Multiple Ivanti Zero-Day Vulnerabilities Combined in Minimum of Three Cyber Attacks, Officials Issue Alerts
In a series of coordinated attacks that occurred in September and October 2024, attackers exploited three chained zero-day vulnerabilities in Ivanti Cloud Services Appliance (CSA) versions before 5.0. The attacks targeted critical sectors in France, including government, telecom, media, finance, and transport organisations.
The attack chain involved the exploitation of three previously unknown vulnerabilities: CVE-2024-8190, CVE-2024-8963, and CVE-2024-9380. These zero-days were exploited in sequence to achieve initial remote code execution, obtain credentials, and establish persistence.
The initial intrusion enabled the attackers to deploy PHP web shells, modify PHP scripts to enhance web shell capabilities, and execute a base64-encoded Python script for credential theft. A significant persistence mechanism was the installation of a custom Linux kernel-mode rootkit module named `sysinitd.ko`, which hijacked inbound TCP traffic and allowed remote root command execution.
The cyber campaign is attributed to a China-linked hacking group called Houken, which overlaps with UNC5174 (tracked by Mandiant). The motives appear to be primarily intelligence gathering, with some financial motivations (e.g., cryptojacking) also observed. The attack uses a mix of state-level and criminal tradecraft, blending aggressive and stealthy techniques.
The attacks targeted end-of-life versions of Ivanti CSA, prior to version 5.0. Ivanti released patches in 2024, and version 5.0 is not affected by these vulnerabilities. The three vulnerabilities were patched respectively on September 10, 2024 (CVE-2024-8190), September 15, 2024 (CVE-2024-8963), and October 8, 2024 (CVE-2024-9380).
Ivanti strongly urges customers to upgrade to Ivanti CSA version 5.0 or later, which is not vulnerable. Immediate application of the official patches for the three CVEs is critical. Organisations should monitor for signs of compromise such as unusual web shell presence, kernel modules like `sysinitd.ko`, and anomalous TCP traffic. Detection and removal of persistence mechanisms (including rootkits) as well as restoring systems from clean backups is recommended.
Network segmentation and limiting access to Ivanti CSA devices can reduce exposure. Enhanced monitoring and threat hunting for behaviours associated with tools like Behinder, neo-reGeorg, and GOHEAVY is advised.
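As an added illustration of the monitoring advice above (example code written for this article, not code from Ivanti, the advisory, or the reporting), the following Python sketch checks a `/proc/modules` snapshot for the rootkit module named in the text and applies simple web-shell heuristics to PHP files. The module watchlist, the heuristic patterns, and the sample appliance data are constructed assumptions; any hit is a triage lead for an analyst, not proof of compromise.

```python
import re

# Constructed watchlist: the module name reported in the campaign (sysinitd.ko
# loads as "sysinitd"); extend with other names from your own threat intel.
KERNEL_MODULE_WATCHLIST = {"sysinitd"}

# Constructed heuristics for PHP web shells: dynamic code execution fed by
# request parameters or by a base64-decoded blob. Two or more in one file
# is a reasonable review threshold for an appliance that ships fixed PHP.
WEBSHELL_PATTERNS = [
    (r"\beval\s*\(", "eval"),
    (r"\b(system|passthru|shell_exec|exec|popen|proc_open)\s*\(", "command exec"),
    (r"\bbase64_decode\s*\(", "base64_decode"),
    (r"\$_(POST|GET|REQUEST|COOKIE)\b", "request input"),
]


def loaded_watchlisted_modules(proc_modules_text, watchlist=KERNEL_MODULE_WATCHLIST):
    """Parse /proc/modules lines (name size refcount deps state ...) and return watchlisted names."""
    hits = []
    for line in proc_modules_text.splitlines():
        fields = line.split()
        if fields and fields[0] in watchlist:
            hits.append(fields[0])
    return hits


def webshell_indicators(php_source):
    """Return the labels of heuristic patterns present in one PHP source file."""
    return [label for pattern, label in WEBSHELL_PATTERNS if re.search(pattern, php_source)]


def triage(proc_modules_text, php_files):
    """Combine both checks into one report: loaded rootkit modules and PHP files with >= 2 indicators."""
    flagged = {path: webshell_indicators(src) for path, src in php_files.items()}
    return {
        "rootkit_modules": loaded_watchlisted_modules(proc_modules_text),
        "suspicious_php": {p: hits for p, hits in flagged.items() if len(hits) >= 2},
    }


# Constructed sample input (not captured from a real appliance).
SAMPLE_PROC_MODULES = """\
xt_conntrack 16384 1 - Live 0x0000000000000000
sysinitd 20480 0 - Live 0x0000000000000000
nf_tables 245760 3 xt_conntrack, Live 0x0000000000000000
"""
SAMPLE_PHP = {
    "/var/www/html/index.php": "<?php echo 'ok'; ?>",
    "/var/www/html/cache.php": "<?php @eval(base64_decode($_POST['x'])); ?>",
}

if __name__ == "__main__":
    print(triage(SAMPLE_PROC_MODULES, SAMPLE_PHP))
```

On a live host the same functions can be fed the contents of `/proc/modules` and the PHP files under the web root; the report is a starting point for the log collection and rootkit removal steps the advisories describe.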
In a separate incident in April, Ivanti disclosed another zero-day in multiple Ivanti products, including Ivanti Connect Secure. Credentials and data stored in affected Ivanti appliances should be considered compromised. The FBI and CISA advise collecting and analyzing logs for malicious activity in affected Ivanti appliances.
In light of these incidents, it's essential for organisations to prioritise patching and upgrading their Ivanti CSA deployments to ensure the security of their systems and data. The latest version of Ivanti CSA, 5.0, offers effective protection against these vulnerabilities.
- The October 2024 incident, linked to the exploitation of three zero-day vulnerabilities in Ivanti's Cloud Services Appliance, unfolded as a campaign that primarily targeted critical French sectors, such as government, telecom, media, finance, and transport organisations.
- It's crucial for organisations to prioritise applying the official patches for the identified vulnerabilities, CVE-2024-8190, CVE-2024-8963, and CVE-2024-9380, following the updates released by Ivanti in September and October 2024, to secure their systems and data against such intrusions.
- As the recent cyber campaign demonstrated, cybersecurity threats can have far-reaching implications in various sectors, underscoring the importance of vigilance and proactive steps, such as network segmentation, enhanced monitoring, threat hunting, and effective patch management, in safeguarding systems and data from cybercriminals.