Norwegian Government IT Systems Breached Using Ivanti Zero-Day Vulnerability

July 25, 2023

The Norwegian National Security Authority (NSM) has confirmed that an unidentified group of hackers exploited a zero-day vulnerability in Ivanti's Endpoint Manager Mobile (EPMM) to infiltrate a software platform used by 12 government ministries in Norway. However, the Norwegian Security and Service Organization (DSS) clarified that the Prime Minister's Office, the Ministry of Defense, the Ministry of Justice, and the Ministry of Foreign Affairs were not affected by this cyberattack.

The Norwegian Data Protection Authority (DPA) was notified about the incident, suggesting the possibility of the hackers gaining access to and possibly exfiltrating sensitive data from the compromised systems, thereby leading to a data breach. The NSM stated, 'This vulnerability was unique, and was discovered for the very first time here in Norway. If we had released the information about the vulnerability too early, it could have contributed to it being misused elsewhere in Norway and in the rest of the world.'

The Norwegian National Cyber ​​Security Center (NCSC) alerted all known MobileIron Core customers in Norway about the existence of a security update to address this actively exploited zero-day bug, tracked as CVE-2023-35078. The NCSC recommended system owners to install these security updates as soon as possible to prevent any further attacks.

The CVE-2023-35078 security bug is an authentication bypass vulnerability that affects all supported versions of Ivanti's EPMM mobile device management software, as well as unsupported and end-of-life releases. Successful exploitation of this vulnerability allows remote threat actors to access specific API paths without requiring authentication. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned, 'An attacker with access to these API paths can access personally identifiable information (PII) such as names, phone numbers, and other mobile device details for users on a vulnerable system. An attacker can also make other configuration changes, including creating an EPMM administrative account that can make further changes to a vulnerable system.'

Ivanti confirmed that the zero-day is being exploited in attacks and urged customers to take immediate action to ensure full protection. According to Shodan's Internet exposure scanning platform, more than 2,900 MobileIron user portals are currently exposed online, including around three dozen linked with U.S. local and state government agencies. Most of these exposed servers are located in the United States, with other significant locations being Germany, the United Kingdom, and Hong Kong. Therefore, it is critical for all network administrators to swiftly install the latest Ivanti Endpoint Manager Mobile (MobileIron) patches to safeguard their systems from attacks.

Latest News

• Critical Vulnerability in MikroTik Routers Exposes Up to 900K Devices to Potential Takeover
• VMware Patches Information Disclosure Bug in Tanzu Application Service for VMs
• Apple Issues Security Updates to Address Zero-Day Vulnerabilities
• Critical Zero-Day Vulnerabilities in Atera Windows Installers Expose Users to Privilege Escalation Attacks
• Over 15,000 Citrix Servers Susceptible to Attacks via CVE-2023-3519