Thousands of government iPhones and iPads in Norway have been compromised by hackers exploiting a vulnerability in the remote management framework from MobileIron/Ivanti. The Norwegian Security and Service Organization (DSS) confirmed that a "data attack" had targeted the IT platform used by 12 government ministries. The affected ministries were not named, but several parts of the government, including the Prime Minister's phone, the Ministry of Defense, the Ministry of Justice, and the Ministry of Foreign Affairs, were said to be unaffected.
The DSS attributed the attack to a previously unknown vulnerability in the software of one of its suppliers; the Norwegian National Security Authority (NSM) later confirmed that the hackers had exploited a previously undiscovered flaw in Ivanti Endpoint Manager Mobile (EPMM), the product used to manage the government's iPhones. Sofie Nystrøm, director general of Norway's NSM, explained that the vulnerability could not be disclosed initially for security reasons and that it was the first time such a backdoor had been discovered in Norway.
Ivanti's EPMM allows authorized users and devices to access corporate or government networks. The vulnerability, tracked as CVE-2023-35078, is an authentication bypass that affects all supported versions of Ivanti's EPMM software as well as older, unsupported releases. If exploited, it gives a remote attacker access over the internet to the managed devices without any credentials, allowing unauthorized individuals to read users' personal information and make changes to the affected devices.
The U.S. cybersecurity agency CISA issued an alert stating that attackers could use the flaw to create an administrative account on the phone management platform. Ivanti's chief security officer, Daniel Spicer, said that a patch had been developed and released immediately after the vulnerability was discovered, that Ivanti is actively helping customers apply the fix, and that the company is committed to delivering and maintaining secure products while following responsible disclosure practices.
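The CISA alert above describes the consequence a defender can watch for: an administrative account appearing on the management platform without a legitimate admin session behind it. The following is an added detection example, not code from the article, CISA or Ivanti. It runs over a constructed, hypothetical audit-log format (timestamp, source IP, event name, key=value fields) and flags admin-account creations that come from outside the allowlisted admin networks, carry no authenticated principal, or are not preceded by an admin login from the same source within a time window. Event names, field names and the sample lines are all assumptions made for the example; a real deployment would map them onto the management server's actual audit log.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Hypothetical audit-log line format (constructed for this example):
#   <ISO-8601 UTC timestamp> <source IP> <EVENT_NAME> key=value key=value ...
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<event>[A-Z_]+)(?P<kv>(?:\s+\S+=\S*)*)\s*$"
)

# Constructed sample: a normal admin creating an account after logging in,
# followed by an account creation from an unfamiliar internet address with
# no authenticated user and no prior login.
SAMPLE_LOG = """\
2023-07-12T08:01:10Z 10.0.5.20 ADMIN_LOGIN user=alice
2023-07-12T08:03:42Z 10.0.5.20 ADMIN_CREATE user=alice new_admin=bob
2023-07-12T21:17:05Z 203.0.113.77 ADMIN_CREATE user=- new_admin=svc_backup
2023-07-12T21:17:09Z 203.0.113.77 DEVICE_QUERY user=- count=1350
"""


def parse_line(line):
    """Parse one audit line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(pair.split("=", 1) for pair in m.group("kv").split())
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(
            tzinfo=timezone.utc
        ),
        "src": m.group("src"),
        "event": m.group("event"),
        **fields,
    }


def find_suspicious_admin_creations(log_text, admin_networks,
                                    login_window=timedelta(minutes=30)):
    """Return ADMIN_CREATE events that lack the context a legitimate one has.

    admin_networks: CIDR strings from which admin sessions are expected.
    login_window:   how far back to look for an ADMIN_LOGIN from the same source.
    """
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    allowed = [ipaddress.ip_network(n) for n in admin_networks]
    logins = [e for e in events if e["event"] == "ADMIN_LOGIN"]
    findings = []
    for e in events:
        if e["event"] != "ADMIN_CREATE":
            continue
        reasons = []
        src = ipaddress.ip_address(e["src"])
        if not any(src in net for net in allowed):
            reasons.append("source_outside_admin_networks")
        if e.get("user", "-") == "-":
            reasons.append("no_authenticated_principal")
        prior = [
            l for l in logins
            if l["src"] == e["src"] and timedelta(0) <= e["ts"] - l["ts"] <= login_window
        ]
        if not prior:
            reasons.append("no_prior_admin_login")
        if reasons:
            findings.append({
                "ts": e["ts"].isoformat(),
                "src": e["src"],
                "new_admin": e.get("new_admin"),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_admin_creations(SAMPLE_LOG, ["10.0.5.0/24"]):
        print(f)
```

On the sample log the first creation (by alice, from the admin subnet, three minutes after her login) is accepted, while the second (no user, internet source, no login) is reported with all three reasons. Each reason is independent on purpose: an account created by an authenticated admin from an unexpected network is still worth a ticket, and the allowlist alone would miss an unauthenticated creation from inside the admin subnet.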
However, Ivanti initially made details of the vulnerability available only behind a paywall and asked potentially affected customers to accept non-disclosure terms before sharing information. As of now, Ivanti's Knowledge Base article on the vulnerability still requires login credentials to access. In a brief public-facing alert, Ivanti acknowledged that only a limited number of customers had been impacted. The company declined to disclose the exact number of affected customers or whether any data had been exfiltrated as a result of the attacks.
Norway's NSM reported the attack on government ministry iPhones to the Norwegian Data Protection Authority (DPA), suggesting that sensitive data may have been extracted from the compromised systems. The full extent of the consequences of this zero-day vulnerability is yet to be determined, but organizations that fail to apply the patch remain at risk. According to Shodan, a search engine for publicly exposed devices, over 2,900 MobileIron portals, most of them in the United States, are currently exposed on the internet. Many organizations, including various U.S. and U.K. government departments, remain unpatched, as highlighted by cybersecurity researcher Kevin Beaumont.