Nation-State Threat Actors Target Ivanti CSA Vulnerabilities for Network Breaches

Nation-State Threat Actors Exploit Ivanti Cloud Service Appliance Vulnerabilities

Date: October 14, 2024
Author: Ravie Lakshmanan
Category: Network Security / Vulnerability

In a concerning development for cybersecurity, a suspected nation-state adversary has been observed exploiting multiple vulnerabilities in the Ivanti Cloud Service Appliance (CSA). These vulnerabilities, including a zero-day flaw, have enabled the attackers to execute a series of malicious actions, raising alarms among security professionals and organizations relying on Ivanti’s services.

The Threat Landscape

According to a recent report from Fortinet FortiGuard Labs, the vulnerabilities in question have been weaponized to gain unauthorized access to the CSA, allowing attackers to enumerate users configured within the appliance and attempt to access their credentials. This sophisticated attack highlights the evolving tactics of advanced adversaries who are increasingly targeting critical infrastructure and enterprise applications.

Key Findings from Fortinet

The research team at Fortinet, comprising Faisal Abdul Malik Qureshi, John Simmons, Jared Betts, Luca Pugliese, Trent Healy, Ken Evans, and Robert Reyes, noted that these advanced adversaries were observed chaining zero-day vulnerabilities to establish a foothold within the victim’s network. This method of attack underscores the need for organizations to remain vigilant and proactive in their cybersecurity measures.

The Vulnerabilities Exploited

The vulnerabilities exploited in this attack are as follows:

  1. CVE-2024-8190 (CVSS score: 7.2) – A command injection flaw located in the resource /gsb/DateTimeTab.php.
  2. CVE-2024-8963 (CVSS score: 9.4) – A critical path traversal vulnerability affecting the resource /client/index.php.
  3. CVE-2024-9380 (CVSS score: 7.2) – An authenticated command injection vulnerability impacting the resource /reports.php.

These vulnerabilities allowed the attackers to perform a series of actions, including stealing credentials associated with administrative accounts like gsbadmin and admin. With these credentials, the attackers exploited the command injection vulnerability in /gsb/reports.php to deploy a web shell, enabling further malicious activities.
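As an added illustration (not part of the article and not Fortinet's or Ivanti's tooling), the following Python script scans web-server access log lines for requests to the CSA resources named above and flags traversal sequences or shell metacharacters in the request. The log lines, source addresses and parameter names are constructed for the example; the combined log format is assumed.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# CSA resources named in the article (the article lists the third one both as
# /reports.php and /gsb/reports.php, so both spellings are watched).
WATCHED = {
    "/gsb/DateTimeTab.php": "CVE-2024-8190 (command injection)",
    "/client/index.php":    "CVE-2024-8963 (path traversal)",
    "/gsb/reports.php":     "CVE-2024-9380 (authenticated command injection)",
    "/reports.php":         "CVE-2024-9380 (authenticated command injection)",
}

# Assumed: Apache/NGINX combined log format. Only GET query strings are
# visible here; a payload sent in a POST body never reaches the access log.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
TRAVERSAL = re.compile(r'\.\./|\.\.\\')
SHELL_META = re.compile(r'[;|&`$\n]')

def decode(value, rounds=2):
    """Percent-decode repeatedly so double-encoded input is also normalised."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def triage(lines):
    """Return one finding per suspicious request to a watched CSA resource."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        path = decode(parts.path)
        cve = next((c for p, c in WATCHED.items()
                    if path == p or path.startswith(p + "/")), None)
        if cve is None:
            continue                      # not one of the watched resources
        reasons = []
        if TRAVERSAL.search(path):
            reasons.append("traversal sequence in path")
        for key, value in parse_qsl(parts.query, keep_blank_values=True):
            if SHELL_META.search(decode(value)):
                reasons.append(f"shell metacharacter in parameter {key!r}")
        if reasons:
            findings.append({"ip": m["ip"], "path": path, "cve": cve,
                             "status": int(m["status"]), "reasons": reasons})
    return findings

# Constructed sample log lines: one benign report request, one traversal
# attempt via /client/index.php, one metacharacter in a DateTimeTab.php parameter.
LOG_LINES = [
    '192.0.2.10 - - [10/Sep/2024:08:00:01 +0000] "GET /gsb/reports.php?type=daily&range=7 HTTP/1.1" 200 2048',
    '203.0.113.7 - - [10/Sep/2024:08:01:12 +0000] "GET /client/index.php/%2e%2e/%2e%2e/gsb/ HTTP/1.1" 200 300',
    '203.0.113.7 - - [10/Sep/2024:08:01:40 +0000] "GET /gsb/DateTimeTab.php?tz=UTC%3Bid HTTP/1.1" 200 512',
    '198.51.100.5 - - [10/Sep/2024:08:02:03 +0000] "GET /index.php HTTP/1.1" 200 100',
]
```

Because only the query string is logged, a command injection delivered in a POST body would not be caught this way; correlate with the appliance's own application logs or a request-body-aware proxy for that case.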

The Attack Sequence

On September 10, 2024, shortly after the advisory for CVE-2024-8190 was published, the threat actor, still active within the victim’s network, took the unusual step of "patching" the command injection vulnerabilities they had already exploited. This tactic is not uncommon among threat actors, who may seek to eliminate the possibility of other intruders exploiting the same vulnerabilities, thereby securing their foothold in the compromised network.

Further Compromises: Ivanti Endpoint Manager

In addition to exploiting vulnerabilities in the CSA, the attackers were also found to be abusing CVE-2024-29824, a critical flaw in the Ivanti Endpoint Manager (EPM). After compromising the internet-facing CSA appliance, the attackers enabled the xp_cmdshell stored procedure, giving them remote code execution. With that access they conducted further reconnaissance and exfiltrated sensitive data.

CISA’s Response

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recognized the severity of these vulnerabilities, adding them to its Known Exploited Vulnerabilities (KEV) catalog in early October 2024. This inclusion serves as a critical alert for organizations to prioritize patching and securing their systems against these threats.

Attackers’ Techniques and Objectives

The attackers employed various techniques to maintain persistence and control over the compromised CSA device. They created a new user account named mssqlsvc, executed reconnaissance commands, and exfiltrated the results using DNS tunneling via PowerShell. Notably, they deployed a rootkit in the form of a Linux kernel object (sysinitd.ko), likely to ensure kernel-level persistence that could survive even a factory reset.

Fortinet researchers suggest that the attackers’ motive was to maintain a long-term presence on the CSA device, allowing them to execute further attacks or gather intelligence without detection.

Conclusion

The exploitation of vulnerabilities in the Ivanti Cloud Service Appliance serves as a stark reminder of the persistent threats posed by advanced adversaries, particularly nation-state actors. Organizations must remain vigilant, continuously monitor their systems, and apply timely patches to mitigate the risks associated with such vulnerabilities. As the cybersecurity landscape evolves, proactive measures and a robust security posture are essential to defend against these sophisticated attacks.
