Ivanti CSA Flaws

A suspected nation-state adversary has been observed weaponizing three security flaws in Ivanti Cloud Service Appliance (CSA) as zero-days to perform a series of malicious actions.

That's according to findings from Fortinet FortiGuard Labs, which said the vulnerabilities were abused to gain unauthenticated access to the CSA, enumerate users configured in the appliance, and attempt to access the credentials of those users.

"The advanced adversaries were observed exploiting and chaining zero-day vulnerabilities to establish beachhead access in the victim's network," security researchers Faisal Abdul Malik Qureshi, John Simmons, Jared Betts, Luca Pugliese, Trent Healy, Ken Evans, and Robert Reyes said.


The flaws in question are listed below -

  • CVE-2024-8190 (CVSS score: 7.2) - A command injection flaw in the resource /gsb/DateTimeTab.php
  • CVE-2024-8963 (CVSS score: 9.4) - A path traversal vulnerability on the resource /client/index.php
  • CVE-2024-9380 (CVSS score: 7.2) - An authenticated command injection vulnerability affecting the resource /gsb/reports.php

In the next stage, the stolen credentials associated with gsbadmin and admin were used to perform authenticated exploitation of the command injection vulnerability affecting the resource /gsb/reports.php in order to drop a web shell ("help.php").

"On September 10, 2024, when the advisory for CVE-2024-8190 was published by Ivanti, the threat actor, still active in the customer's network, 'patched' the command injection vulnerabilities in the resources /gsb/DateTimeTab.php, and /gsb/reports.php, making them unexploitable."

"In the past, threat actors have been observed to patch vulnerabilities after having exploited them, and gained foothold into the victim's network, to stop any other intruder from gaining access to the vulnerable asset(s), and potentially interfering with their attack operations."

Figure: SQLi vulnerability exploitation

The unknown attackers have also been identified abusing CVE-2024-29824, a critical flaw impacting Ivanti Endpoint Manager (EPM), after compromising the internet-facing CSA appliance. Specifically, this involved enabling the xp_cmdshell stored procedure to achieve remote code execution.

It's worth noting that the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog in the first week of October 2024.

Some of the other activities included creating a new user called mssqlsvc, running reconnaissance commands, exfiltrating the results of those commands via a technique known as DNS tunneling using PowerShell code, and proxying traffic through the CSA appliance by means of an open-source tool named ReverseSocks5.

Also of note is the deployment of a rootkit in the form of a Linux kernel object ("sysinitd.ko") on the compromised CSA device. The activity was detected on September 7, 2024.


"The likely motive behind this was for the threat actor to maintain kernel-level persistence on the CSA device, which may survive even a factory reset," Fortinet researchers said.

The Linux Rootkit Detailed

In a follow-up analysis published on January 13, 2025, Fortinet revealed that the Linux rootkit deployed following the exploitation of security flaws in Ivanti CSA takes the form of a kernel module, which leverages a Netfilter hook to monitor for attacker-issued TCP packets.

"Once the attack-init packet is verified, the kernel module records the source IP and Port and, in some global variables, the destination IP and Port," the company said. "This ensures that subsequent traffic meeting the conditions will be recognized as coming from the attacker and only processed within the Netfilter hook function."

The module is also responsible for issuing various kernel API calls, including one to execute a user-space program from the kernel space. This framework enables the attacker to communicate with the infected system, allowing the commands passed in the TCP packets to be passed to the user-space process for execution with root privileges.

The user-space process works by creating a child process using a fork() system call and uses the "/bin/sh" shell to process the Linux commands sent by the threat actor. The output of the user-space process is then sent back to the attacker.
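A module like the one described above is loaded out of tree, so one defender-side check is to compare what the kernel reports as loaded against the module files shipped for the running kernel and to flag the kernel's own O (out-of-tree) and E (unsigned) taint letters. The script below is an added example, not code from Fortinet's report; the sample /proc/modules and modules.dep text is constructed, and it assumes the attacker's module is not hidden from /proc/modules (only the name sysinitd is taken from the report).

```python
import re
from pathlib import Path

# /proc/modules columns: name size refcount deps state load_address [taint-flags]
MODULE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<size>\d+)\s+(?P<refs>\d+)\s+(?P<deps>\S+)\s+"
    r"(?P<state>\S+)\s+(?P<addr>0x[0-9a-fA-F]+)(?:\s+\((?P<taint>[A-Z]+)\))?$"
)
# Taint letters a distro-shipped, signed module should never carry
SUSPICIOUS_TAINT = {"O": "out-of-tree", "E": "unsigned"}

def parse_modules(text: str) -> list[dict]:
    """Parse /proc/modules text into one dict per loaded module."""
    mods = []
    for line in text.splitlines():
        m = MODULE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["taint"] = d["taint"] or ""
            mods.append(d)
    return mods

def known_modules_from_dep(dep_text: str) -> set[str]:
    """Module names that have a file on disk, read from modules.dep."""
    names = set()
    for line in dep_text.splitlines():
        path = line.split(":", 1)[0].strip()
        if path:  # drop .ko/.ko.xz/.ko.zst; /proc/modules uses '_' not '-'
            names.add(Path(path).name.split(".ko")[0].replace("-", "_"))
    return names

def find_suspicious(modules_text: str, dep_text: str) -> list[tuple[str, list[str]]]:
    """Flag loaded modules with no backing file or with O/E taint flags."""
    known = known_modules_from_dep(dep_text)
    findings = []
    for mod in parse_modules(modules_text):
        reasons = []
        if mod["name"].replace("-", "_") not in known:
            reasons.append("no file under /lib/modules for running kernel")
        for flag, meaning in SUSPICIOUS_TAINT.items():
            if flag in mod["taint"]:
                reasons.append(f"taint {flag}: {meaning}")
        if reasons:
            findings.append((mod["name"], reasons))
    return findings

# Constructed sample input modelled on the two files; "sysinitd" is the name from the report
SAMPLE_PROC_MODULES = "nf_tables 245760 0 - Live 0xffffffffc0b20000\nsysinitd 16384 0 - Live 0xffffffffc0a00000 (OE)\n"
SAMPLE_MODULES_DEP = "kernel/net/netfilter/nf_tables.ko:\nkernel/net/netfilter/x_tables.ko:\n"
# Live use: pass the contents of /proc/modules and /lib/modules/$(uname -r)/modules.dep
```

A module that hides itself from /proc/modules will not show up here, so treat this as one check alongside file-integrity and kernel-taint monitoring rather than a complete rootkit scan.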

(The story was updated after publication to include additional details of the Linux rootkit.)

