A dozen Norwegian government ministries suffered a cyber attack exploiting a zero-day vulnerability in Ivanti Endpoint Manager Mobile (EPMM), the Norwegian National Security Authority (NSM) has disclosed.
Discovered in Norway and awaiting further analysis, CVE-2023-35078 is an authentication bypass vulnerability allowing remote unauthenticated API access by an attacker with knowledge of API paths.
Ivanti’s zero-day vulnerability impacted a dozen government ministries
The Norwegian National Security Authority confirmed that 12 Norwegian government ministries suffered a cyber attack stemming from the Ivanti EPMM zero-day vulnerability. The agency has not divulged the threat actor’s identity or the government ministries impacted.
Nevertheless, it disrupted service delivery operations within the impacted government ministries after severing email communications and mobile services.
The Norwegian Data Protection Authority was notified of the cyber attack, and police have begun investigating, suggesting that potential data exfiltration occurred.
In addition to the undisclosed government ministries, a “very limited number of customers that have been impacted” by the Ivanti cyber attack, the company disclosed.
According to Ted Miracco, CEO of Approov, the successful cyber attack on government ministries demonstrated that public sector organizations still need to keep up with the attackers’ tactics.
“This MobileIron exploitation demonstrates how governments are struggling to stay ahead of sophisticated hackers,” noted Miracco.
Norway averted a worse Ivanti cyber attack
Norwegian authorities said the delay in disclosing the Ivanti zero-day vulnerability reduced the cyber attack’s impact in Norway and other countries.
“This vulnerability was unique, and was discovered for the very first time here in Norway. If we had released the information about the vulnerability too early, it could have contributed to it being misused elsewhere in Norway and in the rest of the world,” said Sofie Nystrøm, director general of the Norwegian National Security Authority.
“Upon learning of the vulnerability, we immediately mobilized resources to fix the problem and have a patch available now for supported versions of the product. For customers on an earlier version, we have an RPM script to assist in remediation,” said Ivanti.
However, cybersecurity researcher Kevin Beaumont said most organizations impacted by the Ivanti zero-day are yet to apply patches, leaving them vulnerable to exploitation.
Shodan probes discovered over 2,900 internet-exposed user portals, mainly in Germany, the United States, and the United Kingdom, with over two dozen linked to U.S. State, local, tribal, and territorial (SLTT) entities.
Critical zero-day vulnerability CVE-2023-35078 could leak PII
While the zero-day vulnerability awaits further analysis, HackerOne has categorized it as a critical bug with a perfect CVSS score of 10.0.
Additionally, it impacts all Ivanti Endpoint management devices software (formerly MobileIron Core), including end-of-life versions.
According to a U.S. Cybersecurity and Infrastructure Security Agency (CISA) alert, an attacker could leverage the bug to access personal information such as names, phone numbers, and other mobile device details for users on a vulnerable system without authentication.
Additionally, they could configure EPMM user and administrative accounts to further exploit a vulnerable system.