Active exploitation of a trio of Ivanti Cloud Service Appliance zero-days has been conducted by a suspected state-sponsored threat operation in a bid to infiltrate targeted networks and conduct various malicious schemes, The Hacker News reports.
After establishing network access by chaining the critical-severity path traversal bug, tracked as CVE-2024-8963, with the high-severity command injection vulnerability, tracked as CVE-2024-8190, and the high-severity authenticated command injection issue, tracked as CVE-2024-9380, attackers proceeded to enumerate configured users and attempted to steal their credentials, according to an analysis from Fortinet FortiGuard Labs. The threat actors also exploited the critical Ivanti Endpoint Manager vulnerability, tracked as CVE-2024-29824, before creating a new user and executing reconnaissance commands, the results of which were exfiltrated through DNS tunneling. "The likely motive behind this was for the threat actor to maintain kernel-level persistence on the CSA device, which may survive even a factory reset," said Fortinet researchers.