Government Websites Under Attack After Ivanti Bug

An attack on several Norwegian government ministries has forced US federal agencies to fix an Ivanti software bug.

The bug in question is an authentication bypass flaw in Ivanti's Endpoint Manager Mobile (EPMM) device management software, formerly known as MobileIron Core. The US company has issued patches for this vulnerability, and the Norwegian government revealed that the flaw had been exploited in an attack that affected 12 of its ministries.
In response, the US Cybersecurity and Infrastructure Security Agency (CISA) has added the bug to its catalog of Known Exploited Vulnerabilities (KEV). In its alert, CISA stated that "these types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise".

Identified as CVE-2023-35078, the authentication bypass bug received the maximum possible CVSS rating of 10, with Ivanti warning its customers that it was essential that they patch their software immediately. According to Ivanti, the bug allowed unauthorized access to the solution's restricted functionality or resources, so that threat actors could "potentially access users' personally identifiable information and make limited changes to the server". CISA also learned that the bug allowed unauthenticated access to specific API paths: "An attacker with access to these API paths can access personally identifiable information (PII), such as names, phone numbers and other mobile device details for users on a vulnerable system".

The Norwegian authorities did not say whether data had been exfiltrated during the attack on their ministries. However, they claim that the country's Data Protection Authority had been notified, which indicates that there may be concerns that information was stolen.

"This vulnerability was unique and was first discovered here in Norway," said Sofie Nystrøm, Director General of Norway's National Security Authority. "If we had published information about the vulnerability too early, it could have contributed to its abuse elsewhere in Norway and the rest of the world. The update is now widely available and it is prudent to announce what kind of vulnerability it is," she added.

The original article continues at SC Magazine.