MITRE disclosed that one of their research and development networks was compromised by a foreign nation-state threat actor in January 2024 using Ivanti Connect Secure zero-days CVE-2023-46805 and CVE-2024-21887. Networked Experimentation, Research, and Virtualization Environment (NERVE) is a collaborative network used for research, development, and prototyping. MITRE included a timeline, observed TTP methods (mapped out to MITRE ATT&CK techniques cc: @howelloneill) and their incident response actions. No IOC provided. 🔗 https://www.mitre.org/news-insights/news-release/mitre-response-cyber-attack-one-its-rd-networks and https://medium.com/mitre-engenuity/advanced-cyber-threats-impact-even-the-most-prepared-56444e980dc8 h/t @reverseics

cc: @campuscodi @briankrebs

#MITRE #Ivanti #ConnectSecure #CVE_2023_46805 #CVE_2024_21887 #threatintel #cyberespionage

@simontsui > From there, they moved laterally and dug deep into our network’s VMware infrastructure using a compromised administrator account. They employed a combination of sophisticated backdoors and webshells to maintain persistence and harvest credentials.

Hmm, the post doesn't explain how the initial VPN exploit leads to VMware admin compromise. Do you have a guess how they got the admin password? Keylogger on VPN --> admin AD password --> VMware on AD login?

@caspicat By linking to the Mandiant article Cutting Edge, Part 4: Ivanti Connect Secure VPN Post-Exploitation Lateral Movement Case Studies, MITRE might have unofficially acknowledged that they were the victim organization described in Mandiant's incident response.

Mandiant does not elaborate on how the threat actor compromised MITRE's VMware vCenter.

EDIT: However, by tying MITRE to Mandiant, it is safe to assume that the threat actor used a WARPWIRE credential harvester (or WARPWIRE variant) which "is embedded into a legitimate Connect Secure file. WARPWIRE targets plaintext passwords and usernames which are submitted via a HTTP GET request to a command and control (C2) server." https://cloud.google.com/blog/topics/threat-intelligence/suspected-apt-targets-ivanti-zero-day

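The WARPWIRE behaviour quoted above (plaintext usernames and passwords sent in the query string of an HTTP GET to a C2 host) is something a defender can hunt for in egress proxy or firewall logs from the appliance segment, because the request originates from the VPN appliance itself. The following Python script is an added example, not code from this thread, from MITRE or from Mandiant: it scans constructed sample proxy log lines for outbound GET requests whose query string carries credential-like parameter names to a host outside an egress allow-list. The log line format, the parameter-name list, the allow-listed hosts and the sample traffic are all assumptions made for the demo.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Egress allow-list for the VPN appliance segment (assumed; replace with the real one).
ALLOWED_HOSTS = {"updates.example-vendor.test", "ntp.example.test"}

# Query-parameter names that commonly carry credentials in plaintext (assumed list).
CRED_PARAMS = {"user", "username", "uid", "login", "pass", "password", "pwd", "passwd"}

# Minimal proxy-style line: "<timestamp> <src_ip> <method> <url> <status>" (assumed format).
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def parse_line(line):
    """Parse one proxy log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def credential_params(url):
    """Return the query-parameter names in url that look like credential fields."""
    query = urlsplit(url).query
    params = parse_qs(query, keep_blank_values=True)
    return sorted(name for name in params if name.lower() in CRED_PARAMS)


def flag_credential_exfil(lines, allowed_hosts=ALLOWED_HOSTS):
    """Return one alert per outbound GET whose query string carries credential-like
    parameters to a host that is not on the egress allow-list."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET":
            continue  # unparseable line, or not the GET-based exfil pattern
        host = urlsplit(rec["url"]).hostname or ""
        if host in allowed_hosts:
            continue  # known-good destination for this segment
        found = credential_params(rec["url"])
        if found:
            alerts.append({"ts": rec["ts"], "src": rec["src"], "host": host, "params": found})
    return alerts


# Constructed sample log lines for the demo (not real traffic; 203.0.113.0/24 is a documentation range).
SAMPLE_LOG = [
    "2024-01-05T10:00:01Z 10.10.1.5 GET http://updates.example-vendor.test/check?ver=22.3 200",
    "2024-01-05T10:00:07Z 10.10.1.5 GET http://203.0.113.42/up.php?username=jdoe&password=Winter2024 200",
    "2024-01-05T10:00:09Z 10.10.1.5 POST http://sso.example.test/login 302",
    "2024-01-05T10:00:12Z 10.10.1.5 GET http://203.0.113.42/img/logo.png 200",
    "2024-01-05T10:00:15Z 10.10.1.5 GET http://cdn.example.test/pkg?uid=4421&pwd=s3cret 200",
]

if __name__ == "__main__":
    for a in flag_credential_exfil(SAMPLE_LOG):
        print(f"[ALERT] {a['ts']} {a['src']} -> {a['host']} credential params in GET: {','.join(a['params'])}")
```

Run as-is it raises two alerts from the sample lines (the request to 203.0.113.42 and the one to cdn.example.test); the allow-listed vendor host and the POST to the SSO service are ignored. In practice the parameter-name list will fire on some legitimate applications, so the rule is best combined with destination reputation and with a tight, enumerated allow-list for what an appliance in that segment should ever reach.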
@simontsui Yep, that's why I guessed it's probably either VMware on AD login or password reuse (less likely). But I haven't worked with VMware things.