compromised earlier. The group then carried out further credential harvesting to extend the infiltration.
MITRE wasn’t the only victim of the Ivanti vulnerabilities, and the threat had been clearly defined elsewhere. Google’s Mandiant team, hardly a minor player among security researchers, published four blogs between January and April examining attacks on Ivanti Connect Secure and their perpetrators. After an initial blog revelation, Mandiant went into detail with Part 2 in late January: even after the mitigation provided by Ivanti, the threat remained active. Critically, MITRE had every reason to be extra alert to threats that had already compromised its network, meaning additional monitoring of admin activity should have been high on the checklist.
In late February, well before MITRE finally caught on to the attackers, Mandiant revealed the attack methods and concealment techniques of a certain group it called UNC5325. MITRE uses a different internal name for this group: UTA0178. Yes, the one already mentioned. In other words: Mandiant had actually already described the modus operandi of the MITRE attackers in great detail.
No excuse
Although the attack does not appear to have had nearly as much impact as the state-sponsored hacks on Microsoft, the rhetoric accompanying MITRE’s explanation is largely the same as the tech giant’s. The emphasis this time is on how this attack shows that even the highest-quality defenses aren’t always safe, but that explanation only holds if the attack was all but impossible to prevent. The exploitation of Ivanti Connect Secure, however, was not an act of God. When such zero-days are published, the working assumption has to be that your organization (especially a prominent one) has already been compromised. Verifying admin accounts and being generally more alert to suspicious network traffic is essential.
Patch management and tracking mitigations are not the only means of protecting VPNs. The makers of ManageEngine Log360, for example, explain that regular threat hunting is necessary when running a VPN infrastructure, because VPNs inherently carry risk: they connect remote locations to corporate data. Signs of session hijacking, however subtle, could also have led to earlier detection.
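As an added example (not from the article, MITRE or Mandiant), the following Python shows one way the “signs of session hijacking” mentioned above can be surfaced from VPN access logs: a session that completed MFA from one client and is then used from a different source IP or user agent. The log format, field names, account names and sample lines are constructed for illustration.

```python
from collections import namedtuple

# Constructed sample of VPN appliance access logs (tab-separated):
# time, user, session_id, source_ip, user_agent, event. Not real MITRE data.
SAMPLE_LOG = """\
09:00:01\tjdoe\ts1\t198.51.100.7\tVPNClient/9.1\tmfa_ok
09:00:20\tjdoe\ts1\t198.51.100.7\tVPNClient/9.1\tportal
09:05:44\tjdoe\ts1\t203.0.113.9\tcurl/8.4\tportal
09:06:02\tadmin\ts2\t192.0.2.5\tVPNClient/9.1\tmfa_ok
09:07:10\tadmin\ts2\t192.0.2.5\tVPNClient/9.1\tportal
09:40:33\tadmin\ts2\t203.0.113.9\tVPNClient/9.1\tadmin_console
10:01:00\tsvc\ts9\t203.0.113.9\tcurl/8.4\tportal
"""
ADMIN_USERS = {"admin"}  # constructed list of privileged accounts to watch closely

Record = namedtuple("Record", "time user sid ip ua event")

def parse(log):
    """Yield one Record per non-empty log line."""
    for line in log.splitlines():
        if line.strip():
            yield Record(*line.split("\t"))

def find_hijack_indicators(log):
    """Flag session ids used from a client (ip, user-agent) that differs from
    the client that completed MFA, and sessions that never completed MFA in
    the window. Admin sessions are reported with higher severity."""
    origin = {}   # sid -> (ip, ua) recorded when MFA succeeded
    alerts = []
    for rec in parse(log):
        if rec.event == "mfa_ok":
            origin[rec.sid] = (rec.ip, rec.ua)
            continue
        sev = "high" if rec.user in ADMIN_USERS else "medium"
        first = origin.get(rec.sid)
        if first is None:
            # Activity on a session with no MFA event in this log window
            alerts.append({"sid": rec.sid, "user": rec.user, "time": rec.time,
                           "reason": "no_mfa_seen", "severity": sev})
        elif (rec.ip, rec.ua) != first:
            # Same session cookie, different client: classic hijack indicator
            alerts.append({"sid": rec.sid, "user": rec.user, "time": rec.time,
                           "reason": f"client_changed {first[0]} -> {rec.ip}",
                           "severity": sev})
    return alerts

if __name__ == "__main__":
    for alert in find_hijack_indicators(SAMPLE_LOG):
        print(alert)
```

In a real deployment the same comparison would run against the appliance’s exported access logs, with the admin list fed from the identity provider rather than hard-coded.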
All this may sound like we’re setting exceedingly high security requirements for organizations. But we should expect the very highest security standards from the likes of MITRE. After all, it advises the U.S. government on security best practices and, through ATT&CK, tracks how attackers operate worldwide. Several times a year it even publishes how well commercial security tooling stands up to (advanced) attacks. On that front, the organization doesn’t seem to have looked in its own backyard closely enough. The upside is that this infiltration appears to have caused little damage, although not all the details have been shared yet.