In July 2023 an attack on the Norwegian government was reported in which attackers exploited an Ivanti zero-day vulnerability.
Ivanti's Endpoint Manager Mobile (EPMM) product was exploited in an attack targeting the Norwegian government.
The country's authorities made a public announcement on 24 July 2023 that a number of government ministries had been targeted by malicious groups using a previously unknown zero-day vulnerability.
In a LinkedIn post, the country's National Security Authority made the public aware that the attack involved the exploitation of a previously unknown vulnerability, CVE-2023-35078. The attack is said to affect Ivanti's Endpoint Manager Mobile (EPMM), formerly known as MobileIron Core.
What is EPMM (End-Point Manager Mobile)?
In general terms, an "endpoint manager" is software or a system used to manage and control endpoints in a network, such as computers, mobile devices, or IoT devices.
It allows administrators to monitor, configure, update, and secure these devices remotely, and it is commonly used in IT environments to ensure devices are properly managed and secured.
Following the definition above, EPMM can be categorised as mobile device management software that allows IT security teams to set up security policies for mobile devices, mobile applications, and their contents.
Vulnerability Description: CVE-2023-35078
According to an article published on 24 July 2023 and modified on 25 July 2023, CVE-2023-35078 is an API access issue, an authentication bypass, that allows remote exploitation by malicious persons or groups.
Access by threat actors can potentially expose the personally identifiable information of legitimate customers and users of the Ivanti product, and can also allow the threat actor to make limited changes to the server.
Information released by Ivanti stated:
“We have received information from a credible source indicating exploitation has occurred. We continue to work with our customers and partners to investigate this situation.”
The company said it is aware that a limited number of its customers may have been impacted.
The authentication bypass vulnerability has a base score of 10.0 and is said to affect versions 11.10 and earlier.
Ivanti has released a patch, and organisations have advised users to install it as soon as they can.
Security researcher Kevin Beaumont disclosed on Mastodon that he had set up a honeypot to monitor for CVE-2023-35078 and was able to observe exploitation attempts.
Research by a Twitter user with the handle mRr3b00t shows that numerous exposed systems exist globally, mainly in the United States and Europe.
Ivanti is known to offer numerous services, including cybersecurity, and has faced criticism on Twitter for not disclosing the advisory to the public: it was placed behind a paywall, and information about the exploitation was withheld from the public.
CISA (the US Cybersecurity and Infrastructure Security Agency) has released an alert clarifying that the zero-day can be exploited by a threat actor with access to specific API paths to obtain personal information such as names, phone numbers, and other mobile device details.
Attackers are able to create privileged user accounts, such as an admin account, enabling them to make further modifications to the targeted system.
Please let us know your thoughts in the comment section.