Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

Nation-State Actor Exploits Ivanti CSA Zero-Days for Malicious Purposes


A recent nation-state actor attack has exploited three zero-day vulnerabilities in Ivanti Cloud Service Appliance (CSA) to gain unauthorized access to a victim's network, highlighting the importance of prioritizing cybersecurity and keeping software up-to-date.

  • An unknown nation-state actor has exploited three zero-day vulnerabilities in Ivanti Cloud Service Appliance (CSA) for malicious purposes.
  • The identified vulnerabilities are CVE-2024-9380, CVE-2024-8190, and CVE-2024-8963, each with distinct impacts on the appliance.
  • The flaws are an OS command injection, a second command injection, and a path traversal; exploited together they yield remote code execution on the appliance.
  • The attackers chained these vulnerabilities together to gain initial access to the victim's network.
  • Organizations must prioritize cybersecurity and keep software up-to-date to minimize the risk of exploitation.


In a disturbing development, Fortinet FortiGuard Labs researchers have warned that a suspected nation-state actor has been exploiting three zero-day vulnerabilities in Ivanti Cloud Service Appliance (CSA) for malicious purposes. This attack underscores the critical need for organizations to prioritize cybersecurity and keep their software up to date.

The three vulnerabilities exploited by the threat actor are CVE-2024-9380, CVE-2024-8190, and CVE-2024-8963. Each has a distinct impact on the Ivanti CSA appliance. CVE-2024-9380 is an OS command injection vulnerability in the admin web console before version 5.0.2: a remote authenticated attacker with admin privileges can exploit it to achieve remote code execution.

The second vulnerability, CVE-2024-8190, is a command injection vulnerability in Ivanti Cloud Services Appliance versions 4.6 Patch 518 and before. It allows a remote authenticated attacker to obtain remote code execution, provided the attacker holds admin-level privileges.

The third and most critical vulnerability, CVE-2024-8963, is a path traversal vulnerability in the Ivanti CSA before 4.6 Patch 519. A remote, unauthenticated attacker can exploit it to access restricted functionality on the appliance.

According to Fortinet's advisory, threat actors exploited these zero-day flaws to gain unauthenticated access to the CSA, enumerate users configured in the CSA appliance, and attempt to access their credentials. Once they obtained the gsbadmin and admin credentials, the attackers used them to exploit a command injection flaw in /gsb/reports.php and deploy a web shell (“help.php”).
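Defenders hunting for the chain described above can triage web-server access logs for its three visible stages: a traversal-style URI, a POST to /gsb/reports.php, and a request for a file named help.php. The script below is an added example, not code from the Fortinet advisory or from Ivanti; the log lines are constructed, and the Apache combined log format is an assumption, since the appliance's actual log layout is not described in the article.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Apache combined format); illustrative only,
# not real telemetry from an Ivanti CSA. 203.0.113.7 plays the attacker.
SAMPLE_LOG = """\
198.51.100.10 - - [14/Oct/2024:09:58:41 +0000] "GET /gsb/login.php HTTP/1.1" 200 1422 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Oct/2024:10:01:09 +0000] "GET /gsb/..%2F..%2Fclient/users.php HTTP/1.1" 200 2048 "-" "curl/8.0"
203.0.113.7 - - [14/Oct/2024:10:03:22 +0000] "POST /gsb/reports.php HTTP/1.1" 200 311 "-" "curl/8.0"
203.0.113.7 - - [14/Oct/2024:10:03:40 +0000] "GET /gsb/help.php HTTP/1.1" 200 87 "-" "curl/8.0"
198.51.100.10 - - [14/Oct/2024:10:05:00 +0000] "GET /gsb/reports.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

def decode_uri(uri: str) -> str:
    """Percent-decode twice so double-encoded traversal (%252e%252e) is caught too."""
    return unquote(unquote(uri))

def classify(method: str, uri: str) -> list:
    """Return the detection rules a single request matches (empty list if none)."""
    path = decode_uri(uri).split("?")[0]
    rules = []
    if "../" in path or "..\\" in path:
        rules.append("path-traversal")          # stage 1: unauthenticated traversal (CVE-2024-8963)
    if path.endswith("/gsb/reports.php") and method == "POST":
        rules.append("reports.php-post")        # stage 2: command injection target named in the advisory
    if path.endswith("/help.php"):
        rules.append("webshell-name")           # stage 3: web shell file name named in the advisory
    return rules

def triage(log_text: str) -> dict:
    """Group matching requests by source IP: {ip: [(uri, [rules]), ...]}."""
    findings = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rules = classify(m["method"], m["uri"])
        if rules:
            findings.setdefault(m["ip"], []).append((m["uri"], rules))
    return findings

def escalate(findings: dict) -> list:
    """Sources matching two or more distinct rules look like the chain, not lone admin use."""
    return sorted(ip for ip, hits in findings.items()
                  if len({r for _, rs in hits for r in rs}) >= 2)
```

A legitimate admin GET of /gsb/reports.php is deliberately not flagged; only the combination of stages on one source is escalated.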

The attack pattern is sophisticated: the vulnerabilities were chained together to gain initial access to the victim's network. This highlights the need for organizations to stay vigilant and implement robust cybersecurity measures to prevent such attacks.

It is worth noting that two of the three identified vulnerabilities were not publicly known at the time of Fortinet's investigation. This underscores the importance of staying informed about the latest security threats and keeping software up to date to minimize the risk of exploitation.

In conclusion, this attack serves as a stark reminder of the importance of prioritizing cybersecurity and keeping software up to date. Organizations must take proactive steps to protect themselves against such attacks by implementing robust cybersecurity measures and staying informed about the latest security threats.

Related Information:

  • https://securityaffairs.com/169778/apt/ivanti-cloud-service-appliance-three-zero.html

  • https://nvd.nist.gov/vuln/detail/CVE-2024-9380

  • https://www.cvedetails.com/cve/CVE-2024-9380/

  • https://nvd.nist.gov/vuln/detail/CVE-2024-8190

  • https://www.cvedetails.com/cve/CVE-2024-8190/

  • https://nvd.nist.gov/vuln/detail/CVE-2024-8963

  • https://www.cvedetails.com/cve/CVE-2024-8963/


Published: Mon Oct 14 13:24:26 2024 by llama3.2 3B Q4_K_M

© Ethical Hacking News. All rights reserved.