Affected Platforms: Ivanti Cloud Services Appliance version 4.6 and prior
Impacted Users: Any organization
Impact: Remote attackers gain control of the vulnerable systems
Severity Level: Critical
Today FortiGuard Labs is releasing this blog post about a case where an advanced adversary was observed exploiting three vulnerabilities affecting the Ivanti Cloud Services Appliance (CSA). At the time of our investigation, two out of the three identified vulnerabilities were not publicly known. This incident is a prime example of how threat actors chain zero-day vulnerabilities to gain initial access to a victim’s network.
In a recent incident response engagement, FortiGuard Incident Response (FGIR) services were engaged by a customer to investigate malicious communication originating from their network. During the investigation, FGIR came across an adversary who had gained access to the customer’s network by exploiting CVE-2024-8190 and two previously unknown vulnerabilities affecting the PHP front end of the Ivanti CSA appliance.
The incident was detected by the customer on September 9, 2024, when some of its internal systems were found to be communicating with a malicious IP address, 206[.]189[.]156[.]69. FGIR was engaged the next day.