

Ethical Hacking News

Nation-State Attackers Exploit Ivanti CSA Flaws to Gain Network Infiltration



Nation-state attackers have exploited three security flaws in Ivanti Cloud Service Appliance (CSA) to gain unauthorized access to networks. The vulnerabilities, which were identified by Fortinet's FortiGuard Labs, are considered critical and can be chained together to establish a foothold within the victim's network. Learn more about this attack and how organizations can prevent similar attacks in the future.



  • Nation-state attackers have exploited three critical security flaws in Ivanti Cloud Service Appliance (CSA) to gain unauthorized access to networks.
  • The vulnerabilities, identified by Fortinet's FortiGuard Labs, include a command injection flaw (CVE-2024-8190), path traversal vulnerability (CVE-2024-8963), and authenticated command injection vulnerability (CVE-2024-9380).
  • The attackers used stolen credentials to perform further exploitation and deployed a rootkit on the compromised CSA device.
  • The attackers' likely motive was to maintain kernel-level persistence on the CSA device, enabling continued attacks while evading security detection.



    Nation-state attackers have been observed exploiting three security flaws in Ivanti Cloud Service Appliance (CSA) to gain unauthorized access to networks. The vulnerabilities, which were identified by Fortinet's FortiGuard Labs, are considered critical and can be chained together to establish a foothold within the victim's network.

    The first vulnerability, CVE-2024-8190, is a command injection flaw in the resource /gsb/DateTimeTab.php. This flaw allows an attacker to inject malicious commands, potentially leading to unauthorized access or further exploitation of the system. The second vulnerability, CVE-2024-8963, is a path traversal vulnerability on the resource /client/index.php. This flaw enables an attacker to traverse the file system and potentially gain access to sensitive data.

    The third and final vulnerability, CVE-2024-9380, is an authenticated command injection vulnerability affecting the resource reports.php. This flaw allows an attacker to inject malicious commands even if they do not have administrative privileges.

    In a recent attack, the attackers exploited these three vulnerabilities to gain unauthorized access to the Ivanti CSA appliance. Once inside, they used stolen credentials associated with gsbadmin and admin to perform authenticated exploitation of the command injection vulnerability affecting the resource /gsb/reports.php. This allowed them to drop a web shell ("help.php"), which can be used to further compromise the system.
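    As an added defender-side example (not code from the article, Fortinet or Ivanti), the Python script below triages a web-server access log for the resources named above: URL-decoded traversal sequences against /client/index.php (including double-encoded ones), requests to a dropped help.php web shell, and POSTs to the /gsb/DateTimeTab.php and /gsb/reports.php injection sinks. The log format, severity mapping and sample lines are constructed assumptions; on a real appliance you would point it at the actual access log and tune the rules to your baseline traffic.

```python
"""Triage an Apache/nginx-style access log for indicators tied to the
Ivanti CSA chain described above: traversal attempts against
/client/index.php, requests to the help.php web shell, and POSTs to the
injection-prone /gsb/DateTimeTab.php and /gsb/reports.php resources.

Added example; the log format and sample lines are constructed, not
taken from Ivanti, Fortinet or the original article.
"""
import re
from urllib.parse import unquote

# Combined log format: remote host, ident, user, [timestamp], "request", status.
# (Assumed format; adjust the regex for other log layouts.)
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Resources named in the write-up: help.php is the dropped web shell,
# the other two are the command-injection sinks.
WEBSHELL_NAMES = {"help.php"}
INJECTION_SINKS = {"/gsb/DateTimeTab.php", "/gsb/reports.php"}
TRAVERSAL_TARGET = "/client/index.php"


def fully_decode(path: str, rounds: int = 3) -> str:
    """URL-decode repeatedly so double-encoded ../ sequences are caught."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def classify_request(method: str, raw_path: str):
    """Return (severity, reason) for one request, or None if nothing matched."""
    path = fully_decode(raw_path)
    route = path.split("?", 1)[0]          # drop the query string
    basename = route.rsplit("/", 1)[-1]
    if basename in WEBSHELL_NAMES:
        return ("high", "request to known web shell name")
    if route.startswith(TRAVERSAL_TARGET) and ("../" in path or "..\\" in path):
        return ("high", "path traversal against /client/index.php")
    if method == "POST" and route in INJECTION_SINKS:
        return ("medium", "POST to command-injection sink")
    return None


def triage(lines):
    """Scan log lines; returns a list of (line_no, severity, reason, host)."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        hit = classify_request(m["method"], m["path"])
        if hit:
            findings.append((n, hit[0], hit[1], m["host"]))
    return findings


# Constructed sample lines (not real traffic); line 2 is double-encoded.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Oct/2024:10:00:01 +0000] "GET /gsb/login.php HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/Oct/2024:10:00:07 +0000] "GET /client/index.php/%252e%252e/%252e%252e/secret.txt HTTP/1.1" 200 880',
    '203.0.113.5 - - [01/Oct/2024:10:01:12 +0000] "POST /gsb/DateTimeTab.php HTTP/1.1" 200 96',
    '203.0.113.5 - - [01/Oct/2024:10:02:45 +0000] "POST /gsb/reports.php HTTP/1.1" 200 210',
    '198.51.100.9 - - [01/Oct/2024:10:03:30 +0000] "GET /gsb/help.php?x=1 HTTP/1.1" 200 44',
    '192.0.2.77 - - [01/Oct/2024:10:04:00 +0000] "GET /client/index.php HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for line_no, sev, reason, host in triage(SAMPLE_LOG):
        print(f"line {line_no}: [{sev}] {reason} from {host}")
```

    The POST rule is deliberately rated medium: legitimate administrators also submit those forms, so it is a pivot for correlation (same source host, then a web-shell request minutes later) rather than an alert on its own.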

    The attackers also exploited CVE-2024-29824, a critical flaw impacting Ivanti Endpoint Manager (EPM), after compromising the internet-facing CSA appliance. They enabled the xp_cmdshell stored procedure to achieve remote code execution, which let them run arbitrary commands within the victim's network.

    In addition to exploiting these vulnerabilities, the attackers created a new user called mssqlsvc, ran reconnaissance commands, and exfiltrated the results of those commands via DNS tunneling, using PowerShell code. They also deployed a rootkit in the form of a Linux kernel object (sysinitd.ko) on the compromised CSA device.

    The attackers' likely motive for exploiting these vulnerabilities was to maintain kernel-level persistence on the CSA device, which may survive even a factory reset. This would allow them to continue launching malicious attacks and evading detection by security systems.
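    Two checks a defender would want for the post-exploitation activity described in the last two paragraphs, written here as an added Python example (not tooling from Fortinet, Ivanti or the article): a heuristic scorer for DNS tunneling over a query log, and a loaded-kernel-module diff against a known-good baseline that surfaces an unexpected module such as sysinitd. The query-log format, the thresholds, the parent-zone heuristic and all sample data are constructed assumptions.

```python
"""Two checks for the post-exploitation activity described above:
(1) scoring a DNS query log for tunneling-style exfiltration and
(2) diffing loaded kernel modules against a baseline to surface an
unexpected module such as sysinitd.ko.

Added example: log format, thresholds and sample data are constructed
assumptions, not Fortinet's or Ivanti's tooling.
"""
import math
from collections import defaultdict

# ---- DNS tunneling heuristics ----------------------------------------------

def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payloads score near 4+, words nearer 2-3."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname: str):
    """Return (subdomain_part, parent_zone). Assumes the zone is the last
    two labels, which is wrong for suffixes like co.uk; a production
    detector should use the public suffix list."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def score_dns_log(lines, min_queries=5):
    """lines are 'epoch client qname qtype' (constructed format).
    Returns {zone: {unique_subs, avg_sub_len, avg_entropy, txt_ratio, flagged}}."""
    per_zone = defaultdict(list)
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue                      # skip malformed lines
        _ts, _client, qname, qtype = parts
        sub, zone = split_qname(qname)
        per_zone[zone].append((sub, qtype.upper()))
    report = {}
    for zone, entries in per_zone.items():
        if len(entries) < min_queries:
            continue                      # too little data to judge
        subs = [s for s, _ in entries]
        unique = len(set(subs))
        avg_len = sum(len(s) for s in subs) / len(subs)
        avg_ent = sum(shannon_entropy(s.replace(".", "")) for s in subs) / len(subs)
        txt_ratio = sum(1 for _, t in entries if t in ("TXT", "NULL")) / len(entries)
        # Illustrative thresholds: mostly-unique, long, high-entropy labels,
        # or a heavy TXT/NULL bias, are the classic tunnel signature.
        flagged = (unique / len(entries) > 0.8 and avg_len > 30
                   and avg_ent > 3.5) or txt_ratio > 0.5
        report[zone] = dict(unique_subs=unique, avg_sub_len=round(avg_len, 1),
                            avg_entropy=round(avg_ent, 2),
                            txt_ratio=round(txt_ratio, 2), flagged=flagged)
    return report

# ---- Kernel module baseline check ------------------------------------------

def unexpected_modules(proc_modules_text: str, baseline):
    """Parse /proc/modules ('name size refcount deps state address') and
    return module names not present in a known-good baseline."""
    loaded = {ln.split()[0] for ln in proc_modules_text.splitlines() if ln.strip()}
    return sorted(loaded - set(baseline))

# ---- Constructed sample data (not captured traffic) -------------------------

_HEX = "0123456789abcdef"

def _tunnel_label(i: int) -> str:
    """Synthetic hex-encoded chunk: 48 hex digits, every digit exactly 3 times."""
    rot = _HEX[i:] + _HEX[:i]
    return f"{rot}{rot}.{_HEX[::-1]}"

SAMPLE_DNS = (
    [f"17280000{i:02d} 10.0.0.15 {_tunnel_label(i)}.exfil-example.net "
     f"{'TXT' if i < 4 else 'A'}" for i in range(6)]
    + [f"17280001{i:02d} 10.0.0.22 {h}.example-corp.internal A"
       for i, h in enumerate(["mail", "www", "intranet", "mail", "www"])]
    + ["1728000200 10.0.0.22 updates.vendor-example.com A"] * 2
)

# Constructed /proc/modules excerpt; addresses are placeholders.
SAMPLE_PROC_MODULES = """\
xt_conntrack 16384 2 - Live 0xffffffffc0a1e000
e1000 143360 0 - Live 0xffffffffc0a40000
sysinitd 20480 0 - Live 0xffffffffc0b00000 (OE)
"""
BASELINE_MODULES = {"xt_conntrack", "e1000"}

if __name__ == "__main__":
    for zone, stats in score_dns_log(SAMPLE_DNS).items():
        print(zone, stats)
    print("modules outside baseline:",
          unexpected_modules(SAMPLE_PROC_MODULES, BASELINE_MODULES))
```

    Because a rootkit can hide its own entry from /proc/modules once loaded, treat the module diff as a cheap first pass; a kernel-level persistence mechanism that survives a factory reset ultimately calls for verifying the appliance image against a known-good copy, or rebuilding it, rather than trusting the running kernel's own view of itself.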

    The discovery of these vulnerabilities highlights the importance of keeping software up to date and patched. It also emphasizes the need for organizations to monitor their networks regularly for signs of suspicious activity and to implement robust security measures to prevent unauthorized access.

    In conclusion, nation-state attackers have been observed exploiting three security flaws in Ivanti CSA to infiltrate networks. The vulnerabilities were identified by Fortinet's FortiGuard Labs and are considered critical. Organizations must take immediate action to patch these vulnerabilities and implement robust security measures to prevent future attacks.



    Related Information:

  • https://thehackernews.com/2024/10/nation-state-attackers-exploiting.html

  • https://nvd.nist.gov/vuln/detail/CVE-2024-8190

  • https://www.cvedetails.com/cve/CVE-2024-8190/

  • https://nvd.nist.gov/vuln/detail/CVE-2024-8963

  • https://www.cvedetails.com/cve/CVE-2024-8963/

  • https://nvd.nist.gov/vuln/detail/CVE-2024-9380

  • https://www.cvedetails.com/cve/CVE-2024-9380/

  • https://nvd.nist.gov/vuln/detail/CVE-2024-29824

  • https://www.cvedetails.com/cve/CVE-2024-29824/

  • https://www.cisa.gov/news-events/alerts/2024/09/19/ivanti-releases-admin-bypass-security-update-cloud-services-appliance

  • https://www.tenable.com/cve/CVE-2024-9380

  • https://www.bleepingcomputer.com/news/security/critical-ivanti-rce-flaw-with-public-exploit-now-used-in-attacks/


  • Published: Mon Oct 14 07:49:23 2024 by llama3.2 3B Q4_K_M

    © Ethical Hacking News. All rights reserved.