Norwegian Government Targeted by Zero-Day Exploit

Published on

Dec 26, 2023

On Tuesday, the Norwegian National Security Authority (NSM) confirmed that a zero-day vulnerability, identified as CVE-2023-35078, was exploited to target the Norwegian government. The attack affected 12 Norwegian ministries and was executed through the ICT platform utilized by these ministries. Initially, the government did not disclose the name of the platform but later confirmed it to be Ivanti Endpoint Manager Mobile (EPMM), formerly known as MobileIron Core. The platform is used by all Norwegian ministries except for the Office of the Prime Minister, the Ministry of Defence, the Ministry of Justice and Public Security, and the Ministry of Foreign Affairs.

Erik Hope, Director General of the Norwegian Government Security and Service Organisation (DSS), stated that the vulnerability in the supplier’s software was previously unknown and had been exploited by an unknown third party. However, the vulnerability has now been fixed. The attack was detected on July 12 after unusual traffic was observed on the vulnerable mobile endpoint management platform.

CVE-2023-35078 is an authentication bypass vulnerability that grants remote unauthenticated API access to specific paths within EPMM. Through this exploit, an attacker could access personally identifiable information (PII), such as names, phone numbers, and other mobile device details of users on the compromised system. Additionally, the attacker could make various configuration changes, including creating an EPMM administrative account with further privileges.

Ivanti received information from a credible source confirming the exploitation of this vulnerability but stated that the impact was limited, affecting only a few customers. Nevertheless, it is crucial for organizations to upgrade to the fixed versions (11.10.0.2, 11.9.1.1, and 11.8.1.1) to address the issue.

The severity of the flaw is indicated by its “perfect” 10.0 CVSS score, and security researcher Kevin Beaumont warns that it is straightforward to exploit. He advises administrators to upgrade to the patched version as soon as possible. Shodan, an IoT search engine, identified over 2,900 internet-facing EPMM user portals, primarily in the US and Europe, raising concerns about potentially vulnerable systems.

Although rumors about the zero-day exploit emerged before Ivanti’s official disclosure, the company delayed the release to prevent further misuse. Sofie Nystrøm, director of the National Security Agency, emphasized the importance of the timely update and urged users to apply the security fix promptly.

The Norwegian National Cyber Security Center has taken action by notifying known system owners (businesses) in Norway that have MobileIron Core accessible on the internet about the released security update. However, it’s yet to be publicly shared whether other entities beyond the Norwegian government were affected by this attack.

Other Articles

Exploring Leading Vendors’ Hardened OS in Firewalls

Research

Where Firewalls Run

Firewalls are essential security devices that protect networks from unauthorized access and malicious activities. These critical components operate on specialized operating systems (OS) designed to provide robust protection and optimize performance. In this article, we will delve into the world of firewalls and examine the hardened OS employed by some of the industry’s leading vendors. From well-established companies to innovative newcomers, let’s explore where firewalls run and the key characteristics of these operating systems.

GDPR, Google Analytics and Matamo

GDPR is the world’s strongest set of data protection rules, improving how people access information about themselves and limiting what organizations can do with personal data.

Cybersecurity Awareness

Smishing Triad: Exploiting Trust in Postal Services for Fraud Worldwide

Smishing, a variant of phishing, exploits text messaging to deceive recipients into divulging personal or financial details.

Sphere's Proactive Detection Shields Against CVE-2023-20198 Exploitation

Sphere's proprietary threat intelligence tool has detected active exploitation of CVE-2023-20198, highlighting its critical role in cybersecurity vigilance. This detection, alongside advisories from Cisco Talos, underscores the urgent need for users to apply recommended patches and enhance network monitoring to protect against sophisticated cyber threats.