Norwegian Entities Targeted in Ongoing Attacks Exploiting Ivanti EPMM Vulnerability

Norwegian Entities Targeted in Ongoing Attacks Exploiting Ivanti EPMM Vulnerability

Advanced persistent threat (APT) actors exploited a recently disclosed critical flaw impacting Ivanti Endpoint Manager Mobile (EPMM) as a zero-day since at least April 2023 in attacks directed against Norwegian entities, including a government network.

“The APT actors have exploited CVE-2023-35078 since at least April 2023,” the authorities said. “The actors leveraged compromised small office/home office (SOHO) routers, including ASUS routers, to proxy to target infrastructure.’

CVE-2023-35078 refers to a severe flaw that allows threat actors to access personally identifiable information (PII) and gain the ability to make configuration changes on compromised systems. It can be chained with a second vulnerability, CVE-2023-35081, to cause unintended consequences on targeted devices.

Successful exploitation of the twin vulnerabilities makes it possible for adversaries with EPMM administrator privileges to write arbitrary files, such as web shells, with operating system privileges of the EPMM web application server.

The attackers have also been observed tunneling traffic from the internet through Ivanti Sentry, an application gateway appliance that supports EPMM, to at least one Exchange server that was not accessible from the internet, although it’s currently unknown how this was accomplished.

A majority of the 5,500 EPMM servers on the internet are located in Germany, followed by the U.S., the U.K., France, Switzerland, the Netherlands, Hong Kong, Austria, China, and Sweden, according to Palo Alto Networks Unit 42.

To mitigate against the ongoing threat, it’s recommended that organizations apply the latest patches as soon as possible, mandate phishing-resistant multi-factor authentication (MFA) for all staff and services, and validate security controls to test their effectiveness.