Dive Brief:
- Mitre Corp. said one of its research and prototyping networks was breached in January by a nation-state-linked attacker that exploited a pair of zero-day vulnerabilities in the organization’s Ivanti remote-access VPN.
- “We took all the recommended actions from the vendor, from the U.S. government, but they were clearly not enough,” Charles Clancy, SVP and CTO at Mitre, said Friday in a video statement. “As a result, we are issuing a call to action to the industry. The threat has gotten more sophisticated, and so too must our solutions to combat that threat.”
- Mitre detected the cyberattack in its Network Experimentation, Research and Virtualization Environment, and the company quickly took the unclassified, collaborative network offline. “Based on our investigation to date, there is no indication that MITRE’s core enterprise network or partners’ systems were affected by this incident,” Mitre said Friday.
Dive Insight:
Mitre, a non-profit organization with close ties to the federal government that plays a central role in cyber defense research, is one of about 1,700 entities impacted by zero-day exploits in Ivanti Connect Secure products this year.
Mitre operates federally funded research and development centers for U.S. government sponsors. Some of Mitre’s contributions to the cybersecurity sector include CVE.org and the Mitre ATT&CK matrix and knowledge base of attackers’ tactics and techniques.
The zero-day exploits of Ivanti products have ensnared some of the most important organizations and agencies in cybersecurity. The Cybersecurity and Infrastructure Security Agency was also hit in January by a yet-to-be-identified attacker that exploited the critical vulnerabilities in Ivanti products the agency used at the time.
The attack against Mitre, which involved lateral movement from an Ivanti VPN into VMware infrastructure, occurred before the Ivanti zero-day vulnerabilities were disclosed, Clancy said Friday in a LinkedIn post.
The attacker performed reconnaissance on one of Mitre’s networks, exploited one of its Ivanti VPNs and “skirted past our multifactor authentication using session hijacking,” Clancy and Lex Crumpton, a defensive cyber operations researcher, said in a blog post.
“From there, they moved laterally and dug deep into our network’s VMware infrastructure using a compromised administrator account. They employed a combination of sophisticated backdoors and webshells to maintain persistence and harvest credentials,” Clancy and Crumpton said.
Mitre said the attack underscores the need to advance secure-by-design principles, improve supply chain security, micro-segment networks and deploy zero-trust architecture. The company did not immediately respond to a request for comment.
An investigation into the full impact and scope of information exposed as a result of the attack is ongoing.