Exploiting Ivanti EPMM Vulnerabilities: Threat Actors on the Prowl

In response to ongoing cyber threats, the Cybersecurity and Infrastructure Security Agency (CISA) and the Norwegian National Cyber Security Centre (NCSC-NO) have jointly issued a significant Cybersecurity Advisory (CSA). They are addressing the exploitation of two vulnerabilities, namely CVE-2023-35078 and CVE-2023-35081. These vulnerabilities have been subject to attacks by advanced persistent threat (APT) actors, who exploited CVE-2023-35078 as a zero-day from April 2023 until July 2023. The APT actors used this vulnerability to gather sensitive information from various Norwegian organizations and successfully compromised a Norwegian government agency's network. To address the security risks, Ivanti, the software vendor, released patches for both vulnerabilities on July 23, 2023, and July 28, 2023, respectively. The NCSC-NO has also observed possible vulnerability chaining of CVE-2023-35081 and CVE-2023-35078, indicating a complex and potentially harmful cyber threat.

What Lies Behind CVE-2023-35078 and CVE-2023-35081?

CVE-2023-35078 poses a critical risk to Ivanti Endpoint Manager Mobile (EPMM), previously known as MobileIron Core, as it allows threat actors to access personally identifiable information (PII) and make configuration changes on compromised systems. Meanwhile, CVE-2023-35081 grants actors with EPMM administrator privileges the ability to write arbitrary files with the operating system privileges of the EPMM web application server. By chaining these vulnerabilities together, threat actors can gain initial, privileged access to EPMM systems and execute uploaded files such as web shells. As Mobile Device Management (MDM) systems like EPMM provide elevated access to numerous mobile devices, they have become attractive targets for threat actors, especially considering previous exploitation of MobileIron vulnerabilities. Given the potential for widespread exploitation in government and private sector networks, CISA and NCSC-NO express grave concern over these security threats.

In this Cybersecurity Advisory (CSA), NCSC-NO shares indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) discovered during their investigations. The CSA includes a nuclei template to help identify unpatched devices and provides detection guidance so that organizations can proactively search for signs of compromise. CISA and NCSC-NO strongly encourage organizations to use the detection guidance to hunt for malicious activity. Should any potential compromise be detected, organizations should follow the incident response recommendations outlined in the CSA. Even where no compromise is found, organizations must promptly apply the patches Ivanti issued.

Exploits Active Since April 2023

CVE-2023-35078 has been a frequent subject of exploitation by APT actors since April 2023. They used compromised SOHO routers, including ASUS routers, as proxies to reach target infrastructure. NCSC-NO observed the actors leveraging this vulnerability to gain initial access to EPMM devices. Once inside, the actors carried out activities such as running arbitrary LDAP queries against Active Directory, retrieving LDAP endpoints, listing users and administrators via API paths, and making configuration changes on the EPMM device. The specific configuration changes made by the actors remain unknown.

To cover their tracks, the APT actors regularly checked the EPMM Core audit logs and deleted some of their own entries from the Apache httpd logs using the malicious Tomcat application "mi.war", which selected lines based on a keywords.txt file. Log entries containing the string "Firefox/107.0" were deleted.

For communication with EPMM, the actors used Linux and Windows user agents, primarily Firefox/107.0. Although other user agents were also used, they left no traces in the device logs. The exact method the threat actors employed to run shell commands on the EPMM device remains unconfirmed. NCSC-NO suspects that they exploited CVE-2023-35081 to upload web shells and execute commands.
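The two log observations above (the Firefox/107.0 user agent and the selective deletion of httpd entries) suggest two simple checks a defender can run over an EPMM front-end access log. The following is an added example, not code from the advisory or from Ivanti; it assumes Apache "combined" log format, and the IPs and request paths in the sample lines are constructed placeholders.

```python
import re
from datetime import datetime, timedelta

# Apache "combined" access-log format (assumed for the EPMM httpd logs).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# User-agent string the advisory associates with the APT activity.
SUSPECT_UA = "Firefox/107.0"

# Constructed sample lines (not real EPMM traffic); IPs and paths are placeholders.
SAMPLE_LOG = """\
198.51.100.7 - - [12/Jun/2023:09:14:02 +0200] "GET /EXAMPLE/status HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:107.0) Gecko/20100101 Firefox/107.0"
203.0.113.5 - - [12/Jun/2023:09:14:10 +0200] "GET /EXAMPLE/app HTTP/1.1" 200 2048 "-" "MobileIron/11.0 Android"
198.51.100.7 - - [12/Jun/2023:09:15:44 +0200] "POST /EXAMPLE/api HTTP/1.1" 200 128 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0"
203.0.113.9 - - [12/Jun/2023:15:40:01 +0200] "GET /EXAMPLE/app HTTP/1.1" 200 2048 "-" "MobileIron/11.0 iOS"
"""

def parse(lines):
    """Yield parsed records; lines that do not match the format are skipped."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["time"] = datetime.strptime(rec["ts"], TS_FMT)
            yield rec

def suspect_requests(lines, ua_marker=SUSPECT_UA):
    """Requests whose User-Agent contains the advisory's indicator string."""
    return [r for r in parse(lines) if ua_marker in r["ua"]]

def silent_gaps(lines, max_gap=timedelta(hours=1)):
    """Consecutive entries more than max_gap apart. Since the actors removed
    their own lines, unexplained quiet stretches deserve cross-checking."""
    recs = list(parse(lines))
    gaps = []
    for prev, cur in zip(recs, recs[1:]):
        if cur["time"] - prev["time"] > max_gap:
            gaps.append((prev["time"], cur["time"]))
    return gaps

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for r in suspect_requests(lines):
        print(f"suspect UA: {r['ip']} {r['ts']} {r['req']}")
    for start, end in silent_gaps(lines):
        print(f"gap of {end - start} between {start} and {end}")
```

Because the actors deleted exactly the lines carrying their user agent, an empty result from the first check does not clear a host; the gap check and a comparison against another log source (for example the EPMM Core audit logs the advisory mentions) are what make it meaningful.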

To tunnel traffic from the internet to at least one inaccessible Exchange server, the APT actors employed Ivanti Sentry, an application gateway appliance supporting EPMM. However, the exact technique used for this tunneling remains unknown.
