Hackers exploited Ivanti zero-day to breach Norway’s government
Hackers exploited a zero-day vulnerability in tech giant Ivanti’s software to compromise a dozen Norwegian government agencies.
Norwegian security officials said on Monday that the flaw was found in Ivanti’s mobile endpoint management software used by the impacted ministries.
“This vulnerability was unique, and was discovered for the very first time here in Norway,” said Sofie Nystrøm, director of Norway’s National Security Agency. “If we had released the information about the vulnerability too early, it could have contributed to it being misused elsewhere in Norway and in the rest of the world.”
The attack caused some disruptions at the impacted ministries but did not widely affect government operations. The government has alerted the Norwegian data protection agency about the incident, raising concerns that the hackers could have accessed or extracted sensitive data from the compromised systems.
The government has also warned other Norwegian businesses using the same software about the zero-day.
Ivanti’s software is used by dozens of governments around the world. The company recently patched the vulnerability — tracked as CVE-2023-35078 — and is “actively engaging with customers to help them apply the fix,” an Ivanti spokesperson told Recorded Future News.
On Monday, the company issued an advisory stating that it’s currently aware of a "very limited number of customers" who have been impacted by the hack.
The vulnerability received the highest CVSS score — a 10 out of 10 — signifying that it is a critical bug that should be given immediate attention.
According to the U.S. Cybersecurity and Infrastructure Security Agency, the vulnerability could allow hackers to remotely access victims’ personally identifiable information, such as names, phone numbers, and other mobile device details. An attacker can also make other configuration changes, including creating an administrative account that can make further changes to a vulnerable system, CISA said Monday in a security alert.
Ivanti faced criticism for its handling of the bug disclosure, as it initially kept the flaw's details behind a paywall. The company reportedly asked potentially affected customers to sign a non-disclosure agreement before disclosing the information.
Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.