Cyber attackers exploited vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM), a product corporations use to manage mobile devices. The vulnerabilities allowed attackers to gain access to and take control of the system.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) indicated that the attackers used malware kits, off-the-shelf hacking tools that make access and exploitation easier for cyber criminals.
Security flaws: There were two significant vulnerabilities in Ivanti EPMM:
• Authentication bypass - Attackers gained access without legitimate authentication.
• Code injection - Attackers crafted malware to run any commands they wanted inside the system.
While Ivanti fixed these vulnerabilities in May, hackers exploited them before the fix was issued.
The malware techniques
Hackers employed malware disguised as files titled "web-install.jar." The files contained:
• A loader - places the malware onto the victim's system
• A listener - allows the hackers to send commands, steal data, and remain hidden in the background of the operating system
The attackers chose file names such as ReflectUtil.class or WebAndroidAppInstaller.class that look innocent, but the files acted as an entry point for intrusions.
Their Mode of Attack
The hackers sent the system fake requests that ultimately allowed them to:
- Learn about the system
- View files and folders
- Investigate the network
- Intensify their malware
- Collect login data (e.g., LDAP credentials)
What CISA Recommends
For those who utilize Ivanti EPMM, these are the steps you should follow:
- Go ahead and update your software now, instead of postponing this action.
- Scan for any malware. If any is found, take the system offline from the network.
- Record evidence by taking a forensic image of the system.
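The file names in the malware section above and the "scan for malware, then record evidence" advice from CISA can be turned into a small triage script. The following is an added example written for this page; it is not code from CISA, Ivanti or the attackers. The only values taken from the page are the artifact names (web-install.jar, ReflectUtil.class, WebAndroidAppInstaller.class); the scan root, the sample tree it builds and the archive extensions it inspects are assumptions. It looks both at file names on disk and inside jar archives, since a jar is a zip file and a renamed archive would otherwise slip past a name-only check, and it records a SHA-256 for every match so the finding can be logged before the host is pulled off the network. Hashing matched files is not a substitute for the full forensic image CISA recommends; it is the evidence record for the triage step.

```python
"""Triage scan for the Ivanti EPMM artifacts named in the article (added example)."""
import hashlib
import json
import os
import tempfile
import zipfile
from pathlib import Path

# Artifact names taken from the article; everything else in this file is an assumption.
SUSPICIOUS_FILENAMES = {"web-install.jar"}
SUSPICIOUS_CLASS_NAMES = {"ReflectUtil.class", "WebAndroidAppInstaller.class"}
# Assumed archive extensions worth opening; jars are zip files.
ARCHIVE_SUFFIXES = {".jar", ".zip", ".war"}


def sha256_of(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large artifacts need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def jar_members_of_interest(archive: Path) -> list[str]:
    """List archive entries whose basename is one of the suspicious class names.
    A corrupt or non-zip file yields no matches rather than aborting the scan."""
    try:
        with zipfile.ZipFile(archive) as zf:
            return [n for n in zf.namelist()
                    if os.path.basename(n) in SUSPICIOUS_CLASS_NAMES]
    except zipfile.BadZipFile:
        return []


def scan_tree(root: Path) -> list[dict]:
    """Walk `root`; report files matching by name, or archives carrying the
    listed class names. Each finding includes a SHA-256 for the evidence log."""
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        reasons = []
        if path.name in SUSPICIOUS_FILENAMES:
            reasons.append("filename matches")
        if path.name in SUSPICIOUS_CLASS_NAMES:
            reasons.append("class name matches")
        if path.suffix.lower() in ARCHIVE_SUFFIXES:
            hits = jar_members_of_interest(path)
            if hits:
                reasons.append("archive contains " + ", ".join(hits))
        if reasons:
            findings.append({"path": path.relative_to(root).as_posix(),
                             "sha256": sha256_of(path),
                             "reasons": reasons})
    return findings


def build_sample_tree(root: Path) -> None:
    """Constructed sample data, not real malware: a benign jar, a jar with the
    article's file name, and a renamed jar that still carries a listed class."""
    (root / "lib").mkdir()
    stub = b"\xca\xfe\xba\xbe"  # Java class-file magic only; no real bytecode
    with zipfile.ZipFile(root / "lib" / "innocent-lib.jar", "w") as zf:
        zf.writestr("com/example/Util.class", stub)
    with zipfile.ZipFile(root / "web-install.jar", "w") as zf:
        zf.writestr("ReflectUtil.class", stub)
        zf.writestr("WebAndroidAppInstaller.class", stub)
    with zipfile.ZipFile(root / "lib" / "updates.jar", "w") as zf:
        zf.writestr("com/acme/ReflectUtil.class", stub)
    (root / "notes.txt").write_text("not an archive")


def run_demo() -> list[dict]:
    """Build the constructed tree in a temp dir, scan it, return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return sorted(scan_tree(root), key=lambda f: f["path"])


if __name__ == "__main__":
    # On a real host you would point scan_tree at the EPMM install root (assumed path).
    print(json.dumps(run_demo(), indent=2))
```

A name match on its own is weak evidence, since a legitimate file can share a name, so treat the output as a list of files to pull into the investigation rather than a verdict; the hash in each finding is what lets you compare the file against vendor-published indicators later without touching the host again.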