Ivanti Norway Hacks Began in April, Says US CISA
Mobile Device Management Systems Are 'Attractive Targets,' Warns Joint Advisory With Norway
A hacking campaign that exploited the Ivanti mobile device manager to target the Norwegian government began in April or possibly earlier, say cybersecurity agencies from the U.S. and Norway.
Ivanti on July 23 patched a critically rated zero-day vulnerability in its Endpoint Manager Mobile platform - formerly known as MobileIron Core - after an unidentified threat actor used it to attack a dozen government ministries. Key agencies including the prime minister's office and the ministries of defense, justice and foreign affairs were unaffected by the hack. The company later found the zero-day can be chained with another zero-day flaw and released a second emergency patch on Friday.
In a Tuesday alert, the U.S. Cybersecurity and Infrastructure Security Agency and the Norwegian National Cyber Security Center said the hackers had initiated their campaign during springtime. This isn't the first time a threat actor has used the flaw in the Ivanti platform, the agencies said, and they warned that they're "concerned about the potential for widespread exploitation in government and private sector networks."
Mobile device management "systems are attractive targets for threat actors because they provide elevated access to thousands of mobile devices," the alert says.
Shortly after senior officials in Oslo announced the attack, cybersecurity firm Palo Alto Networks said scans had revealed more than 5,500 Ivanti Endpoint Manager Mobile servers exposed to the internet, primarily in Germany, the United States and the United Kingdom.
The threat actors targeting Norway partially hid their identities by using compromised small office and home office routers - specifically, ASUS routers of unspecified models - as internet proxies. Once they had gained access to the Ivanti platform, the hackers made configuration changes, although the joint advisory says it is unclear what those changes were.
The Norwegian cybersecurity agency suspects the actors exploited CVE-2023-35081 to upload web shells and run commands.