The MITER Corporation revealed that it was the target of a nationwide cyberattack that exploited two zero-day flaws in Ivanti Connect Secure appliances starting in January 2024.
The intrusion led to the compromise of its Networked Experimentation, Research, and Virtualization Environment (NERVE), an unclassified research and prototyping network.
The unknown adversary “performed reconnaissance of our networks, exploited one of our virtual private networks (VPNs) through two Ivanti Connect Secure zero-day vulnerabilities, and circumvented our multi-factor authentication using session hijacking,” said Lex Crumpton, defensive cyber operations expert. researcher at the nonprofit organization, said last week.
The attack involved the exploitation of CVE-2023-46805 (CVSS score: 8.2) and CVE-2024-21887 (CVSS score: 9.1), which could be weaponized by threat actors to bypass the authentication and execute arbitrary commands on the infected system.
After gaining initial access, the threat actors moved laterally and breached the VMware infrastructure using a compromised administrator account, eventually paving the way for the deployment of backdoors and web shells for persistence and credential harvesting.
“NERVE is an unclassified collaborative network that provides storage, compute and networking resources,” MITER said. “Based on our investigations to date, there is no indication that MITER’s core corporate network or partner systems were affected by this incident.”
The organization said it had taken measures to contain the incident and had undertaken response and recovery efforts, as well as forensic analysis to identify the extent of the compromise.
The initial exploitation of the two flaws was attributed to a cluster monitored by cybersecurity firm Volexity under the name UTA0178, a state actor possibly linked to China. Since then, several other China-linked hacker groups have joined the exploitation bandwagon, according to Mandiant.
“No organization is immune to this type of cyber attack, not even one that strives to maintain the highest cybersecurity possible,” said Jason Providakes, president and CEO of MITER.
“We are disclosing this incident in a timely manner because of our commitment to operating in the public interest and upholding best practices that enhance corporate security, as well as measures necessary to improve the industry’s current cyber defense posture.”