Ivanti CSA Flaws Used by Nation-State Hackers to Infiltrate Networks
A suspected nation-state group has been observed exploiting three security vulnerabilities in Ivanti Cloud Service Appliance (CSA) as zero-days to conduct a series of malicious operations.
The findings come from research by Fortinet FortiGuard Labs, which reported that the flaws were abused to gain unauthorized access to the CSA, enumerate the users configured on the appliance, and attempt to retrieve those users' credentials.
"Observers have seen advanced threats making use of and linking zero-day vulnerabilities to create initial access in the victim's network," said security researchers Faisal Abdul Malik Qureshi, John Simmons, Jared Betts, Luca Pugliese, Trent Healy, Ken Evans, and Robert Reyes.
The identified vulnerabilities are as follows –
- CVE-2024-8190 (CVSS score: 7.2) – A command injection flaw in the file /gsb/DateTimeTab.php
- CVE-2024-8963 (CVSS score: 9.4) – A path traversal flaw in the file /client/index.php
- CVE-2024-9380 (CVSS score: 7.2) – An authenticated command injection flaw affecting the file reports.php
Subsequently, the credentials of the gsbadmin and admin accounts were used to exploit the authenticated command injection flaw in /gsb/reports.php and plant a web shell ("help.php").
“On September 10, 2024, when the alert for CVE-2024-8190 was shared by Ivanti, the malicious actor, still active within the customer’s network, ‘fixed’ the command injection flaws in the files /gsb/DateTimeTab.php and /gsb/reports.php, blocking further exploitation.”
“Historically, threat actors have been known to fix vulnerabilities after using them and gaining a foothold in the victim’s network to prevent any other intruder from reaching the vulnerable assets and potentially disrupting their attack operations,” the Fortinet researchers added.
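For defenders reviewing CSA web-server logs, the chain described above leaves a recognizable sequence: a path-traversal request against /client/index.php, followed by requests to the two command-injection endpoints from the same source, and later requests for the dropped web shell help.php. The following script is an added example, not code from Fortinet, Ivanti, or the article; it assumes Common Log Format access logs, and the log lines, IP addresses and request parameters are constructed for illustration (the real request parameters are not on the page).

```python
"""Flag access-log lines consistent with the Ivanti CSA exploitation chain.

Added illustration; not Fortinet's or Ivanti's code. Assumes Apache/nginx
Common Log Format. Sample log lines below are constructed.
"""
import re
from collections import defaultdict, namedtuple

Finding = namedtuple("Finding", ["line_no", "src_ip", "rule", "target"])

# Endpoints named in the advisory. Only the path component is matched;
# the vulnerable parameter names are not assumed.
CMD_INJECTION_ENDPOINTS = ("/gsb/DateTimeTab.php", "/gsb/reports.php")
WEBSHELL_NAME = "help.php"  # file name reported for the dropped web shell

# Literal and percent-encoded "../" variants.
TRAVERSAL = re.compile(r"\.\.(/|%2f)|%2e%2e(/|%2f)", re.IGNORECASE)

# Minimal Common Log Format parser: client IP first, request in quotes.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def analyze(lines):
    """Return a list of Findings; unparseable lines are skipped."""
    findings = []
    traversal_seen = defaultdict(bool)  # src_ip -> has sent a traversal request
    for n, line in enumerate(lines, 1):
        m = LOG_LINE.match(line)
        if not m:
            continue
        ip, target = m.group("ip"), m.group("target")
        path = target.split("?", 1)[0]

        # Rule 1: any traversal sequence anywhere in the request target.
        if TRAVERSAL.search(target):
            traversal_seen[ip] = True
            findings.append(Finding(n, ip, "traversal", target))

        # Rule 2: a request for the reported web shell file name, in any directory.
        if path.rsplit("/", 1)[-1].lower() == WEBSHELL_NAME:
            findings.append(Finding(n, ip, "webshell", target))

        # Rule 3: the command-injection endpoints are legitimately used by
        # admins, so only flag them when the same source already sent a
        # traversal request (the chain's first step).
        if any(path.endswith(ep) for ep in CMD_INJECTION_ENDPOINTS) and traversal_seen[ip]:
            findings.append(Finding(n, ip, "cmdinj-after-traversal", target))
    return findings


# Constructed sample: one benign admin (203.0.113.5) and one suspicious client.
SAMPLE_LOG = [
    '203.0.113.5 - - [09/Sep/2024:10:00:01 +0000] "GET /client/index.php HTTP/1.1" 200 512',
    '198.51.100.7 - - [09/Sep/2024:10:01:13 +0000] "GET /client/index.php?p=../../ HTTP/1.1" 200 88',
    '198.51.100.7 - - [09/Sep/2024:10:01:20 +0000] "POST /gsb/DateTimeTab.php HTTP/1.1" 200 41',
    '198.51.100.7 - - [09/Sep/2024:10:02:05 +0000] "POST /gsb/reports.php HTTP/1.1" 200 41',
    '198.51.100.7 - - [09/Sep/2024:10:02:30 +0000] "GET /gsb/help.php HTTP/1.1" 200 17',
    '203.0.113.5 - - [09/Sep/2024:10:05:00 +0000] "POST /gsb/reports.php HTTP/1.1" 200 2048',
    'this line is not in log format and is skipped',
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.src_ip} {f.rule} {f.target}")
```

Rule 3 deliberately requires prior traversal from the same source: the admin's own report request on the last sample line is not flagged, while every request in the suspicious client's sequence is. In production the per-IP state should be keyed on a time window rather than held for the whole file.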
[Figure: SQLi vulnerability exploitation]
The attackers were also observed exploiting CVE-2024-29824, a severe SQL injection vulnerability affecting Ivanti Endpoint Manager (EPM), after compromising the internet-facing CSA device. Specifically, this involved enabling the xp_cmdshell stored procedure to achieve remote code execution.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog in early October 2024.
Among other activities, the attackers created a new user named mssqlsvc, ran reconnaissance commands, and exfiltrated the output of those commands via DNS tunneling using a PowerShell script. Notably, they also installed a rootkit as a Linux kernel module (sysinitd.ko) on the compromised CSA appliance.
“The likely motivation behind this was for the attackers to secure kernel-level persistence on the CSA tool, which might persist even after a factory reset,” stated the Fortinet researchers.
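DNS tunneling of command output, as described above, tends to show up in resolver logs as many unique, long, high-entropy subdomains under one registrable domain. The following script is an added example, not Fortinet's or Ivanti's code and not derived from the actor's PowerShell script; it assumes DNS query records with a client address and a query name, uses a naive "last two labels" notion of the base domain (a public suffix list should be used in practice), and the query records below are constructed.

```python
"""Heuristic detection of DNS-tunneling-style exfiltration in resolver logs.

Added illustration; not the page's or any vendor's code. Thresholds are
assumptions to be tuned per environment. Sample records are constructed.
"""
import math
from collections import defaultdict


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty or uniform string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def base_domain(qname):
    """Naive registrable domain: the last two labels. Assumption; real code
    should consult the public suffix list (e.g. co.uk)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def score_domains(records, min_unique=5, min_label_len=20, min_entropy=3.5):
    """Group queries by base domain and flag domains whose subdomains look
    like encoded data: many unique subdomains, long labels, high entropy."""
    per_base = defaultdict(lambda: {"subs": set(), "lens": [], "ents": [], "clients": set()})
    for rec in records:
        qname = rec["qname"].rstrip(".").lower()
        base = base_domain(qname)
        if qname == base:
            continue  # apex query, no subdomain to inspect
        sub = qname[: -len(base) - 1]
        longest = max(sub.split("."), key=len)
        st = per_base[base]
        st["subs"].add(sub)
        st["lens"].append(len(longest))
        st["ents"].append(shannon_entropy(longest))
        st["clients"].add(rec["client"])

    flagged = {}
    for base, st in per_base.items():
        n = len(st["subs"])
        avg_len = sum(st["lens"]) / len(st["lens"])
        avg_ent = sum(st["ents"]) / len(st["ents"])
        if n >= min_unique and avg_len >= min_label_len and avg_ent >= min_entropy:
            flagged[base] = {
                "unique_subdomains": n,
                "avg_label_len": round(avg_len, 1),
                "avg_entropy": round(avg_ent, 2),
                "clients": sorted(st["clients"]),
            }
    return flagged


# Constructed sample: ordinary queries to example.com, plus six queries whose
# leftmost label is a 32-character hex-looking chunk under example.net.
SAMPLE_QUERIES = [
    {"client": "10.0.0.5", "qname": "www.example.com"},
    {"client": "10.0.0.5", "qname": "mail.example.com"},
    {"client": "10.0.0.5", "qname": "cdn.example.com"},
    {"client": "10.0.0.5", "qname": "api.example.com"},
    {"client": "10.0.0.5", "qname": "login.example.com"},
    {"client": "10.0.0.23", "qname": "0123456789abcdeffedcba9876543210.exfil-test.example.net"},
    {"client": "10.0.0.23", "qname": "13579bdf02468acefedcba9876543210.exfil-test.example.net"},
    {"client": "10.0.0.23", "qname": "02468ace13579bdf0123456789abcdef.exfil-test.example.net"},
    {"client": "10.0.0.23", "qname": "abcdef01234567899876543210fedcba.exfil-test.example.net"},
    {"client": "10.0.0.23", "qname": "a1b2c3d4e5f60789f0e1d2c3b4a59687.exfil-test.example.net"},
    {"client": "10.0.0.23", "qname": "fedcba987654321002468ace13579bdf.exfil-test.example.net"},
]

if __name__ == "__main__":
    for base, info in score_domains(SAMPLE_QUERIES).items():
        print(base, info)
```

The benign example.com traffic has five unique subdomains too, so the unique-subdomain count alone is not enough; it is the combination with label length and entropy that separates encoded data from ordinary hostnames. CDN and anti-spam services legitimately produce long random-looking labels, so an allowlist of known base domains belongs in front of this check.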