This report analyzes widespread exploitation of Ivanti Cloud Service Appliance (CSA) vulnerabilities, particularly CVE-2024-8963, identified between October 2024 and January 2025. The vulnerabilities resulted in the deployment of webshells on many affected devices, with insights into the operational tactics of the threat actors. The report delves into the root causes of these vulnerabilities, the exploitation methods, and the implications for defenders responding to such attacks. Affected: Ivanti Cloud Service Appliance, various sectors including manufacturing, government, healthcare, finance, IT services.
Keypoints :
- Public reports detailed the exploitation of Ivanti CSA vulnerabilities beginning in Q4 2024.
- Deployment of webshells occurred by September and October 2024 due to exploited vulnerabilities.
- CVE-2024-8963 is a path traversal vulnerability discovered in Ivanti CSA, allowing unauthorized access to restricted functionalities.
- Multiple security advisories issued by Ivanti, with Patch 519 addressing critical vulnerabilities.
- Threat actors utilized various exploitation techniques that highlighted a significant attack surface in Ivanti CSAβs architecture.
- A total of 1,130 Ivanti CSA devices were identified as online, with about 20% being vulnerable.
- Geographical distribution of affected devices showed a concentration in the U.S., France, and Germany.
- Different variants of webshells were noted, indicating varied capabilities for attackers.
- Indicators of compromise linked to this campaign include hashes and IP addresses associated with deployed implants and C2 servers.
MITRE Techniques :
- TA0011: Initial Access β Exploitation of Public-Facing Application (CVE-2024-8963)
- TA0040: Impact β Data Encrypted for Impact (deployment of webshells for persistence)
- TA0020: Credential Access β Valid Accounts (exploitation to retrieve Ivanti CSA credentials)
- TA0008: Lateral Movement β Lateral Tool Transfer (usage of uploaded binaries for continued access)
- TA0009: Command and Control β Application Layer Protocol (using HTTP/TLS for C2 communications)
Indicator of Compromise :
- [SHA-256] 32fd630be301090883ef0369e419f993562fbfa7af1449c0bf2c5e52403adbcd
- [SHA-256] af3f4ece0d98999077cef265c1af9610b96cb7cf3264c115cc6c210cdd9636fe
- [SHA-256] c64bd109100aac96eba627ca94c1161c8329378e3e8c75a1763c26b70c921891
- [IP Address] 195.133.52[.]87
- [Domain] www.vip8025[.]mom
Full Story: https://harfanglab.io/insidethelab/insights-ivanti-csa-exploitation/