Ivanti has released a patch for its mobile device management software, Endpoint Manager Mobile (EPMM), formerly known as MobileIron Core. The patch addresses an actively exploited zero-day authentication bypass, tracked as CVE-2023-35078, that lets an unauthenticated remote attacker reach API paths exposing personally identifiable information. The same flaw also lets threat actors create administrative accounts on the appliance, which they can then use to make further changes to the vulnerable system.
The Government of Norway has confirmed that unknown attackers used the zero-day vulnerability to breach 12 ministries in the country, adding that the hackers may have accessed and exfiltrated sensitive data from the compromised systems.
Source: Bleeping Computer
Analysis
With organizations increasingly adopting Bring Your Own Device (BYOD) policies, software such as Ivanti’s EPMM is used to let administrators monitor and manage the mobile devices that access the corporate network. The appliances running this software are usually internet-facing and store information about mobile devices and their owners, making them an appealing target for attackers seeking sensitive data, and a potential foothold into the network those devices connect to.
For example, in 2020 the UK’s National Cyber Security Centre (NCSC) warned that it was aware of nation-state groups and cyber criminals actively exploiting the MobileIron remote code execution vulnerability CVE-2020-15505 to compromise networks in the healthcare, local government, logistics and legal sectors.
According to Shodan, Norway hosts a considerable number of EPMM servers, so it is possible that Norway was targeted simply by opportunity. However, given Norway’s support of Ukraine, the apparent absence of a financial motive in this attack, and Russian state-sponsored cyber actors’ history of targeting Norway, it would not be surprising if Norway attributes this attack to Russia once its investigation is complete.
Heat map of EPMM servers (Source: shodan.io)
Mitigation
Field Effect’s team of Security Intelligence professionals constantly monitors the cyber threat landscape for vulnerabilities discovered in devices and software such as Ivanti EPMM. This research contributes to the timely deployment of signatures into Covalence to detect and mitigate exploitation of these vulnerabilities. Covalence users are automatically notified when vulnerable software and devices are detected in their environment and are encouraged to review these AROs (Actions, Recommendations and Observations) as quickly as possible.
Field Effect strongly encourages users of Ivanti’s EPMM to update to a patched version (11.8.1.1, 11.9.1.1 or 11.10.0.2 for the supported release lines at the time of writing; older lines have no fix and must be upgraded) as soon as possible. Because the vulnerability allows an attacker to create administrative accounts, patching alone does not evict an intruder who has already used it: administrators should also review the appliance’s admin accounts and API access logs for unexpected entries created before the patch was applied.
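A small inventory check along the lines of the notification described above, added here as an example and not code from Field Effect, Covalence or Ivanti. It compares EPMM version strings against the builds Ivanti published for CVE-2023-35078 and separates hosts that are patched, hosts on a supported line below the fixed build, and hosts on an older line that received no fix and must be upgraded. The fixed build numbers should be confirmed against Ivanti’s current advisory before use, since later releases superseded them; the hostnames and versions in the sample inventory are constructed.

```python
"""Classify Ivanti EPMM version strings against the CVE-2023-35078 fixed builds.

Added example, not Field Effect's or Ivanti's code. FIXED_BUILDS lists the
patched builds Ivanti published for this CVE at the time; verify them against
Ivanti's current advisory before relying on this in production.
"""

# Lowest build on each supported release line that contains the fix
# (major, minor) -> fixed (major, minor, patch, build).
FIXED_BUILDS = {
    (11, 8): (11, 8, 1, 1),
    (11, 9): (11, 9, 1, 1),
    (11, 10): (11, 10, 0, 2),
}

# Release lines newer than this are assumed to ship with the fix included.
NEWEST_FIXED_BRANCH = max(FIXED_BUILDS)


def parse_version(text: str) -> tuple:
    """Turn '11.9.1.0' (optionally with a '-suffix') into a 4-tuple of ints.

    Shorter strings such as '11.9.1' are padded with zeros so that they compare
    like '11.9.1.0'. Anything non-numeric raises ValueError rather than being
    silently treated as patched.
    """
    core = text.strip().split("-")[0]
    parts = core.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised EPMM version string: {text!r}")
    nums = tuple(int(p) for p in parts)
    return (nums + (0, 0, 0, 0))[:4]


def assess(version_text: str) -> str:
    """Return 'patched', 'vulnerable' or 'unsupported' for one version string.

    - patched:     on a supported line at or above the fixed build, or on a
                   newer release line than any listed here
    - vulnerable:  on a supported line but below the fixed build
    - unsupported: on a release line with no published fix; upgrade the line
    """
    version = parse_version(version_text)
    branch = version[:2]
    if branch > NEWEST_FIXED_BRANCH:
        return "patched"
    fixed = FIXED_BUILDS.get(branch)
    if fixed is None:
        return "unsupported"
    return "patched" if version >= fixed else "vulnerable"


def triage(inventory: dict) -> dict:
    """Group hostnames by status so vulnerable and unsupported hosts can be actioned first."""
    groups = {"patched": [], "vulnerable": [], "unsupported": []}
    for host, version_text in inventory.items():
        groups[assess(version_text)].append(host)
    return groups


if __name__ == "__main__":
    # Constructed sample inventory (hostname -> reported EPMM version); not real hosts.
    sample = {
        "mdm-01.example.test": "11.10.0.2",
        "mdm-02.example.test": "11.9.1.0",
        "mdm-03.example.test": "11.8.1.1",
        "mdm-04.example.test": "11.4.0.0",
        "mdm-05.example.test": "11.9.1",
    }
    for status, hosts in triage(sample).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

The check is deliberately strict about input: a version string it cannot parse raises rather than being classified, so a blank or malformed field in an inventory export is surfaced instead of being counted as patched. Hosts reported as "unsupported" need a line upgrade, not just a point release, and every host that was exposed before patching should still get the admin-account and log review described above.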