Serious Adversaries Circle Ivanti CSA Zero-Day Flaws

A deft chaining together of three separate zero-day flaws in Ivanti's Cloud Service Appliance allowed a particularly potent cyberattacker to infiltrate a target network and execute malicious actions, leading researchers to conclude a nation-state actor was actively targeting these vulnerable systems.

Fortinet's FortiGuard Labs published its findings, warning that any organization running Ivanti's CSA version 4.6 and prior without taking necessary remediation precautions is vulnerable to this method of attack.

The details of the newly uncovered attack chain come amid the announcement of a bevy of additional security flaws in Ivanti's CSA also under active exploit.

"The advanced adversaries were observed exploiting and chaining zero-day vulnerabilities to establish beachhead access in the victim's network," Fortinet's report said. "This incident is a prime example of how threat actors chain zero-day vulnerabilities to gain initial access to a victim’s network."

The three specific Ivanti CSA flaws used in the attack were a command injection flaw in the DateTimeTab.php resource tracked as CVE-2024-8190, a critical path traversal vulnerability in the /client/index.php resource tracked as CVE-2024-8963, and an unauthenticated command injection vuln tracked as CVE-2024-9380 affecting reports.php.

Once initial access was established using the path traversal bug, the threat group was able to exploit the command injection flaw in the resource reports.php to drop a Web shell. The group exploited a separate SQL injection flaw on Ivanti's backend SQL database server (SQLS) tracked as CVE-2024-29824 to gain remote execution on the SQLS system, the researchers noted.

After Ivanti released a patch for the command injection flaw, the attack group acted to ensure other adversaries do not follow them onto the compromised systems. "On September 10, 2024, when the advisory for CVE-2024-8190 was published by Ivanti, the threat actor, still active in the customer's network, 'patched' the command injection vulnerabilities in the resources /gsb/DateTimeTab.php, and /gsb/reports.php, making them unexploitable," the FortiGuard Labs team added in the report. "In the past, threat actors have been observed to patch vulnerabilities after having exploited them, and gained foothold into the victim's network, to stop any other intruder from gaining access to the vulnerable asset(s), and potentially interfering with their attack operations."

In this instance, analysts suspected the group was trying to use sophisticated techniques to maintain access, including launching a DNS tunneling attack via PowerShell, and dropping a Linux kernel object rootkit on the compromised CSA system.

"The likely motive behind this was for the threat actor to maintain kernel-level persistence on the CSA device, which may survive even a factory reset," Fortinet researchers said.