CISA warns of hackers exploiting Ivanti EPMM vulnerabilities, after several Norwegian entities targeted

Responding to active exploitation of the CVE-2023-35078 and CVE-2023-35081 vulnerabilities, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Norwegian National Cyber Security Centre (NCSC-NO) jointly released a cybersecurity advisory this week. From at least April to July this year, advanced persistent threat (APT) actors used a critical vulnerability affecting Ivanti Endpoint Manager Mobile (EPMM) as a zero-day exploit to harvest data from a number of Norwegian organizations, while also gaining access to and compromising a Norwegian government agency's network.

The advisory disclosed that the vulnerability in Ivanti EPMM (formerly known as MobileIron Core) allows threat actors to access personally identifiable information (PII) and gain the ability to make configuration changes on compromised systems. It added that "CVE-2023-35081 enables actors with EPMM administrator privileges to write arbitrary files with the operating system privileges of the EPMM web application server. Threat actors can chain these vulnerabilities to gain initial, privileged access to EPMM systems and execute uploaded files, such as webshells."

Ivanti released a patch for CVE-2023-35078 on July 23 and later determined that hackers could use CVE-2023-35078 in conjunction with another vulnerability, CVE-2023-35081. The company released a patch for the second vulnerability on July 28.

NCSC-NO observed possible vulnerability chaining of CVE-2023-35081 and CVE-2023-35078. Identifying the second vulnerability as a directory traversal vulnerability in EPMM, the advisory disclosed that it enables hackers with EPMM administrator privileges to write arbitrary files, which the hackers can then execute.

The advisory provides indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) obtained by NCSC-NO investigations. 

Additionally, the advisory includes a nuclei template to identify unpatched devices and detection guidance organizations can use to hunt for compromise. “CISA and NCSC-NO encourage organizations to hunt for malicious activity using the detection guidance in this CSA. If potential compromise is detected, organizations should apply the incident response recommendations included in this CSA. If no compromise is detected, organizations should still immediately apply patches released by Ivanti,” it added. 

“CISA and NCSC-NO are concerned about the potential for widespread exploitation of both vulnerabilities in government and private sector networks because MDM systems provide elevated access to thousands of mobile devices,” the advisory said. “Threat actors, including APT actors, have previously exploited a MobileIron vulnerability.”

The APT hackers have exploited the CVE-2023-35078 vulnerability since at least April this year. NCSC-NO observed the hackers exploiting CVE-2023-35078 to obtain initial access to EPMM devices and perform arbitrary Lightweight Directory Access Protocol (LDAP) queries against the Active Directory (AD); retrieve LDAP endpoints; use API path to list users and administrators on the EPMM device; make EPMM configuration changes; and regularly check EPMM Core audit logs.

The advisory detailed that the APT hackers deleted some of their entries in Apache httpd logs using ‘mi[dot]war,’ a malicious Tomcat application that deletes log entries based on the string. The actors deleted log entries with the string and used Linux and Windows user agents with Firefox/107.0 to communicate with EPMM. Other agents were used; however, these user agents did not appear in the device logs. 
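The user-agent indicator and the log-tampering behaviour described above lend themselves to a simple hunt over Apache httpd access logs. The following Python script is an added example, not code from the advisory, CISA, NCSC-NO or Ivanti: it parses combined-format access log lines and flags requests whose user agent is a Linux or Windows Firefox/107.0 string. The log lines, IP addresses and request paths are constructed for the example; the regular expressions and the `hunt_user_agent`/`source_ips` helper names are assumptions of this example, not something the advisory specifies.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Apache "combined" log format, fields assumed in the standard order:
# ip ident authuser [timestamp] "request" status size "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Indicator summarised in the article: the actors used Linux and Windows
# user agents carrying Firefox/107.0. On its own this is a weak indicator
# (legitimate admins may run that build), so hits are leads, not verdicts.
SUSPECT_UA_RE = re.compile(r'\((?:X11; Linux|Windows NT)[^)]*\).*Firefox/107\.0\b')

# Constructed sample log lines (documentation-range IPs, placeholder path).
SAMPLE_LOG: List[str] = [
    '203.0.113.7 - - [12/Jun/2023:09:14:02 +0200] "GET /login HTTP/1.1" 200 1523 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0"',
    '198.51.100.23 - - [12/Jun/2023:09:15:41 +0200] "GET /login HTTP/1.1" 200 1523 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:107.0) Gecko/20100101 Firefox/107.0"',
    '192.0.2.44 - - [12/Jun/2023:09:16:05 +0200] "GET /login HTTP/1.1" 200 1523 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:115.0) Gecko/20100101 Firefox/115.0"',
    '192.0.2.44 - - [12/Jun/2023:09:16:30 +0200] "GET /login HTTP/1.1" 200 1523 "-" '
    '"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:107.0) Gecko/20100101 Firefox/107.0"',
]


@dataclass
class Hit:
    line_no: int
    ip: str
    ts: str
    path: str
    ua: str


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = COMBINED_RE.match(line.strip())
    return m.groupdict() if m else None


def hunt_user_agent(lines: List[str]) -> List[Hit]:
    """Flag every request whose user agent matches the Linux/Windows Firefox/107.0 pattern."""
    hits: List[Hit] = []
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec and SUSPECT_UA_RE.search(rec["ua"]):
            hits.append(Hit(n, rec["ip"], rec["ts"], rec["path"], rec["ua"]))
    return hits


def source_ips(hits: List[Hit]) -> List[str]:
    """Distinct client IPs behind the hits, sorted, for cross-checking against other log sources."""
    return sorted({h.ip for h in hits})


if __name__ == "__main__":
    found = hunt_user_agent(SAMPLE_LOG)
    for h in found:
        print(f"line {h.line_no}: {h.ip} {h.ts} {h.path} -> {h.ua}")
    print("source IPs to pivot on:", source_ips(found))
```

Because the actors deleted httpd log entries matching a chosen string, an empty result from this hunt is not evidence of absence: corroborate the access log against sources the appliance cannot rewrite, such as upstream proxy or firewall logs, and against the EPMM Core audit logs the advisory notes the actors were checking regularly.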

It is unconfirmed how the threat actors ran shell commands on the EPMM device; however, NCSC-NO suspects the actors exploited CVE-2023-35081 to upload webshells on the EPMM device and run commands. The APT actors tunneled traffic from the internet through Ivanti Sentry, an application gateway appliance that supports EPMM, to at least one Exchange server that was not accessible from the internet. It is unknown how they tunneled traffic. NCSC-NO observed that the network traffic used the TLS certificate of the internal Exchange server. The APT hackers likely installed webshells on the Exchange server. 

Commenting on the data breach, Cydome wrote in a blog post that “the vulnerability was in one of the government’s third-party platforms, @Ivanti’s mobile endpoint management system, that allows users to access the Norwegian government network. By exploiting the vulnerability, attackers could remotely access users’ information, including emails, without requiring credentials.”

The post added that the breach only came to light when unusual data traffic was detected, raising a red flag. “It still remains unclear who is responsible for the hack; however, it is worth noting that a recent attack in Norway was attributed to Russia-linked group, Killnet.”

CISA and NCSC-NO recommend organizations upgrade Ivanti EPMM versions to the latest version as soon as possible. Organizations using unsupported versions (i.e., versions prior to 11.8.1.0) should immediately upgrade to a supported version. The document also suggests treating MDM systems as high-value assets (HVAs) with additional restrictions and monitoring. 

MDM systems provide elevated access to thousands of hosts and should be treated as HVAs with additional restrictions and monitoring. It added that organizations must follow best cybersecurity practices in production and enterprise environments, including mandating phishing-resistant multi-factor authentication (MFA) for all staff and services.

In addition to applying mitigations, CISA and NCSC-NO recommend exercising, testing, and validating the organization's security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. CISA recommends testing the existing inventory of security controls to assess how they perform against the ATT&CK techniques.
