A nation-state cyber group (not disclosed) is reportedly exploiting multiple vulnerabilities in Ivanti Cloud Service Appliance (CSA), including a zero-day flaw, to infiltrate networks and carry out malicious activities. These sophisticated attackers are leveraging three distinct security weaknesses in Ivanti CSA, aiming to establish unauthorized access and expand their control within compromised systems.
According to a report from Fortinet FortiGuard Labs, the cybercriminals utilized these flaws to gain unauthorized access to CSA, identify users within the appliance, and target their credentials. The attackers used chained vulnerabilities to penetrate networks, further complicating efforts to detect and mitigate their activity.
Key Ivanti CSA Vulnerabilities
The vulnerabilities being actively exploited include:
- CVE-2024-8190: A command injection flaw affecting the resource
/gsb/DateTimeTab.php
(CVSS score: 7.2). - CVE-2024-8963: A high-severity path traversal vulnerability targeting
/client/index.php
(CVSS score: 9.4). - CVE-2024-9380: An authenticated command injection flaw affecting the resource
/gsb/reports.php
(CVSS score: 7.2).
These vulnerabilities allow the attackers to achieve unauthorized control over critical components of the Ivanti CSA system. After exploiting these flaws, they accessed sensitive user credentials, specifically targeting admin-level accounts like gsbadmin
and admin
.
Exploitation Process and Web Shell Installation
In the next phase of their attack, the cyber adversaries leveraged the compromised credentials to launch an authenticated attack against the command injection flaw in /gsb/reports.php
, deploying a web shell known as “help.php” on the victim’s network. This web shell granted them persistent remote access and the ability to run additional malicious code, further entrenching their position within the network.
Notably, on September 10, 2024, when Ivanti publicly disclosed the CVE-2024-8190 vulnerability, the threat actors were still active in the compromised network. In an unusual move, they “patched” the exploited vulnerabilities themselves, making them unexploitable for other attackers. This tactic, while rare, is sometimes used by hackers to lock out competing intruders from the same compromised systems, ensuring they retain control without interference from other malicious actors.
This behavior highlights a concerning trend in the world of cyber espionage, where attackers take proactive steps to secure their foothold and prevent disruption to their operations.
Exploiting Additional Flaws: Ivanti EPM Vulnerability
The attackers were also found to be exploiting CVE-2024-29824, a critical vulnerability in Ivanti Endpoint Manager (EPM), following their breach of the Ivanti CSA appliance. This particular flaw enables attackers to remotely execute arbitrary commands by abusing the xp_cmdshell
stored procedure.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog in early October 2024, recognizing its active use in cyberattacks.
Advanced Tactics: DNS Tunneling and Rootkit Deployment
Once inside the compromised systems, the threat actors took additional steps to maintain long-term access and exfiltrate data. They created a new user account, mssqlsvc
, and executed various reconnaissance commands to gather sensitive information from the target environment. The data was exfiltrated using DNS tunneling, a covert technique that hides data within DNS requests, making detection more difficult.
Additionally, the attackers deployed a rootkit in the form of a Linux kernel object, named sysinitd.ko
, on the affected Ivanti CSA device. This rootkit provided kernel-level persistence, allowing the attackers to maintain control over the system even if the device was reset to factory settings. This level of persistence is highly concerning, as it suggests the attackers were preparing for long-term exploitation of the compromised systems.
Protecting Against Ivanti CSA Exploitation
Organizations using Ivanti CSA or EPM should immediately apply available security patches to mitigate the risks posed by these vulnerabilities. Given the sophistication of the attack, it’s also advisable to conduct thorough security audits, focusing on any unusual user activity, unauthorized network traffic, and potential indicators of DNS tunneling or rootkit deployment.
Security experts recommend that organizations implement robust intrusion detection systems (IDS), alongside enhanced monitoring of administrative accounts, to catch any signs of compromise early. By keeping systems up to date and employing layered security measures, businesses can significantly reduce the risk of falling victim to such advanced nation-state attacks.
Conclusion
This wave of attacks targeting Ivanti CSA underscores the evolving tactics of nation-state actors, who are becoming increasingly adept at exploiting vulnerabilities to gain deep access into corporate networks. The ability of these attackers to not only compromise critical infrastructure but also patch vulnerabilities to retain control highlights the need for proactive cybersecurity defenses.
As vulnerabilities like CVE-2024-8190, CVE-2024-8963, and CVE-2024-9380 continue to be exploited, organizations must remain vigilant and ensure they are following best practices for patch management, network monitoring, and user authentication. The battle between defenders and adversaries continues, with advanced attackers constantly adapting their strategies to exploit new weaknesses in the digital landscape.
Follow us on (Twitter) for real time updates and exclusive content.
Interesting Article : CISA Warns of Cyberattacks Targeting Unencrypted F5 BIG-IP Cookies