Monday, October 14, 2024

Ivanti CSA Zero-day Is Being Weaponized by "Suspected Nation-state Hacker"

A sophisticated nation-state adversary has been exploiting a series of vulnerabilities in Ivanti's Cloud Service Appliance (CSA) to gain unauthorized access to networks and steal sensitive data. The attack, uncovered by Fortinet FortiGuard Labs, leverages three zero-day vulnerabilities: a command injection flaw, a path traversal vulnerability, and an authenticated command injection vulnerability.

The attack begins with the exploitation of CVE-2024-8190, a command injection flaw found in the /gsb/DateTimeTab.php resource. This vulnerability allows attackers to gain unauthenticated access to the CSA and enumerate users configured within the appliance.

Next, the adversary exploits CVE-2024-8963, a path traversal vulnerability in the /client/index.php resource, to extend their access. This vulnerability allows attackers to bypass security measures and access sensitive data stored on the CSA.

Finally, the attackers utilize CVE-2024-9380, an authenticated command injection vulnerability in the reports.php resource. This vulnerability allows attackers to inject malicious commands into the CSA, ultimately enabling them to gain complete control over the device.

Once control is established, the attackers leverage stolen credentials associated with the gsbadmin and admin accounts to exploit the authenticated command injection vulnerability in the /gsb/reports.php resource. This allows them to drop a web shell, named "help.php," giving them persistent access to the CSA.
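The request chain described above leaves a trail in the appliance's web-server access log, and that is where a defender would look first. The Python script below is an added example, not Fortinet's or Ivanti's code. It assumes Apache/nginx combined log format, uses the resource names the post gives (/gsb/DateTimeTab.php, /client/index.php, /gsb/reports.php) as indicators, treats any "../" sequence under /client/index.php as the traversal pattern (a generic assumption; the post does not describe the exact request), matches the help.php web shell by filename only because the post gives no directory, and rates a source address higher when it touches more than one stage, since the post describes a chain. The log lines are constructed.

```python
"""Hunt CSA access logs for the Ivanti CSA exploitation chain described in the post.

Added example (not Fortinet's or Ivanti's code). Assumptions: combined log
format; indicator paths are the resources named in the post; "../" under
/client/index.php stands in for the traversal request, whose exact form the
post does not give; help.php is matched by filename only.
"""
import re
from collections import defaultdict
from urllib.parse import unquote

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample lines; not real traffic. The first source walks the whole
# chain, the second is an administrator touching DateTimeTab.php once.
SAMPLE_LOG = """\
203.0.113.7 - - [09/Sep/2024:02:14:05 +0000] "POST /gsb/DateTimeTab.php HTTP/1.1" 200 512 "-" "curl/8.4.0"
203.0.113.7 - - [09/Sep/2024:02:14:09 +0000] "GET /client/index.php/../../gsb/ HTTP/1.1" 200 2048 "-" "curl/8.4.0"
203.0.113.7 - - [09/Sep/2024:02:14:12 +0000] "GET /client/index.php/%2e%2e%2f%2e%2e%2fgsb/ HTTP/1.1" 200 2048 "-" "curl/8.4.0"
203.0.113.7 - gsbadmin [09/Sep/2024:02:15:31 +0000] "POST /gsb/reports.php HTTP/1.1" 200 730 "-" "curl/8.4.0"
203.0.113.7 - - [09/Sep/2024:02:16:02 +0000] "POST /gsb/help.php HTTP/1.1" 200 95 "-" "python-requests/2.31"
198.51.100.20 - admin [09/Sep/2024:08:00:00 +0000] "GET /gsb/index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.20 - admin [09/Sep/2024:08:00:30 +0000] "GET /gsb/DateTimeTab.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""


def classify_request(method, path):
    """Return the (stage, reason) pairs from the post that one request could belong to."""
    # Decode twice so %2e%2e%2f and double-encoded variants normalise to "../".
    decoded = unquote(unquote(path)).lower()
    resource = decoded.split("?", 1)[0]
    hits = []
    if resource.startswith("/gsb/datetimetab.php"):
        hits.append(("CVE-2024-8190", f"{method} to /gsb/DateTimeTab.php (command injection resource)"))
    if resource.startswith("/client/index.php") and "../" in resource:
        hits.append(("CVE-2024-8963", "traversal sequence under /client/index.php"))
    if resource.startswith("/gsb/reports.php"):
        hits.append(("CVE-2024-9380", f"{method} to /gsb/reports.php (authenticated command injection resource)"))
    if resource.endswith("/help.php"):
        hits.append(("webshell", f"{method} to help.php (web shell name reported by Fortinet)"))
    return hits


def scan_log(text):
    """Group indicator hits by source IP and rate each source.

    A source that touches two or more distinct stages, or the web shell at all,
    is rated "high"; a single stage alone is "low" (could be legitimate admin use).
    """
    per_source = defaultdict(lambda: {"stages": set(), "hits": []})
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for stage, why in classify_request(m["method"], m["path"]):
            entry = per_source[m["ip"]]
            entry["stages"].add(stage)
            entry["hits"].append((m["ts"], m["user"], stage, why))
    for entry in per_source.values():
        multi = len(entry["stages"]) >= 2 or "webshell" in entry["stages"]
        entry["severity"] = "high" if multi else "low"
    return dict(per_source)


if __name__ == "__main__":
    for ip, entry in scan_log(SAMPLE_LOG).items():
        print(f"{ip}: severity={entry['severity']} stages={sorted(entry['stages'])}")
        for ts, user, stage, why in entry["hits"]:
            print(f"  {ts} user={user} {stage}: {why}")
```

Requests to DateTimeTab.php and reports.php are normal administrative traffic, so the per-source correlation is what separates the chain from background noise; the decoding step matters because a single `unquote` misses double-encoded traversal sequences.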

"On September 10, 2024, when the advisory for CVE-2024-8190 was published by Ivanti, the threat actor, still active in the customer's network, 'patched' the command injection vulnerabilities in the resources /gsb/DateTimeTab.php, and /gsb/reports.php, making them unexploitable." This action, though seemingly defensive, demonstrates the attacker's intent to maintain control over the compromised network, potentially aiming to prevent further intrusion attempts.

In a further escalation of the attack, the attackers leverage CVE-2024-29824, a critical flaw impacting Ivanti Endpoint Manager (EPM), after compromising the internet-facing CSA appliance. This vulnerability allows attackers to enable the xp_cmdshell stored procedure and thereby achieve remote code execution. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recognized the severity of this vulnerability, adding it to its Known Exploited Vulnerabilities (KEV) catalog in the first week of October 2024.

Further activities observed by Fortinet researchers include the creation of a new user named mssqlsvc, reconnaissance commands, and the exfiltration of data through DNS tunneling using PowerShell code. This sophisticated attack also demonstrates the use of a rootkit, disguised as a Linux kernel object (sysinitd.ko), deployed on the compromised CSA device. The rootkit provides the attacker with kernel-level persistence, potentially surviving even a factory reset of the device.
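DNS tunneling of the kind mentioned above is visible to a resolver that logs queries, whichever host or script generates them. The heuristic detector below is an added example, not Fortinet's detection logic, and goes beyond the post in that it scores any domain, not just the one used in this incident. It assumes one query per line as "<timestamp> <client-ip> <qtype> <qname>", approximates the registrable domain by the last two labels (no public-suffix list), and flags a domain when many distinct, long, high-entropy subdomains are queried under it. The query lines and the tunnel domain are constructed.

```python
"""Heuristic DNS-tunnelling detector over resolver query logs.

Added example, not Fortinet's detection logic. Assumptions: one query per
line as "<timestamp> <client-ip> <qtype> <qname>"; the registrable domain is
approximated by the last two labels (no public-suffix list).
"""
import math
from collections import Counter, defaultdict

# Constructed sample: four benign lookups, then six queries whose left-most
# label is a hex-encoded payload under a made-up tunnel domain.
SAMPLE_DNS = """\
2024-09-09T02:20:01Z 10.0.5.12 A www.example.com
2024-09-09T02:20:02Z 10.0.5.12 A mail.example.com
2024-09-09T02:20:03Z 10.0.5.12 A www.example.com
2024-09-09T02:20:04Z 10.0.5.12 A api.example.com
2024-09-09T02:21:00Z 10.0.5.12 TXT 4a6f686e20446f652c2031323334.c2.example-tunnel.test
2024-09-09T02:21:01Z 10.0.5.12 TXT 3f9a1c7e5b2d8046e1a7c39b5d02f8e4.c2.example-tunnel.test
2024-09-09T02:21:02Z 10.0.5.12 TXT b7e2d9c04f6a1835c2e7b90d4a5f6138.c2.example-tunnel.test
2024-09-09T02:21:03Z 10.0.5.12 TXT 9f8e7d6c5b4a39281706f5e4d3c2b1a0.c2.example-tunnel.test
2024-09-09T02:21:04Z 10.0.5.12 TXT 0011223344556677889900aabbccddee.c2.example-tunnel.test
2024-09-09T02:21:05Z 10.0.5.12 TXT deadbeefcafef00d0123456789abcdef.c2.example-tunnel.test
"""


def shannon_entropy(s):
    """Bits per character; encoded payloads score high, dictionary words low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def split_qname(qname):
    """Return (base domain, subdomain part, left-most label) for a query name."""
    labels = qname.rstrip(".").lower().split(".")
    base = ".".join(labels[-2:])
    sub = ".".join(labels[:-2])
    leftmost = labels[0] if len(labels) > 2 else ""
    return base, sub, leftmost


def dns_tunnel_candidates(text, min_unique=5, min_label_len=20, min_entropy=3.0):
    """Per base domain: query count, distinct subdomains, mean left-most label
    length and entropy, and whether all three thresholds are exceeded."""
    per_base = defaultdict(lambda: {"queries": 0, "subs": set(), "lens": [], "ents": []})
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than fail the whole scan
        _, _client, _qtype, qname = parts
        base, sub, leftmost = split_qname(qname)
        st = per_base[base]
        st["queries"] += 1
        st["subs"].add(sub)
        st["lens"].append(len(leftmost))
        st["ents"].append(shannon_entropy(leftmost))
    results = {}
    for base, st in per_base.items():
        mean_len = sum(st["lens"]) / len(st["lens"])
        mean_ent = sum(st["ents"]) / len(st["ents"])
        flagged = (len(st["subs"]) >= min_unique
                   and mean_len >= min_label_len
                   and mean_ent >= min_entropy)
        results[base] = {
            "queries": st["queries"],
            "unique_subdomains": len(st["subs"]),
            "mean_label_len": round(mean_len, 1),
            "mean_entropy": round(mean_ent, 2),
            "flagged": flagged,
        }
    return results


if __name__ == "__main__":
    for base, stats in dns_tunnel_candidates(SAMPLE_DNS).items():
        print(base, stats)
```

The three thresholds work together: CDNs and cloud services also produce many distinct subdomains, but their labels are short or low-entropy, so requiring length and entropy as well keeps them out of the result. In production the base-domain split should use a public-suffix list, and the scan should be windowed by client and time rather than run over a whole file.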

The complexity of this multi-stage attack highlights the sophistication of the adversary, possibly linked to a nation-state actor. The attackers' meticulous actions, including patching vulnerabilities after exploitation to maintain control of the compromised network and employing persistent methods like rootkit deployment, underscore their intent to establish a long-term foothold and potentially exfiltrate sensitive information.
