Ivanti zero-day allowed hackers to infiltrate Norwegian government IT systems

A rare Zero-Day vulnerability exploited in Ivanti's EPMM software


A previously unknown security vulnerability in Ivanti's Endpoint Manager Mobile (EPMM) has recently been exploited by cybercriminals, enabling them to breach the IT systems of 12 Norwegian government ministries.[1] The breach was discovered and confirmed by the Norwegian National Security Authority (NSM) and the Norwegian Security and Service Organization (DSS).

The Prime Minister's Office, Ministry of Defense, Ministry of Justice, and Ministry of Foreign Affairs were reportedly unaffected by the breach. The newly discovered flaw, designated CVE-2023-35078,[2] is a rare zero-day vulnerability, so named because it was exploited before a fix was available.

Sofie Nystrøm, the director of the National Security Authority (NSM), stated that the vulnerability was unique and that details were initially withheld to prevent the information from being misused, both in Norway and globally. She noted:[3]

This vulnerability was unique, and was discovered for the very first time here in Norway. If we had released the information about the vulnerability too early, it could have contributed to it being misused elsewhere in Norway and in the rest of the world.

NSM took swift action to notify all known MobileIron Core customers in Norway (MobileIron Core is the former name of EPMM) about a critical security update that addresses the actively exploited zero-day vulnerability.

The unsettling reach of the security vulnerability

CVE-2023-35078 is an authentication bypass vulnerability: a flaw that lets remote attackers reach specific API paths without supplying any credentials. It affects all versions of Ivanti's EPMM software, including supported, unsupported, and end-of-life releases.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a warning detailing the significant risks posed by the vulnerability.[4] Unauthenticated users could read personally identifiable information (PII), such as names and phone numbers, and make configuration changes. That access extends to creating an EPMM administrative account, which opens the door to further changes on a vulnerable system and so amplifies the threat.
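The two behaviours CISA describes (successful API calls that carry no authenticated principal, followed by creation of an administrative account) leave a recognisable trail in server logs. The script below is an added example written for this article, not Ivanti's code or the real EPMM log format: the space-separated log layout, the `/api/` prefix and the `/api/v1/admins` creation path are assumptions, and the sample lines are constructed. Substituting your own product's access-log format and API paths turns it into a quick post-patch triage check.

```python
"""Triage helper: find API requests that succeeded without an authenticated
user, and admin-account creations, in a hypothetical MDM access log.
Added example; log format and paths are assumptions, not EPMM's real ones."""
import re
from collections import Counter

# Constructed sample log. Assumed format: timestamp src_ip method path status user=<name|->
# "user=-" means the request was served without any authenticated principal.
SAMPLE_LOG = """\
2023-07-24T08:00:01Z 198.51.100.7 GET /portal/login 200 user=-
2023-07-24T08:00:05Z 198.51.100.7 POST /portal/login 302 user=-
2023-07-24T08:00:09Z 198.51.100.7 GET /api/v1/devices 200 user=alice
2023-07-24T08:13:42Z 203.0.113.50 GET /api/v1/users 200 user=-
2023-07-24T08:13:44Z 203.0.113.50 GET /api/v1/users/export 200 user=-
2023-07-24T08:14:01Z 203.0.113.50 POST /api/v1/admins 201 user=-
2023-07-24T08:20:00Z 192.0.2.9 GET /api/v1/users 401 user=-
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"(?P<status>\d{3}) user=(?P<user>\S+)$"
)

API_PREFIX = "/api/"                 # hypothetical: prefix of the product's REST API
ADMIN_CREATE_PATH = "/api/v1/admins"  # hypothetical: endpoint that creates admin accounts


def parse_log(text):
    """Parse the constructed log format into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            event = m.groupdict()
            event["status"] = int(event["status"])
            events.append(event)
    return events


def unauthenticated_api_successes(events):
    """API calls answered with 2xx although no user was authenticated.
    A login page served to an anonymous visitor is normal; a 2xx on an API
    path with user=- is the footprint an authentication bypass leaves."""
    return [
        e for e in events
        if e["path"].startswith(API_PREFIX)
        and 200 <= e["status"] < 300
        and e["user"] == "-"
    ]


def admin_account_creations(events):
    """Successful POSTs to the admin-creation endpoint, authenticated or not."""
    return [
        e for e in events
        if e["method"] == "POST"
        and e["path"] == ADMIN_CREATE_PATH
        and 200 <= e["status"] < 300
    ]


def summarize(text):
    """Return counts and source addresses a responder would want first."""
    events = parse_log(text)
    hits = unauthenticated_api_successes(events)
    return {
        "unauth_api_hits": len(hits),
        "sources": dict(Counter(e["ip"] for e in hits)),
        "admin_creations": [e["ip"] for e in admin_account_creations(events)],
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the constructed sample the script reports three unauthenticated API successes, all from 203.0.113.50, and one admin-account creation from the same address; the 401 from 192.0.2.9 is correctly ignored because the server refused it. In a real review, any non-empty `admin_creations` list dated after first exposure deserves an account audit regardless of whether the request looked authenticated, since an attacker who already created an admin account will use it for subsequent requests.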

Ivanti, recognizing the gravity of the situation, issued an urgent call to action for its customers, urging immediate measures to ensure comprehensive protection and warning that the zero-day vulnerability was being actively exploited. The total number of impacted customers and the extent of data exfiltration remain undisclosed at this point:[5]

We have received information from a credible source indicating exploitation has occurred. We continue to work with our customers and partners to investigate this situation.

We are only aware of a very limited number of customers that have been impacted. We are actively working with our customers and partners to investigate this situation.

Urgent measures needed

Ivanti has promptly developed and released a security patch for this zero-day vulnerability. The patch is the primary countermeasure for limiting the damage and securing vulnerable systems, but the full extent of the potential damage remains uncertain.

Shodan's Internet exposure scanning platform has found more than 2,900 MobileIron user portals exposed to the Internet globally.[6] With a significant number of these servers located in the United States, Germany, the United Kingdom, and Hong Kong, the urgency of installing the Ivanti EPMM patches and securing these systems is at an all-time high.

In recent years, Norway has experienced a number of significant cyberattacks, including ones perpetrated by state-sponsored hackers from Russia and China, emphasizing the ongoing challenges in the realm of cybersecurity.[7]

The Ivanti zero-day vulnerability breach serves as a potent reminder of the evolving threat landscape, underlining the vital importance of robust and agile cybersecurity measures. This incident further underscores the necessity for vigilance among network administrators and the urgency of timely software updates to protect sensitive systems and data from future attacks.

Organizations must place an increased emphasis on securing their systems, ensuring they are updated regularly and equipped to respond to emerging threats. As the case of the Ivanti vulnerability has shown, the fallout from these attacks can be far-reaching and potentially devastating, necessitating a culture of constant vigilance and proactive defense strategies.

About the author
Ugnius Kiguolis
Ugnius Kiguolis is a professional malware analyst who is also the founder and the owner of 2-Spyware. At the moment, he takes over as Editor-in-chief.
