24 Apr, 2024
Nation & State
MITRE Hacked by State-Sponsored Group via Ivanti Zero-Days
MITRE revealed on Friday that one of its R&D networks was hacked a few months ago by a foreign state-sponsored threat actor leveraging zero-day vulnerabilities in an Ivanti product.
The attack occurred in early January, but it was only discovered this month. It targeted MITRE’s Networked Experimentation, Research, and Virtualization Environment (NERVE), an unclassified collaborative network that is used for research, development, and prototyping.
Following the discovery of the breach, MITRE took the NERVE environment offline and launched an investigation. The organization determined that the attack involved exploitation of two Ivanti Connect Secure VPN device vulnerabilities for initial access.
The vulnerabilities, tracked as CVE-2023-46805 and CVE-2024-21887, were zero-days at the time of the attack. They came to light on January 10, when cybersecurity firm Volexity warned that they had been exploited by hackers backed by the Chinese government to compromise Ivanti VPN devices.
Ivanti immediately provided mitigations, but it took the company nearly three weeks to start releasing proper patches.
Widespread exploitation of the Ivanti flaws started roughly a week after they came to light. Considering that MITRE was targeted before the zero-days were disclosed, the organization may have been targeted by the Chinese threat actors, but it has not shared any attribution details beyond saying that it was a foreign nation-state threat actor.
Google Cloud’s Mandiant is aware of several China-linked threat actors that have exploited the Ivanti VPN vulnerabilities in their attacks.
MITRE said the attackers performed reconnaissance, exploited the Ivanti zero-days, and bypassed its multi-factor authentication system using session hijacking.
“From there, they moved laterally and dug deep into our network’s VMware infrastructure using a compromised administrator account,” MITRE explained. “They employed a combination of sophisticated backdoors and webshells to maintain persistence and harvest credentials.”
MITRE’s investigation is ongoing, but at this point there is no evidence that its core enterprise network or partners’ systems are impacted by the incident.
MITRE is a not-for-profit company operating federally funded R&D centers on behalf of U.S. government sponsors. The company is widely known in the cybersecurity industry for its ATT&CK knowledge base of adversary tactics and techniques, which is based on real-world cyberattack observations.
MITRE has shared information on the observed ATT&CK techniques, as well as best practice tips for detecting such attacks, and recommendations for hardening networks.
CVE-2023-46805 and CVE-2024-21887 have also been used to hack into systems belonging to the cybersecurity agency CISA, which revealed earlier this month that the incident could affect 100,000 individuals.
Late last month MITRE opened a new AI Assurance and Discovery Lab for discovering and managing risks in AI-enabled systems.
21 Feb, 2024
Swiss Cyber Security Days 2024
Shaping Cyber Resilience
Secure your place for a secure future and discover the top-class programme with representatives from NATO, the Swiss Armed Forces and ETH Zurich Space, among others, on the BERNEXPO site!
Information : Swiss Cyber Security Days
15 Feb, 2024
Security Summit
SecurityWeek’s Security Summit events are a series of topic-specific virtual conferences that allow attendees from around the world to immerse in a virtual world to discuss the latest cybersecurity trends and gain insights into security strategies and emerging cyber threats faced by businesses.
- Attack Surface Management Summit | February 15, 2024
- Supply Chain Security and Third-Party Risk Summit | March 20, 2024
- Ransomware Resilience & Recovery Summit | April 17, 2024
- Threat Detection and Incident Response Summit | May 22, 2024
- CISO Forum Virtual Summit | June 18-19, 2024
- Cloud Security Summit | July 17, 2024
- Identity & Zero Trust Strategies Summit | August 7, 2024
- ICS Cybersecurity Conference | October 21-24, 2024 | Atlanta + Hybrid
- Cyber AI & Automation Summit | December 4, 2024
Information : Security Summits
12 Feb, 2024
Vulnerabilities : Exploitation of Another Ivanti VPN Vulnerability Observed
12 Feb, 2024
Vulnerabilities
ExpressVPN User Data Exposed Due to Bug
10 Feb, 2024
State
UN Experts Investigating 58 Suspected North Korean Cyberattacks Valued at About $3 Billion
09 Feb, 2024
Malware & Threats : New macOS Backdoor Linked to Prominent Ransomware Groups
09 Feb, 2024
Ransomware
Ransomware Payments Surpassed $1 Billion in 2023: Analysis
07 Feb, 2024
Vulnerabilities : Most Linux Systems Exposed to Complete Compromise via Shim Vulnerability
10 Jan, 2024
GOVERNMENT : US Disrupted Chinese Hacking Operation Aimed at Critical Infrastructure: Report
US government reportedly disabled parts of a botnet-powered cyber campaign conducted by the Chinese threat actor Volt Typhoon. by Eduard Kovacs
The United States government has disrupted parts of a major hacking campaign attributed to a threat actor linked to China, according to Reuters.
The news giant learned from unnamed Western security officials and one person familiar with the matter that the FBI and the Justice Department have been authorized to remotely disable some aspects of a Chinese cyber operation named Volt Typhoon, which has been known to target critical infrastructure.
The disruption attempt reportedly took place in recent months, but no details are available on exactly what was targeted or what actions were taken.
Volt Typhoon came to light in May 2023, when Microsoft warned that Chinese government hackers had been stealing data from critical infrastructure in the US territory of Guam.
In December, the hacking operation was linked to what was described as an ‘unkillable’ botnet powered by many routers and other IoT devices, predominantly easy-to-hack products that had reached end of life.
Cybersecurity firm SecurityScorecard reported earlier this month that it had found evidence suggesting that the UK and Australian governments have also been targeted by Volt Typhoon.
SecurityScorecard’s research found that the hackers had compromised many vulnerable Cisco routers between late November and early January. The fact that these router hijacking attacks are so recent indicates that the hackers are likely still active even after the US disruption attempt.
The threat actor has been around since at least mid-2021, targeting organizations in the communications, manufacturing, utility, transportation, construction, maritime, government, IT, and education sectors.
Reuters reported that the White House has asked the private sector for assistance in tracking Volt Typhoon. National security experts told the news service that attacks such as the ones conducted by this group could enable China to “remotely disrupt important facilities in the Indo-Pacific region that in some form support or service US military operations”.
Some of Reuters’ sources raised concerns that the hackers’ goal may be to disrupt the readiness of the United States in case China invades Taiwan.
“This actor is not doing the quiet intelligence collection and theft of secrets that has been the norm in the US. They are probing sensitive critical infrastructure so they can disrupt major services if, and when, the order comes down,” John Hultquist, chief analyst at Mandiant Intelligence, which is part of Google Cloud, told SecurityWeek.
Hultquist previously discussed the activities of Volt Typhoon and the threat posed by the hacker group at SecurityWeek’s 2023 ICS Cybersecurity Conference.
Information : US Disrupted Chinese Hacking Operation Aimed at Critical Infrastructure: Report
30 Aug, 2023
DATA BREACHES : 1.5 Million Affected by Data Breach at Insurance Broker Keenan & Associates
Insurance brokerage firm Keenan & Associates says personal information was stolen in an August 2023 cyberattack. by Ionut Arghire
Insurance consulting and brokerage firm Keenan & Associates is informing more than 1.5 million individuals that their personal information was stolen in an August 2023 cyberattack.
30 Jan, 2024
WHITEPAPER : Buyer's Guide for Generative AI Code Security
- How to properly educate your teams on generative AI tools and their usage.
- The tools necessary for effectively leveraging and securing AI-generated code.
- The importance of using the right tool for the job: securing your AI-generated code.
Information : Snyk