A suspected adversary nation-state has been observed exploiting three zero-day security flaws in the Ivanti Cloud Service Appliance (CSA) to perform a series of malicious actions.
This follows findings from Fortinet’s FortiGuard Labs, which said the vulnerabilities were used to gain unauthenticated access to the CSA, enumerate the users configured on the device, and attempt to gain access to those users’ credentials.
“Advanced adversaries have been observed exploiting and combining zero-day vulnerabilities to establish access to a foothold on a victim’s network,” security researchers Faisal Abdul Malik Qureshi, John Simmons, Jared Betts, Luca Pugliese, Trent Healy, Ken Evans, and Robert Reyes said.
The disadvantages considered are listed below –
- CVE-2024-8190 (CVSS Score: 7.2) – Error injecting command into resource /gsb/DateTimeTab.php
- CVE-2024-8963 (CVSS Score: 9.4) – Path traversal vulnerability in /client/index.php
- CVE-2024-9380 (CVSS Score: 7.2) – Authenticated command vulnerability affecting the reports.php resource
In the next step, the stolen credentials associated with gsbadmin and admin were used to authenticate exploit a command injection vulnerability affecting the /gsb/reports.php resource to delete the web shell (“help.php”).
“On September 10, 2024, when Ivanti published the advisory for CVE-2024-8190, a threat actor still active on the customer’s network ‘patched’ command injection vulnerabilities in the /gsb/DateTimeTab.php and /gsb/reports resources.” php, making them unusable.”
“In the past, threat actors have been seen patching vulnerabilities after they have exploited them and entrenched themselves in the victim’s network to prevent any other attacker from accessing the vulnerable assets and potentially interfering with their attack. “
 |
| Exploitation of SQLi vulnerability |
Unknown attackers were also found in the abuse CVE-2024-29824critical flaw affecting Ivanti Endpoint Manager (EPM) after a CSA appliance is compromised with Internet access. In particular, this included inclusion xp_cmdshell stored procedure to achieve remote code execution.
It should be noted that the US Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Catalog of Known Vulnerabilities (KEV) in the first week of October 2024.
Some of the other actions included creating a new user called mssqlsvc, executing intelligence commands, and exfiltrating the results of those commands using a technique known as DNS tunneling using PowerShell code. Also of note is the deployment of a rootkit as a Linux kernel object (sysinitd.ko) on a compromised CSA device.
“This was likely motivated by the threat actor maintaining a kernel-level persistence on the CSA device that can survive even a factory reset,” the Fortinet researchers said.
