It has been reported that Ivanti EPMM vulnerabilities such as CVE-2023-35078 and CVE-2023-356081 are exploited by threat actors to gain access to sensitive personal and business information. In fact, Advanced persistent threat actors exploited such vulnerabilities from April 2023 through July 2023 to gain information about Norwegian organisations and compromise the country’s agency network. Consequently, the Cybersecurity and Infrastructure Security Agency and the Norwegian National Cyber Security Centre have released a joint advisory.
On July 23, 2023, Ivanti issued a patch for CVE-2023-35078 and another on July 28, 2023, for the second vulnerability. CVE-2023-35078 happens to be a critical vulnerability that has affected Ivanti Endpoint Manager Mobile, and allows threat actors to access sensitive personal information and then configure the compromised systems. Malicious actors can use these vulnerabilities to gain access to EPMM systems and execute files, such as webshells.
Note: Additionally, you may read the vulnerability summary reports recorded by a string of regulatory agencies, such as the National Institute of Standards and Technology, and others.
According to Ravin Prasad, CEO of Cybernetic Global Intelligence, a globally accredited cybersecurity support service, these systems are targeted by malicious actors because they offer access to several mobile devices and APT actors. Hence, the Cybersecurity and Infrastructure Security Agency (CISA) and the Norwegian National Cyber Security Centre (NCSC) are worried about the potential of such elements to exploit government and private sector networks.
The advisory offers indicators of compromise, techniques, tactics, and procedures that were obtained by NCSC investigations. It also includes a template to detect unpatched devices and detection guidance that organisations can utilise to identify compromised systems. Both CISA and NCSC encourage organisations to look for malicious activity using their detection guidance. And if organisations detect any compromise, then they should apply the patches offered by Ivanti.
What Is CVE-2023-35078 Vulnerability?
Formerly known as MobileIron Core, CVE-2023-35078 is a critical authentication bypass vulnerability that affects Ivanti Endpoint Manager Mobile (EPMM). It allows unauthorised and unauthenticated access to the application programming interface (API) paths. When malicious actors get access to such API paths, they are able to access personally identifiable information, such as names, mobile device details, and phone numbers of users. These pieces of information can enable threat actors to configure changes to vulnerable systems, access global positioning system data, and push new packages. As per Ivanti, CVE-2023-35078 can be attached to a second vulnerability, such as CVE-2023-35081, to enable threat actors with EPMM privileges to write arbitrary files, such as webshells.
Use Cases of APT Actors
To understand the severity of the problem, it is important to know the acts performed by APT actors. Since April 2023, these actors have exploited CVE-2023-35078 and compromised small office routers, such as ASUS routers, to target infrastructure. After exploiting CVE-2023-35078, the APT actors performed the following activities:
- Conducted arbitrary Lightweight Directory Access Protocol (LDAP) queries.
- Retrieved LDAP endpoints.
- Used the API path to list administrators and users on the EPMM device.
- Made EPMM configuration changes.
- Checked EPMM code audit logs regularly.
- Deleted log entries.
- Tunnelled traffic through Ivanti Sentry, an application gateway appliance supporting EPMM.
What Should Be Done If a Compromise Is Detected?
- Upon detection of a compromised system, organisations should do the following:
- Detach or quarantine the affected hosts from the overall system.
- Reimage compromised hosts.
- Get new account credentials.
- Review artefacts such as running services, processes, recent network connections, and unusual authentications.
- Report the incident to CISA using CISA’s operations centre or the NSCE-NO operations centre.
How to Mitigate Threat Actors from Exploiting the CVE-2023-35081 Vulnerability
- Both CISA and NCSC-NO recommend organisations do the following:
- Upgrade Ivanti EPMM to its latest version. Get patches to protect against vulnerabilities CVE-2023-35078 and CVE-2023-35081.
- Apply additional restrictions and monitoring to MDM systems and consider them high-value assets.
- Follow the best cybersecurity practices in enterprise environments and production. These include conducting ISO 27001 Audit & Risk Compliance and mandating phishing-resistant multifactor authentication for every service and staff member.
- Validate your security controls by testing your existing inventory.
- Test your security programme continuously in a production environment to achieve optimal performance against attacks like MITRE ATT&CK techniques.
To mitigate Ivanti EPMM vulnerabilities, your business should monitor and assess the cyber threat scenario continuously. In doing so, you may seek the help of globally accredited cybersecurity services, such as Cybernetic Global Intelligence. Go through the advisory given by cybersecurity agencies, such as the Cybersecurity and Infrastructure Security Agency and the Norwegian National Cyber Security Centre, and ramp up the security of your digital assets. To contact Cybernetic Global Intelligence, send an email to firstname.lastname@example.org or call 1300 292 376.