Zero-Day Exploits: Nation-State Threats Target Ivanti CSA | FortiGuard Labs

FortiGuard Labs describes an intrusion where an advanced actor chained multiple vulnerabilities in the Ivanti Cloud Services Appliance (CSA)—notably CVE-2024-8190 plus two previously unknown PHP path traversal and command-injection flaws—to gain authenticated access, steal credentials, deploy web shells, and attempt a kernel rootkit. The actor also performed lateral movement (SQL injection, xp_cmdshell), used DNS tunneling and PowerShell for exfiltration, proxied activity via a ReverseSocks5 tool, and even “patched” exploited files to block other attackers. #IvantiCSA #CVE-2024-8190

Keypoints

  • Affected: Ivanti Cloud Services Appliance (CSA) version 4.6 and earlier.
  • Initial access chain: unauthenticated path traversal on /client/index.php to reach internal PHP resources, then command injection in /gsb/DateTimeTab.php (CVE-2024-8190) and, once authenticated, in /gsb/reports.php.
  • Credential theft: scripts extracted gsbadmin and admin credentials from broker.conf, Postgres backups, and user_info table; root private key was exfiltrated from backups.
  • Post-exploit actions: created rogue accounts (aiadmin, services), deployed multiple web shells (e.g., help.php, site.php, ZjmgmXsB.php), and attempted to install a kernel rootkit (sysinitd.ko) via install.sh.
  • Lateral movement and escalation: exploited a SQL injection (CVE-2024-29824) against the backend SQL server to enable xp_cmdshell and gain remote code execution, created an mssqlsvc account, and disabled the host firewall.
  • Exfiltration & C2: used DNS tunneling (PowerShell), external C2/IPs and domains, and a ReverseSocks5 proxy for scanning/brute force operations.
  • Operational tradecraft: downloaded patched copies of vulnerable PHP files from temp[.]sh and overwrote them to make the flaws unexploitable by others.

MITRE Techniques

  • [T1078] Valid Accounts – Used exploited vulnerabilities and dbtool to create and use rogue accounts for authenticated access (‘creating two users: aiadmin and services’).
  • [T1190] Exploit Public-Facing Application – Performed command injection in the Internet-exposed PHP endpoints to execute arbitrary commands (‘the malicious command injected by the threat actor…the POST variable TIMEZONE contained the malicious command’).
  • [T1547] Boot or Logon Autostart Execution – Attempted kernel-level persistence by installing a malicious kernel object and adding it to rc.local (‘install.sh installs a persistence mechanism…adding an entry to install the malicious kernel object in the rc.local’).
  • [T1068] Exploitation for Privilege Escalation – Leveraged vulnerabilities and sudo-enabled wrappers to execute commands with elevated privileges (‘the tripwire PHP wrapper runs with sudo privileges, the injected command also runs with elevated privileges’).
  • [T1003] OS Credential Dumping – Extracted service and admin credentials from broker.conf, Postgres database, and backups (‘extracts the password of the user gsbadmin from the file /opt/landesk/broker/broker.conf’).
  • [T1041] Exfiltration Over C2 Channel – Used DNS tunneling and encoded PowerShell to exfiltrate reconnaissance and sensitive data (‘This is a technique used to exfiltrate data over the DNS protocol’).
  • [T1071] Application Layer Protocol – Used external servers and domains for command-and-control and callbacks (‘Threat actor’s C2’, ‘apiv5.serverbks[.]xyz’, ‘burpcollaborator.net’).

Indicators of Compromise

  • [IP Address] C2 / threat actor infrastructure – 206[.]189[.]156[.]69, 156[.]234[.]193[.]18, and other IPs listed in the report
  • [Domain / URL] Downloaded patches & C2 endpoints – http://temp[.]sh/khkzg/DateTimeTab.php, http://temp[.]sh/vQuoW/reports.php, apiv5[.]serverbks[.]xyz
  • [File names / Paths] Web shells and malicious files on CSA – /gsb/help.php, /client/site.php, /usr/share/empty/init/sysinitd.ko
  • [Binary / Executable] Brute-force tool and binaries – brokes (ELF binary) and broke (Linux brute force binary) used for credential spraying
  • [Hashes] Host artifacts – install.sh SHA256 8d016d02f8fbe25dce76481a90dd0b48630ce9e74e8c31ba007cf133e48b8526, sysinitd.ko SHA256 6edd7b3123de985846a805931ca8ee5f6f7ed7b160144aa0e066967bc7c0423a
  • [Files / Configs] Sensitive configuration and backup artifacts – /opt/landesk/broker/broker.conf, /backups (used to find latest backup and extract keys)

The attacker flow began with an unauthenticated path traversal in /client/index.php that reached internal PHP resources (for example /gsb/users.php), then used CVE-2024-8190 in /gsb/DateTimeTab.php by injecting a malicious payload in the TIMEZONE POST parameter. The injected base64 payload decoded to a Python script that set PGPASSWORD from the gsbadmin credentials in broker.conf, connected to the Postgres database, extracted admin credentials from the user_info table, and parsed the latest backup to recover the root private key; it also searched the backups for filenames matching the phpw{6} pattern to locate web shells and make them executable. With the stolen credentials and the root key, the operator performed authenticated command injections against /gsb/reports.php by passing unsanitized TW_ID POST values to the sudo-enabled /sbin/tripwire PHP wrapper; because the wrapper runs under sudo, the injected commands ran with elevated privileges and were used to write web shells (help.php, site.php, ZjmgmXsB.php) into the webroot.
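The request-level checks a defender would want for the chain above, as an added example (this is not FortiGuard's code or Ivanti's, and the request records, the base64 "theft script", the traversal form of the /client/index.php URL and the TW_ID value are all constructed for the demo; the real payloads are in the report). It flags dot-dot traversal on /client/index.php, shell metacharacters in the two injection sinks the report names (TIMEZONE on DateTimeTab.php, TW_ID on reports.php), and base64 blobs in those parameters that decode to a script touching PGPASSWORD, broker.conf, user_info or /backups:

```python
import base64
import re
from urllib.parse import unquote

# Shell metacharacters that have no business in a timezone name or a Tripwire report id.
SHELL_META = re.compile(r"[;&|`$\n]")
# Dot-dot traversal, raw or URL-encoded, in the /client/index.php path or query.
TRAVERSAL = re.compile(r"\.\./|\.\.%2f|%2e%2e/|%2e%2e%2f", re.IGNORECASE)
# Injection sinks named in the report: endpoint -> POST parameter.
SINKS = {
    "/gsb/DateTimeTab.php": "TIMEZONE",  # CVE-2024-8190, unauthenticated
    "/gsb/reports.php": "TW_ID",         # authenticated, reaches the sudo tripwire wrapper
}
# Strings that give away the credential-theft script once the payload is base64-decoded.
THEFT_MARKERS = re.compile(r"PGPASSWORD|broker\.conf|user_info|/backups")


def decode_embedded_base64(value: str):
    """Return the decoded ASCII text of the first base64 blob (24+ chars) in value, else None."""
    for m in re.finditer(r"[A-Za-z0-9+/]{24,}={0,2}", value):
        try:
            # strict ASCII decode rejects binary junk from path-like strings that happen
            # to be valid base64 (UnicodeDecodeError and binascii.Error are ValueErrors)
            return base64.b64decode(m.group(0), validate=True).decode("ascii")
        except ValueError:
            continue
    return None


def inspect_request(req: dict) -> list:
    """Classify one captured request (dict with path, optional query and form)."""
    findings = []
    raw = req["path"] + req.get("query", "")
    if raw.startswith("/client/index.php") and TRAVERSAL.search(raw):
        findings.append("path-traversal")
    param = SINKS.get(unquote(req["path"]))
    if param:
        value = req.get("form", {}).get(param, "")
        if SHELL_META.search(value):
            findings.append(f"command-injection:{param}")
        decoded = decode_embedded_base64(value)
        if decoded and THEFT_MARKERS.search(decoded):
            findings.append("credential-theft-payload")
    return findings


def scan(requests) -> dict:
    """Map request index -> findings (an empty list means the request looked clean)."""
    return {i: inspect_request(r) for i, r in enumerate(requests)}


# Constructed stand-in for the decoded TIMEZONE payload (the real script is in the report).
THEFT_SCRIPT = (
    "import os, subprocess\n"
    "os.environ['PGPASSWORD'] = open('/opt/landesk/broker/broker.conf').read().split('gsbadmin:')[1]\n"
    "print(subprocess.check_output(['psql', '-c', 'select * from user_info']))\n"
)
PAYLOAD_B64 = base64.b64encode(THEFT_SCRIPT.encode()).decode()

# Constructed sample traffic: three malicious requests followed by two benign ones.
SAMPLE_REQUESTS = [
    {"path": "/client/index.php/../../gsb/users.php", "form": {}},
    {"path": "/gsb/DateTimeTab.php", "form": {"TIMEZONE": f";echo {PAYLOAD_B64}|base64 -d|python3;"}},
    {"path": "/gsb/reports.php", "form": {"TW_ID": "1;id>/opt/landesk/broker/webroot/gsb/help.php"}},
    {"path": "/gsb/DateTimeTab.php", "form": {"TIMEZONE": "America/New_York"}},
    {"path": "/gsb/reports.php", "form": {"TW_ID": "42"}},
]

if __name__ == "__main__":
    for i, f in scan(SAMPLE_REQUESTS).items():
        print(i, f or "clean")
```

Ordinary access logs do not carry POST bodies, so the input here is whatever records bodies in front of the appliance (a WAF, a reverse proxy with body logging, or a PCAP); a legitimate TIMEZONE value is a tz database name and a legitimate TW_ID is a report identifier, so any shell metacharacter in either is a finding on its own, before any decoding.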

Afterward, the actor exploited a SQL injection (CVE-2024-29824) on the backend SQL server to enable xp_cmdshell and execute commands remotely, created an mssqlsvc account, and disabled the host firewall to facilitate lateral movement. They used encoded PowerShell to exfiltrate reconnaissance output over DNS tunneling, deployed a ReverseSocks5 proxy to pivot and run scanning/brute-force tooling (brokes) against internal assets, and executed dictionary attacks using harvested username lists and passdic.txt. Multiple web shells and a downloaded brute-force tarball (u) supported continued credential harvesting and internal reconnaissance.
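A detector for the DNS-tunneling exfiltration described above, as an added example rather than anything from the report: the report does not give the tunnel domain or encoding, so the query log, the hex-chunks-as-labels scheme, the domain c2-relay.example and the recon text are all constructed. The detector groups queries by client and domain and flags groups with many distinct, long subdomain prefixes; the second function shows what an analyst can recover from the resolver log once the scheme is known.

```python
import math
from collections import defaultdict


def shannon_entropy(s: str) -> float:
    """Bits per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s))


def registered_domain(qname: str, levels: int = 2) -> str:
    """Group queries by their last `levels` labels (no public-suffix list; an assumption)."""
    return ".".join(qname.rstrip(".").lower().split(".")[-levels:])


def detect_dns_tunneling(queries, min_unique: int = 8, min_label_len: int = 30) -> dict:
    """queries: iterable of (client_ip, qname).

    Flags a (client, domain) pair once it has `min_unique` distinct subdomain prefixes whose
    longest label is `min_label_len` characters or more: many long, never-repeating names
    under one domain is the shape a script produces when it packs command output into query
    names. Entropy is reported for triage but not used as a threshold, because short
    legitimate labels (autodiscover, login) can score as high as encoded data."""
    groups = defaultdict(set)
    for client, qname in queries:
        qname = qname.rstrip(".").lower()
        domain = registered_domain(qname)
        if qname.endswith("." + domain):
            groups[(client, domain)].add(qname[: -len(domain) - 1])
    flagged = {}
    for key, prefixes in groups.items():
        long_prefixes = [p for p in prefixes
                         if max(len(label) for label in p.split(".")) >= min_label_len]
        if len(long_prefixes) >= min_unique:
            flagged[key] = {
                "unique_prefixes": len(prefixes),
                "long_prefixes": len(long_prefixes),
                "avg_entropy": round(sum(shannon_entropy(p.replace(".", ""))
                                         for p in long_prefixes) / len(long_prefixes), 2),
            }
    return flagged


def reassemble(queries, domain: str) -> bytes:
    """Recover the exfiltrated bytes from <hexchunk>.<seq>.<domain> names (the constructed scheme)."""
    chunks = {}
    for _, qname in queries:
        qname = qname.rstrip(".").lower()
        if qname.endswith("." + domain):
            parts = qname[: -len(domain) - 1].split(".")
            if len(parts) == 2 and parts[1].isdigit():
                chunks[int(parts[1])] = parts[0]
    return bytes.fromhex("".join(chunks[i] for i in sorted(chunks)))


# Constructed sample: hex-encode some recon output and split it into 32-character labels,
# one query per chunk. The domain is made up; the report does not name the tunnel domain.
RECON_OUTPUT = "\n".join([
    "user: mssqlsvc",
    "host: SQL01",
    "os: Windows Server 2019",
    "firewall: disabled",
    "local admins: Administrator, mssqlsvc",
    "shares: ADMIN$ C$ backups",
    "domain: corp.example",
]).encode()
TUNNEL_DOMAIN = "c2-relay.example"


def tunnel_queries(data: bytes, domain: str, chunk: int = 32) -> list:
    """Build the query names a hex-chunking tunnel client would emit for `data`."""
    hexdata = data.hex()
    return [f"{hexdata[i:i + chunk]}.{i // chunk}.{domain}" for i in range(0, len(hexdata), chunk)]


SAMPLE_QUERIES = [("10.0.0.5", q) for q in tunnel_queries(RECON_OUTPUT, TUNNEL_DOMAIN)] + [
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.5", "mail.example.com"),
    ("10.0.0.7", "autodiscover.example.com"),
    ("10.0.0.7", "login.microsoftonline.com"),
    ("10.0.0.7", "www.example.com"),
]

if __name__ == "__main__":
    for key, stats in detect_dns_tunneling(SAMPLE_QUERIES).items():
        print(key, stats)
    print(reassemble(SAMPLE_QUERIES, TUNNEL_DOMAIN).decode())
```

Run it against resolver or sensor logs with the (client, qname) pairs from a whole day; on a real network, also cross-check the flagged domains against the C2 indicators in this report and expect CDN and telemetry domains to produce false positives that need an allowlist.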

Finally, the intruder staged persistence and operational hygiene: they attempted to install a kernel rootkit via install.sh (insmod of sysinitd.ko and rc.local persistence), and — to deny access to other attackers — downloaded patched PHP files from temp[.]sh and overwrote reports.php and DateTimeTab.php (replacing semicolons with underscores in POST parameters) to make the command-injection vectors unexploitable. Defenders should prioritize patching, verify integrity and timestamps of PHP resources, audit broker.conf and Postgres user_info access, hunt for listed IOCs (web shells, downloaded tools, C2 IPs), and check for kernel modules or rc.local modifications indicative of sysinitd-style rootkit attempts. Read more: https://feeds.fortinet.com/~/906062789/0/fortinet/blog/threat-research~Burning-Zero-Days-Suspected-NationState-Adversary-Targets-Ivanti-CSA
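A host-side hunt for the artifacts the last two paragraphs describe, as an added example (not FortiGuard's or Ivanti's tooling). It checks the webroot for PHP files outside a known-good inventory, looks in the two vendor files the actor overwrote for the semicolon-to-underscore rewrite, inspects rc.local for kernel-module loading, and hashes any .ko outside /lib/modules against the two SHA256 values the report publishes. The webroot path, the four-file inventory, the str_replace signature and the demo filesystem are assumptions made for this example; on a real appliance the inventory comes from a clean image.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# SHA256 values published in the report for the rootkit stager and kernel module.
IOC_HASHES = {
    "8d016d02f8fbe25dce76481a90dd0b48630ce9e74e8c31ba007cf133e48b8526": "install.sh",
    "6edd7b3123de985846a805931ca8ee5f6f7ed7b160144aa0e066967bc7c0423a": "sysinitd.ko",
}
# Assumed webroot location and known-good PHP inventory: only the files the report names.
WEBROOT = "opt/landesk/broker/webroot"
KNOWN_PHP = {"gsb/DateTimeTab.php", "gsb/reports.php", "gsb/users.php", "client/index.php"}
# The actor's "patch" rewrote semicolons to underscores in POST parameters. This regex is an
# assumed signature for such an edit, not the attacker's actual code.
PATCH_SIG = re.compile(r"str_replace\s*\(\s*['\"];['\"]\s*,\s*['\"]_['\"]")
KMOD_SIG = re.compile(r"\b(insmod|modprobe)\b|sysinitd")


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(65536), b""):
            h.update(block)
    return h.hexdigest()


def hunt(root) -> list:
    """Walk a filesystem image rooted at `root`; return sorted (finding, relative_path) tuples."""
    root = Path(root)
    findings = []
    webroot = root / WEBROOT
    if webroot.is_dir():
        for php in webroot.rglob("*.php"):
            rel = php.relative_to(webroot).as_posix()
            if rel not in KNOWN_PHP:
                findings.append(("unknown-php", rel))          # candidate web shell
            elif PATCH_SIG.search(php.read_text(errors="replace")):
                findings.append(("attacker-patched", rel))     # vendor file edited in place
    rc_local = root / "etc/rc.local"
    if rc_local.is_file() and KMOD_SIG.search(rc_local.read_text(errors="replace")):
        findings.append(("rc.local-kmod", "etc/rc.local"))
    for ko in root.rglob("*.ko"):
        rel = ko.relative_to(root).as_posix()
        if rel.startswith("lib/modules/"):
            continue                                           # packaged modules live here
        tag = "known-rootkit" if sha256_of(ko) in IOC_HASHES else "unexpected-kmod"
        findings.append((tag, rel))
    for stager in root.rglob("install.sh"):
        if sha256_of(stager) in IOC_HASHES:
            findings.append(("known-rootkit", stager.relative_to(root).as_posix()))
    return sorted(findings)


def build_demo_tree() -> str:
    """Constructed filesystem image holding one of each artifact type the report describes."""
    root = Path(tempfile.mkdtemp(prefix="csa-hunt-"))
    files = {
        f"{WEBROOT}/gsb/DateTimeTab.php": "<?php $tz = str_replace(';', '_', $_POST['TIMEZONE']); ?>",
        f"{WEBROOT}/gsb/reports.php": "<?php $id = $_POST['TW_ID']; ?>",
        f"{WEBROOT}/gsb/users.php": "<?php /* vendor file */ ?>",
        f"{WEBROOT}/client/index.php": "<?php /* vendor file */ ?>",
        f"{WEBROOT}/gsb/help.php": "<?php /* constructed stand-in for a dropped web shell */ ?>",
        f"{WEBROOT}/client/site.php": "<?php /* constructed stand-in for a dropped web shell */ ?>",
        "etc/rc.local": "#!/bin/sh\ninsmod /usr/share/empty/init/sysinitd.ko\nexit 0\n",
        "usr/share/empty/init/sysinitd.ko": "not a real module, hash will not match the IOC",
    }
    for rel, content in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content)
    return str(root)


if __name__ == "__main__":
    for finding in hunt(build_demo_tree()):
        print(*finding)
```

The "unexpected-kmod" result is deliberate: a module sitting under /usr/share/empty/init is worth a look even when its hash does not match the published sysinitd.ko, since a rebuilt rootkit keeps the placement and the rc.local hook but not the hash. Point `hunt()` at a mounted image or a copied filesystem rather than the live appliance where possible, and compare file mtimes of the two patched PHP files against the rest of the webroot as the report suggests.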