
Urgent Security Alert: Malware Kits Actively Exploiting Critical Ivanti EPMM Vulnerability
Cybersecurity experts are issuing urgent warnings about a critical vulnerability in Ivanti Endpoint Manager Mobile (EPMM), formerly known as MobileIron Core. Threat actors are now using easily accessible malware kits to exploit this flaw, dramatically increasing the risk for unpatched organizations worldwide.
This active campaign targets CVE-2023-35082, a severe vulnerability that allows remote, unauthenticated attackers to execute arbitrary code on vulnerable servers. The availability of these pre-packaged attack tools means that even less-sophisticated attackers can now compromise systems, steal sensitive data, and establish a persistent foothold within corporate and government networks.
The Mechanics of the Attack
The core of this threat lies in the vulnerability’s ability to be chained with another flaw, CVE-2023-35078. This combination allows attackers to bypass authentication controls and gain complete administrative access to the affected Ivanti EPMM server. Once inside, they deploy a malicious web shell to maintain control.
Security researchers have identified two specific web shell files being deployed by these malware kits:
- may.jsp
- person.jsp
A web shell is a malicious script uploaded to a server that gives an attacker a command-and-control interface. From here, they can execute commands, upload or download files, and pivot to other systems within the compromised network. The presence of either of these files on your Ivanti EPMM server is a strong indicator of a successful breach.
This is not a theoretical threat. High-profile targets, including government agencies, have already been compromised by attackers leveraging this exact vulnerability, highlighting the immediate and severe danger it poses.
Essential Steps to Protect Your Network
Immediate action is required to mitigate this threat. If your organization uses Ivanti EPMM, you must treat this as a critical priority. Follow these security recommendations without delay.
1. Apply Patches Immediately
The most critical step is to update your Ivanti EPMM instance to a patched version. Ivanti has released security updates that address CVE-2023-35082. Delaying this patch leaves your organization exposed to a known and actively exploited attack vector.
2. Hunt for Indicators of Compromise (IOCs)
Even after patching, you must investigate whether your systems have already been compromised.
- Scan for Malicious Files: Thoroughly search your server’s file system for the presence of may.jsp, person.jsp, or any other unrecognized or suspicious .jsp files.
- Review Server Logs: Carefully analyze web server logs for any unusual requests, especially those that appear to be testing for or exploiting path traversal vulnerabilities. Look for anomalous patterns or requests from unknown IP addresses.
- Monitor Network Traffic: Check for any outbound network connections from your EPMM server to suspicious or unknown destinations. This could indicate a web shell communicating with an attacker’s command-and-control server.
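The file scan and log review above can be automated for a first-pass hunt. The following Python script is an added example written for this article; it is not code from the article, from CISA, or from Ivanti. It assumes a generic web root directory layout and a combined-style access log, and every path, IP address and log line in it is constructed for illustration. The only values taken from the article are the two web shell filenames.

```python
"""Defensive first-pass hunt for the web shell IOCs named in the advisory.

Added example, not the article's or Ivanti's code. Assumptions (not from
the page): the web root layout, the access-log format and all sample data
below are constructed for illustration.
"""
import os
import re
import tempfile
from pathlib import Path

# Web shell filenames named in the advisory text.
KNOWN_WEBSHELLS = {"may.jsp", "person.jsp"}

# Generic path-traversal markers in a request line (raw and URL-encoded forms).
TRAVERSAL_RE = re.compile(r"(\.\./|\.\.%2f|%2e%2e)", re.IGNORECASE)

# Combined-style access log: remote IP ... [timestamp] "request" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3})')

# Constructed sample log lines; IPs are documentation ranges, paths are made up.
SAMPLE_LOG_LINES = [
    '203.0.113.10 - - [10/Aug/2023:12:00:01 +0000] "GET /app/login.jsp HTTP/1.1" 200 512',
    '203.0.113.10 - - [10/Aug/2023:12:00:05 +0000] "GET /app/../../admin/ HTTP/1.1" 403 0',
    '198.51.100.7 - - [10/Aug/2023:12:01:10 +0000] "GET /app/%2e%2e/%2e%2e/config HTTP/1.1" 404 0',
    '192.0.2.55 - - [10/Aug/2023:12:02:00 +0000] "POST /app/may.jsp HTTP/1.1" 200 44',
]


def scan_for_jsp(root, allowlist=frozenset()):
    """Walk `root` and classify every .jsp file found.

    Returns {"known_iocs": [...], "unrecognized_jsp": [...]}; files whose
    basename is in `allowlist` (your known-good inventory) are skipped.
    """
    findings = {"known_iocs": [], "unrecognized_jsp": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".jsp"):
                continue
            full = os.path.join(dirpath, name)
            if name in KNOWN_WEBSHELLS:
                findings["known_iocs"].append(full)
            elif name not in allowlist:
                findings["unrecognized_jsp"].append(full)
    for key in findings:
        findings[key].sort()
    return findings


def review_log(lines):
    """Return (line_no, ip, request, reason) for suspicious request lines.

    Flags traversal markers and any request for a known web shell filename.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real hunt would count these too
        ip, request, _status = m.groups()
        path = request.split(" ")[1] if " " in request else request
        if TRAVERSAL_RE.search(path):
            hits.append((n, ip, request, "path traversal"))
        elif os.path.basename(path.split("?")[0]) in KNOWN_WEBSHELLS:
            hits.append((n, ip, request, "known web shell name"))
    return hits


def build_sample_tree():
    """Create a throwaway directory standing in for a web root (constructed data)."""
    root = tempfile.mkdtemp(prefix="epmm_hunt_")
    Path(root, "webapps", "app").mkdir(parents=True)
    Path(root, "webapps", "app", "index.jsp").write_text("<%-- legitimate page --%>")
    Path(root, "webapps", "app", "may.jsp").write_text("<%-- planted IOC --%>")
    Path(root, "webapps", "tmp").mkdir()
    Path(root, "webapps", "tmp", "person.jsp").write_text("<%-- planted IOC --%>")
    Path(root, "webapps", "tmp", "helper.jsp").write_text("<%-- not in inventory --%>")
    Path(root, "webapps", "tmp", "notes.txt").write_text("ignored")
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    report = scan_for_jsp(root, allowlist={"index.jsp"})
    for path in report["known_iocs"]:
        print(f"KNOWN IOC       {path}")
    for path in report["unrecognized_jsp"]:
        print(f"UNRECOGNIZED    {path}")
    for line_no, ip, request, reason in review_log(SAMPLE_LOG_LINES):
        print(f"LOG line {line_no}: {ip} {request!r} -> {reason}")
```

Run it against the real web root and access log by replacing the constructed tree and sample lines with your own paths; maintain the allowlist from a known-good build inventory so that only files you did not deploy are reported.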
3. Isolate Potentially Compromised Systems
If you discover evidence of a compromise or cannot patch your system immediately, isolate the affected server from the network to prevent lateral movement and further damage. This will contain the threat while you conduct a full investigation and remediation.
4. Enhance Security Monitoring
Ensure your security information and event management (SIEM) systems and endpoint detection and response (EDR) tools are configured to monitor and alert on suspicious activity related to your Ivanti EPMM servers. Proactive monitoring is key to catching intrusions early.
The widespread availability of malware kits targeting this Ivanti EPMM vulnerability has significantly lowered the barrier to entry for attackers. Every organization using this platform must assume it is a target and take decisive action to secure its systems and data.
Source: https://www.bleepingcomputer.com/news/security/cisa-exposes-malware-kits-deployed-in-ivanti-epmm-attacks/