Norway's Government Agencies Breached by Zero-Day Attack (CVE-2023-35078)

Brenda Gratas July 26, 2023

In a recent cyber attack that sent shockwaves through the security community, a group of hackers exploited a zero-day vulnerability, CVE-2023-35078, in Ivanti's Endpoint Manager Mobile (EPMM) software, compromising several Norwegian government agencies.

The breach, which targeted twelve government ministries, has raised concerns about the potential risks faced by thousands of other organizations that might be vulnerable to similar attacks. 

Keep reading to understand the extent of the exploit.

About CVE-2023-35078

CVE-2023-35078 is an authentication bypass vulnerability discovered in Ivanti’s Endpoint Manager Mobile (EPMM), formerly known as MobileIron Core. The flaw allows remote, unauthenticated access to specific API paths within the software, letting attackers read sensitive data and make unauthorized changes to vulnerable systems.

Attackers who gain access to the affected API paths can retrieve personally identifiable information (PII) such as names, phone numbers, and other mobile device details of users on the vulnerable system. 

Moreover, the attackers can manipulate the system's configuration, including creating an EPMM administrative account, thereby granting them further control over the compromised environment.

CVE-2023-35078 affects all supported versions of Ivanti's EPMM, as well as releases that are no longer supported:

  • v11.10
  • v11.9
  • Older unsupported releases

The flaw has been assigned a maximum Common Vulnerability Scoring System (CVSS) score of 10.0, denoting its severity and ease of exploitation. Exploiting this vulnerability is relatively straightforward, so administrators should upgrade to patched versions without delay. 

Ivanti has released patches for versions:

  • 11.10.0.2
  • 11.9.1.1
  • 11.8.1.1

For organizations that are unable to upgrade from end-of-life (EOL) versions, it is advised to disable the vulnerable appliance to mitigate the risk.
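The patch guidance above can be turned into an inventory triage check. The following is an added example, not code from Ivanti or from this article; the hostnames, the plain dotted version format and the action labels are assumptions, and only the three patched build numbers come from the list above.

```python
import re

# Fixed builds per release branch, as listed in the article.
PATCHED = {
    (11, 10): (11, 10, 0, 2),
    (11, 9): (11, 9, 1, 1),
    (11, 8): (11, 8, 1, 1),
}

def parse_version(text):
    """Parse '11.9.1.0' or 'v11.10' into a 4-tuple, padding with zeros.

    Assumes a plain dotted numeric version string (hypothetical format).
    """
    m = re.fullmatch(r"v?(\d+(?:\.\d+){1,3})", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def triage(version_text):
    """Return an action label (labels are this example's own)."""
    version = parse_version(version_text)
    branch = version[:2]
    if branch in PATCHED:
        # Same branch: compare against that branch's fixed build.
        return "patched" if version >= PATCHED[branch] else "upgrade"
    if branch < min(PATCHED):
        # Older than any branch with a listed fix: treat as end-of-life.
        return "disable-or-upgrade"
    # Newer branch than the article covers: confirm with the vendor advisory.
    return "check-advisory"

def triage_inventory(inventory):
    """Map each host in {host: version} to its action label."""
    return {host: triage(ver) for host, ver in inventory.items()}

if __name__ == "__main__":
    # Constructed sample inventory; hostnames are placeholders.
    sample = {
        "mdm-01.example.internal": "11.10.0.1",
        "mdm-02.example.internal": "11.9.1.1",
        "mdm-03.example.internal": "11.7.0.0",
    }
    for host, action in triage_inventory(sample).items():
        print(f"{host}: {action}")
```

Comparing within the branch matters: 11.10.0.1 is numerically higher than the 11.9.1.1 fix yet is still below its own branch's patched build.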

Consequences of CVE-2023-35078

The Norwegian Security and Service Organization (DSS) issued a statement confirming that a "data attack" had occurred on the IT platform used by the government ministries. The compromised ministries were not explicitly identified, but fortunately, key government offices such as the Prime Minister's Office, the Ministry of Defense, the Ministry of Justice, and the Ministry of Foreign Affairs remained unaffected. 

The breach has been traced back to the critical authentication bypass flaw CVE-2023-35078 in Ivanti's EPMM, which allowed unauthorized remote access to users' personal data without requiring valid credentials.

While Ivanti claimed that only a limited number of customers were impacted, the exact extent of the breach's fallout is still unknown. The Norwegian National Security Authority (NSM) notified the Norwegian Data Protection Authority (DPA), hinting at potential data exfiltration from the compromised systems. Furthermore, cybersecurity researcher Kevin Beaumont's findings indicated that numerous U.S. and U.K. government departments, among others, had yet to apply the necessary patches.

CVE-2023-35078’s global reach

The widespread adoption of the compromised tool across various organizations makes the potential impact of this vulnerability significant. IoT search engine Shodan has identified over 2,800 internet-facing EPMM user portals, with a considerable concentration located in the United States and Europe. This raises concerns about the exposure of numerous organizations to potential attacks if they do not apply the necessary patches promptly.

Proactive cybersecurity measures

In the face of growing cyber threats, the government and public sector, one of the 5 industries most vulnerable to cyber attacks in 2023, is taking proactive measures to mitigate risks and enhance overall cybersecurity. Notably, the Cybersecurity and Infrastructure Security Agency (CISA) issued the Binding Operational Directive (BOD) 23-02, providing guidelines for federal civilian agencies to fortify their cybersecurity defenses. 

Furthermore, the White House mandated U.S. agencies to create a comprehensive inventory of all third-party software used for IT security reasons within 90 days. These actions exemplify the collective effort to address vulnerabilities and safeguard critical systems.

The bottom line

CVE-2023-35078 poses a grave risk to organizations utilizing Ivanti's EPMM. The vulnerability's potential to compromise sensitive data and take unauthorized control of systems requires immediate action. Responsible and proactive measures are essential to safeguarding sensitive information and maintaining the integrity of critical systems in the face of evolving cyber threats. 

To bolster your organization's Endpoint Management and fortify cybersecurity defenses, consider leveraging InvGate Asset Management. This powerful solution offers an efficient way to identify and prioritize devices needing immediate attention. With it, you can streamline your Patch Management processes, ensuring timely updates and a robust defense against potential cyber-attacks. Request our 30-day free trial and ensure a robust defense against the ever-growing list of known vulnerabilities exploited in 2023. Safeguard your organization's assets and information with InvGate Asset Management.