Hackers combined critical flaws in Ivanti Cloud Service Appliances (CSA) in September 2024, chaining them together to achieve initial access, execute remote code, and infiltrate victim networks.
The vulnerabilities exploited were CVE-2024-8963 (administrative bypass), CVE-2024-9379 (SQL injection), and two remote code execution (RCE) vulnerabilities, CVE-2024-8190 and CVE-2024-9380.
These were addressed in a joint Cybersecurity Advisory released by the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI).
The chaining was particularly evident in two key exploit chains: one that combined CVE-2024-8963 with CVE-2024-8190 and CVE-2024-9380, and one that combined CVE-2024-8963 with CVE-2024-9379.
Attackers deployed webshells for persistent access, stole credentials, and, in one particular instance, moved laterally to two internal servers. Additional follow-on activity was curtailed in some cases due to early detection of anomalous behavior and swift implementation of mitigating actions.
All four vulnerabilities affected Ivanti CSA 4.6x versions prior to 519. Notably, CSA version 4.6 is now classified as End-of-Life (EOL) and is no longer eligible for security patches or updates. Additionally, CVE-2024-9379 and CVE-2024-9380 impacted CSA versions 5.0.1 and below.
According to Ivanti, these two vulnerabilities were not exploited in version 5.0. Ivanti released multiple advisories in response to the increasingly critical situation, and CISA added all four CVEs to its Known Exploited Vulnerabilities (KEV) Catalog following evidence of their use as zero-day vulnerabilities.
Post-exploitation patterns in compromised organizations included webshell implantation, credential theft, and lateral movement; detection of anomalous behavior proved to be a key defense.
This month, Ivanti attributed the exploitation of a newly patched VPN zero-day vulnerability to Chinese cyber spies.