Nation-State Hacker Rampage With Ivanti Zero-Day Vulnerabilities Includes Breach of MITRE

Apr 26, 2024

An early 2024 spree that made use of published Ivanti zero-day vulnerabilities has previously been attributed to China’s nation-state hackers, and may well have included a break-in at MITRE.

MITRE would only confirm that it suspected some sort of nation-state hackers, but outside security researchers have noted similarities between this attack and other incidents attributed to China that made use of Ivanti zero-day vulnerabilities shortly after (and possibly even before) they were published.

Patching backlog allows for exploitation of zero-day vulnerabilities weeks, even months after publication

As the Ivanti and MITRE incident demonstrates, serious zero-day vulnerabilities continue to linger even at security-minded organizations. MITRE was penetrated by a chain of two specific Ivanti vulnerabilities that were reported to the public in January (due to already being seen in use by hackers) and patched at the start of February. The breach is thought to have taken place in January, but was not discovered until March.

In January, Chinese nation-state hackers were on a tear of exploiting the published Ivanti zero-day vulnerabilities before organizations could catch up with patching. That makes it very likely that the MITRE compromise was part of that campaign, in which the attackers were thought to have compromised about 2,100 unpatched Ivanti instances worldwide. Though this has not yet been confirmed by MITRE, the particular group associated with this spree is called “UNC5221” or “Red Dev 61” and appears to focus on unpatched vulnerabilities in private businesses that might have information of interest to the Chinese government.

It’s impossible to say exactly what the fault was in the MITRE case, but serious zero-day vulnerabilities continue to go unpatched for a variety of the usual reasons. It’s usually either because there simply isn’t enough staff to get to everything, or out of concern that patching will disrupt business operations by causing something to stop working. Nation-state hackers are very much aware of this state of affairs, as can be seen here.

Chinese nation-state hackers lead the suspect list

The two zero-day vulnerabilities, CVE-2023-46805 and CVE-2024-21887, were the entry point into one of MITRE’s NERVE research & development networks. The attackers then moved laterally into the VMware environment, accessed an administrator account, and stole an unknown quantity and type of data. The post-breach activity is part of the basis for attributing the intrusion to Chinese nation-state hackers, who have used very similar techniques both to gain initial access to other targets and to expand access once inside.

The total scope of the damage is still unclear, but appears to be limited as MITRE says that no partner systems or components of the core enterprise network were accessed. China has greatly expanded its count of nation-state hacker teams in recent years, and recent document leaks show that it often turns to private contractors for things like foreign espionage missions. The team involved in this incident, UNC5221, appears to be relatively new but has already been highly active within the space of just a few months.
