APT Group Exploits Zero-Day Vulnerabilities in Ivanti’s EPMM Product, Compromises Norwegian Government Networks

In recent months, a zero-day vulnerability in Ivanti’s Endpoint Manager Mobile (EPMM) product has been extensively exploited by an advanced persistent threat (APT) group. Since April 2023, this APT group has been taking advantage of the vulnerability, compromising several Norwegian organizations and even gaining access to and compromising a Norwegian government agency’s network.

Discovery of Attacks

The cyberattacks involving the exploitation of the zero-day vulnerability, known as CVE-2023-35078, came to light on July 24, when Norwegian authorities announced that a dozen government ministries had fallen victim to a targeted cyberattack. During the investigation, Ivanti confirmed that CVE-2023-35078 could be paired with another vulnerability, tracked as CVE-2023-35081, to bypass authentication and access control list (ACL) restrictions.

APT group exploitation

According to an advisory published by the Cybersecurity and Infrastructure Security Agency (CISA) and the National Cyber Security Centre – Norway (NCSC-NO), the APT group had been exploiting CVE-2023-35078 as a zero-day vulnerability since at least April 2023. Their primary objectives were to gather critical information from various Norwegian organizations and compromise the network of a government agency.

Chaining of vulnerabilities

The chaining of the two EPMM vulnerabilities allows hackers to gain privileged access to the system and execute uploaded files, including the deployment of malicious webshells. Moreover, the attacker employed compromised small office/home office (SOHO) routers, specifically highlighting Asus routers, as a proxy to obfuscate their activities and further enhance their access and control.

Concerns of widespread exploitation

CISA and NCSC-NO have expressed grave concerns about the potential for widespread exploitation of both vulnerabilities in government and private sector networks. This is because Mobile Device Management (MDM) systems, like EPMM, provide elevated access to thousands of mobile devices, making them an attractive target for malicious actors seeking to compromise sensitive data and gain unauthorized control.

Advisory and Mitigations

In response to these critical vulnerabilities, CISA and NCSC-NO have issued an advisory containing detailed information and resources to enable organizations to protect themselves. Their advisory includes indicators of compromise (IoCs), instructions for determining vulnerabilities, incident response steps, and recommended mitigations. It is essential for organizations to swiftly apply the provided mitigations and stay vigilant in monitoring their systems.

Future Exploitation Possibilities

Given the vast number of potentially vulnerable systems and the availability of proof-of-concept (PoC) code for the vulnerabilities, there is a heightened risk of further exploitation. The APT group’s success, combined with the increasing availability of PoC code, poses a significant threat to organizations that have not yet addressed the vulnerabilities in their EPMM installations. Urgent action must be taken to patch and secure all affected systems.

EPMM Overview

Endpoint Manager Mobile (formerly known as MobileIron Core) is a powerful mobile management software engine used by IT teams to set policies for mobile devices, applications, and content. It simplifies device management and enhances security. However, like any technology, vulnerabilities can emerge that require prompt attention to prevent exploitation and subsequent compromise.

The recent exploitation of these zero-day vulnerabilities in Ivanti’s EPMM product by an APT group serves as a stark reminder of the evolving threat landscape and the need for constant vigilance. Organizations must prioritize patch management, vulnerability identification, and robust security measures. By promptly addressing vulnerabilities, staying informed of emerging threats, and implementing recommended mitigations, organizations can significantly minimize the risk of falling victim to sophisticated cyber attacks.

Explore more

Ethereum Uses AI Swarms to Proactively Patch Network Flaws

The architectural integrity of global decentralized networks has reached a pivotal juncture where the speed of malicious exploitation often outpaces the traditional cadence of human-led security audits. To address this widening gap, The Ethereum Foundation has fundamentally transitioned its security strategy from a reactive model to an automated, proactive defense paradigm that leverages the power of machine learning. This shift

How Is ERP Modernization Driving DLA to Audit Readiness?

The Defense Logistics Agency currently manages an intricate global supply chain that serves as the backbone for the United States military, requiring an unprecedented level of financial precision and operational transparency to meet modern oversight requirements. This massive undertaking involves a transition from aging, siloed legacy systems to a unified Enterprise Resource Planning environment designed to provide real-time visibility into

What Makes Odyssey Infostealer a Global Threat to macOS?

The long-standing myth that macOS remains immune to sophisticated cyberattacks has been decisively shattered by the emergence of the Odyssey infostealer, a highly specialized malware variant engineered to bypass modern system integrity protections. This transition represents a fundamental shift in the threat landscape, where the historical security-by-obscurity advantage once enjoyed by Apple users has entirely vanished. As the adoption of

Can AI Secure Windows Without Compromising Stability?

The sheer scale of modern software development has reached a point where manual code review is no longer sufficient to protect the billions of devices running Windows across the globe. As lines of code multiply and interdependencies become more complex, traditional security measures are struggling to keep pace with the rapid evolution of sophisticated digital threats. In response to this

Xero Launches JAX to Redefine Accounting with Agentic AI

Small business owners have historically spent an exhausting amount of time tethered to spreadsheets and receipts, but the emergence of agentic AI is finally turning those static records into a living, breathing financial command center that operates with minimal human oversight. With more than five million global subscribers now integrated into its ecosystem, Xero is spearheading a movement toward Accountable