October 15, 2024
Severity
High
Analysis Summary
A zero-day exploit chain in the Ivanti Cloud Service Appliance (CSA) has been used by a suspected nation-state adversary to carry out several malicious operations.
Researchers report that the vulnerabilities were exploited to obtain unauthenticated access to the CSA, enumerate all of the users configured on the appliance, and attempt to obtain those users' login credentials. The attackers chained the zero-day vulnerabilities together to gain a beachhead in the victim's network. The vulnerabilities are as follows:
- CVE-2024-8190 (CVSS score: 7.2) - A command injection vulnerability in the resource /gsb/DateTimeTab.php
- CVE-2024-8963 (CVSS score: 9.4) - A path traversal flaw in the resource /client/index.php
- CVE-2024-9380 (CVSS score: 7.2) - A vulnerability related to authenticated command injection that affects the reports.php resource
The next step was authenticated exploitation of the command injection vulnerability in the resource /gsb/reports.php, using the stolen credentials of the gsbadmin and admin accounts. This allowed the attackers to drop a web shell ("help.php"). When Ivanti released its advisory for CVE-2024-8190 on September 10, 2024, the threat actor, who was still operating within the customer's network, 'patched' the command injection vulnerabilities in the resources /gsb/DateTimeTab.php and /gsb/reports.php, rendering them unusable to anyone else.
Once they have penetrated a victim's network and exploited a vulnerability, threat actors have been known to patch that vulnerability so that other intruders cannot reach the compromised asset and disrupt their operation. After breaking into the internet-facing CSA appliance, the unidentified attackers were also found abusing CVE-2024-29824, a significant vulnerability affecting the Ivanti Endpoint Manager (EPM). Achieving remote code execution through it involved enabling the xp_cmdshell stored procedure on the EPM SQL Server.
It is noteworthy that during the first week of October 2024, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2024-29824 to its Known Exploited Vulnerabilities (KEV) catalog. Other activity included creating a new user called mssqlsvc, executing reconnaissance commands, exfiltrating the results of those commands with PowerShell code, and using an open-source program called ReverseSocks5 to proxy traffic through the CSA appliance.
Also noteworthy is the installation of a rootkit on the compromised CSA device, disguised as a Linux kernel object ("sysinitd.ko"). It was discovered on September 7, 2024. The threat actor most likely did this to maintain kernel-level persistence on the CSA device, which might even survive a factory reset.
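The host-side artifacts named above (the help.php web shell, the sysinitd.ko kernel object, the mssqlsvc account, and xp_cmdshell being enabled on the EPM SQL Server) can be checked with a small triage script. The following is an added example, not code from the advisory or from Ivanti; the sample lsmod output, file listing, account list and sys.configurations rows are constructed for the demonstration, and the web-root paths are placeholders rather than the appliance's real layout.

```python
"""Host-artifact triage for the CSA / EPM intrusion described above.

Added example (not from the advisory or Ivanti).  On a real host the
inputs would come from `lsmod` on the CSA, a file listing of the CSA web
root, the local account list of the CSA or EPM host, and
`SELECT name, value_in_use FROM sys.configurations` on the EPM SQL Server.
"""
import posixpath
from typing import Dict, Iterable, List, Tuple

# Artifact names taken from the advisory text.
SUSPECT_MODULES = {"sysinitd"}      # sysinitd.ko appears in lsmod as "sysinitd"
SUSPECT_FILES = {"help.php"}        # web shell dropped via /gsb/reports.php
SUSPECT_ACCOUNTS = {"mssqlsvc"}     # account created during the EPM phase

# --- Constructed sample data (NOT real host output) -----------------------
SAMPLE_LSMOD = """Module                  Size  Used by
sysinitd               16384  0
ext4                  745472  1
"""
# Hypothetical web-root layout; only the file names matter here.
SAMPLE_WEBROOT = [
    "/var/www/html/gsb/DateTimeTab.php",
    "/var/www/html/gsb/reports.php",
    "/var/www/html/gsb/help.php",
]
SAMPLE_ACCOUNTS = ["root", "gsbadmin", "admin", "mssqlsvc"]
SAMPLE_SQL_CONFIG = [("show advanced options", 1), ("xp_cmdshell", 1)]


def find_suspect_modules(lsmod_text: str) -> List[str]:
    """Module names from lsmod-style output that are on the suspect list."""
    found = []
    for line in lsmod_text.splitlines()[1:]:       # first row is the header
        fields = line.split()
        if fields and fields[0] in SUSPECT_MODULES:
            found.append(fields[0])
    return found


def find_suspect_files(paths: Iterable[str]) -> List[str]:
    """Paths whose file name matches a known web-shell name."""
    return [p for p in paths if posixpath.basename(p) in SUSPECT_FILES]


def find_suspect_accounts(usernames: Iterable[str]) -> List[str]:
    """Usernames that match the account the attackers created."""
    return [u for u in usernames if u in SUSPECT_ACCOUNTS]


def xp_cmdshell_enabled(config_rows: Iterable[Tuple[str, int]]) -> bool:
    """True if a (name, value_in_use) row shows xp_cmdshell switched on."""
    return any(name == "xp_cmdshell" and int(value) == 1
               for name, value in config_rows)


def triage(lsmod_text: str, paths: Iterable[str], usernames: Iterable[str],
           config_rows: Iterable[Tuple[str, int]]) -> Dict[str, object]:
    """Collect all findings; an empty list / False means nothing matched."""
    return {
        "kernel_modules": find_suspect_modules(lsmod_text),
        "web_shells": find_suspect_files(paths),
        "accounts": find_suspect_accounts(usernames),
        "xp_cmdshell_enabled": xp_cmdshell_enabled(config_rows),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LSMOD, SAMPLE_WEBROOT,
                             SAMPLE_ACCOUNTS, SAMPLE_SQL_CONFIG).items():
        print(f"{key}: {value}")
```

A kernel module that is hidden by the rootkit will not show up in lsmod, so an empty `kernel_modules` result from a live system is not conclusive; compare against an offline image or the module file on disk as well.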
Impact
- Unauthorized Access
- Credential Theft
- Code Execution
Indicators of Compromise
Domain Name
- 189f31ed7d.ipv6.bypass.eu.org
- c67f045c2f.ipv6.1433.eu.org
IP
- 74.62.81.162
- 206.189.156.69
- 51.91.79.17
- 156.234.193.18
- 208.105.190.170
- 216.131.75.52
- 24.166.100.255
- 67.217.228.92
- 69.49.88.235
- 45.61.136.189
- 38.207.159.76
- 193.189.100.197
- 23.236.66.97
URL
- http://temp.sh/khkzg/DateTimeTab.php
- http://temp.sh/vQuoW/reports.php
- http://l8u6aolk4ejfsl9zeq6321zvwm2eq3.burpcollaborator.net/
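To act on the "search for IOCs" step in the remediation list, the indicators above can be matched against web access, proxy and DNS logs. The script below is an added example, not part of the advisory: the domain, IP and URL values are copied from the lists above, the log lines are constructed for the demonstration, and the IP matching uses lookarounds so that a listed address is not reported when it merely appears inside a longer address.

```python
"""Match the advisory's network indicators against text log lines.

Added example, not from the advisory.  Indicator values are the ones
listed on the page; everything else (log format, sample lines) is
constructed for the demonstration.
"""
import re
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

DOMAINS = {"189f31ed7d.ipv6.bypass.eu.org", "c67f045c2f.ipv6.1433.eu.org"}
IPS = {
    "74.62.81.162", "206.189.156.69", "51.91.79.17", "156.234.193.18",
    "208.105.190.170", "216.131.75.52", "24.166.100.255", "67.217.228.92",
    "69.49.88.235", "45.61.136.189", "38.207.159.76", "193.189.100.197",
    "23.236.66.97",
}
URLS = {
    "http://temp.sh/khkzg/DateTimeTab.php",
    "http://temp.sh/vQuoW/reports.php",
    "http://l8u6aolk4ejfsl9zeq6321zvwm2eq3.burpcollaborator.net/",
}
# Resources named in the CVE descriptions; requests to them deserve review
# even when no listed indicator is present on the same line.
WATCHED_PATHS = ("/gsb/DateTimeTab.php", "/client/index.php", "/gsb/reports.php")


def _url_key(url: str) -> str:
    """host + path, so the match works with or without the scheme; a bare
    '/' path collapses to the host name (DNS logs carry no path)."""
    parts = urlsplit(url)
    return parts.netloc if parts.path in ("", "/") else parts.netloc + parts.path


# Lookarounds stop 23.236.66.97 matching inside 123.236.66.97 or 23.236.66.971.
IP_RE = re.compile(r"(?<![\d.])(" + "|".join(map(re.escape, sorted(IPS))) + r")(?![\d.])")
# Leading lookbehind rejects sub-labels glued on; a trailing '.' (DNS form) is allowed.
DOMAIN_RE = re.compile(r"(?<![\w.-])(" + "|".join(map(re.escape, sorted(DOMAINS))) + r")(?![\w-])",
                       re.IGNORECASE)
URL_RE = re.compile("|".join(re.escape(_url_key(u)) for u in sorted(URLS)), re.IGNORECASE)


def scan_line(line: str) -> List[Tuple[str, str]]:
    """Return (indicator_type, value) hits found in one log line."""
    hits: List[Tuple[str, str]] = []
    hits += [("ip", m) for m in IP_RE.findall(line)]
    hits += [("domain", m.lower()) for m in DOMAIN_RE.findall(line)]
    hits += [("url", m) for m in URL_RE.findall(line)]
    lowered = line.lower()
    hits += [("watched_path", p) for p in WATCHED_PATHS if p.lower() in lowered]
    return hits


def scan_log(lines: List[str]) -> Dict[str, List[Tuple[str, str]]]:
    """Map every line that produced at least one hit to its hits."""
    findings: Dict[str, List[Tuple[str, str]]] = {}
    for line in lines:
        hits = scan_line(line)
        if hits:
            findings[line] = hits
    return findings


# Constructed sample lines (not real logs).
SAMPLE_LOG = [
    # access log: request to a watched resource from a listed IP
    '206.189.156.69 - - [07/Sep/2024:10:12:01 +0000] "GET /client/index.php HTTP/1.1" 200 512',
    # proxy log: outbound fetch of a staged file
    '2024-09-07T10:13:44Z proxy ALLOW 10.0.0.5 -> GET http://temp.sh/khkzg/DateTimeTab.php 200',
    # DNS query log, name in trailing-dot form
    '2024-09-07T10:14:02Z dns query 10.0.0.5 189f31ed7d.ipv6.bypass.eu.org. A',
    # benign line whose address only contains a listed IP as a substring
    '123.236.66.97 - - [07/Sep/2024:10:15:00 +0000] "GET /index.html HTTP/1.1" 200 120',
]

if __name__ == "__main__":
    for line, hits in scan_log(SAMPLE_LOG).items():
        print(hits, "<-", line)
```

The `watched_path` class is deliberately separate from the indicator hits: legitimate administrators request those resources too, so it is a review queue, not an alert on its own, whereas a hit on a listed IP, domain or URL is direct evidence worth escalating.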
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Implement a robust vulnerability management program to regularly scan and identify any potential vulnerabilities in your environment. Prioritize patching and remediation based on criticality and impact.
- Implement network segmentation to isolate critical systems from other less critical systems. This can help contain the impact of a potential compromise and limit lateral movement within the network.
- Follow the principle of least privilege for user accounts and ensure that only authorized personnel have administrative access. Regularly review and revoke unnecessary privileges to minimize the attack surface.
- Deploy robust security monitoring and intrusion detection systems to detect any suspicious activities or indicators of compromise. Implement real-time log analysis and alerting mechanisms to identify potential unauthorized access attempts.
- Educate users and system administrators about the latest threats, phishing techniques, and social engineering tactics employed by APT groups. Encourage a culture of security awareness and promote safe computing practices.
- Conduct periodic security audits and assessments of your infrastructure to identify any misconfigurations or vulnerabilities. Engage third-party security experts if necessary to perform thorough assessments.
- Continuously monitor the security posture of your environment. Implement hardening measures and security best practices to minimize the attack surface and strengthen defenses.