2 August 2023

Cybersecurity authorities share more details on Ivanti hacks

The US Cybersecurity and Infrastructure Security Agency (CISA) and the Norwegian National Cyber Security Centre (NCSC-NO) have published a joint security advisory providing more details on two zero-day vulnerabilities in Ivanti’s Endpoint Manager Mobile (EPMM) product that were exploited in the recent attacks on the Norwegian government.

The intrusion came to light on July 24, when the Norwegian authorities disclosed that at least 12 ministries were targeted in attacks exploiting a zero-day vulnerability (CVE-2023-35078) in the Ivanti Endpoint Manager Mobile (EPMM) software, formerly known as MobileIron Core.

Ivanti released a patch for CVE-2023-35078 on July 23, 2023. The company later revealed that threat actors could use CVE-2023-35078 in conjunction with another vulnerability, CVE-2023-35081. The vendor released a patch for the second vulnerability on July 28, 2023.

NCSC-NO observed possible chaining of CVE-2023-35081 and CVE-2023-35078 to compromise the infrastructure, upload web shells to the EPMM device and run commands.

The two agencies say that an unnamed threat actor has exploited CVE-2023-35078 since at least April this year. To gain initial access to EPMM devices, the hackers compromised small office/home office (SOHO) routers, including ASUS routers.

The threat actor has also been observed tunneling traffic from the internet through Ivanti Sentry, an application gateway appliance that supports EPMM, to at least one Exchange server that was not accessible from the internet. The agency believes the attackers installed web shells on the Exchange server.

CISA’s advisory provides Indicators of Compromise (IoCs) associated with these attacks, as well as recommendations on how organizations can protect their networks against this threat.
