Nation-state attackers chained zero-days to target Ivanti Cloud Services Appliance

Once inside the network, attackers used the stolen credentials to carry out further attacks


A sophisticated cyberattack, believed to be orchestrated by a nation-state adversary, has exploited critical vulnerabilities in Ivanti's Cloud Services Appliance (CSA) to gain unauthorised access to sensitive systems.

According to a new report from Fortinet, the attackers leveraged three vulnerabilities, including two previously undisclosed zero-day flaws, to compromise the CSA and execute a series of malicious activities.

The vulnerabilities, identified as CVE-2024-8190, CVE-2024-8963, and CVE-2024-9380, allowed the attackers to gain unauthenticated access, enumerate users, and steal credentials.

"The advanced adversaries were observed exploiting and chaining zero-day vulnerabilities to establish beachhead access in the victim's network," security researchers said.

Once inside, the attackers used the stolen credentials to carry out further attacks, including dropping a web shell and compromising the backend SQL database server.

In addition to the three vulnerabilities targeting the CSA, the attackers also exploited CVE-2024-29824, a critical vulnerability in Ivanti Endpoint Manager (EPM). By enabling the xp_cmdshell stored procedure, the attackers achieved remote code execution on the compromised system.
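For defenders, the `xp_cmdshell` step leaves a trace: SQL Server writes a "Configuration option ... changed" message to its ERRORLOG whenever the setting is changed via `sp_configure`. The following is an added example, not code from the Fortinet report or this article; the log lines are constructed samples and the function name is hypothetical. It reports each period during which `xp_cmdshell` was switched on.

```python
import re

# Constructed sample ERRORLOG lines (illustrative, not taken from the incident).
SAMPLE_ERRORLOG = """\
2024-10-01 02:14:07.11 spid61      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-10-01 02:14:07.35 spid61      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-10-01 02:20:44.80 spid12s     Configuration option 'max degree of parallelism' changed from 0 to 4. Run the RECONFIGURE statement to install.
2024-10-01 02:31:10.02 spid7s      Starting up database 'tempdb'.
2024-10-01 03:02:19.02 spid61      Configuration option 'xp_cmdshell' changed from 1 to 0. Run the RECONFIGURE statement to install.
"""

# Timestamp, source (session id), then the standard configuration-change message.
CONFIG_CHANGE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2})\s+(?P<src>\S+)\s+"
    r"Configuration option '(?P<opt>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)\."
)

def xp_cmdshell_windows(text):
    """Return [(enabled_at, disabled_at_or_None, session)] for each period
    in which the log shows xp_cmdshell switched on."""
    windows, open_at = [], None
    for m in map(CONFIG_CHANGE.match, text.splitlines()):
        if not m or m["opt"].lower() != "xp_cmdshell":
            continue  # unrelated line or a different option
        old, new = int(m["old"]), int(m["new"])
        if old == 0 and new == 1:
            open_at = (m["ts"], m["src"])
        elif old == 1 and new == 0 and open_at:
            # Re-disabling shortly after enabling can indicate clean-up.
            windows.append((open_at[0], m["ts"], open_at[1]))
            open_at = None
    if open_at:
        # Enabled and never turned off within this log: still exposed.
        windows.append((open_at[0], None, open_at[1]))
    return windows

if __name__ == "__main__":
    for start, end, session in xp_cmdshell_windows(SAMPLE_ERRORLOG):
        print(f"xp_cmdshell enabled {start} by {session}, disabled {end or 'NEVER'}")
```

The ERRORLOG is cycled on restart, so run the check across archived log files as well, and correlate any window with command execution recorded by EDR on the database host.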

Earlier this month, the US Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2024-29824 to its Known Exploited Vulnerabilities (KEV) catalogue.

FortiGuard says attackers were observed performing several malicious actions, such as creating a new user, executing reconnaissance commands, exfiltrating the results using DNS tunnelling, and deploying a rootkit as a Linux kernel object on the compromised CSA device.

A particularly concerning element of the attack was the attackers' attempt to "patch" the vulnerabilities they exploited after gaining access. This tactic is used to prevent other attackers from gaining access and potentially disrupting the original intruders' ongoing operations.

Organisations using Ivanti CSA and EPM are strongly advised to apply the latest security patches to mitigate these vulnerabilities.

Ivanti warns of three new zero-days

Last week, Ivanti issued urgent security updates to address three new zero-days affecting its CSA, warning that these vulnerabilities are being actively exploited by attackers.

The vulnerabilities, identified as CVE-2024-9379, CVE-2024-9380, and CVE-2024-9381, can be chained with CVE-2024-8963 to allow attackers to execute arbitrary code, run SQL statements, and bypass security restrictions.

"We are aware of a limited number of customers running CSA 4.6 patch 518 and prior who have been exploited when CVE-2024-9379, CVE-2024-9380 or CVE-2024-9381 are chained with CVE-2024-8963," Ivanti warned.

CVE-2024-9379 is a SQL injection vulnerability that allows attackers to execute arbitrary SQL statements.

CVE-2024-9380 is a command injection vulnerability that allows attackers to execute arbitrary code.

CVE-2024-9381 is a path traversal vulnerability that allows attackers to bypass security restrictions and access unauthorised files.

Successful exploitation of these vulnerabilities can lead to significant security breaches, including data theft and disruption of services.

Ivanti recommends that customers running CSA 5.0.1 and earlier versions immediately upgrade to 5.0.2 to mitigate these risks.

Users who suspect their systems have been compromised should rebuild their CSA appliances.

Additionally, admins are advised to review alerts from endpoint detection and response (EDR) software and to check for new or modified admin users.