An identified nation-state actor has been seen exploiting three security vulnerabilities in the Ivanti Cloud Service Appliance (CSA), including a zero-day, to execute various malicious actions.
This information comes from Fortinet FortiGuard Labs, which reported that the vulnerabilities allowed unauthorized access to the CSA, the ability to list users set up on the appliance, and efforts to access those users’ credentials.
“The sophisticated adversaries were noted for utilizing and chaining zero-day vulnerabilities to secure an initial foothold in the victim’s network,” stated security researchers Faisal Abdul Malik Qureshi, John Simmons, Jared Betts, Luca Pugliese, Trent Healy, Ken Evans, and Robert Reyes.
The vulnerabilities identified are:
- CVE-2024-8190 (CVSS score: 7.2) – A command injection flaw in the resource /gsb/DateTimeTab.php
- CVE-2024-8963 (CVSS score: 9.4) – A path traversal vulnerability affecting the resource /client/index.php
- CVE-2024-9380 (CVSS score: 7.2) – An authenticated command injection vulnerability related to the resource reports.php
In subsequent actions, the credentials linked to gsbadmin and admin were exploited to take advantage of the command injection vulnerability associated with the resource /gsb/reports.php, enabling the installation of a web shell (“help.php”).
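As an added illustration (not code from the Fortinet report or from Ivanti), a defender could triage the CSA web server's access log for requests to the three resources listed above and for the reported web shell name. The combined log format, the IP addresses, timestamps and query strings in the sample are assumed or constructed; a hit is a lead for investigation, not proof of compromise.

```python
import re
from urllib.parse import unquote

# Resources named in the Fortinet report. Administrators also use some of
# these pages legitimately, so each hit is a triage lead, not a verdict.
WATCHED = {
    "/gsb/DateTimeTab.php": "CVE-2024-8190 command injection",
    "/client/index.php": "CVE-2024-8963 path traversal",
    "/gsb/reports.php": "CVE-2024-9380 authenticated command injection",
}

# Assumed Apache/nginx combined log format for the appliance's web server.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def triage_line(line):
    """Return a finding dict for one access-log line, or None if nothing matched."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = unquote(m.group("target"))   # decode %2F, %2E etc. before matching
    path = target.split("?", 1)[0]
    reasons = []
    if path in WATCHED:
        reasons.append(WATCHED[path])
    if path.endswith("/help.php"):        # web shell name from the report; location unknown
        reasons.append("request to help.php (reported web shell name)")
    if path == "/client/index.php" and ".." in target:
        reasons.append("traversal sequence in request to /client/index.php")
    if not reasons:
        return None
    return {"ip": m.group("ip"), "ts": m.group("ts"), "method": m.group("method"),
            "path": path, "status": int(m.group("status")), "reasons": reasons}

def triage_log(lines):
    """Run triage_line over every line and keep only the findings."""
    return [f for f in (triage_line(line) for line in lines) if f]

# Constructed sample log; IPs, timestamps, query strings and the web shell path are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [09/Sep/2024:02:14:03 +0000] "GET /client/index.php?page=..%2F..%2Fx HTTP/1.1" 200 512
203.0.113.7 - - [09/Sep/2024:02:15:41 +0000] "POST /gsb/DateTimeTab.php HTTP/1.1" 200 88
203.0.113.7 - - [09/Sep/2024:02:20:09 +0000] "POST /gsb/reports.php HTTP/1.1" 200 3021
203.0.113.7 - - [09/Sep/2024:02:21:30 +0000] "POST /gsb/help.php HTTP/1.1" 200 64
198.51.100.5 - - [09/Sep/2024:08:00:00 +0000] "GET /gsb/index.php HTTP/1.1" 200 9123
""".splitlines()

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["method"], f["path"], "|", "; ".join(f["reasons"]))
```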
“On September 10, 2024, when Ivanti published the alert about CVE-2024-8190, the threat actor, still present in the customer’s network, ‘patched’ the command injection vulnerabilities in the resources /gsb/DateTimeTab.php and /gsb/reports.php, thus rendering them non-exploitable.”
“In previous incidents, threat actors have been observed to patch vulnerabilities after exploiting them to maintain their position in the victim’s network, preventing other intruders from accessing the vulnerable assets and interfering with their attack plans.”
The attackers were also found to be exploiting CVE-2024-29824, a critical vulnerability affecting the Ivanti Endpoint Manager (EPM), after compromising the internet-facing CSA appliance. This included enabling the xp_cmdshell stored procedure to facilitate remote code execution.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2024-29824 to its Known Exploited Vulnerabilities (KEV) catalog during the first week of October 2024.
Other malicious activity included creating a new user named mssqlsvc, running reconnaissance commands, and exfiltrating the results via DNS tunneling implemented in PowerShell code. Notably, a rootkit in the form of a Linux kernel object (sysinitd.ko) was deployed on the compromised CSA device.
“The likely intention behind this was for the threat actor to establish kernel-level persistence on the CSA device, potentially remaining effective even after a factory reset,” according to Fortinet researchers.