Threat actors exploited four vulnerabilities in Ivanti Cloud Service Appliances (CSA) to conduct attacks on multiple organizations in September. The FBI and CISA have issued an advisory urging users to upgrade their systems and implement threat hunting techniques. The vulnerabilities, suspected to be linked to sophisticated nation-state actors, were used to gain access, execute code, and implant web shells.
Affected: Ivanti Cloud Service Appliances
Keypoints:
- Four vulnerabilities in Ivanti CSA were exploited in confirmed attacks.
- The advisory issued by the FBI and CISA urges users to upgrade to the latest version.
- The vulnerabilities were exploited as zero-days, indicating potential nation-state involvement.
- Initial access was gained through a critical administrative bypass vulnerability.
- Remote code execution (RCE) and SQL injection vulnerabilities were chained together in attacks.
- Victims detected malicious activity and replaced affected virtual machines.
- Mitigation recommendations include installing EDR and maintaining detailed logs.
- Organizations are advised to patch vulnerabilities within 24 to 48 hours of disclosure.
MITRE Techniques:
- TA0001 – Initial Access: Exploited CVE-2024-8963 for administrative bypass.
- TA0002 – Execution: Used CVE-2024-9380 for remote code execution via manipulated GET and POST requests.
- TA0003 – Persistence: Implemented web shells for maintaining access.
- TA0004 – Credential Access: Harvested admin credentials through base64-encoded scripts.
- TA0005 – Lateral Movement: Attempted lateral movement to two servers after initial access.
Indicators of Compromise:
- [url] datetime.php
- [url] /gsb/reports[.]php
- [url] /client/index.php%3f.php/gsb/broker.php
- [others ioc] Obelisk
- [others ioc] GoGo Scanner
- Check the article for all found IoCs.
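The web-shell paths listed above, turned into a hunting check over web-server access logs, as an added example that is not code from the advisory or the Cyble article. The log lines and IP addresses are constructed, and the check assumes the appliance logs the request target as received, so it decodes the target once to catch both the literal and the percent-encoded (%3f) spelling of the broker.php path.

```python
import re
from urllib.parse import unquote

# The three web-shell paths listed as IoCs on this page, in decoded form
# (defanged "[.]" and "%3f" normalised); nothing else below comes from the page.
WEBSHELL_PATHS = [
    "datetime.php",
    "/gsb/reports.php",
    "/client/index.php?.php/gsb/broker.php",
]

# Constructed sample access-log lines (combined-log style, RFC 5737 test addresses).
# Line 3 uses the percent-encoded spelling; line 5 is a benign look-alike that must not match.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Sep/2024:08:01:12 +0000] "GET /client/index.php HTTP/1.1" 200 512
203.0.113.5 - - [10/Sep/2024:08:01:30 +0000] "POST /gsb/reports.php HTTP/1.1" 200 17
198.51.100.9 - - [10/Sep/2024:08:02:04 +0000] "GET /client/index.php%3f.php/gsb/broker.php?x=1 HTTP/1.1" 200 64
198.51.100.9 - - [10/Sep/2024:08:03:10 +0000] "GET /datetime.php HTTP/1.1" 404 0
192.0.2.7 - - [10/Sep/2024:08:04:00 +0000] "GET /gsb/reports/summary.php HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

def _ioc_pattern(path: str) -> re.Pattern:
    # Anchor at a path-segment boundary so "/gsb/reports/summary.php" does not match "/gsb/reports.php".
    return re.compile(r"(?:^|/)" + re.escape(path.lstrip("/")) + r"(?=$|[/?])")

IOC_PATTERNS = [(p, _ioc_pattern(p)) for p in WEBSHELL_PATHS]

def hunt(log_text: str) -> list:
    """Return one hit per log line whose decoded request target contains a listed web-shell path."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        decoded = unquote(m["target"])  # one decode pass: catches raw and %-encoded spellings
        for ioc, pat in IOC_PATTERNS:
            if pat.search(decoded):
                hits.append({"ip": m["ip"], "ts": m["ts"], "method": m["method"],
                             "target": m["target"], "status": int(m["status"]), "ioc": ioc})
                break
    return hits

if __name__ == "__main__":
    for h in hunt(SAMPLE_LOG):  # a 404 is still worth reporting: it shows the path was probed
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["target"]} -> {h["status"]} matches {h["ioc"]}')
```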
Full Research: https://cyble.com/blog/ivanti-csa-attacks-cisa-fbi-expose-exploit-chain/