
MITRE breach details reveal attackers’ successes and failures
2024-05-08 11:06

MITRE has shared a timeline of the recent breach it fell victim to and has confirmed that it began earlier than previously thought: on December 31, 2023.

Tools and techniques used to breach MITRE. The attackers leveraged the Ivanti zero-days to gain access to the organization's research and prototyping network, from which they performed additional reconnaissance, moved into its VMware environment and exfiltrated data.

"UNC5221 is a suspected China-nexus actor that Mandiant is tracking as the only group exploiting CVE-2023-46805 and CVE-2024-21887 during the pre-disclosure time frame since early Dec. 2023," Mandiant analysts noted in early April.

One of the web shells used by the attackers has been spotted for the first time.

The exfiltration of compromised data began on January 19 and the attackers tried to pivot to other resources outside the VMware environment throughout February and March.

MITRE has promised to share additional details on the adversary's persistence techniques next week, when it will also provide detection tools.


News URL

https://www.helpnetsecurity.com/2024/05/08/mitre-breach/

Related Vulnerability

DATE        CVE             VULNERABILITY TITLE
2024-01-12  CVE-2024-21887  Command Injection vulnerability in Ivanti Connect Secure and Policy Secure
  Description: A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.
  Attack vector: network; attack complexity: low; vendor: ivanti; weakness: CWE-77
  Risk: critical (CVSS 9.1)

2024-01-12  CVE-2023-46805  Improper Authentication vulnerability in Ivanti Connect Secure and Policy Secure
  Description: An authentication bypass vulnerability in the web component of Ivanti ICS 9.x, 22.x and Ivanti Policy Secure allows a remote attacker to access restricted resources by bypassing control checks.
  Attack vector: network; attack complexity: low; vendor: ivanti; weakness: CWE-287
  Risk: CVSS 8.2

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Mitre 3 1 10 1 2 14