Hackers exploited a zero-day flaw in Ivanti’s mobile endpoint management software to compromise a dozen Norwegian government agencies — and thousands of other organizations could also be at risk.
The Norwegian Security and Service Organization (DSS) said in a statement on Monday that a “data attack” had struck the IT platform used by 12 government ministries. The Norwegian government did not name the affected ministries, but the DSS confirmed several offices were unaffected, including Norway’s Prime Minister’s Office, the Ministry of Defense, the Ministry of Justice and the Ministry of Foreign Affairs.
The DSS said the attack was the result of a “previously unknown vulnerability in the software of one of our suppliers,” but didn’t share any further details. However, the Norwegian National Security Authority (NSM) later confirmed that hackers had leveraged the previously undiscovered flaw in Ivanti Endpoint Manager Mobile (EPMM; formerly MobileIron Core), to compromise Norwegian government agencies.
Sofie Nystrøm, director general of Norway’s NSM, said the government couldn’t initially disclose the vulnerability due to “security reasons,” noting that the security flaw was discovered for the “first time here in Norway.”
Ivanti’s EPMM allows authorized users and devices to access a corporate or government network. The vulnerability, tracked as CVE-2023-35078, is an authentication bypass flaw that affects all supported versions of Ivanti’s EPMM software, along with older and unsupported releases. If exploited, the vulnerability allows anyone over the internet to remotely access the software — without needing credentials — to access users’ personal information, such as names, phone numbers and other mobile device details for users on a vulnerable system, as well as make changes to the impacted server.
In an alert published on Monday, the U.S. cybersecurity agency CISA warned that attackers could create an EPMM administrative account, enabling them to make further changes to a vulnerable system.
In a statement to TechCrunch, Ivanti chief security officer Daniel Spicer said that after the company became aware of the vulnerability, it “immediately developed and released a patch and are actively engaging with customers to help them apply the fix,” adding that “we are upholding our commitment to deliver and maintain secure products, while practicing responsible disclosure protocols.”
However, Ivanti initially kept details of the flaw — which has been given a maximum vulnerability severity rating out 10 out of 10 — behind a paywall, and reportedly asked potentially impacted customers to accept non-disclosure terms before sharing details. At the time of writing, Ivanti’s Knowledge Base article about the vulnerability still requires users to login before viewing.
In a short public-facing alert, Ivanti confirmed that it is “aware of a very limited number of customers that have been impacted.” When asked by TechCrunch, the company declined to say exactly how many customers have been impacted or whether it has seen any evidence of data exfiltration as a result of the attacks.
Norway’s NSM confirmed that it had notified the Norwegian Data Protection Authority (DPA) about the attack targeting government ministries, suggesting that hackers may have exfiltrated sensitive data from compromised systems.
The full extent of the fallout from this zero-day remains to be seen, but many more organizations could be at risk if patches are not applied. According to Shodan, a search engine for publicly exposed devices, there are more than 2,900 MobileIron portals exposed to the internet, the majority of which are located in the United States.
As noted by cybersecurity researcher Kevin Beaumont, the vast majority of impacted organizations — a list which includes numerous U.S. and U.K. government departments — have not yet been patched.