The US non-profit MITRE Corporation fell victim to an attack by a hacker group. MITRE does systems engineering for the U.S. government and is known to security practitioners as the organization behind the CVE vulnerability catalogue. In April 2024 it became known that one of the corporation's research and prototyping networks had been breached back in January.

MITRE states that it followed accepted information security practice, including the vendor's hardening recommendations for Ivanti Connect Secure; that proved insufficient. The attackers gained initial access through the Ivanti Connect Secure VPN appliance using two zero-day vulnerabilities and bypassed multi-factor authentication by hijacking an already authenticated session (MFA gates the login, not a session token that has already been issued, so a stolen session needs no second factor). They then used a compromised administrator account to move laterally into the VMware infrastructure.

The investigation into the attack is ongoing, but it is already known that the attackers exploited two zero-day vulnerabilities in Ivanti Connect Secure, CVE-2023-46805 and CVE-2024-21887.

Of particular concern is that the entry point was an Ivanti appliance whose very purpose is security: the VPN gateway meant to guard the perimeter became the way through it.

CVE-2023-46805 is an authentication bypass in the web component of the appliance, and CVE-2024-21887 is a command injection that on its own requires an authenticated administrator. Chained together (a public Metasploit module does exactly this), they allow an unauthenticated attacker to execute arbitrary commands on vulnerable Ivanti Connect Secure and Ivanti Policy Secure instances. Ivanti's advisory lists all supported 9.x and 22.x releases of both products as affected until the vendor's mitigation or patch is applied; whether unsupported 8.x and earlier releases are also affected is unknown.
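As an added example (not MITRE's, Ivanti's or Intruforce's code), the Python script below shows how the two-stage pattern described above, a path manipulation that reaches an endpoint without authenticating followed shortly by a request carrying shell metacharacters from the same client, can be hunted for in web access logs. The log format (combined-log style), the request paths, the time window and the indicator patterns are assumptions made for illustration; the sample lines are constructed and do not reproduce the real exploit requests.

```python
"""Hunt for chained auth-bypass + command-injection attempts in web access logs.

Added example, not code from the page's author or from Ivanti. The log layout,
the paths and the indicators below are assumptions for illustration only.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote

# Constructed sample lines in combined-log style (assumed format, not a real appliance log).
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jan/2024:03:14:07 +0000] "GET /api/v1/public/../../admin/status HTTP/1.1" 200 512
203.0.113.10 - - [10/Jan/2024:03:14:09 +0000] "GET /api/v1/status/;id HTTP/1.1" 200 88
198.51.100.7 - - [10/Jan/2024:03:20:41 +0000] "GET /login HTTP/1.1" 200 2310
192.0.2.44 - - [10/Jan/2024:04:01:12 +0000] "GET /api/v1/admin/status HTTP/1.1" 401 0
192.0.2.44 - - [10/Jan/2024:04:01:13 +0000] "GET /api/v1/public/%2e%2e/%2e%2e/admin/status HTTP/1.1" 200 512
"""

# client ip, ident, user, [timestamp], "METHOD path PROTO", status, bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+$'
)
# A ".." segment anywhere in the decoded path: the path-manipulation half of the chain.
TRAVERSAL_RE = re.compile(r'(^|/)\.\.(/|$)')
# Shell metacharacters in the decoded request target: the command-injection half.
INJECTION_RE = re.compile(r'[;|`]|\$\(|&&')


def decode_path(path: str) -> str:
    """URL-decode twice so single- and double-encoded ../ and metacharacters are seen."""
    return unquote(unquote(path))


def classify(path: str) -> set:
    """Return the set of indicator tags ('traversal', 'injection') found in a request path."""
    decoded = decode_path(path)
    tags = set()
    if TRAVERSAL_RE.search(decoded):
        tags.add("traversal")
    if INJECTION_RE.search(decoded):
        tags.add("injection")
    return tags


def parse_line(line: str):
    """Parse one access-log line into a dict, or None if it does not match the assumed format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "ts": ts, "method": m["method"],
            "path": m["path"], "status": int(m["status"])}


def analyze(log_text: str, window: timedelta = timedelta(minutes=5)) -> dict:
    """Group indicator hits per client IP and flag clients that show both halves
    of the chain within `window`. Returns {ip: {indicators, chained, hits, successful}}."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        tags = classify(rec["path"])
        if tags:
            events[rec["ip"]].append((rec["ts"], tags, rec["status"]))

    findings = {}
    for ip, evs in events.items():
        evs.sort(key=lambda e: e[0])
        seen = set().union(*(tags for _, tags, _ in evs))
        chained = False
        for i, (ts_i, tags_i, _) in enumerate(evs):
            for ts_j, tags_j, _ in evs[i + 1:]:
                if ts_j - ts_i > window:
                    break  # later events are outside the window for this start point
                if (tags_i | tags_j) >= {"traversal", "injection"}:
                    chained = True
        findings[ip] = {
            "indicators": sorted(seen),
            "chained": chained,
            "hits": len(evs),
            # A 2xx/3xx on a traversal or injection path means the request was not rejected.
            "successful": sum(1 for _, _, status in evs if status < 400),
        }
    return findings


if __name__ == "__main__":
    for ip, f in analyze(SAMPLE_LOG).items():
        print(ip, f)
```

In the constructed sample, 203.0.113.10 triggers both indicators within two seconds and is flagged as a chained attempt; 192.0.2.44 only shows a double-encoded traversal after a 401, so it is reported but not flagged as chained. Shell metacharacters and `..` segments do occur in some legitimate traffic, so treat the output as a hunting lead to be confirmed against the appliance's own integrity checks, not as a verdict.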

Exploiting these vulnerabilities gives attackers initial access, after which they typically drop web shells (browser-reachable command shells on the appliance's web server), backdoor legitimate files on the device, harvest credentials passing through the VPN, and pivot into the target's internal resources. Because the appliance itself is the compromised host, patching alone does not evict an attacker who has already planted a web shell: the device has to be checked for tampering (Ivanti publishes an Integrity Checker Tool for this) and any credentials that passed through it rotated. Using the Intruforce service, such vulnerabilities can be identified and remediated before attackers exploit them.