A suspected nation-state group has been actively exploiting three critical vulnerabilities in Ivanti Cloud Service Appliance (CSA), including a zero-day flaw, to infiltrate targeted networks, according to research from Fortinet FortiGuard Labs. These security flaws were weaponized to gain unauthorized access to the CSA, enumerate users, and attempt to steal their credentials.
Fortinet researchers Faisal Abdul Malik Qureshi, John Simmons, Jared Betts, Luca Pugliese, Trent Healy, Ken Evans, and Robert Reyes revealed that the attackers chained multiple zero-day vulnerabilities to establish a foothold in victim networks, using the compromised credentials to further exploit the system.
Vulnerabilities Being Exploited
The vulnerabilities being abused by the attackers are as follows:
- CVE-2024-8190 (CVSS score: 7.2) – A command injection flaw found in /gsb/DateTimeTab.php
- CVE-2024-8963 (CVSS score: 9.4) – A path traversal vulnerability affecting /client/index.php
- CVE-2024-9380 (CVSS score: 7.2) – An authenticated command injection vulnerability in reports.php
Once the credentials of privileged users like gsbadmin and admin were compromised, the attackers leveraged a command injection vulnerability in /gsb/reports.php to deploy a web shell (“help.php”), enabling deeper network access.
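The chain described above leaves a recognizable trace in the appliance's web access log: one client touching the path traversal endpoint and then one of the command injection endpoints, or any request for the web shell file name. The following triage script is an added example (not from Fortinet or Ivanti) that scans constructed Apache-style log lines for exactly that pattern; the log format, the sample addresses, and the assumption that help.php can sit in any directory are mine.

```python
import re
from collections import defaultdict

# Endpoints named in the report, keyed to the CVE they were abused through.
EXPLOITED_PATHS = {
    "/gsb/DateTimeTab.php": "CVE-2024-8190 command injection",
    "/client/index.php": "CVE-2024-8963 path traversal",
    "/gsb/reports.php": "CVE-2024-9380 authenticated command injection",
}
TRAVERSAL = "/client/index.php"
WEBSHELL = "help.php"  # directory not given in the report, so match on file name

# Combined log format (assumed): client - - [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse(line):
    """Return a dict for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # ignore query string
    return rec

def analyze(lines):
    """Return (ip, reason) findings; log lines are assumed chronological."""
    per_ip = defaultdict(list)  # ip -> [(line_index, path)]
    findings = []
    for idx, rec in enumerate(map(parse, lines)):
        if rec is None:
            continue
        if rec["path"].rsplit("/", 1)[-1] == WEBSHELL:
            findings.append((rec["ip"], f"request to web shell {rec['path']}"))
        if rec["path"] in EXPLOITED_PATHS:
            per_ip[rec["ip"]].append((idx, rec["path"]))
    for ip, hits in per_ip.items():
        # /client/index.php alone is normal traffic; flag only the chain.
        first_trav = next((i for i, p in hits if p == TRAVERSAL), None)
        if first_trav is None:
            continue
        later = sorted({EXPLOITED_PATHS[p] for i, p in hits
                        if i > first_trav and p != TRAVERSAL})
        if later:
            findings.append((ip, "traversal endpoint then " + "; ".join(later)))
    return findings

# Constructed sample log: one chained actor, one benign client.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2024:10:01:02 +0000] "GET /client/index.php HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Oct/2024:10:01:09 +0000] "POST /gsb/DateTimeTab.php HTTP/1.1" 200 88',
    '203.0.113.7 - - [10/Oct/2024:10:03:40 +0000] "POST /gsb/reports.php HTTP/1.1" 200 91',
    '203.0.113.7 - - [10/Oct/2024:10:05:13 +0000] "GET /gsb/help.php HTTP/1.1" 200 40',
    '198.51.100.4 - - [10/Oct/2024:10:06:00 +0000] "GET /client/index.php HTTP/1.1" 200 512',
]
```

Run `analyze(SAMPLE_LOG)` to get two findings for 203.0.113.7 and none for the benign client; on a real appliance the web shell may be served from another path, so pair this with a file-system check for help.php and sysinitd.ko.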
Attackers Patching Their Own Exploits
Interestingly, after exploiting the vulnerabilities, the attackers took the unusual step of “patching” the command injection flaws in /gsb/DateTimeTab.php and /gsb/reports.php to prevent other attackers from exploiting the same weaknesses and interfering with their operations.
Additional Exploits and Techniques
The attackers were also observed exploiting a separate critical vulnerability (CVE-2024-29824) in Ivanti Endpoint Manager (EPM) after compromising the CSA appliance. This allowed them to enable the xp_cmdshell stored procedure and achieve remote code execution.
Further malicious activities included creating a new user (mssqlsvc), running reconnaissance commands, exfiltrating data using DNS tunneling with PowerShell, and proxying traffic via the CSA appliance using an open-source tool called ReverseSocks5. In addition, the attackers deployed a rootkit (“sysinitd.ko”) on the CSA device to maintain persistent access even after potential system resets.
Ongoing Threat
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added these vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog as of early October 2024. With nation-state actors actively targeting Ivanti products, organizations are urged to apply patches and strengthen their network defenses to avoid potential compromise.
Fortinet researchers noted the sophistication of this campaign, underscoring the importance of staying vigilant as attackers continue to evolve their methods and exploit unpatched vulnerabilities in critical systems.