At a glance.
- UK Ministry of Defense hacked by suspected Chinese threat actor.
- Chinese threat actor used Ivanti zero-days to access MITRE's prototyping network.
- Attack technique can bypass VPN encapsulation.
UK Ministry of Defense hacked by suspected Chinese threat actor.
A suspected Chinese threat actor compromised the UK Ministry of Defense's payroll system, gaining access to personal and financial information belonging to around 270,000 current and former armed forces members, POLITICO reports. Reuters quotes UK Prime Minister Rishi Sunak as saying, "There are indications that a malign actor has compromised the armed forces' payment network. I do want to reassure people that the Ministry of Defence has already taken the action of removing the network offline and making sure that people affected are supported in the right way."
Defence Secretary Grant Shapps will make a statement on the incident today, although he's not expected to directly attribute the hack to China. MP Tobias Ellwood told Sky News that China "was probably looking at the financially vulnerable with a view that they may be coerced in exchange for cash."
Chinese threat actor used Ivanti zero-days to access MITRE's prototyping network.
The MITRE Corporation has disclosed additional details of the attack it sustained via two Ivanti Connect Secure zero-days earlier this year. The organization says a "China-nexus espionage threat actor" used the zero-days to bypass multifactor authentication and gain access to MITRE’s Networked Experimentation, Research, and Virtualization Environment (NERVE). Once inside, "The adversary maneuvered within the research network via VMware infrastructure using a compromised administrator account, then employed a combination of backdoors and web shells to maintain persistence and harvest credentials." The threat actor then began exfiltrating data via the BUSHWALK web shell.
MITRE adds, "From February to mid-March, the adversary attempted lateral movement and maintained persistence within the NERVE. Despite unsuccessful attempts to pivot to other resources, the adversary persisted in accessing other virtual environments within Center."
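The MITRE write-up above turns on web shells used for persistence and exfiltration on an edge appliance. The following is an added example, not MITRE's tooling or any indicator from the incident: a defender-side triage heuristic that runs over HTTP access logs and surfaces paths that behave like a web shell endpoint (one client only, always POST, always 200, no Referer, non-browser User-Agent). The log lines, hosts, paths and user agents are constructed for the example; the `/api/v1/heartbeat` allowlist entry stands in for whatever legitimate automation exists in a real environment.

```python
"""Heuristic web-shell endpoint triage over HTTP access logs (added example)."""
import re
from collections import defaultdict

# Constructed sample in Combined Log Format. All addresses, paths and
# user agents are invented; none is an indicator from the MITRE incident.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Feb/2024:09:14:02 +0000] "GET /portal/welcome.cgi HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Feb/2024:09:14:10 +0000] "POST /portal/login.cgi HTTP/1.1" 302 0 "https://vpn.example.test/portal/welcome.cgi" "Mozilla/5.0"
10.0.0.9 - - [12/Feb/2024:10:00:00 +0000] "POST /api/v1/heartbeat HTTP/1.1" 200 2 "-" "monitor-agent/1.0"
10.0.0.9 - - [12/Feb/2024:10:05:00 +0000] "POST /api/v1/heartbeat HTTP/1.1" 200 2 "-" "monitor-agent/1.0"
203.0.113.9 - - [12/Feb/2024:23:41:07 +0000] "POST /api/v1/diag.cgi HTTP/1.1" 200 88 "-" "python-requests/2.31"
203.0.113.9 - - [12/Feb/2024:23:41:09 +0000] "POST /api/v1/diag.cgi HTTP/1.1" 200 4096 "-" "python-requests/2.31"
203.0.113.9 - - [13/Feb/2024:02:05:44 +0000] "POST /api/v1/diag.cgi HTTP/1.1" 200 12 "-" "python-requests/2.31"
10.0.0.7 - - [13/Feb/2024:08:00:01 +0000] "GET /portal/welcome.cgi HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one Combined Log Format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_webshell_candidates(lines, min_posts=2, allowlist=frozenset()):
    """Return sorted (path, client_ip, post_count) tuples for suspicious endpoints.

    A path is reported when it is visited by exactly one client, every request
    to it is a POST that returned 200 without a Referer, at least `min_posts`
    such requests exist, and the client never presents a browser-like UA.
    Paths in `allowlist` (known automation endpoints) are skipped.
    """
    by_path = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_path[rec["path"]].append(rec)

    findings = []
    for path, recs in by_path.items():
        if path in allowlist:
            continue
        clients = {r["ip"] for r in recs}
        # One client talking to a path nobody else touches ...
        if len(clients) != 1:
            continue
        # ... using only POST (no page navigation to it) ...
        if any(r["method"] != "POST" for r in recs) or len(recs) < min_posts:
            continue
        # ... always accepted, never reached from another page ...
        if any(r["status"] != 200 or r["referer"] != "-" for r in recs):
            continue
        # ... and from a non-browser client.
        if all("Mozilla" in r["ua"] for r in recs):
            continue
        findings.append((path, next(iter(clients)), len(recs)))
    return sorted(findings)


if __name__ == "__main__":
    for path, ip, n in find_webshell_candidates(
        SAMPLE_LOG.splitlines(), allowlist={"/api/v1/heartbeat"}
    ):
        print(f"review {path}: {n} bare POSTs from {ip}")
```

Run without the allowlist and the monitoring endpoint is reported too, which is the point of the parameter: this heuristic is a triage filter for analysts, not an alert by itself, and it needs a baseline of known automation paths taken from the appliance before the review window. Requests matching a flagged path should then be correlated with the appliance's own audit log and with any later administrator logons elsewhere, since the MITRE account pairs the web shells with a compromised admin account used for lateral movement.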