Malware & Threats: Ivanti Zero-Day Exploited by APT Since at Least April in Norwegian Government Attack
Summary
A recently patched zero-day vulnerability in Ivanti's Endpoint Manager Mobile (EPMM) product has been exploited by an advanced persistent threat (APT) group since at least April 2023, targeting the Norwegian government. The vulnerability, tracked as CVE-2023-35078, allows an unauthenticated attacker to obtain personally identifiable information and make changes to impacted systems. The APT actors have also exploited a second vulnerability, tracked as CVE-2023-35081, which can bypass authentication and access control list restrictions. The APT group used compromised SOHO routers, including Asus routers, as a proxy to upload webshells on the EPMM devices. The US Cybersecurity and Infrastructure Security Agency (CISA) and the Norwegian National Cyber Security Centre (NCSC-NO) have issued a joint advisory with indicators of compromise (IoCs), system vulnerability checks, incident response steps, and mitigations.
Background
Ivanti's EPMM, formerly known as MobileIron Core, is a mobile management software engine used by IT teams to set policies for mobile devices, applications, and content. The recent attacks on the Norwegian government highlight the risks associated with mobile device management (MDM) systems, which hold elevated access to thousands of mobile devices. The exploitation of zero-day vulnerabilities like CVE-2023-35078 and CVE-2023-35081 can lead to breaches of sensitive information, device compromise, and unauthorized access to government and private sector networks.
APT Exploitation and Proxy Attacks
The APT group targeted Norwegian organizations by exploiting CVE-2023-35078 as a zero-day vulnerability from April to July 2023. The goal was to gather information and compromise a Norwegian government agency’s network. By chaining the two EPMM vulnerabilities, the attackers were able to gain privileged access to the system and execute uploaded files, including webshells. According to the advisory from NCSC-NO, the APT group likely exploited CVE-2023-35081 to upload webshells and run commands on the compromised devices. The use of compromised SOHO routers, especially Asus routers, as a proxy allowed the attackers to obfuscate their activities and further hide their identity.
Concerns and Recommendations
CISA and NCSC-NO have expressed concerns regarding the potential for widespread exploitation of the Ivanti vulnerabilities in government and private sector networks. The elevated access MDM systems hold over thousands of mobile devices makes them attractive targets for adversaries. Organizations using Ivanti's EPMM or similar MDM systems should take immediate action to mitigate the risks. Steps to consider include:
– Applying the relevant patches and updates provided by Ivanti to address the vulnerabilities.
– Conducting vulnerability assessments to identify any potential weaknesses in MDM systems and their configurations.
– Implementing strong access control measures, including multi-factor authentication, to protect against unauthorized access.
– Monitoring network traffic and system logs for any suspicious activities or indicators of compromise.
– Providing employees with cybersecurity awareness training to recognize and report phishing attempts or other social engineering tactics.
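The monitoring step above is the one a practitioner can turn into a concrete check. The script below is an added example, not code from the advisory or from Ivanti: it scans web-server access logs for two things the summary describes, successful requests to protected API paths that carry no authenticated user (the CVE-2023-35078 pattern of unauthenticated access), and requests from source addresses that appear in an IoC list (the compromised SOHO routers used as proxies). The log format, the `/api/` prefix, the sample lines and the IoC address are all constructed for this example; in practice the IoC set is populated from the CISA/NCSC-NO advisory and the prefix from the product's real API layout.

```python
"""Detection sketch for unauthenticated API success and IoC-sourced requests.

Added example: the log format below is constructed and is NOT EPMM's real
log format; the IoC list and the protected prefix are placeholders.
"""
import re
from dataclasses import dataclass

# Constructed access-log lines:  <ip> <user-or-"-"> "<method> <path> <proto>" <status>
SAMPLE_LOG = """\
10.0.0.5 admin "GET /api/v1/devices HTTP/1.1" 200
198.51.100.23 - "GET /api/v1/devices HTTP/1.1" 200
198.51.100.23 - "POST /api/v1/admin/settings HTTP/1.1" 200
10.0.0.9 - "GET /api/v1/devices HTTP/1.1" 401
10.0.0.9 - "GET /login HTTP/1.1" 200
203.0.113.77 - "GET /api/v1/users HTTP/1.1" 200
"""

# Placeholder IoC set; in practice load the addresses published in the advisory.
SUSPECTED_PROXY_IPS = {"203.0.113.77"}

# Hypothetical path prefixes that must never return success to an anonymous caller.
AUTH_REQUIRED_PREFIXES = ("/api/",)

LOG_RE = re.compile(r'^(\S+) (\S+) "(\S+) (\S+) [^"]*" (\d{3})$')


@dataclass(frozen=True)
class Finding:
    ip: str
    path: str
    reason: str


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, user, method, path, status = m.groups()
    return {
        "ip": ip,
        "user": None if user == "-" else user,
        "method": method,
        "path": path,
        "status": int(status),
    }


def analyze(log_text, ioc_ips=SUSPECTED_PROXY_IPS):
    """Flag (a) 2xx responses on protected paths with no authenticated user,
    and (b) any request whose source address is on the IoC list."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        unauth_success = (
            rec["user"] is None
            and 200 <= rec["status"] < 300
            and rec["path"].startswith(AUTH_REQUIRED_PREFIXES)
        )
        if unauth_success:
            findings.append(Finding(rec["ip"], rec["path"],
                                    "unauthenticated success on protected API"))
        if rec["ip"] in ioc_ips:
            findings.append(Finding(rec["ip"], rec["path"],
                                    "source matches advisory IoC"))
    return findings


def sources_to_triage(findings):
    """Unique source IPs to hand to incident response (e.g. to check the
    appliance for uploaded files or webshells)."""
    return sorted({f.ip for f in findings})


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.ip:15} {f.path:28} {f.reason}")
    print("triage:", sources_to_triage(analyze(SAMPLE_LOG)))
```

The first rule is deliberately independent of any specific exploit path: an anonymous caller receiving a 2xx from an endpoint that should require a session is the observable consequence of an authentication bypass whatever the vulnerable URL turns out to be, so it keeps working when the IoC list is stale. The two outputs feed the advisory's incident response steps, in which the flagged sources are the starting point for checking the appliance itself.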
Editorial: Strengthening Defense Against Advanced Threats
The recent cyberattack on the Norwegian government, exploiting zero-day vulnerabilities and using compromised routers as proxies, underscores the evolving sophistication of advanced persistent threat (APT) actors. These attackers go to great lengths to exploit vulnerabilities, penetrate networks, and maintain persistent access for extended periods. Their targeting of government agencies raises concerns about the potential impact on national security and citizen privacy.
To combat this rising threat landscape, governments and organizations must prioritize investments in cybersecurity defenses, information sharing, and targeted intelligence analysis. The collaboration between CISA and NCSC-NO in publishing the joint advisory serves as a model for effective international cooperation in addressing cyber threats. Such partnerships enhance our collective ability to prevent and respond to attacks, as well as share best practices and insights.
In addition to proactive defense measures, it is crucial for organizations to address the root causes of vulnerabilities. Software vendors should prioritize secure coding practices, rigorous vulnerability testing, and timely patch management to minimize the risk of zero-day exploits. Meanwhile, organizations should adopt a holistic approach to cybersecurity that encompasses risk assessment, employee training, network segmentation, incident response planning, and ongoing monitoring. Cybersecurity should be an ongoing effort, evolving along with the threat landscape to stay one step ahead of adversaries.
Philosophical Discussion: The Vulnerability Dilemma
The discovery and exploitation of zero-day vulnerabilities pose a complex ethical and philosophical dilemma. On one hand, these vulnerabilities can be exploited by malicious actors to cause significant harm, as demonstrated in the Norwegian government attack. On the other hand, their discovery and disclosure can lead to the development of patches and preventive measures that enhance overall cybersecurity.
The debate centers around the responsible disclosure of vulnerabilities. Security researchers face the challenge of balancing the need to report vulnerabilities promptly with the potential risk of enabling malicious actors. In many cases, responsible researchers provide vendors with a grace period to develop and release patches before disclosing the vulnerability publicly. However, not all vulnerabilities are promptly addressed, leaving organizations at risk.
To address this dilemma, there is a need for increased coordination and collaboration between security researchers, vendors, and government agencies. Timely patching, responsible disclosure policies, and bug bounty programs can incentivize security researchers to report vulnerabilities to vendors, helping organizations improve their security posture. Additionally, increased investment in cybersecurity research and training can contribute to the discovery and mitigation of vulnerabilities before they are exploited.
Internet Security: Addressing the Evolving Threat Landscape
The incident involving Ivanti's zero-day exploits and the Norwegian government highlights the need for organizations to continually adapt and strengthen their internet security measures. As technology evolves and adversaries become more advanced, traditional security measures alone are no longer sufficient.
To protect against advanced threats, organizations should consider the following internet security best practices:
1. Patch Management:
Regularly apply vendor-provided patches and updates to address known vulnerabilities. Establish a patch management process that includes testing and timely deployment to minimize the window of exposure.
2. Network Segmentation:
Implement network segmentation to limit lateral movement within the network. By separating critical systems and data from general network traffic, organizations can contain the impact of a potential breach.
3. Multifactor Authentication:
Implement multifactor authentication (MFA) across all systems and applications. MFA adds an extra layer of security by requiring users to provide additional verification, such as a unique code sent to their mobile device, in addition to a traditional password.
4. Employee Education and Awareness:
Train employees on cybersecurity best practices, including identifying phishing attempts, practicing good password hygiene, and reporting suspicious activities. Regularly communicate updates on emerging threats and educate employees on the potential risks associated with their actions.
5. Incident Response Planning:
Develop and test an incident response plan to ensure that the organization is prepared to effectively respond to and contain a cyber incident. Regularly review and update the plan based on lessons learned from previous incidents or exercises.
6. Ongoing Monitoring and Threat Intelligence:
Leverage threat intelligence feeds and monitoring tools to identify and respond to potential threats in real time. Conduct regular security assessments, penetration testing, and vulnerability scans to identify weaknesses in the organization's defenses.
By adopting a comprehensive and proactive approach to internet security, organizations can mitigate the risks posed by advanced threats and better protect their sensitive data and systems.
Overall, the incident involving Ivanti's zero-day exploits and the Norwegian government serves as a stark reminder of the importance of internet security in an increasingly digital world. Addressing vulnerabilities, investing in cybersecurity defenses, and fostering collaboration are essential to staying ahead of sophisticated adversaries and safeguarding our critical systems and information.