Hackers exploited a zero-day flaw in Ivanti’s mobile endpoint management software undetected for at least three months, U.S. and Norwegian cybersecurity agencies have warned.
It was confirmed last week that hackers had compromised multiple Norwegian government agencies by exploiting a previously undiscovered vulnerability in Ivanti Endpoint Manager Mobile (EPMM; formerly MobileIron Core), software that is also used by government departments across the United States and the United Kingdom.
While the impact of the cyberattacks on Norway’s ministries remains unknown, successful exploitation of the flaw — tracked as CVE-2023-35078 — allows unauthenticated access to users’ personal information and the ability to make changes to the vulnerable server. CISA warned last week that the flaw could be exploited to create an admin account on a vulnerable server, allowing for further server configuration changes.
CISA, along with the Norwegian National Cyber Security Centre (NCSC-NO), on Tuesday released an advisory warning that attackers have been abusing the zero-day flaw since as far back as April before exploitation was first discovered.
The advisory explains that unnamed government-backed actors “leveraged compromised small office/home office (SOHO) routers, including ASUS routers,” as proxies to conceal the source of their attacks. It also warns that hackers are leveraging a second vulnerability, tracked as CVE-2023-35081, which reduces the complexity of executing attacks. In an advisory published on Friday, Ivanti warned that the new remote arbitrary file write bug could allow a threat actor to remotely create, modify, or delete files in the Ivanti EPMM server, and said it can be used in conjunction with the previous flaw to bypass administrator authentication restrictions.
Ivanti released a patch for the first zero-day on July 23 and another for the vulnerability on July 28. CISA added both flaws to its catalog of Known Exploited Vulnerabilities, giving federal civilian agencies until August 21 to apply patches.
CISA and NCSC-NO also urged agencies to use the advisory to search their systems for potential compromise and immediately report any issues.
CISA noted that government-backed actors have been known to exploit previous MobileIron vulnerabilities and previously linked intrusions to Chinese state-sponsored hackers. “Consequently, CISA and NCSC-NO are concerned about the potential for widespread exploitation in government and private sector networks,” the advisory says.
Ivanti chief security officer Daniel Spicer declined to comment on attribution or motivation. “What we can say is that threat actors continue to mature their tactics, balancing dogged persistence and patience with sophisticated use of exploits, tools and emerging technologies,” said Spicer.
In a now-public knowledge base article, the company notes “we are only aware of a very limited number of customers that have been impacted,” suggesting the list of victims extends beyond the Norwegian government.
According to Shodan, a search engine for publicly exposed devices, there are still more than 2,200 MobileIron portals exposed to the internet, the majority of which are located in the United States.
Updated with comment from Ivanti.