
FBI and CISA Detail How Attackers Are Exploiting Ivanti CSA Flaws

The four vulnerabilities that Ivanti disclosed in the fall include two bugs that can be used to gain remote code execution, a path traversal bug, and a SQL injection vulnerability.

The FBI and CISA have released a detailed advisory about the exploitation activity that has targeted a series of zero-day vulnerabilities in Ivanti Cloud Service Appliances that were disclosed in September and October of last year. The attacks described in the advisory chained together several of the bugs to gain access to the target appliances and then move laterally to other servers on the network.

Why It Matters: The four vulnerabilities that Ivanti disclosed in the fall include two bugs that can be used to gain remote code execution, a path traversal bug, and a SQL injection vulnerability. The Ivanti CSA boxes are widely deployed in enterprises and make attractive targets for both cybercrime groups and APTs looking for a privileged foothold on corporate networks. The vulnerabilities were exploited as zero-days, and CISA and private security companies have seen continued exploitation of these flaws in the months since they were disclosed. “According to CISA and trusted third-party incident response data, threat actors chained the above listed vulnerabilities to gain initial access, conduct RCE, obtain credentials, and implant webshells on victim networks. The primary exploit paths included two vulnerability chains. One exploit chain leveraged CVE-2024-8963 in conjunction with CVE-2024-8190 and CVE-2024-9380. The other chain exploited CVE-2024-8963 and CVE-2024-9379,” the advisory says.

CVEs: CVE-2024-8190, CVE-2024-8963, CVE-2024-9379, and CVE-2024-9380

Key Details

  • Ivanti disclosed two of the vulnerabilities in September (CVE-2024-8190 and CVE-2024-8963) and two more in October (CVE-2024-9379 and CVE-2024-9380) after Fortinet IR personnel observed attackers exploiting the latter two bugs in an incident response engagement.

  • CISA identified two separate exploit chains that combined two or more of the vulnerabilities in order to gain initial access and then take further actions, including exfiltrating admin credentials and dropping webshells on the compromised machines. 

  • “In one case, there was evidence of lateral movement after the threat actors gained access and established a foothold through this exploit chain. It is suspected that the threat actors gained access into a Jenkins server running a vulnerable, outdated version. Logs on the Jenkins machine showed that a command in the bash history contained credentials to the postgres server. The threat actors then attempted to log into the Virtual Private Network (VPN) server but were unsuccessful,” the advisory says. 

  • CISA described intrusions at three separate organizations that involved the exploitation of these vulnerabilities, and all three organizations were able to detect the malicious activity before the attackers were able to move laterally or take other actions.

“Network defenders are encouraged to hunt for malicious activity on their networks using the detection methods and indicators of compromise (IOCs) within this advisory. Credentials and sensitive data stored within the affected Ivanti appliances should be considered compromised. Organizations should collect and analyze logs and artifacts for malicious activity and apply the incident response recommendations within this advisory,” the advisory says.