
Threat Actors orchestrate cyber-attacks on vulnerable Ivanti products

Cyble observes active Ivanti exploitation attempts in the United States and Germany

In a press briefing on July 24, 2023, the Norwegian Security and Service Organization (DSS) reported that 12 government agencies had been targeted through a previously unknown vulnerability in software from one of their suppliers.

The Norwegian National Security Authority (NSM) subsequently confirmed that the attacks were carried out by exploiting CVE-2023-35078, a remote unauthenticated API access vulnerability in Ivanti Endpoint Manager Mobile (EPMM, formerly MobileIron Core).

Ivanti quickly released a patch for CVE-2023-35078, but shortly afterwards, on July 28, 2023, a further patch was released for a path traversal vulnerability in Ivanti EPMM, CVE-2023-35081.

The vendor stated that “we are only aware of the same limited number of customers impacted by CVE-2023-35078 as being impacted by CVE-2023-35081”, and noted that CVE-2023-35081 can be chained with CVE-2023-35078: the authentication bypass grants the access that the path traversal then abuses, which makes unpatched EPMM appliances an even more attractive target.

According to the joint advisory (AA23-213A) released by the Cybersecurity and Infrastructure Security Agency (CISA) and NSM:

The APT actors have exploited CVE-2023-35078 since at least April 2023. The actors leveraged compromised small office/home office (SOHO) routers, including ASUS routers, to proxy to target infrastructure.

Timeline and Vulnerability Details

Multiple vulnerabilities in Ivanti products were addressed by the vendor within a short span. The timeline below covers those disclosed as of September 01, 2023, along with their details.

Figure 1 – Timeline of recent IVANTI vulnerabilities

Given the potential impact of the vulnerabilities discussed above, Cyble Research and Intelligence Labs (CRIL) has been monitoring discussions concerning related vulnerabilities, exploits, and zero-days. This monitoring surfaced a Threat Actor allegedly selling a “0-day” exploit for CVE-2023-35081 on a prominent cybercrime forum, as shown in the figure below.

Figure 2- Threat Actor selling 0day for CVE-2023-35081 over cybercrime forum

The Threat Actor first offered the exploit on August 5, 2023, and reposted it on August 9, 2023. The same TA has since received a temporary ban on the forum, and the claims remain unsubstantiated.

Cyble Global Sensor Intelligence

The Cyble Global Sensor Intelligence (CGSI) network started picking up exploitation attempts against Ivanti EPMM (CVE-2023-35078) and Ivanti Sentry (CVE-2023-38035) on August 25, 2023, as shown in Figure 3.

The attackers were attempting to exploit CVE-2023-35078 by sending unauthenticated GET requests to the /mifs/aad/api/v2/admins/users endpoint in order to fetch sensitive information such as Personally Identifiable Information (PII) of enrolled users. On an unpatched appliance this endpoint answers without any credentials, so a 200 response with a JSON body is itself an indicator that the bypass worked.

For CVE-2023-38035, a POST request to the /mics/services/MICSLogService endpoint was observed, indicating that the attacker was attempting to reach the Sentry System Manager (MICS) administrator interface, which is served on TCP port 8443 and should not be reachable from the internet.

The attacks observed by CGSI sensors suggest that the attackers were targeting vulnerable Ivanti assets in the United States and Germany.

Figure 3 – The attacks captured for Ivanti EPMM and Ivanti Sentry from CGSI Network

The United States and Germany also have the highest exposure of Ivanti assets, so the attacks observed by the CGSI network coincide with the exposure counts reported by online scanners, as shown below. We therefore foresee a rise in cyber-attacks on vulnerable Ivanti assets in these two countries.

Internet Exposure of Ivanti Endpoint Manager Mobile (EPMM), formerly MobileIron Core

Nearly 2k internet-exposed Ivanti EPMM instances were observed, the majority of them in the United States and Germany. The chart below shows exposure details for the top 5 countries.

Figure 4- Internet exposure of IVANTI EPMM from the Top 5 countries

Internet Exposure of Ivanti MobileIron Sentry

Over 1.5k internet-exposed Ivanti Sentry instances were observed globally via one of the online scanners. The chart below shows exposure details for the top 5 countries.

Figure 5- Internet exposure of IVANTI Sentry from Top 5 countries

CRIL’s observations indicate that several state and private organizations remain exposed to these specific vulnerabilities, as outlined below.

Figure 6 – Internet Exposed IVANTI EPMM & Ivanti Sentry

Conclusion

Threat Actors are increasingly exploiting vulnerable internet-exposed assets. Notable recent examples include the MOVEit Transfer and PaperCut vulnerabilities, which were weaponized to compromise large corporations. Depending on how these applications are used in an organization, the attackers employ strategies ranging from ransomware to data exfiltration and web shell installation.
Attackers are targeting Ivanti Endpoint Manager Mobile (EPMM) and Ivanti Sentry because, as Mobile Device Management (MDM) and Unified Endpoint Management (UEM) platforms, they hold user and device data for an organization's entire mobile fleet. These vulnerable applications have become lucrative targets for Threat Actors seeking to steal data, which may then be distributed over the dark web and cybercrime forums.

Recommendations

  • Keep software, firmware, and applications updated with the latest patches and mitigations released by the official vendor; for EPMM and Sentry this means the fixed builds for CVE-2023-35078, CVE-2023-35081 and CVE-2023-38035.
  • Implement proper network segmentation to prevent lateral movement and minimize exposure of critical assets over the internet; in particular, the Sentry System Manager interface on port 8443 should not be reachable from the internet.
  • Investigate logs in centralized logging solutions or forwarded syslogs from EPMM devices for any occurrences of /mifs/aad/api/v2/, and Sentry logs for POST requests to /mics/services/MICSLogService.
  • Regular audits, vulnerability assessments, and penetration testing exercises are key to finding security gaps that attackers may exploit.
  • Organizations should have visibility into dark web and cybercrime forum discussions, and into any access pertaining to them that is being offered for sale there.
  • Keep track of advisories and alerts issued by vendors and state authorities.
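The endpoint observations from the CGSI network above (GET /mifs/aad/api/v2/admins/users for CVE-2023-35078 and POST /mics/services/MICSLogService for CVE-2023-38035) and the log-investigation recommendation in the list above can be turned into a small triage script. The following Python is an added example written for this page; it is not Cyble's tooling, Ivanti's code, or anything from the advisories referenced below. It assumes the EPMM/Sentry web logs are forwarded in Apache/Tomcat "combined" access-log format (the regex is the assumption to adapt), and the log lines are constructed for illustration: the 203.0.113.x, 198.51.100.x and 192.0.2.x addresses are RFC 5737 documentation ranges, and the remaining address is the IoC from this report, re-fanged.

```python
import re
import posixpath
from collections import defaultdict
from urllib.parse import unquote

# Request paths tied to the exploitation attempts described in this report.
# CVE-2023-35078: unauthenticated GET to the /mifs/aad/api/v2/ API on EPMM.
# CVE-2023-38035: POST to /mics/services/MICSLogService on Sentry (MICS admin portal, TCP 8443).
SUSPICIOUS_PREFIXES = {
    "/mifs/aad/api/v2/": "CVE-2023-35078 (EPMM unauthenticated API access)",
    "/mics/services/MICSLogService": "CVE-2023-38035 (Sentry MICS authentication bypass)",
}

# Malicious IP from the IoC table of this report (de-fanged there, re-fanged here).
KNOWN_BAD_IPS = {"31.42.185.129"}

# Assumption: logs arrive in Apache/Tomcat "combined" format. Adapt if the
# forwarded syslog wraps the line in extra fields.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log lines, not captured traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [25/Aug/2023:10:12:01 +0000] "GET /mifs/aad/api/v2/admins/users HTTP/1.1" 200 2048 "-" "python-requests/2.31"
31.42.185.129 - - [25/Aug/2023:10:15:44 +0000] "GET /mifs/aad/api/v2/admins/users?offset=0 HTTP/1.1" 401 0 "-" "curl/8.1"
198.51.100.7 - - [25/Aug/2023:11:02:13 +0000] "POST /mics/services/MICSLogService HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [25/Aug/2023:11:30:00 +0000] "GET /mifs/aad/api/v2/%61dmins/users HTTP/1.1" 200 2048 "-" "curl/8.1"
192.0.2.5 - - [25/Aug/2023:12:00:00 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""


def normalize_path(target):
    """Strip the query string, percent-decode (twice, for double encoding) and
    collapse '//', '/./' and '/../' segments so a grep-style prefix match cannot
    be dodged by trivial path obfuscation."""
    path = target.split("?", 1)[0]
    path = unquote(unquote(path))
    return posixpath.normpath(path)


def classify(line):
    """Return a hit dict if the line touches one of the suspicious endpoints, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = normalize_path(m.group("target"))
    for prefix, label in SUSPICIOUS_PREFIXES.items():
        if path == prefix.rstrip("/") or path.startswith(prefix):
            status = int(m.group("status"))
            return {
                "ip": m.group("ip"),
                "method": m.group("method"),
                "path": path,
                "status": status,
                "label": label,
                "known_bad": m.group("ip") in KNOWN_BAD_IPS,
                # 200 means the appliance served the unauthenticated call (bypass
                # likely worked); 401/403 means it was rejected, e.g. a patched host.
                "likely_success": status == 200,
            }
    return None


def scan(lines):
    """Return (hits, requests-per-source-IP) for an iterable of log lines."""
    hits, by_ip = [], defaultdict(int)
    for line in lines:
        h = classify(line)
        if h:
            hits.append(h)
            by_ip[h["ip"]] += 1
    return hits, dict(by_ip)


if __name__ == "__main__":
    hits, by_ip = scan(SAMPLE_LOG.splitlines())
    for h in hits:
        flag = " [IoC match]" if h["known_bad"] else ""
        print(f'{h["ip"]:16} {h["method"]:5} {h["status"]} {h["path"]} -> {h["label"]}{flag}')
    print("requests per source:", by_ip)
```

Run it against an exported access log (`python3 triage.py < access.log` after swapping `SAMPLE_LOG` for `sys.stdin`) and treat any `likely_success` hit on the EPMM API as a confirmed data-access event rather than a mere probe; the path normalization is there because a plain substring search for `/mifs/aad/api/v2/` misses percent-encoded or dot-segment variants of the same request.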

MITRE ATT&CK® Techniques

Tactic               Technique ID   Technique Name
Initial Access       T1190          Exploit Public-Facing Application
Execution            T1059          Command and Scripting Interpreter
Discovery            T1087.002      Account Discovery: Domain Account
Discovery            T1018          Remote System Discovery
Defense Evasion      T1036.005      Masquerading: Match Legitimate Name or Location
Persistence          T1505.003      Server Software Component: Web Shell
Defense Evasion      T1070.001      Indicator Removal: Clear Windows Event Logs
Collection           T1005          Data from Local System
Command and Control  T1572          Protocol Tunneling
Command and Control  T1090          Proxy
Command and Control  T1090.001      Proxy: Internal Proxy

Indicators of Compromise (IoCs):

Indicator             Indicator type   Description
31[.]42[.]185[.]129   Malicious IP     IP observed in exploitation attempts

References:

https://www.dss.dep.no/aktuelle-saker/

https://nsm.no/aktuelt/nulldagssarbarhet-i-ivanti-endpoint-manager-mobileiron-core

https://forums.ivanti.com/s/article/KB-Remote-unauthenticated-API-access-vulnerability-CVE-2023-35078?language=en_US

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-213a

https://cyble.com/blog/print-management-software-papercut-actively-exploited-in-the-wild/

https://cyble.com/blog/moveit-transfer-vulnerability-actively-exploited/
