Focus Mode
Threat Research

Threat Actors Chained Vulnerabilities in Ivanti Cloud Service Applications

CISA
This advisory from CISA and FBI discusses the exploitation of multiple vulnerabilities in Ivanti Cloud Service Appliances (CSA) that occurred in September 2024. The vulnerabilities include administrative bypass, SQL injection, and remote code execution, which were exploited to gain unauthorized access, execute commands, and implant webshells. Network administrators are urged to upgrade to the latest supported version of Ivanti CSA to mitigate these risks. Affected: Ivanti Cloud Service Appliances (CSA)

Keypoints :

  • Joint Cybersecurity Advisory released by CISA and FBI.
  • Exploitation of vulnerabilities in Ivanti Cloud Service Appliances (CSA) in September 2024.
  • Vulnerabilities include CVE-2024-8963 (administrative bypass), CVE-2024-9379 (SQL injection), CVE-2024-8190 and CVE-2024-9380 (remote code execution).
  • Threat actors chained vulnerabilities to gain initial access and implant webshells.
  • Network administrators are advised to upgrade to the latest supported version of Ivanti CSA.

MITRE Techniques :

  • Active Scanning: Vulnerability Scanning (T1595.002) – Used Obelisk and GoGo to scan for vulnerabilities.
  • Exploit Public-Facing Application (T1190) – Exploited weaknesses in applications for SQL injections.
  • Command and Scripting Interpreter (T1059) – Executed commands through command interpreters.
  • Modify Authentication Process (T1556) – Bypassed authentication mechanisms to gain access.
  • Server Software Component: Web Shell (T1505.003) – Executed code to implant webshells.
  • Exploitation for Privilege Escalation (T1068) – Gained access via outdated server versions.
  • Hide Artifacts: Hidden Users (T1564.002) – Disguised presence on the system.
  • Unsecured Credentials: Credentials in Files (T1552.001) – Harvested encrypted admin credentials.
  • Exploitation of Remote Services (T1210) – Exploited CSAs via remote services for access.
  • Remote Access Software (T1219) – Attempted remote authentication and command execution.
  • Exfiltration (TA0010) – Exfiltrated encrypted admin credentials.

Indicator of Compromise :

  • [ip address] 142.171.217[.]195
  • [ip address] 154.64.226[.]166
  • [ip address] 216.131.75[.]53
  • [ip address] 23.236.66[.]97
  • [ip address] 38.207.159[.]76
  • Check the article for all found IoCs.

Full Research: https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-022a

Tags: PHISHING, PATCH, BACKUP, CVE, HUNT, DEFENSE EVASION, PRIVILEGE, TOOL