State hackers exploiting Ivanti CSA weaknesses for network infiltration

SeniorTechInfo

Oct 14, 2024

Ravie Lakshmanan
Network Security / Vulnerability

A suspected nation-state adversary has been observed weaponizing three security flaws in Ivanti Cloud Service Appliance (CSA) as zero-day exploits to carry out malicious activities.

Recent research from Fortinet FortiGuard Labs has revealed that these vulnerabilities were exploited to gain unauthorized access to the CSA, identify configured users, and attempt to access their credentials.

“Advanced threat actors were seen utilizing and linking zero-day vulnerabilities to establish initial access in the target network,” security researchers Faisal Abdul Malik Qureshi, John Simmons, Jared Betts, Luca Pugliese, Trent Healy, Ken Evans, and Robert Reyes noted.


The vulnerabilities exploited include:

  • CVE-2024-8190 (CVSS score: 7.2) – Command injection flaw in /gsb/DateTimeTab.php
  • CVE-2024-8963 (CVSS score: 9.4) – Path traversal vulnerability in /client/index.php
  • CVE-2024-9380 (CVSS score: 7.2) – Authenticated command injection vulnerability in reports.php

Furthermore, the attackers used stolen credentials to exploit the command injection vulnerability in /gsb/reports.php, leading to the deployment of a web shell (“help.php”).

Discussing the attacks, the researchers mentioned, “On September 10, 2024, after Ivanti released an advisory for CVE-2024-8190, the threat actor patched the vulnerabilities in /gsb/DateTimeTab.php and /gsb/reports.php while still active in the network, rendering them unexploitable.”

They added, “Historically, threat actors have been known to patch vulnerabilities post-exploitation to prevent other intruders from gaining access to the compromised asset(s) and disrupting their operations.”


Ivanti CSA Flaws
SQLi vulnerability exploitation

After compromising the internet-facing CSA appliance, the attackers also exploited CVE-2024-29824, a critical SQL injection vulnerability affecting Ivanti Endpoint Manager (EPM), achieving remote code execution by enabling the xp_cmdshell stored procedure.


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog in early October 2024.

Additional activities included creating a new user ‘mssqlsvc’, running reconnaissance commands, and exfiltrating data through DNS tunneling using PowerShell code. The attackers also deployed a rootkit in the form of a Linux kernel object (sysinitd.ko) on the compromised CSA device.
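DNS tunneling of the kind described above leaves a recognisable trace in resolver logs: many queries to one registered domain whose leftmost label is long and looks random, because the exfiltrated data is encoded into the query name. The script below is an added example (not code from the article or from Fortinet) that scores the leftmost label by length and Shannon entropy and reports domains that collect several such queries. The log format ("timestamp client qname qtype"), the sample lines, the tunnel domain under the reserved example.net, and the thresholds are all constructed assumptions; tune them against your own resolver's baseline.

```python
"""Flag DNS query logs that look like DNS tunnelling: many queries to one
registered domain whose leftmost label is long and high-entropy."""
import math
from collections import Counter, defaultdict

# Constructed sample log lines in a simple "timestamp client qname qtype" form.
# These are invented for the example; the tunnel labels are random-looking
# 32-character strings under the reserved example.net domain.
SAMPLE_LOG = """\
2024-09-10T10:00:01Z 10.0.0.5 www.example.com A
2024-09-10T10:00:02Z 10.0.0.5 long-but-readable-hostname-label.example.com A
2024-09-10T10:00:03Z 10.0.0.7 kq7zj3w9xmc2vt4hnfp8bs6gyr5dlau0.tun.example.net TXT
2024-09-10T10:00:03Z 10.0.0.7 m3p9ktw2czx7ba5nqg4vr8jd6fyh0lsu.tun.example.net TXT
2024-09-10T10:00:04Z 10.0.0.7 z8fq2nhw5tkv9cmx3pjb7gdy4arl6su0.tun.example.net TXT
2024-09-10T10:00:05Z 10.0.0.5 mail.example.com MX
"""


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's empirical symbol distribution."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Crude 'last two labels' approximation (an assumption of this example);
    production tooling should use the public suffix list so that suffixes
    such as co.uk are grouped correctly."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_line(line: str) -> dict:
    """Split one constructed log line into its four fields."""
    ts, client, qname, qtype = line.split()
    return {"ts": ts, "client": client, "qname": qname.lower(), "qtype": qtype}


def suspicious_label(qname: str, min_len: int = 24, min_entropy: float = 4.0) -> bool:
    """A leftmost label that is both long and near-random is the hallmark of
    data encoded into query names. A long but readable hostname label has
    entropy well below 4 bits/char and is not flagged."""
    first = qname.split(".")[0]
    return len(first) >= min_len and shannon_entropy(first) >= min_entropy


def find_tunnels(log_text: str, min_hits: int = 3, **label_kwargs) -> dict:
    """Return {registered_domain: {"hits": n, "clients": set(...)}} for domains
    that received at least min_hits suspicious-looking queries. Requiring
    several hits suppresses one-off CDN or token-style hostnames."""
    hits = defaultdict(lambda: {"hits": 0, "clients": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if suspicious_label(rec["qname"], **label_kwargs):
            dom = registered_domain(rec["qname"])
            hits[dom]["hits"] += 1
            hits[dom]["clients"].add(rec["client"])
    return {d: v for d, v in hits.items() if v["hits"] >= min_hits}


if __name__ == "__main__":
    for dom, info in find_tunnels(SAMPLE_LOG).items():
        print(f"possible DNS tunnel to {dom}: {info['hits']} queries "
              f"from {sorted(info['clients'])}")
```

Run against the embedded sample, only example.net is reported, from client 10.0.0.7; the long but human-readable label under example.com passes the length check but not the entropy check, which is why both signals are combined. Adding the query type (tunnels often favour TXT or NULL records) and a per-client query rate would tighten the rule further.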

“The likely intent behind this action was to ensure kernel-level persistence on the CSA device, potentially surviving a factory reset,” the Fortinet researchers said.
