October 2, 2023

Norwegian government authorities have revealed that a dozen government ministries had been targeted in a cyberattack involving a previously unknown vulnerability. 

Norway's National Security Authority later clarified that the attack involved the exploitation of CVE-2023-35078, a zero-day vulnerability impacting Ivanti’s Endpoint Manager Mobile (EPMM), formerly known as MobileIron Core.

EPMM is a widely used mobile management software engine that enables IT teams to set policies for mobile devices, applications, and content. This platform is used by all the Norwegian ministries except the Office of the Prime Minister, the Ministry of Defense, the Ministry of Justice and Public Security, and the Ministry of Foreign Affairs.

An advisory by Ivanti for CVE-2023-35078 states that the flaw is an unauthenticated API access issue that can be exploited by remote threat actors to potentially access users’ personally identifiable information and make limited changes to the server.

The authentication bypass vulnerability has been rated ‘critical’ and it impacts all supported versions, including 11.10, 11.9 and 11.8, as well as older releases.

Security researcher Kevin Beaumont has set up a honeypot to monitor CVE-2023-35078, and he has already been seeing exploitation attempts. The IoT search engine Shodan can find over 2,900 internet-facing EPMM user portals, mostly in the US and Europe.

Ivanti has faced criticism for initially deciding not to make its advisory public: it was initially behind a paywall, and exploitation information was hidden.

The US CISA has issued an alert clarifying that the zero-day can be exploited by an attacker with access to specific API paths to obtain information such as name, phone number and other mobile device details.

The configuration changes that can be made by an attacker include creating an admin account that can make other modifications to the targeted system. 

Ivanti has rushed to release a patch, and organizations have been advised to install it as soon as possible due to how easy it is to exploit the flaw. 
