Nation-State Attackers Exploiting Ivanti CSA Flaws for Network Infiltration

Oct 14, 2024 Ravie Lakshmanan Network Security / Vulnerability

A suspected nation-state adversary has been observed weaponizing three security flaws in Ivanti Cloud Service Appliance (CSA) as a zero-day to perform a series of malicious actions.

That's according to findings from Fortinet FortiGuard Labs, which said the vulnerabilities were abused to gain unauthenticated access to the CSA, enumerate users configured in the appliance, and attempt to access the credentials of those users.

“The advanced adversaries were observed exploiting and chaining zero-day vulnerabilities to establish beachhead access in the victim’s network,” security researchers Faisal Abdul Malik Qureshi, John Simmons, Jared Betts, Luca Pugliese, Trent Healy, Ken Evans, and Robert Reyes said.


The issues in question are listed below -

  • CVE-2024-8190 (CVSS score: 7.2) - A command injection flaw in the resource /gsb/DateTimeTab.php
  • CVE-2024-8963 (CVSS score: 9.4) - A path traversal vulnerability in the resource /client/index.php
  • CVE-2024-9380 (CVSS score: 7.2) - An authenticated command injection vulnerability affecting the resource reports.php

In the next stage, the stolen credentials associated with gsbadmin and admin were used to perform authenticated exploitation of the command injection vulnerability affecting the resource /gsb/reports.php in order to drop a web shell (“help.php”).

“On September 10, 2024, when the advisory for CVE-2024-8190 was published by Ivanti, the threat actor, still active in the customer’s network, ‘patched’ the command injection vulnerabilities in the resources /gsb/DateTimeTab.php, and /gsb/reports.php, making them unexploitable.”

“In the past, threat actors have been observed to patch vulnerabilities after having exploited them, and gained foothold into the victim’s network, to stop any other intruder from gaining access to the vulnerable asset(s), and potentially interfering with their attack operations.”

Figure: SQLi vulnerability exploitation

The unknown attackers have also been identified abusing CVE-2024-29824, a critical flaw impacting Ivanti Endpoint Manager (EPM), after compromising the internet-facing CSA appliance. Specifically, this involved enabling the xp_cmdshell stored procedure to achieve remote code execution.


It's worth noting that the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog in the first week of October 2024.

Some of the other actions included creating a new user called mssqlsvc, running reconnaissance commands, and exfiltrating the results of those commands via a technique known as DNS tunneling using PowerShell code. Also of note is the deployment of a rootkit in the form of a Linux kernel object (sysinitd.ko) on the compromised CSA system.
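DNS tunneling of the kind described above hides command output in the leftmost label of queries to an attacker-controlled domain, so one defender-side signal is a domain receiving many distinct, long, high-entropy subdomain labels from a host. The following is an added example, not code from the article or from Fortinet: it runs that heuristic over a few constructed DNS query log lines (the "exfil-test.invalid" domain, the hex labels, the client addresses and the log format are all made up for illustration; the last-two-labels rule for the registered domain is a simplifying assumption).

```python
import math
from collections import defaultdict

# Constructed sample DNS query log lines (not from the article). Format per line:
# "<timestamp> <client-ip> <queried-name>". The exfil-test.invalid queries carry
# hex-looking payload chunks in the leftmost label, as a DNS tunnel would; the
# example.org names show a host making many queries with short, benign labels.
SAMPLE_LOG = """\
2024-09-10T10:00:01Z 10.0.0.5 www.example.com
2024-09-10T10:00:02Z 10.0.0.5 mail.example.com
2024-09-10T10:00:02Z 10.0.0.9 img1.example.org
2024-09-10T10:00:02Z 10.0.0.9 img2.example.org
2024-09-10T10:00:02Z 10.0.0.9 img3.example.org
2024-09-10T10:00:02Z 10.0.0.9 img4.example.org
2024-09-10T10:00:02Z 10.0.0.9 img5.example.org
2024-09-10T10:00:03Z 10.0.0.7 a3f91c0e7b2d845f6e19c0a7.exfil-test.invalid
2024-09-10T10:00:03Z 10.0.0.7 5d2e8b17f04ac96e3b7d01f2.exfil-test.invalid
2024-09-10T10:00:04Z 10.0.0.7 c08e4f7a19b2d6e35f0a8c41.exfil-test.invalid
2024-09-10T10:00:04Z 10.0.0.7 7b1d93e5a0f2c48b6d7e19a3.exfil-test.invalid
2024-09-10T10:00:05Z 10.0.0.7 e42a7f0b9c1d385e6f7a20b9.exfil-test.invalid
2024-09-10T10:00:05Z 10.0.0.7 0f9c3b7e2a4d815c6e0b9f3a.exfil-test.invalid
2024-09-10T10:00:06Z 10.0.0.5 www.example.com
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str):
    """Return (registered_domain, payload_label) for a queried name.

    Assumption for this example: the registered domain is the last two labels.
    A production detector would consult the Public Suffix List instead.
    """
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return ".".join(labels), ""
    return ".".join(labels[-2:]), labels[0]


def parse_log(text: str):
    """Yield (client_ip, qname) tuples from the constructed log format."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        yield parts[1], parts[2]


def detect_tunneling(text: str, min_labels=5, min_label_len=20, min_entropy=3.3):
    """Return {domain: stats} for domains whose leftmost labels look like encoded
    payload: at least min_labels distinct labels whose average length and average
    Shannon entropy both exceed the thresholds. Thresholds are tuning assumptions."""
    per_domain = defaultdict(lambda: {"labels": set(), "clients": set()})
    for client, qname in parse_log(text):
        domain, label = split_name(qname)
        if label:
            per_domain[domain]["labels"].add(label)
            per_domain[domain]["clients"].add(client)

    flagged = {}
    for domain, info in per_domain.items():
        labels = info["labels"]
        if len(labels) < min_labels:
            continue
        avg_len = sum(len(lbl) for lbl in labels) / len(labels)
        avg_ent = sum(shannon_entropy(lbl) for lbl in labels) / len(labels)
        if avg_len >= min_label_len and avg_ent >= min_entropy:
            flagged[domain] = {
                "unique_labels": len(labels),
                "avg_label_len": round(avg_len, 1),
                "avg_entropy": round(avg_ent, 2),
                "clients": sorted(info["clients"]),
            }
    return flagged


if __name__ == "__main__":
    for domain, stats in detect_tunneling(SAMPLE_LOG).items():
        print(f"possible DNS tunnel: {domain} {stats}")
```

Running the block flags only exfil-test.invalid (six distinct 24-character labels from 10.0.0.7); example.org is not flagged despite five distinct labels because they are short and low-entropy, which is why the heuristic requires all three conditions rather than volume alone. In practice the same logic would be fed from resolver or EDR DNS logs, and hits from servers that should never generate such traffic, such as a CSA appliance or an EPM host, deserve priority.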

“The likely motive behind this was for the threat actor to maintain kernel-level persistence on the CSA device, which may survive even a factory reset,” Fortinet researchers said.
