Threat Actors Chained Vulnerabilities in Ivanti Cloud Service Applications
The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) have released a joint Cybersecurity Advisory regarding the exploitation of vulnerabilities in Ivanti Cloud Service Appliances (CSA). The vulnerabilities, including CVE-2024-8963, CVE-2024-8190, CVE-2024-9379, and CVE-2024-9380, were exploited in September 2024, allowing threat actors to gain initial access, conduct remote code execution, obtain credentials, and implant webshells on victim networks. The actors chained the vulnerabilities to gain access, with two primary exploit paths: one leveraging CVE-2024-8963 with CVE-2024-8190 and CVE-2024-9380, and the other exploiting CVE-2024-8963 with CVE-2024-9379. The vulnerabilities affect Ivanti CSA version 4.6x versions before 519, and two of the vulnerabilities also affect CSA versions 5.0.1 and below. Ivanti CSA 4.6 is End-of-Life and no longer receives patches or third-party libraries, and CISA and FBI strongly encourage network administrators to upgrade to the latest supported version. Network defenders are encouraged to hunt for malicious activity on their networks using the detection methods and indicators of compromise (IOCs) within the advisory. Credentials and sensitive data stored within the affected Ivanti appliances should be considered compromised, and organizations should collect and analyze logs and artifacts for malicious activity. The advisory provides technical details on the vulnerabilities, including the MITRE ATT&CK tactics and techniques used by the threat actors. The actors' activity was detected by three victim organizations, which were able to remediate the incidents by replacing virtual machines with clean and upgraded versions.