Cybersecurity heads up! After a series of security holes in Pulse Connect Secure SSL VPN appliance affected multiple organizations back in 2021, a new critical zero-day has been recently revealed in Ivanti products. The novel security issue impacting Ivanti Endpoint Manager Mobile (EPMM) enables remote unauthenticated API access to specific paths. By exploiting the flaw, adversaries might obtain personally identifiable information (PII) and other sensitive data stored on exposed devices as well as introduce malicious changes to the affected systems. Ivanti’s advisory confirms that this critical zero-day has already been exploited in the wild against a limited number of customers, while news portals point to the Norwegian government as a potential victim of the CVE-20230-35078 attack.
CVE-2023-35078 Detection
To help cyber defenders proactively identify suspicious activity associated with CVE-2023-25078 exploitation and streamline threat-hunting activities, SOC Prime Platform for collective cyber defense aggregates a set of dedicated Sigma rules. All detections are compatible with 28 SIEM, EDR, and XDR technologies and aligned with MITRE ATT&CK framework v12 to smooth the deep dive into the critical threat.
To explore the full list of curated rules, hit the Explore Detections button below. Security professionals can reach extensive cyber threat context accompanied by ATT&CK references and CTI links, as well as obtain more relevant metadata matching current security needs and boosting threat investigation.
CVE-2023-35078 Analysis
On July 24, 2023, Ivanti published an advisory that details the critical zero-day and provides patches for the flaw. According to the vendor, the recently identified bug in Ivanti EPMM (with the highest CVSS score of 10.0) allows unauthorized threat actors to access the restricted functionality and resources of the app without proper authentication.
The remote unauthenticated API access vulnerability impacts all currently supported versions of the software (v11.10, 11.9, 11.8) alongside older releases that are no longer supported. In view that cyber defense experts consider the flaw extremely easy to exploit, all users are urged to patch ASAP by installing versions 11.10.0.2, 11.9.1.1., and 11.8.1.1.
Yet, researchers estimate that the majority of organizations remain unpatched, with 2,900 internet-facing EPMM portals being exposed, according to Shodan. Most of these servers were identified in the US, EU, UK, and Hong Kong. Notably, experts believe that UK and US governments might fall victim to the CVE-2023-35078 attacks. On Sunday, CISA issued a security alert prompting users to address the security gap immediately.
Optimize your cybersecurity defenses with the SOC Prime Platform, offering comprehensive detection content against all TTPs used in ongoing cyber-attacks. Stay up-to-date with the latest ready-to-deploy behavioral detection algorithms, ensuring your organization is well-prepared to counter evolving threats. Explore a wealth of contextual information on cyber attacks and threats, including zero-days, CTI, and ATT&CK references, as well as insights into Red Team tooling. Validate your detection stack effortlessly with an automatic read-only ATT&CK data audit, identifying blind spots and proactively addressing them to achieve complete threat visibility based on your organization’s specific logs. With the SOC Prime Platform, equip your team with the right tools and knowledge to defend against emerging threats effectively.
The post Detect CVE-2023-35078 Exploitation: Critical Authentication Bypass Zero-Day in Ivanti Endpoint Manager Mobile (EPMM) appeared first on SOC Prime.