MITRE says it was hit by hackers exploiting Ivanti flaws

The non-profit research and development organization MITRE suffered a cyber attack early this year; the attack apparently hampered some operations, but no data was stolen.

In a breach notice published on the MITRE website late last week, CEO and President Jason Providakes explained what happened and what the organization was doing about it.

The organization apparently noticed suspicious activity in its Networked Experimentation, Research, and Virtualization Environment (NERVE), a collaborative network used for research, development, and prototyping.

Chinese threat actors

To get the incident under control, the organization took the NERVE environment offline, initiated an investigation and notified the relevant authorities. It is currently working to restore “operational alternatives for cooperation,” indicating that some operations were hampered by the attack.

Nothing else was said in the notice other than that a “foreign nation-state threat actor” was behind the attack. However, BleepingComputer found a separate advisory, published by MITRE CTO Charles Clancy and Cybersecurity Engineer Lex Crumpton, explaining that the attackers had chained two Ivanti Connect Secure zero-day vulnerabilities together to break into a MITRE Virtual Private Network (VPN).

Exploiting the two flaws also allowed the attackers to hijack user sessions, bypassing multi-factor authentication (MFA) and moving laterally through the compromised network.
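Session hijacking of the kind described above leaves a trace that defenders can look for: a session token that was minted after an MFA-verified login turns up from a second source address, or a session issues requests without any MFA-verified login ever being recorded for it. The following is an added illustration, not code from the article, from MITRE or from Ivanti; the log format, field names and sample lines are constructed assumptions, and the heuristic is written against them.

```python
import re
from collections import defaultdict

# Constructed sample VPN gateway log lines (assumed format, not real Ivanti or
# MITRE logs): timestamp, event, user, session id, source IP, optional mfa flag.
SAMPLE_LOG = """\
2024-01-10T08:01:12Z LOGIN user=alice sid=7f3a9c src=203.0.113.10 mfa=ok
2024-01-10T08:05:40Z REQUEST user=alice sid=7f3a9c src=203.0.113.10
2024-01-10T08:06:02Z REQUEST user=alice sid=7f3a9c src=198.51.100.77
2024-01-10T08:07:15Z LOGIN user=bob sid=c41e20 src=192.0.2.55 mfa=ok
2024-01-10T08:09:30Z REQUEST user=bob sid=c41e20 src=192.0.2.55
2024-01-10T08:11:00Z REQUEST user=carol sid=d00d11 src=198.51.100.77
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<event>[A-Z]+)\s+user=(?P<user>\S+)\s+sid=(?P<sid>\S+)"
    r"\s+src=(?P<src>\S+)(?:\s+mfa=(?P<mfa>\S+))?$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_suspicious_sessions(log_text):
    """Return {session_id: [reasons]} for sessions that look hijacked.

    Two heuristics:
      1. The same session id is used from more than one source IP.
      2. The session issues requests but no MFA-verified LOGIN was ever
         recorded for it on this gateway (token replayed from elsewhere).
    """
    sessions = defaultdict(lambda: {"srcs": set(), "mfa_login": False})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = sessions[rec["sid"]]
        s["srcs"].add(rec["src"])
        if rec["event"] == "LOGIN" and rec["mfa"] == "ok":
            s["mfa_login"] = True

    findings = {}
    for sid, s in sessions.items():
        reasons = []
        if len(s["srcs"]) > 1:
            reasons.append(
                "session used from multiple source IPs: " + ", ".join(sorted(s["srcs"]))
            )
        if not s["mfa_login"]:
            reasons.append("no MFA-verified login observed for this session")
        if reasons:
            findings[sid] = reasons
    return findings


if __name__ == "__main__":
    for sid, reasons in find_suspicious_sessions(SAMPLE_LOG).items():
        print(sid, "->", "; ".join(reasons))
```

On the constructed sample this flags alice's session (reused from a second IP after her MFA login) and carol's session (requests with no MFA-verified login on record), while bob's session passes. In a real deployment the same two rules would be run over the gateway's authentication and access logs, with the source-IP rule tuned for legitimate address changes such as mobile clients.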

Late last year, Ivanti alerted its users that it had discovered multiple security issues in its VPN products, including an authentication bypass vulnerability (CVE-2023-46805) and a command injection flaw (CVE-2024-21887). These flaws were used by various threat actors to deliver infostealers, malware, and ransomware to vulnerable targets.

Some researchers said Chinese state-sponsored threat actors were actively exploiting the flaws, while others warned that more than 2,000 Ivanti devices were being exploited to steal login credentials, session data and more. The sheer scale of the attacks even prompted the US Cybersecurity and Infrastructure Security Agency (CISA) to issue an emergency directive urging federal agencies to apply the patches immediately.
