3rd Party Risk Management , Governance & Risk Management , Patch Management

Ivanti Zero-Day Used in Norway Government Breach

Flaw in Ivanti Endpoint Manager Mobile Rated 10 on CVSS Scale
Ivanti Zero-Day Used in Norway Government Breach
Image: Shutterstock

A mobile security vendor patched a critically rated zero-day vulnerability in its endpoint management platform that had been used by unknown hackers to attack the Norwegian government.

See Also: Live Webinar | Cyber Resilience: Recovering from a Ransomware Attack

Oslo senior officials disclosed the hack Monday and later disclosed that the zero-day had originated in the Ivanti Endpoint Manager Mobile (see: 12 Norwegian Ministries Impacted in ICT Platform Hack).

Tracked as CVE-2023-35078 and assigned a 10 on the CVSS scale, the vulnerability is a remote unauthenticated API access flaw, Ivanti's security advisory states.

"An attacker with access to these API paths can access personally identifiable information such as names, phone numbers, and other mobile device details for users on a vulnerable system," the U.S. Cybersecurity and Infrastructure Security Agency said in a Monday alert.

CISA added that an attacker can also use the bug to make configuration changes and create an administrative account.

The zero-day affects all supported and unsupported versions of the product. Ivanti said only a limited number of customers had been affected.

British cybersecurity expert Kevin Beaumont tracked the worldwide deployment of the internet-facing MobileIron instances and found that many U.S. government agencies and European organizations - including those at the 10 Downing Street in London - use the Ivanti platform.

A search on Shodan, an internet of things scanning platform, showed that more than 2,900 MobileIron user portals are presently exposed online, of which nearly two dozen are linked to the U.S. local and state government agencies.

"This one is completely nuts btw, I set up a honeypot and it's already being probed via the API - which allows admin access and is completely unauthenticated, apparently nobody ever pentested one of the most widely used MDM solutions," Beaumont said.

Security agencies around the globe, including the Australian Cyber Security Center, have urged users to review their networks for use of vulnerable instances of the platform and to patch immediately.

About the Author

Mihir Bagwe

Mihir Bagwe

Principal Correspondent, Global News Desk, ISMG

Bagwe previously worked at CISO magazine, reporting the latest cybersecurity news and trends and interviewing cybersecurity subject matter experts.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing databreachtoday.com, you agree to our use of cookies.