Since April 2023, Norwegian organizations have been repeatedly targeted by attackers exploiting vulnerabilities in Ivanti Endpoint Manager, culminating in a recent attack on 12 of the country's ministries. The attackers behind these intrusions have not yet been identified.
Ivanti Endpoint Manager Mobile (EPMM) is a widely used solution for managing mobile devices. According to a joint statement from the American cybersecurity agency CISA and the Norwegian Cybersecurity Center, its vulnerabilities make it an easy target for compromising systems.
Analysis of the attacks revealed that the attackers used compromised home routers, specifically ASUS routers, as proxies to reach the victims' infrastructure. Malicious software was also found in EPMM components; it concealed the attackers' activity by deleting log records that matched a specific selection rule.
The attackers also bypassed network protections to reach internal systems, including Exchange, by tunnelling their traffic.
Further investigation uncovered a malicious Tomcat application named "Mi.war" on the Ivanti Sentry application, which supports EPMM. It likewise deleted log records, in this case every entry containing the string "Firefox/107.0". This application was found to have facilitated traffic tunnelling to at least one Exchange server that was otherwise unreachable from the internet.
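The log-deletion behaviour described above can be detected from a trusted copy of the log. The following Python script is an added example, not code from the article or from Ivanti or CISA; it assumes the access log was forwarded off-box (for instance to a SIEM) before the malicious component deleted entries, and it uses constructed sample lines in a common combined-log layout rather than real captures.

```python
# Added example: detect selective log deletion of the kind described in the article,
# where every entry containing a marker string ("Firefox/107.0") was removed on the
# device. Entries present in the forwarded (trusted) copy but absent on the device
# indicate tampering. All log lines below are constructed samples.
import re

MARKER = "Firefox/107.0"  # the string the article says the malware keyed on

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: the copy received by the central log collector.
FORWARDED = """\
10.0.0.5 - - [02/Jul/2023:10:15:01 +0200] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0 Firefox/115.0"
10.0.0.7 - - [02/Jul/2023:10:15:04 +0200] "POST /api/status HTTP/1.1" 200 88 "-" "Mozilla/5.0 Firefox/107.0"
10.0.0.5 - - [02/Jul/2023:10:15:09 +0200] "GET /admin HTTP/1.1" 302 0 "-" "Mozilla/5.0 Firefox/115.0"
10.0.0.7 - - [02/Jul/2023:10:15:12 +0200] "GET /api/status HTTP/1.1" 200 41 "-" "Mozilla/5.0 Firefox/107.0"
"""

# Constructed sample: the same log as read from the device after the marker entries were removed.
ON_DEVICE = "\n".join(l for l in FORWARDED.splitlines() if MARKER not in l) + "\n"


def parse(text):
    """Parse combined-format lines; unparseable lines are kept raw so they still compare."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        entries.append({**m.groupdict(), "raw": raw} if m else {"raw": raw})
    return entries


def missing_on_device(forwarded, on_device):
    """Entries in the forwarded copy that are absent from the on-device log."""
    present = {e["raw"] for e in parse(on_device)}
    return [e for e in parse(forwarded) if e["raw"] not in present]


def marker_hits(text, marker=MARKER):
    """Entries whose User-Agent contains the marker string."""
    return [e for e in parse(text) if marker in e.get("ua", "")]


def analyse(forwarded, on_device, marker=MARKER):
    """Summarise how many entries vanished and which source IPs used the marker UA."""
    gone = missing_on_device(forwarded, on_device)
    return {
        "missing": len(gone),
        "missing_with_marker": sum(1 for e in gone if marker in e.get("ua", "")),
        "marker_ips": sorted({e["ip"] for e in marker_hits(forwarded, marker) if "ip" in e}),
    }
```

A non-zero `missing` count, especially when every missing entry shares the same marker, is the signal to treat the device's own logs as untrustworthy and pivot to the forwarded copy.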
The vulnerability in Ivanti Endpoint Manager allows attackers to access confidential data and change the configuration of the affected services. Chained with another vulnerability, the potential for damage increases. Mobile device management platforms are particularly susceptible to attack because they expose a large number of possible targets.
To protect against these attacks, it is recommended to install the security patches, enable multifactor authentication, and strengthen monitoring for suspicious activity.