The MITRE Corporation, a non-profit organization that collaborates with the U.S. government on cybersecurity research and development, disclosed on Friday a data breach attributed to unidentified state-backed hackers. The attackers gained access to MITRE's network by exploiting two zero-day vulnerabilities (previously unknown flaws) in software from Ivanti, a company that provides IT security products.
MITRE discovered the intrusion after detecting suspicious activity on its Networked Experimentation, Research, and Virtualization Environment (NERVE), an unclassified network used for collaborative research projects. Investigators determined that the attackers chained several techniques to compromise the network. First, they exploited the Ivanti zero-day vulnerabilities to break into one of MITRE's Virtual Private Networks (VPNs). VPNs are encrypted connections that allow users to securely access a private network remotely; by exploiting these vulnerabilities, the attackers bypassed the security checks normally applied to VPN connections.
Next, the attackers used session hijacking to take over a legitimate user's session. Session hijacking means taking control of an existing, already-authenticated communication session between a user and a server. Because the authentication had already been completed by the legitimate user, this allowed the attackers to bypass multi-factor authentication (MFA), an additional security layer that requires a second form of identification beyond a username and password.
Once inside the network, the attackers obtained a privileged administrator account, significantly escalating their level of access. They then deployed various tools within the network, including backdoors and webshells, to maintain persistence and steal data. Backdoors are hidden entry points that give attackers continued access to a compromised system, while webshells are web-based interfaces that let attackers remotely control a compromised server.
MITRE stated that the breach was limited to its NERVE network and that there is no evidence its core enterprise network or partner systems were compromised. The organization is currently working to identify the attackers and assess the potential impact of the incident. It has also notified relevant authorities and parties potentially affected by the breach.
The MITRE breach is a stark reminder of the evolving tactics employed by state-backed hackers. These groups are constantly developing new methods to exploit vulnerabilities and bypass security controls. The incident also highlights the importance of applying security patches promptly, and the particular difficulty posed by zero-day vulnerabilities, which by definition have no patch available when they are first exploited. Additionally, the use of session hijacking underscores the need for robust MFA implementation: verifying a second factor only at login does little good if a stolen session token can be replayed afterwards without any further check.
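To make the session-hijacking point concrete, here is an added illustration (not code from MITRE, Ivanti or the article) of a server-side session store that binds each MFA-verified session to the client context seen at login, so that a stolen token replayed from elsewhere is rejected and flagged instead of inheriting the MFA-verified state. The `SessionStore` class, the IP/User-Agent fingerprint and all sample values are constructed for this example.

```python
import hashlib
import hmac
import secrets


def _fingerprint(ip: str, user_agent: str) -> str:
    """Hash of the client context a session is bound to (constructed choice of signals)."""
    return hashlib.sha256(f"{ip}|{user_agent}".encode()).hexdigest()


class SessionStore:
    """Minimal in-memory session store with context binding and hijack alerting."""

    def __init__(self) -> None:
        self._sessions: dict[str, dict] = {}
        self.alerts: list[dict] = []  # what a SOC would forward to a SIEM

    def login(self, user: str, ip: str, user_agent: str, mfa_passed: bool) -> str:
        # MFA is enforced exactly once, here; the returned token is what a
        # hijacker would need to steal to ride on this verified session.
        if not mfa_passed:
            raise PermissionError("MFA required at login")
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user, "fp": _fingerprint(ip, user_agent)}
        return token

    def validate(self, token: str, ip: str, user_agent: str):
        """Return the session's user, or None if the token is unknown or hijacked."""
        sess = self._sessions.get(token)
        if sess is None:
            return None
        if not hmac.compare_digest(sess["fp"], _fingerprint(ip, user_agent)):
            # Same token, different client context: treat as hijacked,
            # revoke the session and raise an alert for the defenders.
            self.alerts.append({"user": sess["user"], "ip": ip, "reason": "session context mismatch"})
            del self._sessions[token]
            return None
        return sess["user"]


def demo():
    store = SessionStore()
    tok = store.login("alice", "10.0.0.5", "Mozilla/5.0 (corp laptop)", mfa_passed=True)
    ok = store.validate(tok, "10.0.0.5", "Mozilla/5.0 (corp laptop)")
    # The stolen token is replayed from another host: rejected and revoked.
    hijacked = store.validate(tok, "203.0.113.9", "curl/8.0")
    # Revocation also ends the legitimate user's session, forcing a fresh MFA login.
    after = store.validate(tok, "10.0.0.5", "Mozilla/5.0 (corp laptop)")
    return ok, hijacked, after, len(store.alerts)
```

Binding to source IP alone is fragile behind NAT and mobile networks, so production systems typically combine short session lifetimes with stronger binding signals such as device certificates or token binding; the alert-on-mismatch pattern is what turns a silent MFA bypass into a detectable event.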
MITRE's collaboration with the U.S. government positions it at the forefront of cybersecurity research. The knowledge gained from this breach will undoubtedly be valuable in developing improved defensive strategies against future cyberattacks.