
August 1, 2023

CISA warns state-sponsored hackers are actively exploiting vulnerable Ivanti mobile endpoint managers


A week after Ivanti released a patch to address several flaws in its mobile device management software, Endpoint Manager Mobile (EPMM), the US Cybersecurity and Critical Infrastructure Agency (CISA) issued a warning that unpatched appliances are being exploited by state-sponsored actors.

The hackers are combining two of the vulnerabilities, designated CVE-2023-35078 and CVE-2023-35081, which enable authentication bypass and directory traversal, to deploy web shells and create administrator accounts. Successful exploitation allows threat actors to access API paths containing names, phone numbers, and other information related to mobile devices managed by the appliance.

Source: Bleeping Computer

Analysis

It’s not surprising that state-sponsored actors would target mobile endpoint management appliances like Ivanti EPMM since they are usually internet-facing and store sensitive information related to mobile devices and their owners. This information can prove very useful to a state’s signals intelligence (SIGINT) agency for tracking a user’s location and intercepting their communications.

Additionally, state-sponsored actors have a track record of compromising Ivanti’s mobile management solutions specifically. For example, in 2020, the UK’s National Cyber Security Centre (NCSC) warned that it was aware of nation-state groups actively using the MobileIron (former name of Ivanti) CVE-2020-1550 vulnerability to compromise networks in the healthcare, local government, logistics, and legal sectors.

Field Effect assesses that nation-state actors will continue to search for and compromise unpatched EPMM appliances belonging to targets of interest for as long as possible. With over 2,300 EPMM appliances deployed worldwide, and 588 located in the US, there is no shortage of potential targets to choose from.

Scan results for EPMM servers (Source: shodan.io)

Mitigation

Field Effect’s elite team of Security Intelligence professionals constantly monitors the cyber threat landscape for vulnerabilities discovered in devices and software like Ivanti EPMM. This research contributes to the timely deployment of signatures into Covalence to detect and mitigate the exploitation of these vulnerabilities. Covalence users are automatically notified when vulnerable software and devices are detected in their environment and are encouraged to review these AROs as quickly as possible.

Field Effect strongly encourages users of Ivanti EPMM to update to the latest version as soon as possible.
