Introduction
In a recent cybersecurity alert, researchers have identified the exploitation of three security flaws within Ivanti's Cloud Service Appliance (CSA) by what is suspected to be a nation-state threat actor. These vulnerabilities, some of which were zero-day, have been used to gain unauthorized access to the CSA, allowing attackers to perform a range of malicious activities. This article explores how these flaws were exploited, the techniques used by the adversaries, and the broader implications for network security.
Exploiting Ivanti CSA Vulnerabilities
According to findings from Fortinet FortiGuard Labs, attackers have leveraged several security flaws within the Ivanti Cloud Service Appliance. The flaws provided unauthorized access to the system and enabled the attackers to enumerate users and attempt to capture credentials. The key vulnerabilities exploited include:
- CVE-2024-8190 (CVSS score: 7.2) - A command injection flaw within the /gsb/DateTimeTab.php resource.
- CVE-2024-8963 (CVSS score: 9.4) - A path traversal vulnerability in the /client/index.php resource.
- CVE-2024-9380 (CVSS score: 7.2) - An authenticated command injection vulnerability affecting reports.php.
Using these vulnerabilities, the attackers were able to infiltrate the victim’s network and escalate their access. Once inside, they utilized stolen credentials to perform additional malicious activities, such as dropping a web shell named "help.php."
Patch and Persistence Tactics
One of the most concerning aspects of the attack was the attackers' ability to patch the very vulnerabilities they exploited. After gaining access to the system, the attackers "patched" the command injection vulnerabilities in order to make them unexploitable by others. This tactic effectively secured their access and prevented interference from other threat actors, allowing them to maintain control over the compromised network without disruption.
This technique has been observed in past attacks, where cybercriminals exploit and patch vulnerabilities to solidify their hold on the target’s systems, preventing others from exploiting the same vulnerabilities.
Exploitation of SQLi Vulnerability
The attackers also took advantage of CVE-2024-29824, a critical SQL injection flaw affecting Ivanti Endpoint Manager (EPM). After compromising the CSA appliance, the attackers enabled the xp_cmdshell stored procedure, granting them remote code execution capabilities. This vulnerability was recognized by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and added to their Known Exploited Vulnerabilities catalog in early October 2024.
Advanced Malicious Activities
In addition to exploiting vulnerabilities, the attackers engaged in other sophisticated actions. They created a new user called "mssqlsvc," executed reconnaissance commands, and exfiltrated data through DNS tunneling techniques using PowerShell code. The attackers also proxied traffic through the compromised CSA device using an open-source tool called ReverseSocks5.
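Exfiltration over DNS, as described above, leaves a recognisable pattern in resolver logs: one registered domain receiving many distinct, long, high-entropy leftmost labels. The following hunting script is an added example, not code from the article or from Fortinet; it assumes a simplified constructed log format of "client qname qtype" per line and uses a constructed sample, with the domain exfil.invalid and its hex labels invented for illustration.

```python
import math
from collections import Counter, defaultdict

# Constructed sample resolver log (not from the article): "client qname qtype".
# The four queries to exfil.invalid carry 32-character hex labels, mimicking
# chunked data; the example.com queries are ordinary short hostnames.
SAMPLE_DNS_LOG = """\
10.0.0.5 www.example.com A
10.0.0.5 mail.example.com A
10.0.0.7 api.example.com A
10.0.0.7 cdn.example.com A
10.0.0.9 0123456789abcdef0123456789abcdef.exfil.invalid TXT
10.0.0.9 fedcba9876543210fedcba9876543210.exfil.invalid TXT
10.0.0.9 02468ace13579bdf02468ace13579bdf.exfil.invalid TXT
10.0.0.9 fdb97531eca8642013579bdf02468ace.exfil.invalid TXT
10.0.0.9 ns1.some-other.test A
"""


def shannon_entropy(s):
    """Bits of entropy per character; hex-encoded data sits near 4.0, hostnames far lower."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registered_domain(qname):
    """Crude registrable-domain split (last two labels); a public-suffix list is better in production."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def find_tunneling_domains(log_text, min_labels=4, min_len=20, min_entropy=3.0):
    """Return {domain: stats} for domains whose distinct leftmost labels look like encoded data."""
    labels_by_domain = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # malformed line: skip rather than crash
        qname = parts[1].rstrip(".").lower()
        labels = qname.split(".")
        if len(labels) < 3:
            continue  # no subdomain label available to carry data
        labels_by_domain[registered_domain(qname)].add(labels[0])
    flagged = {}
    for domain, labels in labels_by_domain.items():
        if len(labels) < min_labels:
            continue
        mean_len = sum(len(l) for l in labels) / len(labels)
        mean_ent = sum(shannon_entropy(l) for l in labels) / len(labels)
        if mean_len >= min_len and mean_ent >= min_entropy:
            flagged[domain] = {"unique_labels": len(labels),
                               "mean_len": round(mean_len, 2),
                               "mean_entropy": round(mean_ent, 2)}
    return flagged
```

Thresholds are starting points; tune them against a baseline of your own resolver traffic, and corroborate a hit with the volume and timing of queries from the same client.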
Moreover, the adversaries deployed a rootkit in the form of a Linux kernel object (sysinitd.ko) on the compromised device. The rootkit provided the attackers with persistent access at the kernel level, potentially surviving even a factory reset. This level of persistence suggests a high level of sophistication and determination to maintain control over the targeted system.
Conclusion
The exploitation of vulnerabilities within Ivanti's Cloud Service Appliance highlights the growing sophistication of cyberattacks, especially those suspected to be nation-state-sponsored. The ability to exploit zero-day vulnerabilities, patch them to prevent interference, and maintain long-term persistence within compromised networks is a concerning development for cybersecurity professionals. As attackers continue to evolve their tactics, organizations must remain vigilant in patching vulnerabilities and monitoring for advanced threat activity to safeguard their networks.