The US Cybersecurity and Infrastructure Security Agency (CISA) and the Norwegian National Cyber Security Centre (NCSC-NO) published a joint security advisory providing more details on two zero-day vulnerabilities in Ivanti’s Endpoint Manager Mobile (EPMM) product that were exploited in the recent attacks on the Norwegian government.
The intrusion came to light on July 24, when the Norwegian authorities disclosed that at least 12 ministries were targeted in attacks exploiting a zero-day vulnerability (CVE-2023-35078) in the Ivanti Endpoint Manager Mobile (EPMM) software, formerly known as MobileIron Core.
Ivanti released a patch for CVE-2023-35078 on July 23, 2023. The company later revealed that threat actors could use CVE-2023-35078 in conjunction with another vulnerability, CVE-2023-35081. The vendor released a patch for the second vulnerability on July 28, 2023.
NCSC-NO observed possible chaining of CVE-2023-35081 and CVE-2023-35078 to compromise the infrastructure, upload web shells to the EPMM device, and run commands on it.
The two agencies say that an unnamed threat actor has exploited CVE-2023-35078 since at least April this year. To gain initial access to EPMM devices, the hackers compromised small office/home office (SOHO) routers, including ASUS routers.
The threat actor has also been observed tunneling traffic from the internet through Ivanti Sentry, an application gateway appliance that supports EPMM, to at least one Exchange server that was not accessible from the internet. The agency believes the attackers installed web shells on the Exchange server.
CISA’s advisory provides Indicators of Compromise (IoCs) associated with these attacks, as well as recommendations on how organizations can protect their networks against this threat.