Nation-State Threat Actors Exploit Ivanti CSA Zero-Day Vulnerabilities

October 14, 2024

Three zero-day vulnerabilities in Ivanti's Cloud Services Appliance (CSA) were chained by a skilled attacker to breach a target network and carry out malicious activity there. Based on the sophistication of the intrusion, researchers assess that the systems are being actively targeted by a suspected nation-state actor.

Fortinet's FortiGuard Labs, which published the findings, cautioned that any organization running Ivanti CSA version 4.6 or earlier without the relevant patches is exposed to this form of attack. The disclosure of the attack chain coincides with Ivanti's disclosure of several other security vulnerabilities in CSA that are also being actively exploited.

According to Fortinet's report, "The advanced adversaries were observed exploiting and chaining zero-day vulnerabilities to establish beachhead access in the victim's network." The point of the chain is that no single flaw was sufficient on its own: the path traversal supplied the access that made the command injection flaws reachable, and together they gave the attackers an initial foothold in the victim's network.

The three CSA vulnerabilities used in the attack are a command injection flaw in the /gsb/DateTimeTab.php resource (CVE-2024-8190), a critical path traversal vulnerability in the /client/index.php resource (CVE-2024-8963), and an unauthenticated command injection vulnerability in /gsb/reports.php (CVE-2024-9380).

After gaining initial access through the path traversal bug, the threat group exploited the command injection flaw in reports.php to drop a web shell. From there, the researchers noted, they exploited a separate SQL injection flaw, CVE-2024-29824 in Ivanti Endpoint Manager (EPM), to execute commands remotely on the backend SQL Server (SQLS) host.
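The order of operations above (traversal against /client/index.php, then requests to the command-injection resources) is something a defender can look for in the appliance's web server logs. The script below is an added example written for this article; it is not Fortinet's code or Ivanti's, and it assumes an Apache-style "combined" access log layout, which may not match the real appliance logs. The sample log lines are constructed, and the traversal payloads in them are illustrative rather than the actual exploit requests. It is a heuristic: it decodes percent-encoding twice to catch double-encoded `..` sequences, but obfuscation it does not anticipate will slip past it, and hits on reports.php or DateTimeTab.php without a preceding traversal may simply be an administrator, so those are reported for review rather than flagged as a chain.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Resources named in the article (paths as quoted from the FortiGuard report).
TRAVERSAL_RESOURCE = "/client/index.php"                 # CVE-2024-8963
INJECTION_RESOURCES = ("/gsb/datetimetab.php",           # CVE-2024-8190
                       "/gsb/reports.php")               # CVE-2024-9380

# Assumed log layout: Apache/NCSA "combined" format. Adjust LOG_RE for the real appliance logs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)
DOTDOT_RE = re.compile(r"(^|/)\.\.(/|$)")


def normalize(path: str) -> str:
    """Percent-decode twice (double encoding is a routine filter bypass),
    drop the query string and lower-case for comparison."""
    decoded = unquote(unquote(path))
    return decoded.split("?", 1)[0].lower()


def classify(path: str):
    """Return 'traversal', 'injection_target' or None for one request path."""
    p = normalize(path)
    if TRAVERSAL_RESOURCE in p and DOTDOT_RE.search(p):
        return "traversal"
    if any(p.endswith(r) for r in INJECTION_RESOURCES):
        return "injection_target"
    return None


def find_suspicious(lines):
    """Group classified requests by source IP. 'chain' is True when the IP
    issued a traversal request and later hit one of the command-injection
    resources, which matches the order of operations in the report."""
    per_ip = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        kind = classify(m.group("path"))
        if kind:
            per_ip[m.group("ip")].append(
                (m.group("ts"), kind, m.group("path"), m.group("status")))
    report = {}
    for ip, events in per_ip.items():
        kinds = [e[1] for e in events]
        chain = "traversal" in kinds and "injection_target" in kinds[kinds.index("traversal"):]
        report[ip] = {"chain": chain, "events": events}
    return report


# Constructed sample log lines; the traversal payloads are illustrative, not the actual exploit.
SAMPLE_LOG = """\
203.0.113.10 - - [09/Sep/2024:10:00:01 +0000] "GET /client/index.php/../gsb/DateTimeTab.php HTTP/1.1" 200 512
203.0.113.10 - - [09/Sep/2024:10:00:03 +0000] "POST /gsb/reports.php HTTP/1.1" 200 77
203.0.113.11 - - [09/Sep/2024:10:02:10 +0000] "GET /client/index.php/%252e%252e/gsb/reports.php HTTP/1.1" 200 498
203.0.113.11 - - [09/Sep/2024:10:02:12 +0000] "POST /gsb/DateTimeTab.php HTTP/1.1" 200 63
198.51.100.7 - - [09/Sep/2024:10:05:00 +0000] "GET /gsb/reports.php HTTP/1.1" 200 4120
192.0.2.4 - - [09/Sep/2024:10:06:00 +0000] "GET /client/index.php HTTP/1.1" 200 1024
"""

if __name__ == "__main__":
    for ip, info in find_suspicious(SAMPLE_LOG.splitlines()).items():
        label = "CHAIN" if info["chain"] else "review"
        print(f"{label:6} {ip}")
        for ts, kind, path, status in info["events"]:
            print(f"       {ts} {kind:16} {status} {path}")
```

Run against the constructed sample, the two 203.0.113.x sources are flagged as chains (the second one only because of the double decoding), 198.51.100.7 is listed for review, and the ordinary request to /client/index.php is ignored. On a real appliance the same idea applies, but the log path, format and any additional indicators should come from Ivanti's and Fortinet's published guidance rather than from this script.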

After Ivanti published its advisory for the command injection flaw, the attack group took steps to stop other adversaries from exploiting the same vulnerabilities. "On September 10, 2024, when the advisory for CVE-2024-8190 was published by Ivanti, the threat actor, still active in the customer's network, 'patched' the command injection vulnerabilities in the resources /gsb/DateTimeTab.php, and /gsb/reports.php, making them unexploitable," the FortiGuard Labs team noted in the report.

Threat actors have previously been observed patching vulnerabilities after exploiting them, to keep other intruders off the compromised assets and to avoid having their own operations disrupted. In this case, analysts believe the group also used more advanced techniques to retain access, including DNS tunneling launched via PowerShell and a Linux kernel object (.ko) rootkit dropped on the compromised CSA system. Fortinet's researchers suggested that the likely motive was kernel-level persistence on the CSA device that could survive even a factory reset. The practical consequence for defenders is that an appliance suspected of compromise should be rebuilt from a known-good image rather than patched in place.
