As noted in our last newsletter, dated July 25, 2023 and titled A Massive Cyberattack Targets Government Ministries in Norway, Advanced Persistent Threat (APT) actors attacking Norwegian targets, notably a government network serving almost 12 Norwegian Government Ministries, have exploited a recently disclosed critical vulnerability in Ivanti Endpoint Manager Mobile (EPMM) as a zero-day since at least April 2023.
The finding was published on Tuesday in a new joint advisory from the Norwegian National Cyber Security Centre (NCSC-NO) and the Cybersecurity and Infrastructure Security Agency (CISA). The threat actor's precise identity and place of origin remain uncertain.
The government ministries stated that “the APT actors took advantage of CVE-2023-35078 since at least April 2023.” To proxy their traffic to the intended targets, the actors used compromised small office/home office (SOHO) routers, particularly ASUS routers.
CVE-2023-35078 is a critical vulnerability that lets threat actors obtain personally identifiable information (PII) and take control of vulnerable systems’ configurations. It can be chained with a second flaw, CVE-2023-35081, to affect targeted devices in unexpected ways.
If both vulnerabilities are successfully exploited, attackers with administrator access to EPMM can write arbitrary files, such as web shells, with operating system privileges on the EPMM web application server.
Although how they did so remains uncertain, the intruders have also been observed tunneling traffic from the internet to at least one Exchange server that was not itself reachable from the internet, via Ivanti Sentry, an application gateway appliance that supports EPMM.
Further investigation uncovered a WAR file named “mi.war” on Ivanti Sentry. It is a rogue Tomcat application that deletes log entries containing the string “Firefox/107.0”, which it reads from a text file.
According to the organizations, “the APT actors used Firefox/107.0 with Linux and Windows user agents to communicate with EPMM.” Threat actors find mobile device management (MDM) systems appealing targets because they provide a single point of access to a large number of mobile devices.
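The two indicators above (the Firefox/107.0 user agent used against EPMM, and the mi.war log scrubber keyed on that same string) suggest a simple hunt: scan web access logs that the appliance itself did not control, such as an upstream reverse proxy, WAF or load balancer, for requests carrying that user agent, and group them by source address. The following is an added example written for this article; it is not code from the advisory, Ivanti or the article's author. It assumes Apache/Tomcat "combined" log format, uses constructed sample lines, and uses the placeholder path /api/placeholder because the article does not name the endpoints involved.

```python
import re
from dataclasses import dataclass

# Regex for the Apache/Tomcat "combined" access-log format (assumption: the
# front-end in front of EPMM/Sentry logs in this common format; adjust as needed).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Indicator quoted from the joint advisory: the actors used a "Firefox/107.0"
# user agent on both Linux and Windows, and mi.war scrubbed lines containing it.
UA_INDICATOR = "Firefox/107.0"


@dataclass
class Hit:
    ip: str
    ts: str
    method: str
    path: str
    status: int
    ua: str


def parse_line(line):
    """Parse one combined-format access-log line; return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return Hit(m["ip"], m["ts"], m["method"], m["path"], int(m["status"]), m["ua"])


def find_indicator_hits(lines, indicator=UA_INDICATOR):
    """Return parsed records whose user agent contains the indicator string."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and indicator in rec.ua:
            hits.append(rec)
    return hits


def summarize(hits):
    """Count hits per source IP; a few busy sources (e.g. proxying SOHO routers,
    as the advisory describes) stand out from ordinary browser traffic."""
    counts = {}
    for h in hits:
        counts[h.ip] = counts.get(h.ip, 0) + 1
    return counts


# Constructed sample log lines (not real traffic). Two benign browser requests
# and three requests carrying the indicator UA from two source addresses.
# "/api/placeholder" is a placeholder path, not an actual EPMM endpoint.
SAMPLE_LOG = """\
203.0.113.10 - - [20/Jul/2023:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/114.0 Safari/537.36"
198.51.100.7 - - [20/Jul/2023:10:02:15 +0000] "GET /api/placeholder HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0"
198.51.100.7 - - [20/Jul/2023:10:02:16 +0000] "POST /api/placeholder HTTP/1.1" 200 64 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0"
192.0.2.44 - - [20/Jul/2023:10:05:40 +0000] "GET /api/placeholder HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:107.0) Gecko/20100101 Firefox/107.0"
203.0.113.10 - - [20/Jul/2023:10:06:00 +0000] "GET /login HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 13_4) Safari/605.1.15"
"""

if __name__ == "__main__":
    hits = find_indicator_hits(SAMPLE_LOG.splitlines())
    for h in hits:
        print(f"{h.ts} {h.ip} {h.method} {h.path} {h.status} ua={h.ua!r}")
    print("per-source counts:", summarize(hits))
```

Because mi.war deletes exactly the entries this scan looks for, an absence of hits on the Sentry or EPMM appliance itself is not evidence of absence; the scan is only meaningful over logs collected off-box (a proxy, a SIEM forwarder) before the appliance could alter them. A user agent is also trivially changed, so treat a hit as a lead to investigate, not a verdict.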
According to Palo Alto Networks Unit 42, the bulk of the 5,500 EPMM servers on the internet are situated in Germany, followed by the United States, the UK, France, Switzerland, the Netherlands, Hong Kong, Austria, China, and Sweden.
Organizations are advised to apply the latest updates as soon as they become available, to require phishing-resistant multi-factor authentication (MFA) for all staff and services, and to validate their security controls to assess their effectiveness.
About the Author:
Yogesh Naager is a content marketer who specializes in the cybersecurity and B2B space. Besides writing for the News4Hackers blog, he has also written for brands including CollegeDunia, Utsav Fashion, and NASSCOM. Naager entered the field of content in an unusual way: he began his career as an insurance sales executive, where he developed an interest in simplifying difficult concepts. He combines this interest with a love of narrative, which makes him a good writer in the cybersecurity field. He also writes regularly for Craw Security.