Prepare for plenty more pain from Ivanti's MDM flaws, warn cyber agencies

Invaders already spent four or more months frolicking inside Norwegian government servers

Intruders who exploited a critical Ivanti bug to compromise 12 Norwegian government agencies spent at least four months looking around the organizations' systems and stealing data before the intrusion was discovered and stopped.

In a joint advisory issued on Tuesday, the US government's Cybersecurity and Infrastructure Security Agency (CISA) and the Norwegian National Cyber Security Centre detailed the attack, and warned of the "potential for widespread exploitation" of Ivanti's software in both government and enterprise networks.

Essentially, either these systems have already been compromised via Ivanti's buggy code, or will be if IT staff aren't on top of patching.

The exploited security bug lay within Ivanti's Endpoint Manager Mobile or EPMM, formerly known as MobileIron Core. It's a mobile device management (MDM) product – a class of tool that's an extremely attractive target for snoops because finding one hole in the management code can potentially provide access to thousands of smartphones, tablets, and portable computers.

Chinese state-sponsored hackers previously exploited an older MobileIron bug.

Neither Ivanti nor Norway has said who was behind the recent exploitation or speculated about their motivations.

But what is known is that on July 24 Norway's national security officials revealed miscreants had exploited a zero-day to compromise a software platform used by almost all of the country's government agencies – with the exception of the prime minister's office, the Ministry of Defense, the Ministry of Justice and Emergency Preparedness, and the Ministry of Foreign Affairs.  

Initially, the Norwegians didn't name the vendor – which we now know is Ivanti – nor the particular product: Endpoint Manager Mobile. 

Later that day in July, Ivanti confirmed spies had exploited CVE-2023-35078 – a remote authentication bypass vulnerability within its device management suite – and said a patch for the vulnerability had been released a day earlier.

The flaw allows unauthenticated snoops to access specific API paths, allowing them to pull down personal information and screw around with people's devices.

"Threat actors with access to these API paths can access PII such as names, phone numbers, and other mobile device details of users on the vulnerable system; make configuration changes to vulnerable systems; push new packages to mobile endpoints; and access Global Positioning System (GPS) data if enabled," said CISA and its partners.

Shortly after Ivanti fessed up to the security snafu on July 24, Norway confirmed that yes, unknown snoops had used the flaw.

But wait, there's more

Four days later, Ivanti released a patch for a second EPMM vulnerability – CVE-2023-35081. This is a flaw that could be used by logged-in administrators to upload arbitrary files to an EPMM web app server. Someone could use this to upload a webshell to a vulnerable deployment, run it, and remotely control the backdoored box.

By chaining the two flaws, criminals can bypass authentication, upload files as an administrator, and then run those files to hijack the management system itself as well as its connected mobile devices.

In the joint advisory, CISA said the nation-state backed intruders exploited CVE-2023-35078 in April, if not earlier. 

"The actors leveraged compromised small office/home office (SOHO) routers, including ASUS routers, to proxy to target infrastructure," the advisory, dated August 1, read.

Specific to the Norwegian government breach: the attackers exploited CVE-2023-35078, and then performed nefarious acts including accessing LDAP resources, listing users and administrators of the devices, making some EPMM configuration changes, and regularly checking the audit logs – probably to see if these activities had been detected.

They also uploaded mi[dot]war, a malicious Tomcat application that deletes log entries, and used that to delete those with the string Firefox/107.0.
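Log scrubbing of this kind only shows up if a second copy of the logs exists off the box. The sketch below is an added example, not code from the advisory or from Ivanti: it compares a forwarded copy of an access log with what remains on the appliance and reports the removed entries that carry the Firefox/107.0 string. It assumes combined-format access logs and a separate log collector; the IP addresses, paths and timestamps are constructed sample data.

```python
import re
from collections import Counter

UA_MARKER = "Firefox/107.0"  # string the advisory says was scrubbed from logs

# Assumption: access logs use the common "combined" format.
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

def sample_line(ip, ts, req, status, ua):
    return f'{ip} - - [12/Apr/2023:{ts} +0000] "{req} HTTP/1.1" {status} 64 "-" "{ua}"'

# Constructed sample data: documentation IP ranges, placeholder paths.
FX = "Mozilla/5.0 (X11; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0"
CR = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/112.0.0.0"
FORWARDED = [  # copy held by a remote log collector
    sample_line("198.51.100.7", "08:01:10", "GET /placeholder/a", 200, FX),
    sample_line("192.0.2.15", "08:02:00", "GET /placeholder/b", 200, CR),
    sample_line("198.51.100.7", "08:03:45", "POST /placeholder/c", 200, FX),
    sample_line("192.0.2.15", "08:05:00", "GET /placeholder/d", 404, CR),
    sample_line("192.0.2.44", "08:06:30", "GET /placeholder/e", 200, CR),
]
ON_BOX = [FORWARDED[1], FORWARDED[3]]  # what is left on the appliance

def missing_entries(forwarded, on_box):
    """Multiset difference: lines the collector saw that the box no longer has."""
    remaining = Counter(line.strip() for line in on_box)
    missing = []
    for line in (l.strip() for l in forwarded):
        if remaining[line] > 0:
            remaining[line] -= 1  # matched one on-box copy of this line
        else:
            missing.append(line)
    return missing

def summarize(forwarded, on_box, marker=UA_MARKER):
    """Count removed lines and isolate those whose user agent holds the marker."""
    missing = missing_entries(forwarded, on_box)
    parsed = (COMBINED.match(line) for line in missing)
    hits = [m.groupdict() for m in parsed if m and marker in m["ua"]]
    return {
        "missing_total": len(missing),
        "missing_with_marker": len(hits),
        "source_ips": sorted({h["ip"] for h in hits}),
        "first_seen": hits[0]["ts"] if hits else None,
        "last_seen": hits[-1]["ts"] if hits else None,
    }
```

Removed lines without the marker, like the last sample entry, may just reflect rotation or a forwarding mismatch; a cluster of removed lines sharing one user agent is the pattern worth escalating.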

While the government agencies could not confirm how the miscreants ran shell commands on EPMM infrastructure, NCSC-NO suspects they exploited CVE-2023-35081 to upload a webshell and used that to execute commands.

Additionally, the criminals "tunneled traffic from the internet through Ivanti Sentry, an application gateway appliance that supports EPMM, to at least one Exchange server that was not accessible from the internet," the agencies said.

In a separate analysis published on Friday, Palo Alto Networks' Unit 42 said it found 5,500 Ivanti Endpoint Manager Mobile servers on the internet, spread across 85 nations. 

"A dozen or so countries had a single server present at the time of our scan, but many countries had dozens each, if not hundreds," the researchers said, noting that both Germany and the US had more than 1,000 servers apiece. ®
