Source |
Cyble |
Identifier |
8642103 |
Publication date |
2025-01-24 13:53:11 (viewed: 2025-01-24 16:05:21) |
Title |
Anatomy of an Exploit Chain: CISA, FBI Detail Ivanti CSA Attacks |
Text |
Threat actors chained together four vulnerabilities in Ivanti Cloud Service Appliances (CSA) in confirmed attacks on multiple organizations in September, according to an advisory released this week by the FBI and the U.S. Cybersecurity and Infrastructure Security Agency (CISA).
The agencies urged users to upgrade to the latest supported version of Ivanti CSA, and to conduct threat hunting on networks using recommended detection techniques and Indicators of Compromise (IoCs).
The January 22 advisory builds on October 2024 advisories from CISA and Ivanti and offers new information on the ways threat actors can chain together vulnerabilities in an attack. The four vulnerabilities were exploited as zero days, leading some to suspect sophisticated nation-state threat actors, possibly linked to the People's Republic of China (PRC).
The Ivanti CSA Exploit Chains
CVE-2024-8963, a critical administrative bypass vulnerability, was used in both exploit chains: in the first chain in conjunction with the CVE-2024-8190 and CVE-2024-9380 remote code execution (RCE) vulnerabilities, and in the second chain with CVE-2024-9379, a SQL injection vulnerability.
The vulnerabilities were chained to gain initial access, conduct RCE attacks, obtain credentials, and implant web shells on victim networks. In one case, the threat actors (TAs) moved laterally to two servers.
The vulnerabilities affect Ivanti CSA 4.6.x versions before 519, and two of the vulnerabilities (CVE-2024-9379 and CVE-2024-9380) also affect CSA versions 5.0.1 and below. However, Ivanti says the CVEs have not been exploited in version 5.0.
The First Exploit Chain
In the RCE attacks, the threat actors sent a GET request to datetime.php to obtain session and cross-site request forgery (CSRF) tokens, followed by a POST request to the same endpoint using the TIMEZONE input field to manipulate the setSystemTimeZone |
Notes |
★★★
|
Sent |
Yes |
Tags |
Tool
Vulnerability
Threat
Patching
Cloud
|