Nation-State Attackers Exploiting Ivanti CSA Flaws for Network Infiltration

Avatar
A suspected nation-state adversary has been observed weaponizing three security flaws in Ivanti Cloud Service Appliance (CSA) a zero-day to perform a series of malicious actions. That’s according to findings from Fortinet FortiGuard Labs, which said the vulnerabilities were abused to gain unauthenticated access to the CSA, enumerate users configured in the appliance, and attempt to access the
[[{“value”:”

A suspected nation-state adversary has been observed weaponizing three security flaws in Ivanti Cloud Service Appliance (CSA) a zero-day to perform a series of malicious actions.

That’s according to findings from Fortinet FortiGuard Labs, which said the vulnerabilities were abused to gain unauthenticated access to the CSA, enumerate users configured in the appliance, and attempt to access the credentials of those users.

“The advanced adversaries were observed exploiting and chaining zero-day vulnerabilities to establish beachhead access in the victim’s network,” security researchers Faisal Abdul Malik Qureshi, John Simmons, Jared Betts, Luca Pugliese, Trent Healy, Ken Evans, and Robert Reyes said.

The flaws in question are listed below –

CVE-2024-8190 (CVSS score: 7.2) – A command injection flaw in the resource /gsb/DateTimeTab.php
CVE-2024-8963 (CVSS score: 9.4) – A path traversal vulnerability on the resource /client/index.php
CVE-2024-9380 (CVSS score: 7.2) – An authenticated command injection vulnerability affecting the resource reports.php

In the next stage, the stolen credentials associated with gsbadmin and admin were used to perform authenticated exploitation of the command injection vulnerability affecting the resource /gsb/reports.php in order to drop a web shell (“help.php”).

“On September 10, 2024, when the advisory for CVE-2024-8190 was published by Ivanti, the threat actor, still active in the customer’s network, ‘patched’ the command injection vulnerabilities in the resources /gsb/DateTimeTab.php, and /gsb/reports.php, making them unexploitable.”

“In the past, threat actors have been observed to patch vulnerabilities after having exploited them, and gained foothold into the victim’s network, to stop any other intruder from gaining access to the vulnerable asset(s), and potentially interfering with their attack operations.”

SQLi vulnerability exploitation

The unknown attackers have also been identified abusing CVE-2024-29824, a critical flaw impacting Ivanti Endpoint Manager (EPM), after compromising the internet-facing CSA appliance. Specifically, this involved enabling the xp_cmdshell stored procedure to achieve remote code execution.

It’s worth noting that the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog in the first week of October 2024.

Some of the other activities included creating a new user called mssqlsvc, running reconnaissance commands, and exfiltrating the results of those commands via a technique known as DNS tunneling using PowerShell code. Also of note is the deployment of a rootkit in the form of a Linux kernel object (sysinitd.ko) on the compromised CSA device.

“The likely motive behind this was for the threat actor to maintain kernel-level persistence on the CSA device, which may survive even a factory reset,” Fortinet researchers said.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

“}]] The Hacker News 

Total
0
Shares
Previous Post

5 Steps to Boost Detection and Response in a Multi-Layered Cloud

Next Post

Iran-linked hackers increasingly spy on governments in Gulf region, researchers say

Related Posts

AndroxGh0st Malware Integrates Mozi Botnet to Target IoT and Cloud Services

The threat actors behind the AndroxGh0st malware are now exploiting a broader set of security flaws impacting various internet-facing applications, while also deploying the Mozi botnet malware. "This botnet utilizes remote code execution and credential-stealing methods to maintain persistent access, leveraging unpatched vulnerabilities to infiltrate critical infrastructures," CloudSEK said in a
Avatar
Read More