Unknown hackers exploited a zero-day vulnerability in Ivanti’s software for central management of corporate mobile devices and successfully conducted a cyberattack on the assets of 12 Norwegian government agencies. The developer has fixed the bug, but the resources of several thousand other organizations could still be at risk.
The Norwegian Organization for Security and Services (DSS) said the attack compromised IT platforms used by 12 ministries. Their names were not given, but it added that the incident had no impact on the resources of the prime minister’s office or the ministries of defence, justice and foreign affairs. DSS also reported that the cyberattack was possible due to “a previously unknown vulnerability in one of the vendors’ software.” The Norwegian National Security Agency (NSM) then added that the vulnerability was in Ivanti Endpoint Manager Mobile (EPMM, formerly known as MobileIron Core).
Ivanti EPMM enables authorized users and devices to access corporate and government networks. The vulnerability, CVE-2023-35078, allows the authentication procedure to be bypassed and affects all supported and unsupported versions of the program deployed before its detection. If the vulnerability is exploited, anyone can remotely access mobile device users’ personal information (names, phone numbers and other data) and make changes to the compromised server. The US Cybersecurity and Infrastructure Protection Agency (CISA) also clarified that the vulnerability allows attackers to create accounts with administrative privileges in compromised systems and make changes to the platform.
Ivanti security director Daniel Spicer said the company promptly released software updates to address the vulnerability and reached out to customers to help them install the update. He also said that the company “reaffirmed its commitment to providing and supporting safe products by implementing responsible disclosure protocols”. At the same time, Ivanti hid detailed information about the vulnerability, which was rated 10 out of 10, behind a “paywall”: access to the knowledge base requires a customer account, according to TechCrunch.
The true extent of the incident is still unknown: according to the search service Shodan, more than 2,900 Ivanti MobileIron portals are currently reachable from the Internet, most of them belonging to American customers.