If you run Ivanti Endpoint Manager Mobile (EPMM), patch immediately!

Let me start off with: always keep patches up to date! While this article is about one specific tool, it is important to understand that any tool can have vulnerabilities, and this is not meant to disparage Ivanti.

There are a couple of vulnerabilities in the Ivanti system that you should be aware of: CVE-2023-35078 and CVE-2023-35081. CVE-2023-35078 is a severe flaw in Ivanti Endpoint Manager Mobile (EPMM), previously called MobileIron Core. This flaw lets attackers view personal data and also lets them alter settings on the systems they have breached.

Background:
The Cybersecurity and Infrastructure Security Agency (CISA) and the Norwegian National Cyber Security Centre (NCSC-NO) have released a joint advisory about cyber threats. They found that certain bad actors were taking advantage of vulnerabilities in Ivanti’s software, specifically CVE-2023-35078 and CVE-2023-35081. These vulnerabilities were used to gather information from Norwegian organizations and even compromise a Norwegian government agency’s network.

Details:

  1. Vulnerabilities:
  • CVE-2023-35078: This is a major flaw in Ivanti Endpoint Manager Mobile (EPMM). It lets attackers access personal data and make changes to the systems they compromise.
  • CVE-2023-35081: This flaw allows anyone holding EPMM admin rights to upload and run files on the EPMM system.
  2. Why It’s a Big Deal: Mobile device management (MDM) systems, like EPMM, are tempting targets for attackers, because a single compromised MDM server can give access to thousands of mobile devices. Given that these vulnerabilities have already been exploited, there is a real concern about more widespread attacks on both government and private networks.
  3. What’s Being Done: The advisory gives signs to look for if you have been compromised and steps to take if you think you have been. It strongly recommends that organizations hunt for malicious activity using its guidelines. Even if no issues are found, it still recommends installing the patches Ivanti has released.
  4. Technical Insights: In July 2023, it was discovered that attackers were exploiting a vulnerability in Ivanti Endpoint Manager to target a Norwegian government network. They could access personal data such as names, phone numbers, and even GPS data if it was turned on. CISA added these vulnerabilities to its list of known exploited vulnerabilities in late July 2023.
  5. APT Actor Activity: Advanced Persistent Threat (APT) actors have been exploiting one of the vulnerabilities since April 2023. They used compromised routers to target infrastructure. They accessed data, made changes to configurations, and even deleted some of their tracks.
  6. Response: If an organization finds evidence of a compromise, it should isolate affected systems, rebuild compromised systems, change account credentials, and collect evidence. It should also report the compromise to CISA or NCSC-NO.
  7. Protection Measures:
  • Update Ivanti EPMM to the latest version.
  • Check for vulnerabilities using the provided tools.
  • Treat MDM systems as high-value assets and monitor them closely.
  • Implement cybersecurity best practices, including multi-factor authentication.
  • Test and validate security measures against known threat behaviors.

Conclusion:
This advisory is a warning about serious vulnerabilities in Ivanti’s software that have been exploited by cyber attackers. Organizations are urged to take immediate action and patch software. As always, ensure you have strong cybersecurity measures in place!

References:

Threat Actors Exploiting Ivanti EPMM Vulnerabilities | CISA


Paul Bergman runs a business strategy and cybersecurity consulting company in San Diego. He writes on cybersecurity and board management for both corporate and nonprofit boards.
