SecurityWeek

Nation-State

Chinese State Hackers Main Suspect in Recent Ivanti CSA Zero-Day Attacks

Fortinet believes state-sponsored threat actors are behind the recent attacks involving exploitation of Ivanti CSA zero-days.


Fortinet believes a state-sponsored threat actor is behind the recent attacks involving exploitation of several zero-day vulnerabilities impacting Ivanti’s Cloud Services Application (CSA) product.

Over the past month, Ivanti has informed customers about several CSA zero-days that have been chained to compromise the systems of a “limited number” of customers.

The main flaw is CVE-2024-8190, which allows remote code execution. However, exploitation of this vulnerability requires elevated privileges, so attackers have been chaining it with other CSA bugs, such as CVE-2024-8963, CVE-2024-9379 and CVE-2024-9380, to get past the authentication requirement.

Fortinet began investigating an attack detected in a customer environment when only CVE-2024-8190 was publicly known.

According to the cybersecurity firm’s analysis, the attackers compromised systems using the CSA zero-days, and then conducted lateral movement, deployed web shells, collected information, conducted scanning and brute-force attacks, and abused the hacked Ivanti appliance for proxying traffic.

The hackers were also observed attempting to deploy a rootkit on the CSA appliance, likely in an effort to maintain persistence even if the device was reset to factory settings.

Another noteworthy aspect is that the threat actor patched the CSA vulnerabilities it had exploited, likely in an effort to prevent other hackers from exploiting them and potentially interfering with its operation.

Fortinet said that a nation-state adversary is likely behind the attack, but it has not identified the threat group. However, a researcher noted that one of the IPs released by the cybersecurity firm as an indicator of compromise (IoC) was previously attributed to UNC4841, a China-linked threat group that in late 2023 was observed exploiting a Barracuda product zero-day.

Indeed, Chinese nation-state hackers are known for exploiting Ivanti product zero-days in their operations. It’s also worth noting that Fortinet’s new report says some of the observed activity is similar to the previous Ivanti attacks linked to China.

Related: China’s Volt Typhoon Hackers Caught Exploiting Zero-Day in Servers Used by ISPs, MSPs

Related: Cisco Patches NX-OS Zero-Day Exploited by Chinese Cyberspies

Related: Organizations Warned of Exploited Fortinet FortiOS Vulnerability

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
