Ivanti EPMM zero-day vulnerability exploited

Zero-day exploitation detected: Ivanti EPMM vulnerability used against Norwegian agencies

Advanced persistent threat (APT) hackers exploited a recently revealed critical vulnerability affecting Ivanti Endpoint Manager Mobile (EPMM) as a zero-day since at least April 2023 in attacks against Norwegian entities, including a government network.

The disclosure came through a joint advisory released by the Cybersecurity and Infrastructure Security Agency (CISA) and the Norwegian National Cyber Security Centre (NCSC-NO) on Tuesday. The exact identity or origin of the hackers is still unknown.

“The APT hackers have been using CVE-2023-35078 since at least April 2023,” the authorities informed. “They used compromised small office/home office (SOHO) routers, like ASUS routers, to proxy to the target infrastructure.”

CVE-2023-35078: An overview

It is a serious flaw that allows hackers to:

  • access personally identifiable information (PII) and make configuration changes on compromised systems
  • chain it with another vulnerability, CVE-2023-35081, to cause unintended consequences on targeted devices

What’s the most immediate impact?

Successful exploitation of these two vulnerabilities allows attackers with EPMM administrator privileges to:

  • write arbitrary files, such as web shells, with the operating system privileges of the EPMM web application server
  • tunnel internet traffic through Ivanti Sentry, an application gateway appliance supporting EPMM, to at least one Exchange server that was not accessible from the internet

It is currently unknown how they accomplished this.

Is Ivanti at risk of an imminent threat?

Further analysis found a WAR file called “mi.war” on Ivanti Sentry, described as a malicious Tomcat application that deletes log entries based on a specific string – “Firefox/107.0” – found in a text file.

“The APT hackers used Linux and Windows user agents with Firefox/107.0 to communicate with EPMM,” the agencies said. “Mobile device management (MDM) systems are attractive targets for hackers because they provide elevated access to thousands of mobile devices.”
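The advisory points defenders at one concrete artefact in their own telemetry: EPMM requests carrying a Firefox/107.0 user agent. The following is an added example (not from the advisory or from Ivanti) that parses Apache/Tomcat combined-format access logs and summarises, per source IP, every request whose user agent contains that indicator; the log lines, IPs and URL paths are constructed placeholders.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# User agent indicator named in the CISA/NCSC-NO advisory.
INDICATOR_UA = "Firefox/107.0"

# Apache/Tomcat "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

@dataclass
class SourceSummary:
    hits: int = 0
    first_seen: str = ""
    last_seen: str = ""
    paths: set = field(default_factory=set)

def find_indicator_hits(lines, indicator=INDICATOR_UA):
    """Return {client_ip: SourceSummary} for every request whose user agent
    contains the indicator string. Lines that do not parse are skipped."""
    summary = defaultdict(SourceSummary)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or indicator not in m["ua"]:
            continue
        s = summary[m["ip"]]
        s.hits += 1
        s.first_seen = s.first_seen or m["ts"]   # keep the earliest timestamp
        s.last_seen = m["ts"]                     # logs are read in order
        s.paths.add(m["path"])
    return dict(summary)

# Constructed sample log lines: documentation-range IPs, placeholder paths.
SAMPLE_LOG = [
    '203.0.113.10 - - [20/Apr/2023:03:12:44 +0000] "GET /example/admin HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0"',
    '198.51.100.7 - - [20/Apr/2023:03:13:01 +0000] "GET /example/login HTTP/1.1" 200 2048 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/112.0 Safari/537.36"',
    '203.0.113.10 - - [20/Apr/2023:03:14:09 +0000] "POST /example/admin HTTP/1.1" 200 64 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:107.0) Gecko/20100101 Firefox/107.0"',
    "garbage line that does not match the format",
]

if __name__ == "__main__":
    for ip, s in find_indicator_hits(SAMPLE_LOG).items():
        print(f"{ip}: {s.hits} hit(s), {s.first_seen} .. {s.last_seen}, paths={sorted(s.paths)}")
```

Because the mi.war component described above deletes log entries containing exactly this string, an empty result on the Sentry appliance is not a clean bill; run the same search over copies of the logs held off-box (SIEM, syslog relay, reverse proxy).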

Most of the 5,500 EPMM servers on the internet are in Germany, followed by the U.S., the U.K., France, Switzerland, the Netherlands, Hong Kong, Austria, China, and Sweden, as per Palo Alto Networks Unit 42.

[Chart: number of hosts running Ivanti Endpoint Manager Mobile (MobileIron Core), by version, where the version was obtainable. Source: Palo Alto Networks Unit 42]

At the end of the day…

To defend against the ongoing threat, organizations should apply the latest patches promptly, enforce phishing-resistant multi-factor authentication (MFA) for all staff and services, and validate security controls to test their effectiveness.

Organizations must also collaborate with security agencies to stay ahead of emerging threats. Only collective efforts can enable the best digital landscape.

Author: PureVPN

Date: August 3, 2023

PureVPN is a leading VPN service provider that excels in providing easy solutions for online privacy and security. With 6000+ servers in 65+ countries, it helps consumers and businesses keep their online identity secure.