Nation-State Hackers Exploiting Ivanti CSA Vulnerabilities

Get Started Quickly!

A sophisticated nation-state hacking group has been observed exploiting multiple vulnerabilities in the Ivanti Cloud Service Appliance (CSA), including a dangerous zero-day flaw. These attacks are aimed at gaining unauthorised access to systems, stealing credentials, and conducting long-term infiltration activities within compromised networks.

What Are Nation-State Hackers?

Nation-state hackers are sophisticated, frequently state-sponsored cyberattack teams that target businesses, governmental institutions, or vital infrastructure. The objectives of these attackers are intellectual property theft, sabotage, and espionage. They employ sophisticated strategies to evade detection and gain sustained influence of the systems they are targeting.

How Are Ivanti CSA Vulnerabilities Being Exploited?

According to recent findings by Fortinet FortiGuard Labs, attackers have been leveraging several security flaws within Ivanti CSA to breach networks. By chaining multiple zero-day vulnerabilities, these hackers managed to establish a foothold, explore user configurations, and attempt to steal sensitive credentials.

The exploited vulnerabilities include:

  • CVE-2024-8190 (CVSS score: 7.2) – Command injection flaw in /gsb/DateTimeTab.php.
  • CVE-2024-8963 (CVSS score: 9.4) – Path traversal vulnerability in /client/index.php.
  • CVE-2024-9380 (CVSS score: 7.2) – Authenticated command injection in reports.php.

Using stolen credentials from gsbadmin and admin, the attackers launched an authenticated exploitation targeting the command injection vulnerability in reports.php. This allowed them to deploy a web shell named “help.php,” enabling long-term control over the compromised system.

Attackers Patching Vulnerabilities – An Unusual Move

In an unexpected twist, after Ivanti disclosed these vulnerabilities on September 10, 2024, the attackers, still active in the compromised networks, “patched” the vulnerabilities in /gsb/DateTimeTab.php and /gsb/reports.php. This is a rare but strategic move by advanced threat actors to ensure no other hacker group can exploit the same weaknesses and interfere with their ongoing attack.

Additional Exploit: SQL Injection in Ivanti Endpoint Manager (EPM)

The attackers also exploited CVE-2024-29824, a critical SQL injection vulnerability in Ivanti Endpoint Manager (EPM). This flaw enabled remote code execution by allowing the attackers to activate the xp_cmdshell stored procedure. Due to the severity of this vulnerability, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added it to its Known Exploited Vulnerabilities (KEV) list in October 2024.

Why Are These Attacks So Dangerous?

Nation-state attacks are extremely dangerous due to the high level of sophistication and the attackers’ ability to remain undetected for long periods. Their motivations, often political or economic, make them particularly persistent. Once they gain access, they can continue to exploit networks, steal data, and manipulate systems indefinitely unless detected and removed.

How Can You Protect Your Network?

Organisations must implement robust cybersecurity measures to defend against these advanced threats. This includes:

  • Regularly applying security patches and updates.
  • Monitoring network traffic for unusual activity.
  • Deploying advanced threat detection tools.
  • Ensuring strong identity and access management (IAM) practices.

ARANKISH Group specialises in providing expert cybersecurity solutions, including Cyber Threat Intelligence as a Service (CTIaaS), penetration testing, and vulnerability assessments. Our CTI service helps organisations stay ahead of evolving threats by offering real-time insights, early threat detection, and strategic intelligence on adversarial tactics.

Quick Links

Partner with the Expert Team Your Business Deserves.

Our dedicated professionals deliver tailored solutions to help your business thrive, ensuring you get the expertise and support you deserve every step of the way.

Talk To The ARANKISH Team

Feel free to reach out to us with your cyber security requirements or for a quotation. Our team will respond to you promptly.

What are you looking for?