US and Norwegian security agencies have released a new security advisory warning that APT actors may be combining exploits for two Ivanti vulnerabilities in attacks.
Security vendor Ivanti was forced to patch zero-day vulnerability CVE-2023-35078 on July 23 after reports it had been used in a sophisticated attack on the Norwegian government that compromised 12 ministries.
Read more on the Ivanti flaw: Cyber-Attack Strikes Norwegian Government Ministries
However, the firm patched a second bug, CVE-2023-35081, on July 28 after the Norwegian National Cyber Security Centre (NCSC-NO) observed possible chaining of the two in attacks, explained the US Cybersecurity and Infrastructure Security Agency (CISA).
“CVE-2023-35078 is a critical vulnerability affecting Ivanti Endpoint Manager Mobile (EPMM) (formerly known as MobileIron Core). The vulnerability allows threat actors to access personally identifiable information (PII) and gain the ability to make configuration changes on compromised systems,” the new CISA advisory explained.
“CVE-2023-35081 enables actors with EPMM administrator privileges to write arbitrary files with the operating system privileges of the EPMM web application server. Threat actors can chain these vulnerabilities to gain initial, privileged access to EPMM systems and execute uploaded files, such as webshells.”
CISA has already listed both bugs in its Known Exploited Vulnerabilities Catalog, meaning civilian federal agencies have until August 15 to patch CVE-2023-35078 and August 21 to patch CVE-2023-35081.
There’s no clarity at this stage on whether the two were definitely used in the Norwegian attacks. CISA said only that CVE-2023-35078 was exploited from April to July by APT attackers to harvest information from the government in Oslo.
“Mobile device management (MDM) systems are attractive targets for threat actors because they provide elevated access to thousands of mobile devices, and APT actors have exploited a previous MobileIron vulnerability,” noted the advisory.
“Consequently, CISA and NCSC-NO are concerned about the potential for widespread exploitation in government and private sector networks.”
Editorial image credit: Alexander Tolstykh / Shutterstock.com