US and Norwegian security agencies issue joint advisory on ongoing exploitation of vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM)

US and Norwegian security agencies warn of ongoing exploitation of vulnerabilities in Ivanti EPMM by advanced persistent threat actors targeting Norwegian government ministries since April 2023.

US and Norwegian security agencies have issued a joint Cybersecurity Advisory (CSA) warning about the ongoing exploitation of two critical vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM). These vulnerabilities, CVE-2023-35078 and CVE-2023-35081 [1] [2] [3] [4] [5] [6] [7] [8] [9], have been targeted by advanced persistent threat (APT) actors since April 2023.

Description

These APT actors have specifically targeted Norwegian government ministries, using CVE-2023-35078 to access users’ personal information and gain control over vulnerable systems [9]. They have also exploited CVE-2023-35081 to affect the targeted devices. If both vulnerabilities are successfully exploited, an attacker with administrator access to EPMM can write arbitrary files with operating-system privileges [9].

The attackers have used compromised small office/home office (SOHO) routers, particularly ASUS devices, as proxies to reach their intended targets [9]. They have also tunneled traffic from the internet through Ivanti Sentry to at least one Exchange server that was not directly accessible [9]. A rogue Tomcat application named “mi.war” was discovered on Ivanti Sentry; it deletes log entries that contain a specific string [9]. The APT actors communicated with EPMM using a Firefox/107.0 user agent with both Linux and Windows platform strings.
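A defender-side check for the indicators in the paragraph above, added here as an example and not part of the advisory or of any Ivanti tooling: it scans constructed combined-format access-log lines for the Firefox/107.0 user agent on a Linux or Windows platform, counts hits per source address so a single proxying router stands out, and lists deployed Tomcat applications that are not on an allowlist. The log paths, addresses and allowlist names are assumptions.

```python
import re
from collections import Counter

# Combined log format: host, ident, user, [time], "request", status, size, "referer", "agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"$'
)

# Constructed sample log lines (hypothetical addresses and paths), not taken from any real deployment.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Jul/2023:08:01:12 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/107.0"
198.51.100.7 - - [12/Jul/2023:08:01:13 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 13.4) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.5 Safari/605.1.15"
203.0.113.10 - - [12/Jul/2023:08:01:20 +0000] "GET /api/devices HTTP/1.1" 200 8192 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/107.0"
192.0.2.55 - - [12/Jul/2023:08:02:01 +0000] "GET /status HTTP/1.1" 200 64 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:115.0) Gecko/20100101 Firefox/115.0"
"""

def parse_log(text):
    """Yield a dict per line that parses as a combined-format entry; skip anything else."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def is_indicator_ua(agent):
    """Match the advisory's observed user agent: Firefox/107.0 with a Linux or Windows platform token."""
    platform = agent.split(")")[0]  # text up to the end of the first parenthesised platform token
    return "Firefox/107.0" in agent and ("Linux" in platform or "Windows" in platform)

def flag_requests(text):
    """Return parsed entries whose user agent matches the indicator."""
    return [e for e in parse_log(text) if is_indicator_ua(e["agent"])]

def sources_by_hits(text):
    """Count flagged requests per source IP; a proxying SOHO router shows up as a repeat source."""
    return Counter(e["ip"] for e in flag_requests(text))

# Allowlist of web applications expected on the appliance (constructed placeholder names).
EXPECTED_WEBAPPS = {"ROOT", "manager"}

def find_rogue_webapps(deployed, expected=EXPECTED_WEBAPPS):
    """Return deployed application names not on the allowlist; 'mi.war' is the advisory's example."""
    return sorted(name for name in deployed if name.removesuffix(".war") not in expected)

if __name__ == "__main__":
    for e in flag_requests(SAMPLE_LOG):
        print(e["ip"], e["time"], e["request"], e["agent"])
    print(sources_by_hits(SAMPLE_LOG))
    print(find_rogue_webapps(["ROOT", "manager.war", "mi.war"]))
```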

Mobile device management (MDM) systems such as EPMM are attractive targets for APT actors because of their elevated access to large numbers of mobile devices [8]. Most internet-exposed EPMM servers are located in Germany, followed by the United States, the UK, France, Switzerland, the Netherlands, Hong Kong, Austria, China, and Sweden [9].

Ivanti released patches for the two vulnerabilities on July 23 and July 28, 2023, respectively [8], and organizations are advised to apply them [9]. The Cybersecurity and Infrastructure Security Agency (CISA) and the Norwegian National Cyber Security Centre (NCSC-NO) have issued advisories urging organizations to apply the patches and hunt for signs of compromise. They also recommend upgrading to the latest version of Ivanti EPMM and treating MDM systems as high-value assets that warrant additional restrictions and monitoring [5]. Organizations are further advised to require multi-factor authentication and to review their security procedures [9]. Federal Civilian Executive Branch (FCEB) agencies are required to remediate this vulnerability by August 21, 2023 [3].

Conclusion

The ongoing exploitation of the vulnerabilities in Ivanti EPMM poses significant risks to organizations, particularly those in the Norwegian government. It is crucial that organizations promptly apply the released patches and implement the recommended security measures to mitigate the threat. The incident also underlines the importance of treating MDM systems as high-value assets and protecting them with robust security controls. The identity of the threat group behind these attacks, and any nation-state affiliation, has not been disclosed, which raises concerns about future implications and the need for continued vigilance in the face of evolving cyber threats.

References

[1] https://www.infosecurity-magazine.com/news/cisa-in-new-warning-ivanti/
[2] https://www.cisa.gov/news-events/alerts/2023/07/28/ivanti-releases-security-updates-epmm-address-cve-2023-35081
[3] https://www.malwarebytes.com/blog/news/2023/08/ivanti-patches-second-zero-day-vulnerability-actively-used-in-attacks
[4] https://www.computerweekly.com/news/366546613/Ivanti-MDM-users-told-to-patch-against-two-dangerous-flaws
[5] https://gbhackers.com/cisa-ivanti-zero-day/
[6] https://agilitynetworks.com/ivanti-has-identified-and-released-patches-for-a-directory-traversal-vulnerability-cve-2023-35081-cwe-22-in-ivanti-endpoint-manager-mobile-epmm-this-vulnerability-allo/
[7] https://techcrunch.com/2023/08/02/ivanti-zero-day-exploit-april-government/
[8] https://cybersafenv.org/2023/08/01/threat-actors-exploiting-ivanti-epmm-vulnerabilities/
[9] https://www.linkedin.com/pulse/attacks-targeting-norwegian-organizations-continue-use-ivanti