Anatomy of an Exploit Chain: CISA, FBI Detail Ivanti CSA Attacks 

Threat actors chained together four vulnerabilities in Ivanti Cloud Service Appliances (CSA) in confirmed attacks on multiple organizations in September, according to an advisory released this week by the FBI and the U.S. Cybersecurity and Infrastructure Security Agency (CISA). 

The agencies urged users to upgrade to the latest supported version of Ivanti CSA, and to conduct threat hunting on networks using recommended detection techniques and Indicators of Compromise (IoCs). 

The January 22 advisory builds on October 2024 advisories from CISA and Ivanti and offers new information on the ways threat actors can chain together vulnerabilities in an attack. The four vulnerabilities were exploited as zero days, leading some to suspect sophisticated nation-state threat actors, possibly linked to the People’s Republic of China (PRC). 

The Ivanti CSA Exploit Chains 

CVE-2024-8963, a critical administrative bypass vulnerability, was used in both exploit chains, first in conjunction with the CVE-2024-8190 and CVE-2024-9380 remote code execution (RCE) vulnerabilities, and in the second chain with CVE-2024-9379, a SQL injection vulnerability. 

The vulnerabilities were chained to gain initial access, conduct RCE attacks, obtain credentials, and implant web shells on victim networks. In one case, the threat actors (TAs) moved laterally to two servers. 

The vulnerabilities affect Ivanti CSA 4.6x versions before 519, and two of the vulnerabilities (CVE-2024-9379 and CVE-2024-9380) affect CSA versions 5.0.1 and below. However, Ivanti says the CVEs have not been exploited in version 5.0. 

The First Exploit Chain 

In the RCE attacks, the threat actors sent a GET request to datetime.php to obtain session and cross-site request forgery (CSRF) tokens, then a POST request to the same endpoint in which the TIMEZONE input field was used to manipulate the setSystemTimeZone function and execute code. In some of the attacks, that code consisted of base64-encoded Python scripts that harvested encrypted admin credentials from the database. 

The TAs used the credentials to log in and leverage CVE-2024-9380 to execute commands from a privileged account, using a GET request sent to /gsb/reports[.]php and a POST request using the TW_ID input field to implant web shells for persistence. 

The Second Exploit Chain 

The agencies cited just one confirmed compromise using the CVE-2024-9379 SQL injection vulnerability. 

The TAs used GET /client/index.php%3f.php/gsb/broker.php for initial access, then used CVE-2024-9379 to try to create a web shell by sending GET and POST requests to /client/index.php%3F.php/gsb/broker.php. 

The POST body used this string in the lockout attempts input box: 

LOCKOUTATTEMPTS = 1 ;INSERT INTO user_info(username, accessed, attempts) VALUES ("'echo -n TnNhV1Z1ZEM5b1pXeHdMbk>>/.k'", NOW(), 10) 

The application handled the LOCKOUTATTEMPTS value itself as intended, but it did not sanitize the SQL injection portion that followed it. As a result, the application processed both statements, and the TAs were able to add a user to the user_info table. 

After they inserted valid bash code into the user_info table, the threat actors tried to log in as the user, possibly hoping the application would handle the bash code improperly. Instead of evaluating the validity of the login, the application ran echo -n TnNhV1Z1ZEM5b1pXeHdMbk>>./k as code. 
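The defect class behind this chain, a setting spliced into SQL text so that a trailing statement in the value is executed alongside it, is easiest to see beside its fix. The following is an added example, not Ivanti's code and not from the advisory: a hypothetical settings handler over an in-memory SQLite database, with a constructed payload in the shape of the one above (the injected statement is a plain INSERT, not the echo command). The "before" handler runs the spliced string as a script, which is an assumption about how such an application would end up processing two statements; the hardened handler validates the field as an integer and binds it as a parameter, so there is no SQL text for the injected statement to attach to.

```python
import sqlite3

# Constructed payload in the shape of the advisory's LOCKOUTATTEMPTS string;
# the second statement only inserts a marker row here.
PAYLOAD = ("1 ;INSERT INTO user_info(username, accessed, attempts) "
           "VALUES ('injected', datetime('now'), 10)")


def make_db():
    """Hypothetical schema: one lockout-policy row and a user_info table."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE lockout_policy (attempts INTEGER);
        INSERT INTO lockout_policy VALUES (5);
        CREATE TABLE user_info (username TEXT, accessed TEXT, attempts INTEGER);
    """)
    return con


def set_lockout_vulnerable(con, value):
    """'Before' pattern (assumed): the field is spliced into SQL text and the
    whole string is run as a script, so a value carrying ';INSERT ...' becomes
    a second statement that the database happily executes."""
    con.executescript(f"UPDATE lockout_policy SET attempts = {value}")
    con.commit()


def set_lockout_hardened(con, value):
    """Hardened form: enforce the field's type and range, then bind it as a
    parameter. The value is never interpreted as SQL."""
    text = value.strip()
    if not text.isdigit():
        raise ValueError("LOCKOUTATTEMPTS must be a non-negative integer")
    n = int(text)
    if not 0 <= n <= 100:
        raise ValueError("LOCKOUTATTEMPTS out of range")
    con.execute("UPDATE lockout_policy SET attempts = ?", (n,))
    con.commit()


def hardened_rejects(value):
    """True if the hardened handler refuses the value without touching the DB."""
    con = make_db()
    try:
        set_lockout_hardened(con, value)
    except ValueError:
        return user_count(con) == 0
    return False


def user_count(con):
    return con.execute("SELECT COUNT(*) FROM user_info").fetchone()[0]


def lockout_value(con):
    return con.execute("SELECT attempts FROM lockout_policy").fetchone()[0]


if __name__ == "__main__":
    con = make_db()
    set_lockout_vulnerable(con, PAYLOAD)
    print("vulnerable handler: lockout =", lockout_value(con),
          "user_info rows =", user_count(con))
    print("hardened handler rejects payload:", hardened_rejects(PAYLOAD))
```

The point of the hardened version is not the regex or the range check on its own but the combination: a typed, bounded value passed through a bound parameter leaves nothing for an attacker-controlled string to append to.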

“The threat actors repeated the process of echo commands until they built a valid web shell,” FBI and CISA said. “However, there were no observations that the threat actors were successful.” 
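Both chains leave request-level traces that a defender can hunt for: the GET/POST pair to datetime.php with a TIMEZONE value that is not a timezone identifier, a POST to /gsb/reports.php whose TW_ID carries shell metacharacters, the encoded `?` path-confusion request toward broker.php, and a LOCKOUTATTEMPTS value that is not a plain integer. The following is an added triage script, not from the advisory or from Ivanti, written against the request shapes described in the first and second exploit chains above. It assumes a log source that retains request parameters (a WAF or application log; the record layout is an assumption), and the sample records are constructed. The legitimate format of TW_ID is not stated in the advisory, so that field is only checked for shell metacharacters.

```python
import re
from dataclasses import dataclass, field

# Endpoints named in the advisory.
DATETIME = "/datetime.php"
REPORTS = "/gsb/reports.php"
BROKER = "/gsb/broker.php"

# A legitimate timezone value looks like "UTC" or "Europe/Berlin".
TZ_OK = re.compile(r"^[A-Za-z_]+(?:/[A-Za-z_+\-0-9]+)*$")
# The lockout-attempts field must be a small integer and nothing else.
INT_OK = re.compile(r"^\d{1,6}$")
# Shell metacharacters that have no place in a timezone or an id field.
SHELL_META = re.compile(r"[;&|`$()<>]")
# URL-encoded '?' used to reach broker.php through index.php (chain two).
PATH_CONFUSION = re.compile(r"/index\.php%3f\.php/", re.IGNORECASE)


@dataclass
class Request:
    """Assumed record shape: source address, method, path, parsed parameters."""
    src: str
    method: str
    path: str
    params: dict = field(default_factory=dict)


def triage(reqs):
    """Return (record index, finding) pairs for the request patterns in the advisory."""
    findings = []
    token_fetchers = set()  # sources that pulled session/CSRF tokens from datetime.php
    for i, r in enumerate(reqs):
        path = r.path.split("?", 1)[0].lower()
        if PATH_CONFUSION.search(r.path):
            findings.append((i, "encoded-? path confusion toward broker.php (chain two)"))
        if path.endswith(DATETIME):
            if r.method == "GET":
                token_fetchers.add(r.src)
            elif r.method == "POST":
                tz = r.params.get("TIMEZONE", "")
                if tz and (not TZ_OK.match(tz) or SHELL_META.search(tz)):
                    note = "TIMEZONE value is not a timezone id (CVE-2024-8190)"
                    if r.src in token_fetchers:
                        note += "; preceded by token fetch from same source"
                    findings.append((i, note))
        elif path.endswith(REPORTS) and r.method == "POST":
            if SHELL_META.search(r.params.get("TW_ID", "")):
                findings.append((i, "shell metacharacters in TW_ID (CVE-2024-9380)"))
        elif path.endswith(BROKER) and r.method == "POST":
            lock = r.params.get("LOCKOUTATTEMPTS", "")
            if lock and not INT_OK.match(lock):
                findings.append((i, "non-integer LOCKOUTATTEMPTS (CVE-2024-9379)"))
    return findings


# Constructed sample records; addresses are documentation ranges, not IoCs.
SAMPLE = [
    Request("203.0.113.10", "GET", "/datetime.php"),
    Request("203.0.113.10", "POST", "/datetime.php", {"TIMEZONE": "Europe/Berlin"}),
    Request("203.0.113.10", "POST", "/datetime.php", {"TIMEZONE": "UTC; id"}),
    Request("203.0.113.10", "GET", "/gsb/reports.php"),
    Request("203.0.113.10", "POST", "/gsb/reports.php", {"TW_ID": "1234"}),
    Request("203.0.113.10", "POST", "/gsb/reports.php", {"TW_ID": "1; ls"}),
    Request("198.51.100.7", "GET", "/client/index.php%3f.php/gsb/broker.php"),
    Request("198.51.100.7", "POST", "/client/index.php%3F.php/gsb/broker.php",
            {"LOCKOUTATTEMPTS": "1 ;INSERT INTO user_info(username) VALUES ('x')"}),
]

if __name__ == "__main__":
    for idx, note in triage(SAMPLE):
        r = SAMPLE[idx]
        print(f"[{idx}] {r.src} {r.method} {r.path}: {note}")
```

Benign traffic to the same endpoints (a real timezone, a numeric TW_ID) produces nothing, which matters on an appliance where these pages are used legitimately; the findings are meant to seed a hunt, with the source address and timing then checked against the advisory's IoCs.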

Detecting Ivanti CSA Attacks 

Three of the victim organizations were able to rapidly detect the malicious activity and replaced affected virtual machines with clean versions. 

In one of the cases, an admin detected creation of suspicious accounts. Admin credentials were likely exfiltrated in that case, but there were no signs of lateral movement. 

A second organization had an endpoint protection platform (EPP) that detected the TAs executing a base64-encoded script to create web shells. 

A third organization used IoCs from the first two to detect malicious activity such as the download and deployment of Obelisk and GoGo Scanner, which generated logs that were used to further detect malicious activity. 

Ivanti CSA Mitigations 

The CISA and FBI advisory also contains IoCs and incident response and mitigation recommendations. The agencies noted that “Removing malicious administrator accounts may not fully mitigate risk considering threat actors may have established additional persistence mechanisms.” 

In addition to updating to the latest supported version of CSA, the mitigations generally follow security best practices: 

  • Install endpoint detection and response (EDR) on the system 
  • Establish a baseline and maintain detailed logs of network traffic, account behavior, and software 
  • Keep operating systems, software, and firmware up to date with timely patching, which the advisory said is “one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats.” Organizations should patch vulnerable software and hardware systems within 24 to 48 hours of vulnerability disclosure, and known exploited vulnerabilities in internet-facing systems should be prioritized. 
  • Properly secure remote access tools with application controls and allowlisting to block unlisted applications from executing 
  • Limit the use of remote desktop protocol (RDP) and other remote desktop services, and rigorously apply best practices if the services are essential 

Conclusion 

Like many joint advisories from CISA and the FBI, the Ivanti CSA advisory offers good insight into threat actor behavior and IoCs, and gives organizations practical, cost-effective steps they can take to better secure themselves. 

Cyble’s vulnerability management service can help organizations accelerate the critical process of detecting and prioritizing internet-facing vulnerabilities as part of its top-rated, AI-powered threat intelligence platform.

The post Anatomy of an Exploit Chain: CISA, FBI Detail Ivanti CSA Attacks appeared first on Cyble.