Hackers from foreign states used vulnerable Ivanti edge devices to gain three months of “deep” access to one of MITRE Corp.’s unclassified networks.
MITRE, steward of the ubiquitous ATT&CK glossary of commonly known cyberattack techniques, had previously experienced no major incidents for 15 years. The streak stopped in January when, like many other organizations, its Ivanti gateway devices were exploited.
The breach affected the Networked Experimentation, Research, and Virtualization Environment (NERVE), an unclassified collaborative network that the organization uses for research, development and prototyping. The extent of NERVE damage (pun intended) is currently being assessed.
Dark Reading contacted MITRE to confirm the timeline and details of the attack. MITRE provided no further clarification.
MITRE ATT&CK
Stop me if you’ve heard this before: In January, after an initial period of reconnaissance, a hacker exploited one of the company’s virtual private networks (VPNs) via two Ivanti Connect Secure zero-day vulnerabilities (ATT&CK Technique T1190, Exploit Public-Facing Application).
According to a blog post from MITRE’s Center for Threat-Informed Defense, the attackers bypassed the multi-factor authentication (MFA) protecting the system with some session hijacking (MITRE ATT&CK T1563, Remote Service Session Hijacking).
They attempted to exploit several remote services (T1021, Remote Services), including Remote Desktop Protocol (RDP) and Secure Shell (SSH), to gain access to a valid administrator account (T1078, Valid Accounts). With it, they pivoted and “dug deep” into the network’s VMware virtualization infrastructure.
There, they deployed web shells (T1505.003, Server Software Component: Web Shell) for persistence and backdoors to execute commands (T1059, Command and Scripting Interpreter) and steal credentials, exfiltrating any stolen data to a command-and-control server (T1041, Exfiltration Over C2 Channel). To hide this activity, the group created their own virtual instances to run within the environment (T1564.006, Hide Artifacts: Run Virtual Instance).
The MITRE defense
“The impact of this cyberattack should not be taken lightly,” says Darren Guccione, CEO and co-founder of Keeper Security, highlighting “both the attackers’ foreign ties and the attackers’ ability to exploit two serious zero-day vulnerabilities in their attempt to compromise MITRE’s NERVE, which could potentially expose sensitive research data and intellectual property.”
He posits: “State actors often have strategic motivations behind their cyber operations, and targeting a major research institution like MITRE, working on behalf of the U.S. government, may be just one component of a larger effort.”
Whatever their goals, the hackers had plenty of time to realize them. Although the compromise occurred in January, MITRE was only able to detect it in April, leaving a one-quarter gap in between.
“MITRE followed best practices, supplier instructions and government advice to update, replace and strengthen our Ivanti system,” the organization wrote on Medium, “but we have not detected lateral movement in our VMware infrastructure. At the time we believed we had taken all necessary actions to mitigate the vulnerability, but these actions were clearly insufficient.”
Editor’s note: An earlier version of the story attributed the attacks to UNC5221. No such attribution has been made at this time.