September 29, 2023

Hackers exploited a zero-day vulnerability in tech giant Ivanti’s software to compromise a dozen Norwegian government agencies.

Norwegian security officials said on Monday that the flaw was present in Ivanti’s mobile endpoint management software used by the impacted ministries.

“This vulnerability was unique, and was discovered for the very first time here in Norway,” said Sofie Nystrøm, director of Norway’s National Security Authority. “If we had released the information about the vulnerability too early, it might have contributed to it being misused elsewhere in Norway and in the rest of the world.”

The attack has caused some disruptions at the impacted ministries, but did not extensively affect government operations. The government has alerted the Norwegian data protection authority about the incident, raising concerns that the hackers may have accessed or extracted sensitive data from the compromised systems.

The government has also warned other Norwegian companies using the same software about the zero-day.

Ivanti’s software is used by dozens of governments around the world. The company recently patched the vulnerability, tracked as CVE-2023-35078, and is “actively engaging with customers to help them apply the fix,” an Ivanti spokesperson told Recorded Future News.

On Monday, the company issued an advisory stating that it is currently aware of a “very limited number of customers” who have been impacted by the hack.

The vulnerability received the highest CVSS score, a 10 out of 10, signifying that it is a critical bug that should be given immediate attention.

According to the U.S. Cybersecurity and Infrastructure Security Agency, the vulnerability could allow hackers to remotely access victims’ personally identifiable information, such as names, phone numbers, and other mobile device details. An attacker could also make other configuration changes, including creating an administrative account that can make further changes to a vulnerable system, CISA said Monday in a security alert.

Ivanti faced criticism for its handling of the bug disclosure because it initially restricted access to the flaw’s details behind a paywall. The company reportedly asked potentially affected customers to sign a non-disclosure agreement before disclosing the information.

Daryna Antoniuk is a freelance reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.