A suspected nation-state actor has been observed exploiting three vulnerabilities in the Ivanti Cloud Service Appliance (CSA), one rated critical and two high-severity, as zero-days in a series of targeted attacks. According to Fortinet's FortiGuard Labs, the flaws allowed the attackers to gain unauthenticated access to the CSA, enumerate the users configured on it, and attempt to obtain those users' credentials.

The researchers, Faisal Abdul Malik Qureshi, John Simmons, Jared Betts, Luca Pugliese, Trent Healy, Ken Evans, and Robert Reyes, found that the adversaries chained the zero-days to gain initial entry into the victim's network, a level of capability and tradecraft typical of threat actors operating on behalf of nation-states.

The vulnerabilities are CVE-2024-8190, an OS command injection in /gsb/DateTimeTab.php (CVSS score: 7.2, high); CVE-2024-8963, a path traversal in /client/index.php (CVSS score: 9.4, critical); and CVE-2024-9380, another command injection, this one in /gsb/reports.php (CVSS score: 7.2, high). The path traversal was chained with the DateTimeTab.php injection to reach the appliance without any credentials. The reports.php injection requires an authenticated administrator, and the attackers reached it with admin credentials stolen from the compromised appliance, then used that foothold to push further into the network.

Fortinet also reported that the attackers "patched" the appliance after exploiting it. On September 10, 2024, when Ivanti published its advisory for CVE-2024-8190, the threat actors fixed the vulnerable endpoints on the compromised CSA, effectively locking out other intruders. This behaviour has been seen in earlier incidents: an attacker closes the hole they came in through so that no other party can contest their access.

The attackers then expanded their operations with CVE-2024-29824, a critical SQL injection flaw (CVSS score: 9.6) in Ivanti Endpoint Manager (EPM). They used it to run sp_configure on the backing SQL Server and enable the xp_cmdshell extended stored procedure, turning database access into remote code execution on the EPM host. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has since added the vulnerability to its Known Exploited Vulnerabilities catalog, a signal of how urgent the threat is.
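Enabling xp_cmdshell leaves a trace: SQL Server writes a "Configuration option ... changed from 0 to 1" line to its ERRORLOG for every sp_configure change, and 'show advanced options' has to be switched on before xp_cmdshell can be. The following detection is an added example, not code from Fortinet or Ivanti; the ERRORLOG excerpt it runs over is constructed here to show the pattern, and the option names and log message format are the ones SQL Server itself uses.

```python
import re
from dataclasses import dataclass
from typing import List

# Message SQL Server writes to its ERRORLOG whenever sp_configure changes an
# option. The prefix (timestamp, spid) is the standard ERRORLOG line layout.
CONFIG_CHANGE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+(?P<spid>spid\d+)\s+"
    r"Configuration option '(?P<option>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)\."
)

# Options that turn database access into OS command execution. 'show advanced
# options' must be enabled first, so its enablement is an early warning.
WATCHED_OPTIONS = {"show advanced options", "xp_cmdshell", "Ole Automation Procedures"}


@dataclass
class ConfigEvent:
    timestamp: str
    spid: str
    option: str
    old: int
    new: int


def parse_config_changes(lines: List[str]) -> List[ConfigEvent]:
    """Extract every sp_configure change recorded in the given ERRORLOG lines."""
    events = []
    for line in lines:
        m = CONFIG_CHANGE.match(line)
        if m:
            events.append(ConfigEvent(m["ts"], m["spid"], m["option"],
                                      int(m["old"]), int(m["new"])))
    return events


def find_enablement(lines: List[str]) -> List[ConfigEvent]:
    """Return only the changes that switched a watched option on (0 -> 1)."""
    return [e for e in parse_config_changes(lines)
            if e.option in WATCHED_OPTIONS and e.old == 0 and e.new == 1]


# Constructed sample ERRORLOG excerpt (not a real log): a normal startup line,
# the two changes an attacker needs for xp_cmdshell, and a later disable that
# should not be reported as an enablement.
SAMPLE_ERRORLOG = [
    "2024-09-12 02:10:44.12 Server      Server process ID is 4120.",
    "2024-09-12 03:21:07.53 spid57      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.",
    "2024-09-12 03:21:07.61 spid57      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.",
    "2024-09-12 03:22:15.02 spid57      Configuration option 'xp_cmdshell' changed from 1 to 0. Run the RECONFIGURE statement to install.",
]

if __name__ == "__main__":
    for ev in find_enablement(SAMPLE_ERRORLOG):
        print(f"{ev.timestamp} {ev.spid}: '{ev.option}' enabled")
```

The same spid appearing on both changes within a second is the signature of a scripted enable; a live check on the server is `SELECT name, value_in_use FROM sys.configurations WHERE name = 'xp_cmdshell'`, which should return 0 on an EPM database server that has no business running OS commands.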

Beyond exploitation, the adversaries created new accounts, ran reconnaissance commands, and exfiltrated data, including over DNS tunneling. They also proxied traffic through the compromised CSA appliance using ReverseSocks5, an open-source reverse SOCKS5 proxy. Notably, a Linux kernel rootkit named "sysinitd.ko" was found on the device, which points to an intent to retain long-term access and control.
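DNS tunneling is visible in resolver logs as a burst of unique, long, high-entropy subdomains under one zone, often with TXT or NULL queries. The heuristic below is an added example written for this article, not part of Fortinet's report; the log lines are constructed, the `ts client qname qtype` format is an assumption about how the resolver logs look, and the thresholds are starting points to tune against real traffic.

```python
import math
from collections import defaultdict
from typing import Dict, List, Tuple


def shannon_entropy(s: str) -> float:
    """Bits per character of s: about 4.5+ for random base32/hex, under 2.5 for words."""
    if not s:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname: str, zone_labels: int = 2) -> Tuple[str, str]:
    """Split a query name into (registered zone, subdomain prefix).
    Assumption: the registrable zone is the last two labels (no public-suffix lookup)."""
    parts = qname.rstrip(".").split(".")
    zone = ".".join(parts[-zone_labels:])
    prefix = ".".join(parts[:-zone_labels])
    return zone, prefix


def profile_zones(lines: List[str]) -> Dict[str, dict]:
    """Aggregate per-zone statistics from 'ts client qname qtype' log lines."""
    zones = defaultdict(lambda: {"queries": 0, "names": set(), "len_sum": 0,
                                 "entropy_sum": 0.0, "txt_null": 0})
    for line in lines:
        _ts, _client, qname, qtype = line.split()
        zone, prefix = split_qname(qname)
        st = zones[zone]
        st["queries"] += 1
        st["names"].add(qname)
        st["len_sum"] += len(prefix)
        st["entropy_sum"] += shannon_entropy(prefix.replace(".", ""))
        if qtype in ("TXT", "NULL"):
            st["txt_null"] += 1
    return zones


def flag_tunneling(lines: List[str], min_unique: int = 5, min_avg_len: int = 25,
                   min_entropy: float = 3.5) -> List[str]:
    """Zones with many unique, long, high-entropy subdomains: tunnel candidates."""
    flagged = []
    for zone, st in profile_zones(lines).items():
        if len(st["names"]) < min_unique:
            continue
        avg_len = st["len_sum"] / st["queries"]
        avg_entropy = st["entropy_sum"] / st["queries"]
        if avg_len >= min_avg_len and avg_entropy >= min_entropy:
            flagged.append(zone)
    return sorted(flagged)


# Constructed sample resolver log (not real traffic): ordinary lookups for
# example.com and six encoded-looking TXT queries under a hypothetical zone.
SAMPLE_DNS_LOG = [
    "2024-09-12T03:14:01Z 10.20.30.5 www.example.com A",
    "2024-09-12T03:14:02Z 10.20.30.5 mail.example.com A",
    "2024-09-12T03:14:03Z 10.20.30.5 www.example.com A",
    "2024-09-12T03:14:04Z 10.20.30.5 api.example.com A",
    "2024-09-12T03:14:05Z 10.20.30.5 cdn.example.com A",
    "2024-09-12T03:14:06Z 10.20.30.5 blog.example.com A",
    "2024-09-12T03:14:07Z 10.20.30.5 a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6.t.c2-example.net TXT",
    "2024-09-12T03:14:08Z 10.20.30.5 q7r8s9t0u1v2w3x4y5z6a7b8c9d0e1f2.t.c2-example.net TXT",
    "2024-09-12T03:14:09Z 10.20.30.5 g3h4i5j6k7l8m9n0o1p2q3r4s5t6u7v8.t.c2-example.net TXT",
    "2024-09-12T03:14:10Z 10.20.30.5 w9x0y1z2a3b4c5d6e7f8g9h0i1j2k3l4.t.c2-example.net TXT",
    "2024-09-12T03:14:11Z 10.20.30.5 m5n6o7p8q9r0s1t2u3v4w5x6y7z8a9b0.t.c2-example.net TXT",
    "2024-09-12T03:14:12Z 10.20.30.5 c1d2e3f4g5h6i7j8k9l0m1n2o3p4q5r6.t.c2-example.net TXT",
]

if __name__ == "__main__":
    for zone in flag_tunneling(SAMPLE_DNS_LOG):
        st = profile_zones(SAMPLE_DNS_LOG)[zone]
        print(f"{zone}: {len(st['names'])} unique names, {st['txt_null']} TXT/NULL queries")
```

Run over a day of logs from the appliance's resolver, the output is a short list of zones to investigate; the ReverseSocks5 proxy is a separate signal, since it shows up as a persistent outbound TCP connection from the CSA to an external host rather than as DNS.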

Kernel-level persistence is especially concerning because it survives reboots and shows that the operators understand the platform well. Fortinet's follow-up analysis of the rootkit found that it silently monitors incoming TCP packets and lets the attacker execute commands with elevated privileges, underscoring the severity of the breach.
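A loaded kernel module is the practical thing to check for on a CSA that may have been hit. The snippet below is an added example, not Fortinet's or Ivanti's tooling: it diffs the module list against a baseline and cross-checks /sys/module against /proc/modules, the latter because a rootkit that unlinks itself from the kernel's module list disappears from lsmod but generally keeps its sysfs entry (this is a general rootkit check, and the article does not say sysinitd.ko hides itself). The /proc/modules and /sys/module snapshots are constructed, the baseline is hypothetical, and "hidemod" is an invented name used only to exercise the hidden-module path.

```python
import os
from typing import Dict, List, Set


def parse_proc_modules(text: str) -> Set[str]:
    """Module names from /proc/modules ('name size refcount deps state addr ...')."""
    names = set()
    for line in text.splitlines():
        fields = line.split()
        if fields:
            names.add(fields[0])
    return names


def unexpected_modules(loaded: Set[str], baseline: Set[str]) -> List[str]:
    """Loaded modules absent from a known-good baseline for this appliance."""
    return sorted(loaded - baseline)


def hidden_modules(sysfs_modules: Dict[str, bool], proc_modules: Set[str]) -> List[str]:
    """Loadable modules (sysfs entry has an initstate file) missing from /proc/modules.
    Built-in modules have a /sys/module entry without initstate and are ignored.
    Input: {module name: has_initstate}."""
    return sorted(name for name, loadable in sysfs_modules.items()
                  if loadable and name not in proc_modules)


def read_live_sysfs(root: str = "/sys/module") -> Dict[str, bool]:
    """Build the {name: has_initstate} map from a real system (Linux only)."""
    return {name: os.path.exists(os.path.join(root, name, "initstate"))
            for name in os.listdir(root)}


# Constructed snapshot of /proc/modules (not taken from a real appliance).
SAMPLE_PROC_MODULES = """\
sysinitd 16384 0 - Live 0xffffffffc0b1a000 (OE)
ext4 847872 1 - Live 0xffffffffc0a00000
crc16 16384 1 ext4, Live 0xffffffffc09f9000
virtio_net 77824 0 - Live 0xffffffffc09e0000
"""

# Constructed view of /sys/module: name -> whether an initstate file exists.
# 'kernel' and 'printk' are built-in (parameters only, no initstate) and are
# expected to be absent from /proc/modules. 'hidemod' is a hypothetical module
# that has unlinked itself from the module list.
SAMPLE_SYS_MODULE = {
    "sysinitd": True, "ext4": True, "crc16": True, "virtio_net": True,
    "kernel": False, "printk": False, "hidemod": True,
}

# Hypothetical known-good module set for the appliance image.
BASELINE = {"ext4", "crc16", "virtio_net"}


def audit(proc_text: str, sysfs_modules: Dict[str, bool], baseline: Set[str]) -> Dict[str, List[str]]:
    """Run both checks and return the findings by category."""
    loaded = parse_proc_modules(proc_text)
    return {
        "unexpected": unexpected_modules(loaded, baseline),
        "hidden": hidden_modules(sysfs_modules, loaded),
    }


if __name__ == "__main__":
    for category, names in audit(SAMPLE_PROC_MODULES, SAMPLE_SYS_MODULE, BASELINE).items():
        print(f"{category}: {names or 'none'}")
```

On a real host, replace the constructed inputs with `open("/proc/modules").read()` and `read_live_sysfs()`; the "(OE)" taint markers in /proc/modules (out-of-tree, unsigned) are a second thing to look at on an appliance whose vendor image ships only signed modules.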

Mapped to the MITRE ATT&CK framework, the intrusion reads as follows: initial access by exploiting the public-facing CSA (Exploit Public-Facing Application, T1190); persistence through the kernel rootkit; credential access by harvesting the appliance's admin credentials, which in turn enabled the authenticated reports.php exploit and the move into EPM; and exfiltration over DNS. The coordination across these stages is consistent with a state-sponsored operation.

Organizations that rely on Ivanti products should treat this as a live threat: apply the CSA and EPM patches, review appliances for unexpected accounts, kernel modules, and outbound DNS or proxy traffic, and be ready to respond if any of those indicators turn up. As the threat landscape evolves, proactive defence against this kind of persistent, well-resourced adversary is the only sustainable posture.