Recent intelligence reports have revealed that advanced persistent threat (APT) actors have been actively exploiting a critical vulnerability in the Ivanti Endpoint Manager Mobile (EPMM) since at least April 2023. These attacks have specifically targeted entities in Norway, including governmental networks, prompting urgent advisories from cybersecurity authorities.

This information was highlighted in a joint advisory issued by the Cybersecurity and Infrastructure Security Agency (CISA) and the Norwegian National Cyber Security Centre (NCSC-NO). While details on the identity and origin of the threat actors remain elusive, the nature of the attack underscores significant risks to organizations relying on mobile device management systems.

The vulnerability, designated CVE-2023-35078, allows malicious actors to obtain personally identifiable information (PII) and make unauthorized changes to system configurations. CISA emphasized that threat actors have utilized compromised small office/home office (SOHO) routers, notably ASUS devices, as proxies to reach their targets, indicating a methodical approach to system infiltration.

Additionally, CISA and NCSC-NO noted a second vulnerability, CVE-2023-35081, which can be chained with the first, with severe consequences for affected devices. By chaining the two vulnerabilities, adversaries gain significant control and can perform arbitrary file modifications, including deploying web shells under the privileges of the EPMM web application server.

Analysis has revealed that these attackers have been funneling internet traffic through the Ivanti Sentry, an application gateway that supports EPMM, to access at least one Exchange server that was previously inaccessible from the internet. The precise mechanisms behind this evasion tactic are still under investigation.

Furthermore, a malicious WAR file identified as “mi.war” was discovered on Ivanti Sentry, designed to delete log entries that contain a specific string related to user-agent configurations. This indicates an attempt to obscure the attack trail, complicating incident response efforts.