US-CERT- Threat Actors Exploiting Ivanti EPMM Vulnerabilities

[Netwörkheäd]

Threat Actors Exploiting Ivanti EPMM Vulnerabilities

[html]

SUMMARY

The Cybersecurity and Infrastructure Security Agency (CISA) and the Norwegian National Cyber Security Centre (NCSC-NO) are releasing this joint Cybersecurity Advisory (CSA) in response to active exploitation of CVE-2023-35078 and CVE-2023-35081. Advanced persistent threat (APT) actors exploited CVE-2023-35078 as a zero day from at least April 2023 through July 2023 to gather information from several Norwegian organizations, as well as to gain access to and compromise a Norwegian government agency's network.

Ivanti released a patch for CVE-2023-35078 on July 23, 2023. Ivanti later determined actors could use CVE-2023-35078 in conjunction with another vulnerability CVE-2023-35081 and released a patch for the second vulnerability on July 28, 2023. NCSC-NO observed possible vulnerability chaining of CVE-2023-35081 and CVE-2023-35078.

CVE-2023-35078 is a critical vulnerability affecting Ivanti Endpoint Manager Mobile (EPMM) (formerly known as MobileIron Core). The vulnerability allows threat actors to access personally identifiable information (PII) and gain the ability to make configuration changes on compromised systems. CVE-2023-35081 enables actors with EPMM administrator privileges to write arbitrary files with the operating system privileges of the EPMM web application server. Threat actors can chain these vulnerabilities to gain initial, privileged access to EPMM systems and execute uploaded files, such as webshells.

Mobile device management (MDM) systems are attractive targets for threat actors because they provide elevated access to thousands of mobile devices, and APT actors have exploited a previous MobileIron vulnerability. Consequently, CISA and NCSC-NO are concerned about the potential for widespread exploitation in government and private sector networks.

This CSA provides indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) obtained by NCSC-NO investigations. The CSA also includes a nuclei template to identify unpatched devices and detection guidance organizations can use to hunt for compromise. CISA and NCSC-NO encourage organizations to hunt for malicious activity using the detection guidance in this CSA. If potential compromise is detected, organizations should apply the incident response recommendations included in this CSA. If no compromise is detected, organizations should still immediately apply patches released by Ivanti.

Download the PDF version of this report:

   

    https://www.cisa.gov/sites/default/files/2023-08/aa23-213a_joint_csa_threat_actors_exploiting_ivanti_eppm_vulnerabilities_1.pdf" class="c-file__link" target="_blank">AA23-213A PDF
    (PDF,       492.43 KB
  )
 

Download the .xml or .json file associated with this report:

   

    https://www.cisa.gov/sites/default/files/2023-08/AA23-213A.stix_.xml" class="c-file__link" target="_blank">AA23-213A STIX XML
    (XML,       277.43 KB
  )
 

   

    https://www.cisa.gov/sites/default/files/2023-08/AA23-213A%20Threat%20Actors%20Exploiting%20Ivanti%20EPMM%20Vulnerabilities.stix_.json" class="c-file__link" target="_blank">AA23-213A STIX JSON
    (JSON,       250.01 KB
  )
 

TECHNICAL DETAILS

Note: