Norway Says Ivanti Zero-Day Was Used to Hack Govt IT Systems

Cyber Security Threat Summary:
"The Norwegian National Security Authority (NSM) has confirmed that attackers used a zero-day vulnerability in Ivanti's Endpoint Manager Mobile (EPMM) solution to breach a software platform used by 12 ministries in the country. The Norwegian Security and Service Organization (DSS) said on Monday that the cyberattack did not affect Norway's Prime Minister's Office, the Ministry of Defense, the Ministry of Justice, and the Ministry of Foreign Affairs. The Norwegian Data Protection Authority (DPA) was also notified about the incident, indicating that the hackers might have gained access to and/or exfiltrated sensitive data from compromised systems, leading to a data breach. The Norwegian National Cyber Security Center (NCSC) also notified all known MobileIron Core customers in Norway about the existence of a security update to address this actively exploited zero-day bug (tracked as CVE-2023-35078)" (Bleeping Computer, 2023).

CVE-2023-35078 is an authentication bypass vulnerability in Ivanti's Endpoint Manager Mobile (EPMM) mobile device management software (formerly MobileIron Core). It allows remote threat actors to reach specific API paths without authenticating. According to an advisory released by CISA yesterday, "an attacker with access to these API paths can access personally identifiable information (PII) such as names, phone numbers, and other mobile device details for users on a vulnerable system." Furthermore, the attacker can "also make other configuration changes, including creating an EPMM administrative account that can make further changes to a vulnerable system."

Security Officer Comments:
Based on a Shodan scan, more than 2,900 MobileIron user portals are currently exposed to the internet, many of them belonging to U.S. local and state government agencies. The majority of the exposed servers are located in the United States, followed by Germany, the United Kingdom, and Hong Kong. Given the severity of the flaw (CVSS score: 10) and the active exploitation attempts in the wild, administrators should update affected EPMM systems as soon as possible.

Suggested Correction(s):
CVE-2023-35078 impacts all supported versions of Ivanti Endpoint Manager Mobile (EPMM): version 11.4 releases 11.10, 11.9 and 11.8. Older, unsupported versions are also at risk of exploitation. The vulnerability has been patched in versions 11.10.0.2, 11.9.1.1 and 11.8.1.1.
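The following script is an added example, not tooling from Ivanti, CISA or the original bulletin. It shows how an administrator can triage an inventory of EPMM servers against the fixed releases named above (11.10.0.2, 11.9.1.1 and 11.8.1.1): each version string is parsed into a numeric tuple, mapped to its release branch, and compared against the first fixed build for that branch. Branches older than 11.8 are reported as unsupported and at risk, as the bulletin states; branches newer than those it names are reported as "verify" because the bulletin says nothing about them. The hostnames and version strings in the sample inventory are constructed.

```python
"""Triage EPMM / MobileIron Core servers against the CVE-2023-35078 fixed releases.

Added example; not Ivanti's or CISA's tooling. Fixed releases are the three
named in the bulletin. Sample inventory below is constructed data.
"""
from __future__ import annotations

# First fixed build per supported release branch, as stated in the bulletin.
FIXED_RELEASES: dict[tuple[int, int], tuple[int, ...]] = {
    (11, 10): (11, 10, 0, 2),
    (11, 9): (11, 9, 1, 1),
    (11, 8): (11, 8, 1, 1),
}
OLDEST_SUPPORTED_BRANCH = (11, 8)

# Constructed sample inventory: hostname -> reported EPMM version string.
SAMPLE_INVENTORY = {
    "mdm-a.example.invalid": "11.10.0.2",
    "mdm-b.example.invalid": "11.9.1.0",
    "mdm-c.example.invalid": "11.8.1.1",
    "mdm-d.example.invalid": "11.7.0.1",
    "mdm-e.example.invalid": "11.10.0.1",
    "mdm-f.example.invalid": "11.11.0.0",
    "mdm-g.example.invalid": "unknown-build",
}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '11.9.1.1' into (11, 9, 1, 1); reject non-numeric components."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version string: {text!r}")
    return tuple(int(p) for p in parts)


def pad(version: tuple[int, ...], width: int = 4) -> tuple[int, ...]:
    """Right-pad with zeros so '11.9' compares as (11, 9, 0, 0)."""
    return version + (0,) * (width - len(version))


def assess(version_text: str) -> str:
    """Classify one version string against the fixed releases.

    Returns one of: patched, vulnerable, vulnerable-unsupported, verify, unknown.
    """
    try:
        version = pad(parse_version(version_text))
    except ValueError:
        return "unknown"
    branch = version[:2]
    if branch in FIXED_RELEASES:
        return "patched" if version >= FIXED_RELEASES[branch] else "vulnerable"
    if branch < OLDEST_SUPPORTED_BRANCH:
        # Bulletin: older, unsupported versions are also at risk.
        return "vulnerable-unsupported"
    # A branch newer than any the bulletin names: not covered here, check with the vendor.
    return "verify"


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group hostnames by assessment result, each list sorted for stable output."""
    groups: dict[str, list[str]] = {}
    for host, version_text in inventory.items():
        groups.setdefault(assess(version_text), []).append(host)
    return {status: sorted(hosts) for status, hosts in groups.items()}


if __name__ == "__main__":
    for status, hosts in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{status:24s} {', '.join(hosts)}")
```

Hosts in the "vulnerable" and "vulnerable-unsupported" groups are the ones to patch first; "unknown" entries usually mean the inventory source did not return a clean version string and the host needs a manual check before it can be ruled out.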

Link(s):
https://www.bleepingcomputer.com/
https://www.cisa.gov/news-events/
https://forums.ivanti.com/s/