Norway Alerts About Active Exploitation of Ivanti EPMM Vulnerabilities

The Cybersecurity and Infrastructure Security Agency (CISA) and the Norwegian National Cyber Security Centre (NCSC-NO) have issued a joint Cybersecurity Advisory (CSA) to address the ongoing exploitation of vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM), previously known as MobileIron Core. The vulnerabilities, designated as CVE-2023-35078 and CVE-2023-35081, have been exploited by advanced persistent threat (APT) actors, resulting in data compromise and unauthorized network access.

CVE-2023-35078 is a critical vulnerability allowing unauthenticated access to specific application programming interface (API) paths, enabling attackers to retrieve personally identifiable information (PII) and make configuration changes on compromised systems. CVE-2023-35081 is a directory traversal vulnerability, permitting threat actors with administrator privileges to write arbitrary files, including potentially malicious webshells, on the EPMM web application server.

The Norwegian authorities observed that APT actors exploited CVE-2023-35078 as a zero-day vulnerability between April 2023 and July 2023. The attackers targeted multiple Norwegian organizations and even gained unauthorized access to a Norwegian government agency’s network. Ivanti released patches for these vulnerabilities on July 23, 2023, and July 28, 2023, respectively.

NCSC-NO identified possible vulnerability chaining, in which the two vulnerabilities were exploited in tandem to gain initial privileged access to EPMM systems, posing serious risks to both government and private-sector networks. Attacker activity included performing LDAP queries against Active Directory, retrieving LDAP endpoints, listing users and administrators on compromised EPMM devices, and modifying EPMM configurations, among other actions.

To aid organizations in addressing this threat, the advisory provides indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) that NCSC-NO investigations have revealed. In addition, it offers detection guidance to assist organizations in hunting for signs of compromise. CISA and NCSC-NO strongly encourage prompt application of Ivanti’s released patches to mitigate potential threats and vulnerabilities.

For a more comprehensive understanding of the ongoing situation, organizations are urged to refer to the official statements from CISA and NCSC-NO, which provide detailed technical information, mitigation strategies, and further recommended actions.