One IP, Big Impact: Ivanti Endpoint Manager Mobile Exploited

  • Feb 10
  • 2 min read

Ivanti Endpoint Manager Mobile is a security management platform for businesses and government agencies. As the name suggests, it manages the mobile devices connected to an organisation's network infrastructure. Covering security, access control, and application management, Ivanti Endpoint Manager Mobile lets institutions handle mobile devices efficiently.

Because of its importance to IT infrastructure, Ivanti Endpoint Manager Mobile has been a target of attacks. Attackers look for vulnerabilities in the platform that enable different types of exploits.

 

Recently, GreyNoise published a threat signal about attacks targeting Ivanti Endpoint Manager Mobile. According to the threat report, GreyNoise “observed active exploitation of two critical Ivanti Endpoint Manager Mobile vulnerabilities…”

This attack is unusual in several ways, both in how brazen it is and in its purpose.

 

From a Single IP Address

 

Cyber attacks often come from many IP addresses. In a DDoS attack, traffic from many addresses floods a website to shut it down. Vulnerability exploitation is usually spread across many addresses too, because that lets the attacker evade blocking.

The attack on Ivanti Endpoint Manager Mobile stands out because 83% of the attack traffic came from a single IP address. That address (193.24.123.42) is a Russian IP geolocated to Saint Petersburg. The actors behind the attack are unknown, but it is notable that such a brazen attack originates from Russia.

Shouldn’t security companies flag it as suspicious when most of an attack comes from a single IP address?

 

Not Listed in IOC

 

A single rogue IP address attacking Ivanti Endpoint Manager Mobile should have been flagged long ago. However, the address was not listed in any IOC (Indicator of Compromise) feed. Many security agencies and institutions that harden their online security rely on IOC lists to block well-known exploits.

Unfortunately, the IP address is not on those lists, and no Ivanti-related threat had been logged as an IOC either, which suggests that even security companies were not aware of the threat to Ivanti.
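The two observations above, a single source sending most of the traffic and that source being absent from IOC feeds, can be turned into a simple detection. The following is an added example, not code from the original post or from GreyNoise: it parses access-log lines in a common-log-format layout (an assumption; adapt the regex to whatever your proxy or appliance emits), computes how much of the traffic the busiest source accounts for, and checks that source against a block list. The IP 193.24.123.42 is the address named in the post; every other address is from the RFC 5737 documentation ranges, and the timestamps, the path `/example/endpoint` and the `IOC_BLOCK_LIST` contents are constructed placeholders.

```python
"""Added example (not from the original post): flag a source IP that dominates
traffic to an endpoint, then check whether it appears on an IOC block list."""
import re
from collections import Counter

# One line of a common-log-format access log. The format is an assumption for this
# example; adapt the pattern to whatever your reverse proxy or appliance emits.
LOG_RE = re.compile(
    r'^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample log: 193.24.123.42 is the address named in the post; the other
# addresses come from the RFC 5737 documentation ranges, and the timestamps and the
# path /example/endpoint are placeholders, not a real Ivanti EPMM URL.
SAMPLE_LOG = """\
193.24.123.42 - - [10/Feb/2025:10:00:01 +0000] "GET /example/endpoint HTTP/1.1" 401 0
193.24.123.42 - - [10/Feb/2025:10:00:02 +0000] "POST /example/endpoint HTTP/1.1" 401 0
193.24.123.42 - - [10/Feb/2025:10:00:03 +0000] "GET /example/endpoint HTTP/1.1" 404 153
193.24.123.42 - - [10/Feb/2025:10:00:04 +0000] "POST /example/endpoint HTTP/1.1" 401 0
193.24.123.42 - - [10/Feb/2025:10:00:05 +0000] "GET /example/endpoint HTTP/1.1" 401 0
198.51.100.23 - - [10/Feb/2025:10:00:06 +0000] "GET /login HTTP/1.1" 200 2048
193.24.123.42 - - [10/Feb/2025:10:00:07 +0000] "POST /example/endpoint HTTP/1.1" 401 0
193.24.123.42 - - [10/Feb/2025:10:00:08 +0000] "GET /example/endpoint HTTP/1.1" 401 0
203.0.113.7 - - [10/Feb/2025:10:00:09 +0000] "GET /login HTTP/1.1" 200 2048
193.24.123.42 - - [10/Feb/2025:10:00:10 +0000] "POST /example/endpoint HTTP/1.1" 401 0
193.24.123.42 - - [10/Feb/2025:10:00:11 +0000] "GET /example/endpoint HTTP/1.1" 404 153
193.24.123.42 - - [10/Feb/2025:10:00:12 +0000] "POST /example/endpoint HTTP/1.1" 401 0
"""

# Constructed IOC block list. It deliberately does not contain 193.24.123.42,
# mirroring the post's point that the address was absent from IOC feeds.
IOC_BLOCK_LIST = {"203.0.113.7", "192.0.2.99"}


def parse_log(text):
    """Parse access-log text into a list of dicts; unparseable lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def source_concentration(records):
    """Return (top_ip, share): the busiest source and its fraction of all requests."""
    counts = Counter(r["ip"] for r in records)
    if not counts:
        return None, 0.0
    ip, n = counts.most_common(1)[0]
    return ip, n / len(records)


def assess(log_text, ioc_list, threshold=0.5):
    """Combine both checks into one finding an analyst could act on.

    'concentrated' is true when one source sends at least `threshold` of the
    traffic; 'in_ioc_list' says whether that source was already a known IOC;
    'error_ratio' is the share of that source's requests that drew a 4xx status,
    a secondary hint that it is probing rather than using the service. A source
    that is concentrated but not on any IOC list is exactly the gap the post
    describes, so it is reported as 'new_suspect'.
    """
    records = parse_log(log_text)
    ip, share = source_concentration(records)
    top_records = [r for r in records if r["ip"] == ip]
    errors = sum(1 for r in top_records if r["status"].startswith("4"))
    error_ratio = errors / len(top_records) if top_records else 0.0
    concentrated = share >= threshold
    known = ip in ioc_list
    return {
        "top_ip": ip,
        "share": round(share, 2),
        "requests": len(records),
        "concentrated": concentrated,
        "in_ioc_list": known,
        "error_ratio": round(error_ratio, 2),
        "new_suspect": concentrated and not known,
    }


if __name__ == "__main__":
    # On the constructed log this reports 193.24.123.42 at an 83% share (10 of 12
    # requests), all of them 4xx, and absent from the block list: a new suspect.
    print(assess(SAMPLE_LOG, IOC_BLOCK_LIST))
```

The 50% threshold is an arbitrary starting point; in practice you would scope the count to a sensitive endpoint and a time window rather than a whole log, and feed a `new_suspect` result into your own block list instead of waiting for it to show up in someone else's IOC feed.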

 

Bulletproof Hosting Services - Hard But Not Impossible to Take Down

 

Besides being largely unknown, the IP address is hosted on a “Bulletproof Hosting Service” (BHS) to avoid takedown. It may seem untouchable, but in reality it isn’t. BHS is used for cyberattacks because a simple takedown request is not enough to shut it down.

A BHS provider will not comply with requests to take an address down, or even with legal demands to do so.

Companies targeted through BHS often work with government agencies and other institutions to try to shut the host down. Cutting off the provider’s funding and technical resources are two of the most effective ways to deal with the problem.

 

Updating Security Parameters and More

 

Standard security controls should block malicious IP addresses from reaching Ivanti Endpoint Manager Mobile vulnerabilities. Keeping security features and firmware up to date should also be standard practice to prevent future attacks. Fortunately, an IP address on BHS is not unblockable; it is just harder to take down.

 
 
 
