Executive Summary
A suspected nation-state adversary has been identified exploiting vulnerabilities in the Ivanti Cloud Services Appliance (CSA). This report covers the technical details of these vulnerabilities, the exploitation tactics employed, and the potential impact on organizations. The adversary's activity has primarily been observed against sectors in North America and Europe, underscoring the need for robust cybersecurity measures. This report is based on the Fortinet blog post titled "Burning Zero Days: Suspected Nation-State Adversary Targets Ivanti CSA" and other credible sources.
Technical Information
The Ivanti CSA has been compromised through the exploitation of three vulnerabilities: CVE-2024-8190 and two that were previously undisclosed (zero-days at the time of exploitation). These vulnerabilities have been chained to gain unauthorized access to and control over affected appliances, posing a severe threat to organizational security.
CVE-2024-8190 is an authenticated command injection vulnerability located in the DateTimeTab.php resource, affecting CSA version 4.6 and earlier. This vulnerability was publicly disclosed on September 10, 2024, and subsequently added to CISA’s Known Exploited Vulnerabilities list on September 13, 2024. A proof of concept exploit was made available by Horizon3.ai, highlighting the ease with which this vulnerability can be exploited.
The second vulnerability involves a path traversal attack on the resource /client/index.php, which allows unauthorized access to other resources such as users.php and reports.php. This vulnerability enables the adversary to enumerate users and potentially create rogue accounts, facilitating persistent access to the system.
The third vulnerability is a command injection flaw affecting the resource /gsb/reports.php. This vulnerability permits the execution of commands with elevated privileges, enabling the adversary to deploy a web shell and further exploit the compromised system.
The adversary's activity spans several MITRE ATT&CK tactics, including Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration, and Command and Control. Specific techniques observed include Exploit Public-Facing Application (T1190), Command and Scripting Interpreter (T1059), Valid Accounts (T1078), and Web Shell (T1505.003).
Exploitation in the Wild
The adversary has been observed chaining these zero-day vulnerabilities to gain initial access and maintain persistence within the victim's network. The exploitation process involves creating rogue users, deploying web shells, and utilizing a rootkit for kernel-level persistence. Indicators of Compromise (IOCs) include malicious IPs and domains used for command and control (C2) activities, as well as file paths and hashes of malicious files and web shells deployed by the adversary.
APT Groups using this vulnerability
The exploitation of these vulnerabilities has been attributed to a suspected nation-state adversary, although specific APT groups have not been conclusively identified. The targeting of sectors in North America and Europe suggests a strategic intent to compromise critical infrastructure and sensitive data.
Affected Product Versions
The vulnerabilities affect Ivanti CSA version 4.6 and earlier. Organizations using these versions are at heightened risk and should prioritize remediation efforts to mitigate potential exploitation.
Workaround and Mitigation
To mitigate the risk posed by these vulnerabilities, organizations should apply patches and updates provided by Ivanti as a matter of urgency. Monitoring network traffic for IOCs and unusual activities is crucial in detecting potential exploitation attempts. Implementing robust access controls and authentication mechanisms can further enhance security posture. Regular security assessments and incident response exercises are recommended to ensure preparedness against similar threats.
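The monitoring recommended above can start with the appliance's own web access log, using the resource names given in the Technical Information section. The following is an added example (not from the Fortinet or Rescana material) that flags traversal attempts through /client/index.php towards users.php or reports.php and any request to /gsb/reports.php or DateTimeTab.php, grouped by source address so a chained sequence from one host stands out. It assumes Common Log Format; the log lines and the directory used for DateTimeTab.php are constructed for the demonstration.

```python
import re
from urllib.parse import unquote

# Resources named in the report. The directory of DateTimeTab.php is not
# stated there, so that file is matched on its name only.
TRAVERSAL_PIVOT = "/client/index.php"
TRAVERSAL_TARGETS = ("users.php", "reports.php")
WATCHED_FILES = {
    "/gsb/reports.php": "request to /gsb/reports.php (command injection resource)",
    "DateTimeTab.php": "request to DateTimeTab.php (CVE-2024-8190 resource)",
}

# Common Log Format is assumed for the access log; adapt the regex for other formats.
CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
LOG_LINES = [
    '203.0.113.5 - - [12/Sep/2024:10:01:02 +0000] "GET /client/index.php HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/Sep/2024:10:01:09 +0000] "GET /client/index.php/../users.php HTTP/1.1" 200 2048',
    '203.0.113.7 - - [12/Sep/2024:10:01:15 +0000] "GET /client/index.php/%2e%2e/reports.php HTTP/1.1" 200 1024',
    '203.0.113.7 - - [12/Sep/2024:10:02:00 +0000] "POST /gsb/reports.php HTTP/1.1" 200 88',
    '203.0.113.9 - - [12/Sep/2024:10:03:00 +0000] "POST /gsb/DateTimeTab.php HTTP/1.1" 200 88',  # directory constructed
    '198.51.100.2 - - [12/Sep/2024:10:04:00 +0000] "GET /index.php HTTP/1.1" 200 4096',
]

def decode_url(url):
    """URL-decode twice so %2e%2e and %252e%252e both normalise to '..'."""
    return unquote(unquote(url))

def classify(line):
    """Return (source_ip, reasons); reasons is empty when the line is not suspicious."""
    m = CLF.match(line)
    if not m:
        return None, []
    path = decode_url(m.group("url")).split("?", 1)[0]
    reasons = []
    if TRAVERSAL_PIVOT in path and ".." in path:
        hit = next((t for t in TRAVERSAL_TARGETS if path.endswith(t)), "other resource")
        reasons.append(f"path traversal via {TRAVERSAL_PIVOT} towards {hit}")
    for name, reason in WATCHED_FILES.items():
        if path.endswith(name):
            reasons.append(f"{m.group('method')} {reason}")
    return m.group("ip"), reasons

def scan(lines):
    """Group findings by source IP so chained activity from one host is visible at a glance."""
    findings = {}
    for line in lines:
        ip, reasons = classify(line)
        if reasons:
            findings.setdefault(ip, []).extend(reasons)
    return findings
```

Requests to the watched administrative resources are not proof of compromise on their own; the output is a triage list to be checked against legitimate administrator activity and the published IOCs.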
References
For further details, please refer to the following resources: Fortinet Blog: Burning Zero Days: Suspected Nation-State Adversary Targets Ivanti CSA (https://www.fortinet.com/blog/threat-research/burning-zero-days-suspected-nation-state-adversary-targets-ivanti-csa), Horizon3.ai: Details and PoC for CVE-2024-8190, and CISA Known Exploited Vulnerabilities List.
Rescana is here for you
At Rescana, we are committed to helping our customers navigate the complex landscape of cybersecurity threats. Our Continuous Threat and Exposure Management (CTEM) platform is designed to provide comprehensive threat intelligence and vulnerability management solutions. Should you have any questions regarding this report or any other cybersecurity concerns, please do not hesitate to contact us at ops@rescana.com. We are here to support you in safeguarding your organization's digital assets.