Norwegian institutions, including government networks, have been the target of ongoing attacks that have exploited a critical vulnerability in Ivanti Endpoint Manager Mobile (EPMM) as a zero-day since at least April 2023.
This revelation comes from a joint advisory issued on Tuesday by the Cybersecurity and Infrastructure Security Agency (CISA) and the Norwegian National Cyber Security Centre (NCSC-NO). The identity and origin of the threat actor remain unknown.
“The threat actors exploited CVE-2023-35078 from April 2023 onward,” the authorities noted. “The attackers exploited compromised small office/home office (SOHO) routers, including ASUS routers, as a proxy to target infrastructures.”
CVE-2023-35078 is a critical vulnerability that grants threat actors access to personally identifiable information (PII) and allows them to make configuration changes on compromised systems. It can be chained with a second vulnerability, CVE-2023-35081, to trigger unintended effects on the targeted devices.
Successful exploitation of these vulnerabilities enables adversaries with EPMM administrator rights to write arbitrary files, such as web shells, with the operating system privileges of the EPMM web application server.
The attackers were also observed tunnelling traffic from the internet through Ivanti Sentry, an application gateway appliance that supports EPMM, to an Exchange server that was not directly reachable from the internet; how this was achieved remains unknown.
Further investigations uncovered a malicious WAR file called “mi.war” on Ivanti Sentry, identified as a harmful Tomcat application that erases log entries based on a specific string – “Firefox/107.0” – located in a text file.
“The threat actors used Linux and Windows user agents with Firefox/107.0 to communicate with EPMM,” the agencies mentioned. “Mobile device management (MDM) systems are lucrative targets for threat actors as they provide elevated access to thousands of mobile devices.”
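As an added defensive illustration (not from the advisory or this article), the snippet below scans access-log lines for the Firefox/107.0 user agent the agencies associate with the activity, and compares an off-appliance copy of the log with the local one so that entries a scrubber such as mi.war has deleted on the box still surface. The log lines, IP addresses and request paths are constructed samples.

```python
import re

# Constructed combined-format access-log lines; not taken from the advisory.
# Two requests carry the Firefox/107.0 user agent, one is an ordinary request.
FORWARDED_LOG = [
    '203.0.113.5 - - [12/Jul/2023:10:01:22 +0000] "GET /login HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:115.0) Gecko/20100101 Firefox/115.0"',
    '198.51.100.7 - - [12/Jul/2023:10:02:05 +0000] "GET /api HTTP/1.1" 200 2048 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0"',
    '198.51.100.7 - - [12/Jul/2023:10:02:09 +0000] "POST /api HTTP/1.1" 200 128 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:107.0) Gecko/20100101 Firefox/107.0"',
]

# The on-appliance copy after a scrubber removed every line containing the marker,
# which is the behaviour the advisory attributes to mi.war.
LOCAL_LOG = [line for line in FORWARDED_LOG if "Firefox/107.0" not in line]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_marker_requests(lines, marker="Firefox/107.0"):
    """Return parsed entries whose User-Agent contains the marker string."""
    hits = []
    for line in lines:
        entry = parse(line)
        if entry and marker in entry["ua"]:
            hits.append(entry)
    return hits


def find_scrubbed_entries(local_lines, forwarded_lines):
    """Lines present in the off-box copy but missing locally: evidence of on-box deletion."""
    local = set(local_lines)
    return [line for line in forwarded_lines if line not in local]


if __name__ == "__main__":
    for e in find_marker_requests(FORWARDED_LOG):
        print("marker UA:", e["ip"], e["ts"], e["req"])
    for line in find_scrubbed_entries(LOCAL_LOG, FORWARDED_LOG):
        print("scrubbed locally:", line[:60])
```

The comparison only works if logs are shipped off the appliance before an attacker can edit them, so the forwarded copy must be written to a collector the appliance cannot modify.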
Palo Alto Networks Unit 42 reports that the majority of the 5,500 EPMM servers exposed on the internet are located in Germany, followed by the U.S., the U.K., France, Switzerland, the Netherlands, Hong Kong, Austria, China, and Sweden.