
Chinese threat actors used two advanced exploit chains to hack Ivanti CSA


US government cybersecurity and law enforcement agencies revealed that Chinese threat actors used at least two sophisticated exploit chains to compromise Ivanti Cloud Service Appliance (CSA) devices.

CISA and the FBI published a joint advisory warning that Chinese hackers chained four Ivanti CSA flaws, CVE-2024-8963 (an administrative bypass via path traversal), CVE-2024-8190 and CVE-2024-9380 (OS command injection) and CVE-2024-9379 (SQL injection), to achieve remote code execution, steal credentials and deploy webshells.

The agencies also published indicators of compromise (IOCs) associated with these malicious activities.

The actors used two vulnerability chains against outdated Ivanti CSA versions: CVE-2024-8963 combined with CVE-2024-8190 and CVE-2024-9380, and CVE-2024-8963 combined with CVE-2024-9379. In one confirmed compromise they went on to move laterally to two further servers.

“According to CISA and trusted third-party incident response data, threat actors chained the listed vulnerabilities to gain initial access, conduct remote code execution (RCE), obtain credentials, and implant webshells on victim networks. The actors’ primary exploit paths were two vulnerability chains. One exploit chain leveraged CVE-2024-8963 in conjunction with CVE-2024-8190 and CVE-2024-9380 and the other exploited CVE-2024-8963 and CVE-2024-9379. In one confirmed compromise, the actors moved laterally to two servers.” reads the joint advisory.

The vulnerabilities affect Ivanti CSA 4.6.x builds before patch 519; CVE-2024-9379 and CVE-2024-9380 also affect CSA 5.0.1 and earlier.

The advisory stresses that Ivanti CSA 4.6 is end-of-life and no longer receives security updates, so 4.6 instances still in service remain exposed and the only durable fix is upgrading to a supported release.
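As an added worked example (not code from the advisory, CISA or Ivanti), the affected-version ranges above turned into a small inventory triage script: it parses a CSA version string, maps it to the CVEs the advisory lists for that range, flags the end-of-life 4.6 line, and sorts hosts so the ones exposed to a full chain come first. The `(host, version)` inventory shape, the `4.6 patch N` build notation and the sample hosts are assumptions constructed for illustration; adapt the parser to whatever your asset database actually exports.

```python
"""Triage an Ivanti CSA inventory against the version ranges in the advisory.

Ranges as stated in the article:
  * CSA 4.6.x builds before patch 519: all four CVEs
    (CVE-2024-8963, CVE-2024-8190, CVE-2024-9380, CVE-2024-9379)
  * CSA 5.0.1 and earlier: CVE-2024-9379 and CVE-2024-9380
The whole 4.6 line is end-of-life, so a patched 4.6 box is still a finding.
"""
import re
from dataclasses import dataclass

# First chain: admin bypass + two OS command injection (RCE) bugs.
CHAIN_A = ("CVE-2024-8963", "CVE-2024-8190", "CVE-2024-9380")
# Second chain: admin bypass + SQL injection.
CHAIN_B = ("CVE-2024-8963", "CVE-2024-9379")

# Assumed version-string shape for this example, e.g. "4.6 patch 518" or
# "5.0.1". This is NOT Ivanti's official format; adjust to your inventory.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:\s+patch\s+(\d+))?$", re.I)


@dataclass
class Finding:
    host: str
    version: str
    cves: tuple          # CVEs from the advisory that apply to this version
    end_of_life: bool    # True for anything on the 4.6 line


def parse_version(s):
    """Return (major, minor, point, patch) as ints; missing parts become 0."""
    m = VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised CSA version string: {s!r}")
    major, minor, point, patch = m.groups()
    return int(major), int(minor), int(point or 0), int(patch or 0)


def affected_cves(version):
    """CVEs from this advisory that apply to the given version (may be empty).

    An empty result means "not in a listed range", not "known safe".
    """
    major, minor, point, patch = parse_version(version)
    if (major, minor) == (4, 6):
        if patch < 519:
            return frozenset(CHAIN_A) | frozenset(CHAIN_B)
        return frozenset()
    if (major, minor) == (5, 0) and point <= 1:
        return frozenset({"CVE-2024-9379", "CVE-2024-9380"})
    return frozenset()


def is_end_of_life(version):
    """Everything before the 5.0 line is EOL per the advisory."""
    major, minor, _, _ = parse_version(version)
    return (major, minor) < (5, 0)


def triage(inventory):
    """Return Findings for hosts that need action, most exposed first."""
    findings = []
    for host, version in inventory:
        cves = affected_cves(version)
        eol = is_end_of_life(version)
        if cves or eol:
            findings.append(Finding(host, version, tuple(sorted(cves)), eol))
    # Full chain exposure first, then EOL-only hosts, then by name for stability.
    findings.sort(key=lambda f: (-len(f.cves), not f.end_of_life, f.host))
    return findings


# Constructed sample inventory for the example; these are not real hosts.
SAMPLE_INVENTORY = [
    ("csa-dmz-01", "4.6 patch 518"),   # all four CVEs, and EOL
    ("csa-dmz-02", "4.6 patch 519"),   # patched, but still EOL
    ("csa-lab-01", "5.0.1"),           # the two 5.0.x CVEs
    ("csa-prod-01", "5.0.2"),          # outside every listed range
]

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"{f.host:12} {f.version:15} EOL={f.end_of_life!s:5} "
              f"{', '.join(f.cves) or '-'}")
```

Run it against a real export and the host list it prints is the order in which to schedule upgrades; note that `affected_cves` returning nothing only says the version is outside the ranges this advisory names, so keep the 5.0.2 row on the normal patch cadence rather than treating it as cleared.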

The advisory details hacking activities exploiting the mentioned vulnerabilities.

In the first chain, the actors exploited CVE-2024-8963 together with the RCE flaws CVE-2024-8190 and CVE-2024-9380 to gain access, exfiltrate credentials and implant webshells for persistence. They then ran encoded scripts to harvest and decrypt admin credentials, escalated privileges to execute commands and established reverse command-and-control (C2) channels. Government experts collected evidence of lateral movement, including attempts to reach Jenkins servers and to scan for further vulnerabilities; the actors also used sudo commands to hide exploitation traces and maintain persistence.

In a second instance, the actors exploited CVE-2024-8963 and CVE-2024-9379 in attempts at SQL injection and webshell creation; the victims detected and remediated the activity promptly, and the attempts did not succeed.

The advisory also lists mitigations for this campaign, starting with upgrading to a supported CSA release, and the published IOCs give defenders something to hunt for on appliances that were exposed while unpatched.


Pierluigi Paganini

(SecurityAffairs – hacking, CISA)