
Attackers are hitting legacy Ivanti boxes, patching them to keep rivals out

But one industry veteran has blasted the published details of the campaign for giving away too much about the web shells sitting on victims' systems

He sells web shells on the network floor...

Fortinet says an advanced threat actor is targeting a trio of Ivanti Cloud Services Appliance (CSA) vulnerabilities – with multiple victims confirmed – and, once inside, patching those vulnerabilities so that other attackers can’t follow them into the victim’s systems.

The attackers are chaining CVE-2024-8190 (CVSS 7.2 and disclosed on September 10) with CVE-2024-29824 (CVSS 9.6 and disclosed on May 21), and CVE-2024-8963 (CVSS 9.4 and disclosed on September 19, 2024) to pop end-of-life/unsupported CSA 4.6 appliances and earlier.

The vulnerabilities (which many organisations haven’t patched) give an attacker full remote unauthenticated access as SYSTEM; such “security” appliances are increasingly hot targets for attackers to breach and then establish a beachhead for further access into organisations’ networks.

FortiGuard Labs said on October 11: “At the time of our investigation, two out of the three identified vulnerabilities were not publicly known.”

It described the campaign, identified during incident response, as “a prime example of how threat actors chain zero-day vulnerabilities to gain initial access to a victim’s network”, detailing attacker behaviour such as efforts to deploy a rootkit in the form of a Linux kernel object module.

This was likely “to maintain kernel-level persistence on the CSA device, which may survive even a factory reset” it said, in line with other reports of separate Ivanti appliance exploitation by threat actors in February.


Florian Roth, a threat research veteran and creator of Sigma, THOR Scanner, LOKI, and other tools, had also been tracking the campaign.

He told The Stack that Fortinet’s blog had put victims at further risk by publishing uncensored details on attacker behaviour, including details of web shells on victim systems and attack paths, when many remained unpatched. He said: “The web shells’ names published in the blog… can be used to access and used to exfiltrate data or drop more tools to compromise the whole network of the victims.”

Roth added: “We know of at least 40 different organisations in Europe alone with active web shells on their Ivanti devices” – these include 16 organisations in France, 11 in Germany and two in the UK, he said, across sectors ranging from “small airports, software, health, manufacturing…”

As is so often the case for security researchers, contacting victims and alerting them to the fact that there are people with bad intentions squatting invisibly on their IT infrastructure is something of a fool’s errand: “It’s really hard to find someone at these organisations and companies that responds to contact attempts and understands the issues.” 

A FortiGuard Labs spokesperson told The Stack that it had been responsible. In an emailed statement it said: “The FortiGuard Labs Incident Response team communicated and collaborated with Ivanti and followed their guidance on when to make this research publicly available. As part of our dedication to responsible threat research and disclosure, we also sent an advanced notification to our public and private threat sharing partners. By coordinating timing with Ivanti in advance, and sharing the IOCs and TTPs from this investigation, our aim is to help those that are potentially affected quickly identify and remediate issues in their environments.”
