
Twelve Departments of The Norwegian Government Hacked

CoolAEW

Summary

On the 24th of July 2023, the news broke that hackers had gained access to twelve departments of the Norwegian government.

The hackers gained access through compromised SOHO routers and were able to exploit vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) to gain access to personal information, including the GPS position of mobile devices.

These vulnerabilities also allowed the hackers to upload and execute files on the EPMM with privileged access.

The hackers were able to roam undetected for at least 2 months before being detected. They were able to compromise Ivanti Sentry, an application gateway appliance that supports EPMM, to gain access to an Exchange server which was not reachable from the internet, and likely installed webshells on pages related to login and Outlook.


Quotes

Quote

It is early in the analysis, but this is obviously an actor with strong resources. It is not about boys' room hacking, says Sofie Nystrøm of NSM (the Norwegian National Security Authority).

- Quote from NRK

Quote

CVE-2023-35078 is a critical vulnerability affecting Ivanti Endpoint Manager Mobile (EPMM) (formerly known as MobileIron Core). The vulnerability allows threat actors to access personally identifiable information (PII) and gain the ability to make configuration changes on compromised systems. CVE-2023-35081 enables actors with EPMM administrator privileges to write arbitrary files with the operating system privileges of the EPMM web application server. Threat actors can chain these vulnerabilities to gain initial, privileged access to EPMM systems and execute uploaded files, such as webshells.

- Quote from CISA / NCSC-NO

Quote

The APT actors have exploited CVE-2023-35078 since at least April 2023. The actors leveraged compromised small office/home office (SOHO) routers, including ASUS routers, to proxy [T1090] to target infrastructure, and NCSC-NO observed the actors exploiting CVE-2023-35078 to obtain initial access to EPMM devices [T1190] and:

• Perform arbitrary Lightweight Directory Access Protocol (LDAP) queries against the Active Directory (AD).

• Retrieve LDAP endpoints [T1018].

• Use API path /mifs/aad/api/v2/authorized/users to list users and administrators [T1087.002] on the EPMM device.

• Make EPMM configuration changes (Note: It is unknown what configuration changes the actors made).

• Regularly check EPMM Core audit logs [T1005]. 

- Quote from CISA / NCSC-NO

My thoughts

I find this deeply disturbing, that hackers gained so much access for so long in the Norwegian Government without being detected. Who knows what they might have gained access to; probably a lot.

With privileged access to all mobile devices they could have done literally anything, and no one knows for sure. I do believe that we are going to see a lot more cases like this, but I hope that the government is more prepared next time.


Sources

https://www.nrk.no/norge/tolv-departementer-utsatt-for-dataangrep-1.16492816

https://www.nrk.no/norge/12-departementer-angrepet_-hackerne-kan-fortsatt-vaere-inne-i-regjeringens-systemer-1.16493620

https://www.digi.no/artikler/rapport-om-dataangrep-i-minst-to-maneder-har-hackere-beveget-seg-uoppdaget/534707

https://www.bleepingcomputer.com/news/security/norwegian-government-it-systems-hacked-using-zero-day-flaw/


aa23-213a_joint_csa_threat_actors_exploiting_ivanti_eppm_vulnerabilities.pdf
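The CISA / NCSC-NO quote above names the EPMM API path the actors used to list users and administrators, and notes that they proxied through compromised SOHO routers. The script below is an added example, not code from the original post, from Ivanti or from CISA: it scans constructed web-access log lines for successful requests to that path and groups them by source address, which is the kind of triage a defender would run over EPMM access logs when hunting for this activity. The combined-log line format, the sample addresses (documentation ranges), the trusted-source list and the `flag_user_enumeration` function name are all assumptions.

```python
"""Triage constructed EPMM-style access-log lines for the user-enumeration
API path quoted in the CISA / NCSC-NO advisory.

Added example. The log format, the sample addresses and the broader API
prefix check are assumptions, not Ivanti's or CISA's own tooling.
"""
import re
from datetime import datetime

# Exact path from the advisory quote, plus the API prefix it sits under.
# Matching on the prefix is an assumption: it widens the net to sibling
# endpoints on the same API surface and can be tightened if too noisy.
ENUM_PATH = "/mifs/aad/api/v2/authorized/users"
API_PREFIX = "/mifs/aad/api/"

# Combined-log style line: ip - - [timestamp] "METHOD path HTTP/x" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not fit."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def is_watched(path):
    """True if the request path (query string ignored) is the enumeration path
    or anything under the same API prefix."""
    bare = path.split("?", 1)[0]
    return bare == ENUM_PATH or bare.startswith(API_PREFIX)


def flag_user_enumeration(lines, trusted_sources=frozenset()):
    """Return {ip: {"hits", "first", "last", "paths"}} for every source that
    got a 2xx answer from a watched path and is not on the trusted list.

    Only successful responses matter here: a 401 means the request was refused,
    while a 2xx from an unexpected source is what an authentication bypass
    against this API would look like in the log.
    """
    hits = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_watched(rec["path"]):
            continue
        if rec["ip"] in trusted_sources or not 200 <= rec["status"] < 300:
            continue
        entry = hits.setdefault(
            rec["ip"],
            {"hits": 0, "first": rec["ts"], "last": rec["ts"], "paths": set()},
        )
        entry["hits"] += 1
        entry["first"] = min(entry["first"], rec["ts"])
        entry["last"] = max(entry["last"], rec["ts"])
        entry["paths"].add(rec["path"].split("?", 1)[0])
    return hits


# Constructed sample lines (not real traffic). 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges; 10.20.30.5 plays an admin host.
SAMPLE_LOG = [
    '10.20.30.5 - - [10/Jul/2023:08:15:02 +0200] "GET /mifs/login.jsp HTTP/1.1" 200 5120',
    '203.0.113.17 - - [10/Jul/2023:08:15:40 +0200] "GET /mifs/aad/api/v2/authorized/users HTTP/1.1" 200 48213',
    '203.0.113.17 - - [10/Jul/2023:08:16:01 +0200] "GET /mifs/aad/api/v2/authorized/users?page=2 HTTP/1.1" 200 47710',
    '198.51.100.9 - - [10/Jul/2023:08:20:11 +0200] "GET /mifs/aad/api/v2/authorized/users HTTP/1.1" 401 0',
    '10.20.30.5 - - [10/Jul/2023:09:02:37 +0200] "GET /mifs/aad/api/v2/authorized/users HTTP/1.1" 200 48213',
]

if __name__ == "__main__":
    findings = flag_user_enumeration(SAMPLE_LOG, trusted_sources={"10.20.30.5"})
    for ip, e in findings.items():
        print(f"{ip}: {e['hits']} hit(s) between {e['first']:%Y-%m-%d %H:%M} "
              f"and {e['last']:%H:%M} on {sorted(e['paths'])}")
```

On the constructed sample only 203.0.113.17 is reported: the admin host is excluded by the trusted list and the 198.51.100.9 request was refused. In practice the trusted list should be small and deliberate, since the advisory describes the actors reaching the API without credentials, so a 2xx from any address outside the administration network is worth a closer look.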


Oh, that's much deeper and worse than I thought it was when it was first announced. F***

“Remember to look up at the stars and not down at your feet. Try to make sense of what you see and wonder about what makes the universe exist. Be curious. And however difficult life may seem, there is always something you can do and succeed at. 
It matters that you don't just give up.”

-Stephen Hawking


I guess the gov will brush this under the rug too? like ffs, also old hardware or lack of updates galore in some areas.


"sir, we could be hacked due to CVEs that have been known for many many months"
"ok, but upgrading hardware costs money :("

-time passes-

"sir, we are hacked"

"why did you not upgrade this hardware, you are fired"


2 hours ago, HarryNyquist said:

"ok, but upgrading hardware costs money :("

Since when do governments check how much they spend?

One day I will be able to play Monster Hunter Frontier in French/Italian/English on my PC, it's just a matter of time... 4 5 6 7 8 9 years later: It's finally coming!!!

Phones: iPhone 4S/SE | LG V10 | Lumia 920 | Samsung S24 Ultra

Laptops: Macbook Pro 15" (mid-2012) | Compaq Presario V6000

Other: Steam Deck

<>EVs are bad, they kill the planet and remove freedoms too some/<>


Did anybody outside the government know about this? Did they have to change passwords and upgrade software?

I like computers. And watching them blow up while playing GTA 5. Remember to update to Windows 11! 😁 

Forum Member


Brroooooo spiders are the only web developers that enjoy finding bugs.

Forum Member Definition:


14 hours ago, suicidalfranco said:

Since when do governments check how much they spend?

When the money isn't being spent on stuff that benefits their friends or party donors?


2 hours ago, Monkey Dust said:

When the money isn't being spent on stuff that benefits their friends or party donors?

Forgot about that


On 8/2/2023 at 8:08 PM, Quackers101 said:

I guess the gov will brush this under the rug too? like ffs, also old hardware or lack of updates galore in some areas.

Brush under the rug in what way? They are officially sharing information about it and did do things to limit the damage when it was noticed.


On 8/2/2023 at 9:23 PM, HarryNyquist said:

"sir, we could be hacked due to CVEs that have been known for many many months"
"ok, but upgrading hardware costs money :("

-time passes-

"sir, we are hacked"

"why did you not upgrade this hardware, you are fired"

Actually, if you look up the CVEs mentioned, at least in the public databases that show up when you search for them, they were added on 24 July and 31 July. This news broke on 24 July and had been known to the government since 12 July.

In other words, they were not mentioned in those databases before the same day this went public, or after.


EDIT:

And looking them up, the official fixes for them were released on 23 and 28 July.

Links in addition to the PDF in OP:

https://forums.ivanti.com/s/article/CVE-2023-35078-Remote-unauthenticated-API-access-vulnerability?language=en_US
https://forums.ivanti.com/s/article/CVE-2023-35081-Arbitrary-File-Write?language=en_US


So it's not a case of "known issues that they got affected by because they were running old software". It's a case of new issues that weren't, at least publicly, known before this hack.

I didn't find info about the ASUS routers mentioned, so it might still be the case there, but it's not the case with the CVE issues mentioned in the OP.

EDIT: Fixed duplicate link instead of the two different ones.


On 8/2/2023 at 11:52 PM, EllieCat said:

Did anybody outside the government know about this? Did they have to change passwords and upgrade software?

Outside of the government knowing about it? In what way, do you mean knowing about this hack? As far as I know, only the Norwegian government and the attackers knew about it having happened before the government detected it.

Don't know about passwords, but as far as I understand, they had to do their own temporary fixes/workarounds and solutions until the developers recently pushed fixes for the issues. They delayed publicly mentioning the issues for 12 days to let them do that. One of the temporary workarounds was to not let the government workers have email on their mobile devices.


4 hours ago, Mihle said:

They are officially sharing information about it did do things to limit damage when it was noticed.

but how will they handle those that are personally affected by it?


2 hours ago, Quackers101 said:

but how will they handle those that are personally affected by it?

I do not know.

On 8/2/2023 at 6:34 AM, CoolAEW said:

With privileged access to all mobile devices

What do you mean and where did you hear it from?

lumpy chunks


(\__/)
(='.'=) This is Bunny. Copy Bunny into your signature to
(")_(") help him on his way to world domination.

 -Rakshit Jain
