In a concerning discovery, a sophisticated nation-state adversary has been found exploiting multiple security flaws in Ivanti Cloud Service Appliance (CSA), including a zero-day vulnerability. These vulnerabilities were weaponized to infiltrate networks and perform a series of damaging activities, including credential theft and system manipulation.
What is a Nation-State Attacker?
Nation-state attackers are highly organized groups, often sponsored by governments, that target other countries, corporations, or critical infrastructure for espionage, sabotage, or intellectual property theft. These advanced threat actors (ATAs) use state-of-the-art tools and techniques to remain undetected while they establish persistent access to a network. Their operations are usually motivated by political, economic, or military goals.
The Attack: How Did the Hackers Exploit Ivanti CSA?
According to cybersecurity experts at Fortinet FortiGuard Labs, the attackers exploited three distinct security vulnerabilities within Ivanti CSA. These vulnerabilities allowed them to breach the system, enumerate users, and attempt to capture sensitive credentials. By chaining these zero-day vulnerabilities, the attackers gained an initial foothold, enabling them to proceed with further network infiltration.
The exploited vulnerabilities are:
- CVE-2024-8190 (CVSS score: 7.2) – A command injection flaw within the /gsb/DateTimeTab.php resource.
- CVE-2024-8963 (CVSS score: 9.4) – A path traversal vulnerability in /client/index.php.
- CVE-2024-9380 (CVSS score: 7.2) – An authenticated command injection flaw affecting reports.php.
Once inside, the attackers obtained credentials for the gsbadmin and admin accounts. With these credentials, they carried out authenticated exploitation of the command injection vulnerability in reports.php to deploy a malicious web shell (“help.php”), effectively granting them long-term control over the compromised system.
What is Network Infiltration?
Network infiltration occurs when an attacker gains unauthorized access to a network, often to extract sensitive information or manipulate systems. In the case of this Ivanti CSA attack, the adversaries leveraged their initial access to perform reconnaissance and maintain their foothold in the network. They continued to exploit these vulnerabilities undetected for an extended period, which is characteristic of many nation-state attacks.
Threat Actors Patch Vulnerabilities—An Uncommon Tactic
In an unusual twist, after Ivanti publicly disclosed the vulnerabilities on September 10, 2024, the attackers—still active within the compromised network—took steps to “patch” the vulnerabilities in the resources /gsb/DateTimeTab.php and /gsb/reports.php. This was likely done to prevent other threat actors from exploiting the same vulnerabilities and disrupting their operations.
This tactic of patching systems is not commonly seen in typical cyberattacks but has been used by highly advanced adversaries in previous incidents. By eliminating other potential attackers, they maintain exclusive control over the compromised systems.
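Because the intruders edited the appliance's own PHP resources and dropped a new file, one practical defender check is a file-integrity comparison of the web root against a known-good baseline. The script below is an added example written for this article; it is not code from the article, from Ivanti, or from Fortinet. It assumes a baseline snapshot taken from a clean install, and the directory layout, file contents and the location of the new file are constructed placeholders, not real appliance paths or contents.

```python
import hashlib
import os
import tempfile

# Added example: file-integrity baseline for an appliance web root.
# Paths and contents below are constructed placeholders, not real CSA files.

def sha256_file(path: str) -> str:
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: str) -> dict:
    """Map each regular file under root (relative, '/'-separated) to its SHA-256."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = sha256_file(full)
    return result


def diff_against_baseline(baseline: dict, current: dict) -> dict:
    """Report files whose hash changed, files that appeared, and files that vanished."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return {"modified": modified, "added": added, "removed": removed}


def demo() -> dict:
    """Constructed scenario: baseline a clean web root, then re-scan after one
    resource is altered in place and an unexpected new PHP file appears."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "gsb"))
        os.makedirs(os.path.join(root, "client"))
        clean = {
            "gsb/DateTimeTab.php": "<?php /* placeholder clean content */ ?>\n",
            "gsb/reports.php": "<?php /* placeholder clean content */ ?>\n",
            "client/index.php": "<?php /* placeholder clean content */ ?>\n",
        }
        for rel, body in clean.items():
            with open(os.path.join(root, *rel.split("/")), "w") as fh:
                fh.write(body)
        # In practice the baseline comes from a known-good install and is stored off-box.
        baseline = snapshot(root)

        # Simulated tampering: a resource edited in place and a new file dropped.
        with open(os.path.join(root, "gsb", "DateTimeTab.php"), "a") as fh:
            fh.write("/* simulated unauthorized edit */\n")
        with open(os.path.join(root, "help.php"), "w") as fh:
            fh.write("<?php /* simulated unexpected new file */ ?>\n")

        return diff_against_baseline(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

The baseline must be captured before compromise and kept where the appliance cannot alter it; a snapshot taken after the intruders have "patched" the files would simply enshrine their edits as the norm.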
Additional Exploitation: SQL Injection Vulnerability in Ivanti Endpoint Manager (EPM)
In addition to the CSA vulnerabilities, the attackers exploited a critical flaw, CVE-2024-29824, in Ivanti Endpoint Manager (EPM). This SQL injection vulnerability allowed them to enable the xp_cmdshell stored procedure, leading to remote code execution. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) quickly added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalogue in October 2024.
What Else Did the Attackers Do?
Once they had control of the systems, the attackers executed various activities, including:
- Creating a new system user named mssqlsvc.
- Running reconnaissance commands to understand the network environment better.
- Exfiltrating data using DNS tunnelling, a covert method of transmitting data outside the network using the DNS protocol.
- Installing a rootkit, sysinitd.ko, on the compromised CSA device. This rootkit grants the attackers kernel-level persistence, meaning they could survive a factory reset of the device, ensuring long-term control over the compromised systems.
Why Are Nation-State Attacks So Dangerous?
Nation-state attacks are particularly dangerous due to the level of sophistication and resources behind them. These attackers often target critical infrastructure, governmental agencies, or high-value corporations to gather intelligence or cause disruption. Their ability to remain hidden for extended periods makes them highly effective in gaining deep access to sensitive data or controlling vital systems.
How to Protect Against Advanced Persistent Threats (APT)
To mitigate the risk of nation-state attackers and other advanced persistent threats (APTs), it’s essential to implement strong cybersecurity defenses, including:
- Regularly patching known vulnerabilities.
- Deploying advanced threat detection systems.
- Monitoring for unusual network activity.
- Ensuring robust identity and access management (IAM) practices.
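The DNS tunnelling exfiltration described earlier and the recommendation to monitor for unusual network activity are both illustrated by the following added example, which is not code from the article or from Fortinet's report. It assumes a simple resolver-log line format ("<timestamp> <client-ip> query <fqdn>") and uses constructed sample lines; the thresholds (three or more unique subdomains, an average prefix length of at least 24 characters, and an average Shannon entropy of at least 3.5 bits per character) are illustrative starting points to tune against your own traffic, not values taken from the report.

```python
import math
import re
from collections import defaultdict

# Constructed sample of DNS query log lines (not from the article or any real capture).
# Assumed format per line: "<timestamp> <client-ip> query <fqdn>"
SAMPLE_DNS_LOG = """\
2024-09-12T10:00:01 10.0.0.5 query www.example.com
2024-09-12T10:00:02 10.0.0.5 query mail.example.com
2024-09-12T10:00:03 10.0.0.7 query mfrggzdfmztwq2lknnwg23tpobyxe43uov3ho6dz.exfil-test.invalid
2024-09-12T10:00:03 10.0.0.7 query onswg2lemnxw43tpn5xgeidvonswg2lemnxw43ta.exfil-test.invalid
2024-09-12T10:00:04 10.0.0.7 query kbsw45dsmvzxi2lomnxwgzlemvsgc3tbnvsxg4tf.exfil-test.invalid
2024-09-12T10:00:04 10.0.0.7 query gezdgnbvgy3tqojqgi3dmnrxha4tsojsgu2dsmzr.exfil-test.invalid
2024-09-12T10:00:05 10.0.0.5 query cdn.example.com
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+query\s+(\S+)$")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; encoded payloads score far higher than hostnames."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_fqdn(fqdn: str):
    """Return (subdomain_prefix, registered_domain). Naive: the registered domain is
    the last two labels; a production version would consult the Public Suffix List."""
    labels = fqdn.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_log(text: str):
    """Parse lines in the assumed format into (timestamp, client, fqdn) tuples."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append((m.group(1), m.group(2), m.group(3)))
    return records


def find_tunnelling_candidates(records, min_unique=3, min_avg_len=24.0, min_entropy=3.5):
    """Group queries by registered domain and flag domains whose subdomain prefixes
    are numerous, long and high-entropy, the signature of data carried in labels."""
    per_domain = defaultdict(lambda: {"prefixes": set(), "clients": set()})
    for _ts, client, fqdn in records:
        prefix, domain = split_fqdn(fqdn)
        if prefix:
            per_domain[domain]["prefixes"].add(prefix)
            per_domain[domain]["clients"].add(client)

    findings = {}
    for domain, info in per_domain.items():
        prefixes = info["prefixes"]
        avg_len = sum(len(p) for p in prefixes) / len(prefixes)
        avg_ent = sum(shannon_entropy(p.replace(".", "")) for p in prefixes) / len(prefixes)
        if len(prefixes) >= min_unique and avg_len >= min_avg_len and avg_ent >= min_entropy:
            findings[domain] = {
                "unique_subdomains": len(prefixes),
                "avg_prefix_len": round(avg_len, 1),
                "avg_entropy": round(avg_ent, 2),
                "clients": sorted(info["clients"]),
            }
    return findings


if __name__ == "__main__":
    for domain, detail in find_tunnelling_candidates(parse_log(SAMPLE_DNS_LOG)).items():
        print(domain, detail)
```

Grouping by registered domain rather than by full name is what makes the pattern visible: each individual query looks like an ordinary lookup, but a domain that receives many distinct, long, random-looking subdomains from one client over a short window is the shape tunnelling takes, and the client list in each finding gives the host to investigate first.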
At Bluefire Redteam, we specialize in identifying and mitigating advanced threats through red teaming, vulnerability assessments, and penetration testing, helping organizations stay ahead of evolving cyber threats.