Burning Zero Days: Suspected Nation-State Adversary Targets Ivanti CSA
Summary:
Fortinet FortiGuard Labs has uncovered a suspected nation-state actor exploiting a chain of three vulnerabilities impacting Ivanti Cloud Service Appliance to gain unauthenticated access to the CSA, enumerate users configured in the appliance, and further attempt to access the credentials of those users. The aforementioned vulnerabilities are listed below:
- CVE-2024-8190: An OS command injection vulnerability in Ivanti Cloud Services Appliance versions 4.6 Patch 518 and before allows a remote authenticated attacker to obtain remote code execution.
- CVE-2024-8963: Path Traversal in the Ivanti CSA before 4.6 Patch 519 allows a remote unauthenticated attacker to access restricted functionality.
- CVE-2024-9380: An OS command injection vulnerability in the admin web console of Ivanti CSA before version 5.0.2 allows a remote authenticated attacker with admin privileges to obtain remote code execution.
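Because the three advisories use two different version formats ("4.6 Patch 518" for the 4.6 line, "5.0.2" for the 5.x line), a defender checking an inventory against them has to normalise both before comparing. The following is an added example, not code from Fortinet or Ivanti, that parses either format and reports which of the advisories listed above apply to a given appliance version. It applies the page's thresholds literally, with the assumption that a 4.6 patch number and a 5.x release can be placed on one ordered (major, minor, patch) scale; the sample versions at the bottom are constructed.

```python
import re
from typing import Callable, Dict, List, Tuple

Version = Tuple[int, int, int]

# Affected-version conditions exactly as worded in the advisory text above.
# A 4.6 "Patch N" build is mapped to (4, 6, N); a 5.x.y release to (5, x, y).
CVE_CONDITIONS: Dict[str, Tuple[str, Callable[[Version], bool]]] = {
    "CVE-2024-8190": ("4.6 Patch 518 and before", lambda v: v <= (4, 6, 518)),
    "CVE-2024-8963": ("before 4.6 Patch 519", lambda v: v < (4, 6, 519)),
    "CVE-2024-9380": ("before version 5.0.2", lambda v: v < (5, 0, 2)),
}


def parse_csa_version(text: str) -> Version:
    """Normalise '4.6 Patch 518' or '5.0.2' into an ordered tuple.

    Raises ValueError for anything else, so an unparseable inventory entry
    is surfaced rather than silently treated as patched.
    """
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\s+Patch\s+(\d+)\s*", text, re.IGNORECASE)
    if m:
        major, minor, patch = m.groups()
        return (int(major), int(minor), int(patch))
    m = re.fullmatch(r"\s*(\d+)\.(\d+)(?:\.(\d+))?\s*", text)
    if m:
        major, minor, patch = m.groups()
        return (int(major), int(minor), int(patch or 0))
    raise ValueError(f"unrecognised Ivanti CSA version string: {text!r}")


def affected_cves(version_text: str) -> List[str]:
    """Return the CVE IDs from the advisory whose stated range includes this version."""
    v = parse_csa_version(version_text)
    return sorted(cve for cve, (_, applies) in CVE_CONDITIONS.items() if applies(v))


def exposure_report(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each host (constructed hostname -> version string) to its open CVEs.

    Hosts whose version cannot be parsed are flagged with a single
    'UNPARSEABLE' marker so they are reviewed by hand, not ignored.
    """
    report: Dict[str, List[str]] = {}
    for host, version_text in inventory.items():
        try:
            report[host] = affected_cves(version_text)
        except ValueError:
            report[host] = ["UNPARSEABLE"]
    return report


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are illustrative only.
    sample = {
        "csa-dmz-01": "4.6 Patch 518",
        "csa-dmz-02": "4.6 Patch 519",
        "csa-lab-01": "5.0.1",
        "csa-lab-02": "5.0.2",
        "csa-old-01": "unknown",
    }
    for host, cves in exposure_report(sample).items():
        print(f"{host:12s} {', '.join(cves) or 'no listed advisories apply'}")
```

The report treats "4.6 Patch 519" as still within the stated range for CVE-2024-9380 because the advisory text says "before version 5.0.2" without carving out the 4.6 line; if Ivanti's own guidance for the 4.6 branch differs, adjust that predicate rather than the parser.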
Security Officer Comments:
On September 10, Ivanti published an advisory for CVE-2024-8190, disclosing that exploitation of the flaw had been observed in the wild and urging customers to apply the patches as soon as possible. Fortinet notes that on that same day the actor, still active on the customer's network, patched the command injection vulnerability, making it unexploitable. This tactic has been employed in the past: actors patch the vulnerabilities they themselves have exploited to prevent other actors from doing the same and potentially interfering with their operations.
At the time of writing, the activity has yet to be attributed to a known threat actor. However, given that several zero-day flaws were identified and exploited well before patches could be released, this indicates that a nation-state actor is behind these attacks. Researchers note that the actor also deployed a rootkit capable of potentially surviving a factory reset, further cementing that the actor is highly sophisticated.
Suggested Corrections:
Organizations using Ivanti CSA are advised to:
- Upgrade to the latest patched version immediately.
- Review systems for signs of compromise, including unauthorized user accounts and suspicious files.
- Monitor for unusual network activity and potential data exfiltration attempts.
- Implement robust access controls and network segmentation.
- Deploy endpoint detection and response (EDR) tools for enhanced monitoring.
https://www.fortinet.com/blog/threa...ted-nation-state-adversary-targets-ivanti-csa