Ivanti Vulns Chained Together in Attacks


NEWS BRIEF

Cyberattackers are using a new threat vector involving several Ivanti vulnerabilities in order to subvert the company’s Cloud Service Appliance (CSA).

According to the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI, these include CVE-2024-8963, an admin bypass vulnerability; CVE-2024-9379, a SQL injection vulnerability; and CVE-2024-8190 and CVE-2024-9380, both remote code execution (RCE) vulnerabilities.

Using third-party incident-response data, CISA found that threat actors chained the bugs together to gain initial access, which allowed them to conduct RCE, obtain credentials, and install Web shells on victim networks.

“All four vulnerabilities affect Ivanti CSA version 4.6x versions before 519, and two of the vulnerabilities (CVE-2024-9379 and CVE-2024-9380) affect CSA versions 5.0.1 and below; according to Ivanti, these CVEs have not been exploited in version 5.0,” CISA stated in the advisory.

In order to mitigate these threats, both organizations encourage network admins to upgrade to the latest supported version of Ivanti CSA and to use detection methods and the indicators of compromise (IoCs) provided in the CISA advisory to search for malicious activity on their networks.


If organizations do detect compromise, it’s recommended to quarantine or take offline potentially affected hosts and reimage them. Admins should also provide new account credentials, collect and review artifacts, and report the compromise to CISA. In addition to this, it’s recommended to exercise, test, and validate a security program against threat actors listed in the MITRE ATT&CK for Enterprise framework.
