Researchers have uncovered a sophisticated attack campaign targeting Ivanti Cloud Services Appliance (CSA) users.
Nation-state actors are exploiting multiple zero-day vulnerabilities in the CSA to gain unauthorized access to victims’ networks and establish a foothold for further malicious activities.
FortiGuard Labs, in a recent incident response engagement, discovered that attackers were chaining three vulnerabilities – CVE-2024-8190 and two previously unknown flaws – to compromise CSA installations.
The attack was first detected on September 9, 2024, when suspicious communications were observed between internal systems and a malicious IP address.
The incident highlights the threat actors’ ability to chain zero-day vulnerabilities to establish a foothold in targeted networks.
The attackers were observed “patching” some of the vulnerabilities they had exploited, likely to prevent other threat actors from compromising the same systems and interfering with their operations.
Ivanti has released security updates addressing these vulnerabilities and strongly urges all CSA users to upgrade to version 5.0.2 or later immediately.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2024-8190 to its Known Exploited Vulnerabilities catalog, requiring federal agencies to patch affected systems promptly.
Organizations using Ivanti CSA are advised to:
As this campaign demonstrates the increasing sophistication of cyber threats, organizations must remain vigilant and prioritize timely patching and security best practices to protect their critical assets and data.