Bypass Record

Exploitation for Priv-Esc × Ivanti MobileIron Sentry

A publicly-reported instance of Exploitation for Priv-Esc bypassing Ivanti MobileIron Sentry, recorded with its original source. Factual record; no assessment of any specific deployment.

Product: Ivanti MobileIron Sentry
Technique: Exploitation for Priv-Esc
MITRE ATT&CK: T1068
Confidence: High
Severity: Critical
Status: in the wild
Disclosed: 2024-02-28
Config / version noted: Not stated

Provenance

Reported as

exploited CVE-2023-38035, an authentication bypass in Ivanti MobileIron Sentry leading to remote code execution as root

Mechanism

Attackers exploited CVE-2023-38035, an authentication bypass in Ivanti MobileIron Sentry leading to remote code execution as root, to gain initial access. They deployed web shells and remote access tools, moved laterally across networks, and coordinated ransomware deployment on workstations and virtualization infrastructure (ESXi/Hyper-V) within a five-minute window.

Detection & mitigation

Monitor /var/log/portal_access_log for status 200 requests to /mics/services/MICSLogService. Deploy endpoint detection rules for web shell creation and unusual process execution from web server processes. Ensure timely patching of internet-facing appliances.
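The first detection note above, turned into a small log check. This is an added example, not from the cited source: it assumes the access log uses the common NCSA/Apache combined layout (the real portal_access_log format is not given on this page, so the regex may need adjusting), and the sample lines are constructed with documentation IP ranges.

```python
import re

# Assumed layout: NCSA combined format. Adjust if the appliance writes
# /var/log/portal_access_log differently (assumption, not from the source).
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Endpoint named in the detection guidance for CVE-2023-38035.
WATCHED_PATH = "/mics/services/MICSLogService"

# Constructed sample lines (not real traffic); two should be flagged:
# the 401 is not a successful request and /login.jsp is unrelated.
SAMPLE_LOG = [
    '203.0.113.10 - - [27/Feb/2024:10:15:02 +0000] "POST /mics/services/MICSLogService HTTP/1.1" 200 512',
    '203.0.113.11 - - [27/Feb/2024:10:15:05 +0000] "GET /mics/services/MICSLogService HTTP/1.1" 401 0',
    '198.51.100.7 - - [27/Feb/2024:10:16:00 +0000] "GET /login.jsp HTTP/1.1" 200 2048',
    '203.0.113.10 - - [27/Feb/2024:10:17:44 +0000] "POST /mics/services/MICSLogService?wsdl HTTP/1.1" 200 1024',
    'garbage line that does not parse',
]


def parse_line(line):
    """Return the parsed fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def flag_lines(lines):
    """Return every parsed request to WATCHED_PATH that got an HTTP 200.

    The query string is ignored when matching the path, so '/...?wsdl' counts.
    A hit means 'look at this', not 'confirmed compromise': correlate the
    client address, timing and any follow-on web shell or process activity.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparseable lines rather than crash the sweep
        path = rec["path"].split("?", 1)[0]
        if path == WATCHED_PATH and rec["status"] == "200":
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for h in flag_lines(SAMPLE_LOG):
        print(f'{h["ts"]} {h["client"]} {h["method"]} {h["path"]} -> {h["status"]}')
```

Run it against a copied log with `flag_lines(open(path).read().splitlines())`; the hits are then pivot points for the web shell and process-execution rules mentioned above.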

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.