CISA, Norwegian Cybersecurity Agency Issue Advisory on Ivanti Exploit

The Cybersecurity and Infrastructure Security Agency and the Norwegian National Cyber Security Centre have released guidance on an actively exploited vulnerability in Ivanti Endpoint Manager Mobile, a mobile device management solution formerly known as MobileIron Core.

According to the joint cybersecurity advisory, advanced persistent threat actors executed a zero-day attack on Ivanti’s software, compromising the network of a Norwegian government agency and collecting information from several businesses. Ivanti later patched the zero-day vulnerability and a second one that hackers could have chained.

The two organizations said in the CSA that MDM systems enable privileged access to large numbers of mobile devices, making them attractive hacking targets.

CISA and NCSC-NO prescribed the use of nuclei templates so unpatched devices can be identified. The NCSC-NO also created a checklist of signs of compromise, CISA said.

In 2021, Ivanti patched a similar zero-day vulnerability in the Pulse Connect Secure virtual private network software. CISA released an emergency directive when the exploit was discovered.