A zero-day vulnerability (CVE-2023-35078) affecting Ivanti Endpoint Manager Mobile (EPMM) has been exploited to carry out an attack that affected 12 Norwegian ministries, the Norwegian National Security Authority (NSM) has confirmed on Tuesday.
What is known about the attacks?
On Monday, the Norwegian government said that the attack was detected on the ICT platform used by the 12 ministries, though it did not name the platform at the time.
The ICT platform – now confirmed to be Ivanti Endpoint Manager Mobile (formerly MobileIron Core) – is used by all the Norwegian ministries except the Office of the Prime Minister, the Ministry of Defence, the Ministry of Justice and Public Security and the Ministry of Foreign Affairs.
“We have detected a previously unknown vulnerability in one of our suppliers’ software. This vulnerability has been exploited by an unknown third party. This vulnerability has now been fixed. It is still too early to say anything about who is behind the attack or the extent of the attack. Our investigations and the police investigations will provide more answers,” said Erik Hope, Director General of the Norwegian Government Security and Service Organisation (DSS).
According to Reuters, the attack was spotted on July 12 due to “unusual” traffic on the vulnerable mobile endpoint management platform.
Since the Norwegian Data Protection Authority has also been notified about the attack, it’s likely that the attackers managed to access and/or steal sensitive data from the compromised platform.
About the vulnerability (CVE-2023-35078)
CVE-2023-35078 is an authentication bypass vulnerability that allows remote unauthenticated API access to specific paths.
“An attacker with access to these API paths can access personally identifiable information (PII) such as names, phone numbers, and other mobile device details for users on a vulnerable system. An attacker can also make other configuration changes, including creating an EPMM administrative account that can make further changes to a vulnerable system,” the Cybersecurity and Infrastructure Agency (CISA) explained.
Ivanti said on Monday that they have received information from a credible source indicating exploitation has occurred. “We are only aware of a very limited number of customers that have been impacted.”
CVE-2023-35078 affects all supported versions of EPMM (v11.10, 11.9 and 11.8) and older unsupported releases. The vulnerability has been patched in versions 11.10.0.2, 11.9.1.1 and 11.8.1.1.
The flaw has a “perfect” 10.0 CVSS score. Security researcher Kevin Beaumont says that it’s very easy to exploit and recommend admins to upgrade to a fixed version as soon as possible. “If you can’t get off EOL [end-of-life versions], switch off the appliance.”
IoT search engine Shodan can find over 2,900 internet-facing EPMM user portals, mostly in the US and Europe. Shadowserver shows similar results.
Beaumont says that a vast majority of organizations haven’t patched, including UK and US government orgs. He also says that he has set up a honeypot and it’s already being probed via the API.
Vulnerability disclosure
Rumors about an “Ivanti Endpoint Manager” zero-day being exploited in the wild floated around the internet half a day before Ivanti published the post telling users about the critical updates.
No known indicators of compromise have been publicly shared to allow customers to check whether the attackers hit more that just the Norwegian government.
“This vulnerability was unique, and was discovered for the very first time here in Norway. If we had released the information about the vulnerability too early, it could have contributed to it being misused elsewhere in Norway and in the rest of the world. The update is now generally available and it is prudent to announce what kind of vulnerability it is,” Sofie Nystrøm, director of the National Security Agency, said today.
The Norwegian National Cyber Security Center has notified all known system owners (businesses) in the country who have MobileIron Core available on the internet about the released security update.