Cyberattackers Exploit Ivanti Vulnerabilities to Target Cloud Service Appliance (CSA)
News Brief
Cyberattackers are using a new threat vector involving several Ivanti vulnerabilities to subvert the company’s Cloud Service Appliance (CSA). According to the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI, these include:
- CVE-2024-8963: An admin bypass vulnerability
- CVE-2024-9379: A SQL injection vulnerability
- CVE-2024-8190: A remote code execution (RCE) vulnerability
- CVE-2024-9380: A remote code execution (RCE) vulnerability
Threat Actors’ Tactics
Using third-party incident-response data, CISA found that threat actors chained these bugs together to gain initial access, which allowed them to conduct remote code execution (RCE), obtain credentials, and install Web shells on victim networks.
Vulnerability Affecting Ivanti CSA Versions
"All four vulnerabilities affect Ivanti CSA version 4.6x versions before 519, and two of the vulnerabilities (CVE-2024-9379 and CVE-2024-9380) affect CSA versions 5.0.1 and below; according to Ivanti, these CVEs have not been exploited in version 5.0," CISA stated in the advisory.
Mitigation and Response
To mitigate these threats, both agencies encourage network admins to upgrade to the latest supported version of Ivanti CSA and to use the detection methods and indicators of compromise (IoCs) provided in the CISA advisory to search their networks for malicious activity.
Additional Recommendations
If an organization does detect compromise, CISA and the FBI recommend that it:
- Quarantine or take offline potentially affected hosts and reimage them
- Provide new account credentials
- Collect and review artifacts
- Report the compromise to CISA
- Exercise, test, and validate its security program against the threat actors and techniques catalogued in the MITRE ATT&CK for Enterprise framework