The Cybersecurity and Infrastructure Security Agency (CISA) and the Norwegian National Cyber Security Centre (NCSC-NO) are releasing this joint Cybersecurity Advisory (CSA) in response to active exploitation of CVE-2023-35078 and CVE-2023-35081. Advanced persistent threat (APT) actors exploited CVE-2023-35078 as a zero day from at least April 2023 through July 2023 to gather information from several Norwegian organizations, as well as to gain access to and compromise a Norwegian government agency's network.

Ivanti released a patch for CVE-2023-35078 on July 23, 2023. Ivanti later determined actors could use CVE-2023-35078 in conjunction with another vulnerability, CVE-2023-35081, and released a patch for the second vulnerability on July 28, 2023.

CVE-2023-35078 is a critical vulnerability affecting Ivanti Endpoint Manager Mobile (EPMM) (formerly known as MobileIron Core). The vulnerability allows threat actors to access personally identifiable information (PII) and gain the ability to make configuration changes on compromised systems. NCSC-NO observed possible vulnerability chaining of CVE-2023-35081 and CVE-2023-35078. CVE-2023-35081 enables actors with EPMM administrator privileges to write arbitrary files with the operating system privileges of the EPMM web application server. Threat actors can chain these vulnerabilities to gain initial, privileged access to EPMM systems and execute uploaded files, such as webshells.

Mobile device management (MDM) systems are attractive targets for threat actors because they provide elevated access to thousands of mobile devices, and APT actors have exploited a previous MobileIron vulnerability. Consequently, CISA and NCSC-NO are concerned about the potential for widespread exploitation in government and private sector networks.

This CSA provides indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) obtained by NCSC-NO investigations. The CSA also includes a nuclei template to identify unpatched devices and detection guidance organizations can use to hunt for compromise. CISA and NCSC-NO encourage organizations to hunt for malicious activity using the detection guidance in this CSA. If potential compromise is detected, organizations should apply the incident response recommendations included in this CSA. If no compromise is detected, organizations should still immediately apply patches released by Ivanti.

Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 13.
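The summary describes two things worth hunting for in the appliance's web-server logs: requests that reach the EPMM API without authentication (CVE-2023-35078) and execution of files dropped through the arbitrary write (CVE-2023-35081), typically a webshell. The script below is an added example, not the nuclei template or the detection guidance from the advisory itself. It runs two hunting rules over Apache/Tomcat-style access-log lines. The API prefix `/mifs/aad/api/v2/` is taken from public analyses of CVE-2023-35078 and is not stated on this page; the sample log lines, the baseline of known JSP paths and the trusted-source list are constructed for the example and should be replaced with data from the appliance under investigation.

```python
"""Hunt EPMM access logs for the two patterns the advisory summary describes.
Added example, not part of the CISA/NCSC-NO advisory."""
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional

# Apache/Tomcat "combined" access-log line:
#   src - - [ts] "METHOD /path HTTP/1.1" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Endpoint prefix that public analyses of CVE-2023-35078 identify as reachable
# without authentication on unpatched EPMM. Assumption: not stated on this page;
# confirm against Ivanti's guidance for the version in use.
UNAUTH_API_PREFIX = "/mifs/aad/api/v2/"


@dataclass(frozen=True)
class Hit:
    src: str
    ts: str
    method: str
    path: str
    status: int
    rule: str


def parse_line(line: str) -> Optional[dict]:
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop query string before path checks
    return rec


def hunt(lines: Iterable[str],
         known_jsp: FrozenSet[str] = frozenset(),
         trusted_sources: FrozenSet[str] = frozenset(),
         api_prefix: str = UNAUTH_API_PREFIX) -> List[Hit]:
    """Apply two hunting rules and return every matching line as a Hit.

    Rule 1 (CVE-2023-35078): a request under api_prefix answered with a 2xx/3xx
            from a source not in trusted_sources. On an unpatched appliance this
            is the API being reached without authentication.
    Rule 2 (post-CVE-2023-35081 webshell): a 2xx request for a .jsp resource that
            is absent from known_jsp, the baseline of JSP paths a clean appliance
            serves. An empty baseline flags every JSP request, so build it first.
    """
    hits: List[Hit] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        src, path, status = rec["src"], rec["path"], rec["status"]
        if path.startswith(api_prefix) and status < 400 and src not in trusted_sources:
            rule = "CVE-2023-35078: successful request to unauthenticated API path"
        elif path.lower().endswith(".jsp") and 200 <= status < 300 and path not in known_jsp:
            rule = "possible webshell: JSP resource outside baseline"
        else:
            continue
        hits.append(Hit(src, rec["ts"], rec["method"], path, status, rule))
    return hits


def sources_by_rule(hits: Iterable[Hit]) -> Dict[str, List[str]]:
    """Group hit source addresses by rule, for triage and for pivoting into other logs."""
    out: Dict[str, set] = {}
    for h in hits:
        out.setdefault(h.rule, set()).add(h.src)
    return {rule: sorted(srcs) for rule, srcs in out.items()}


# Constructed sample log (RFC 5737 test addresses); not real appliance data.
SAMPLE_LOG = """\
203.0.113.10 - - [20/Jul/2023:10:15:02 +0000] "GET /mifs/aad/api/v2/admins/users?fields=username HTTP/1.1" 200 1843 "-" "python-requests/2.31.0"
198.51.100.7 - - [20/Jul/2023:10:16:40 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 4510 "-" "Mozilla/5.0"
203.0.113.10 - - [20/Jul/2023:10:17:05 +0000] "GET /mifs/aad/api/v2/ping HTTP/1.1" 401 0 "-" "curl/8.1.2"
203.0.113.10 - - [20/Jul/2023:10:22:31 +0000] "GET /mifs/images/update.jsp?cmd=id HTTP/1.1" 200 312 "-" "curl/8.1.2"
10.0.0.5 - - [20/Jul/2023:10:25:00 +0000] "GET /mifs/aad/api/v2/devices HTTP/1.1" 200 9021 "-" "EPMM-integration/1.0"
this line is deliberately malformed and must be skipped
"""
# Constructed baseline and allow-list; on a real hunt derive these from a clean build
# and from the integration hosts that legitimately call the API.
KNOWN_JSP = frozenset({"/mifs/login.jsp"})
TRUSTED_SOURCES = frozenset({"10.0.0.5"})


def run_sample() -> List[Hit]:
    return hunt(SAMPLE_LOG.splitlines(), KNOWN_JSP, TRUSTED_SOURCES)


if __name__ == "__main__":
    for h in run_sample():
        print(f"{h.ts} {h.src} {h.method} {h.path} {h.status}  <- {h.rule}")
    print(sources_by_rule(run_sample()))
```

The 401 line is the response a patched appliance gives for the same path, so rule 1 deliberately ignores non-success statuses; a 2xx there is the signal. The JSP baseline matters more than the API rule for incident scoping, because a successful write via CVE-2023-35081 leaves the appliance serving a file that was never part of the product, and a first-seen JSP path with a query string such as `cmd=` is the shape that usually takes.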