Ivanti Cloud Services Targeted by Nation-State Exploit Chains

Understand the critical vulnerabilities in cloud service applications and emphasize the importance of proactive security measures to protect against nation-state attacks.

The U.S. government agencies CISA and FBI have provided technical details on two exploit chains used by nation-state hackers to compromise Ivanti's cloud service applications. These exploits, identified in September 2024, involve vulnerabilities that allow administrative bypass, SQL injection, and remote code execution. The exploit chains enable attackers to gain initial access, execute remote code, obtain credentials, and attempt to implant web shells on target networks. The vulnerabilities have been used to conduct lateral movements and compromise sensitive data stored within Ivanti appliances.

Key Facts

Risks:

Sensitive Data, Patch Management, Web App/Website Vulnerability, Weak or Compromised Credentials

Keywords:

Ivanti, Nation-State Attack, Cloud Vulnerabilities, Remote Code Execution, CISA, FBI

CVE:

CVE-2024-8963; CVE-2024-9379; CVE-2024-8190; CVE-2024-9380

Affected:

Ivanti

Article Body

Overview of Ivanti Exploit Chains

In September 2024, cybersecurity and law enforcement agencies in the U.S., namely the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI), released detailed insights into two sophisticated exploit chains. These exploit chains were weaponized by nation-state hackers to target Ivanti's cloud service applications, highlighting critical security vulnerabilities.

Key Vulnerabilities

The vulnerabilities exploited in these attacks are the four CVEs listed in the Key Facts above: CVE-2024-8963, CVE-2024-9379, CVE-2024-8190 and CVE-2024-9380. Together they allow administrative bypass, SQL injection and remote code execution on the affected Ivanti appliances.

Attack Sequences

First Exploit Chain

The first exploit chain, disclosed by Fortinet FortiGuard Labs in October 2024, involved the combined abuse of CVE-2024-8963 with CVE-2024-8190 and CVE-2024-9380. This sequence allowed attackers to gain an initial foothold in the system. Once inside, they could conduct lateral movements, spreading further within the network.

Second Exploit Chain

The second attack chain leveraged CVE-2024-8963 alongside CVE-2024-9379. This combination granted access to the target network, with subsequent attempts to implant web shells for persistent access. However, these attempts were reportedly unsuccessful.

Implications for Ivanti Users

The exploitation of these vulnerabilities enables threat actors to gain initial access, execute remote code, and obtain credentials. Moreover, sensitive data stored within the affected Ivanti appliances should be considered compromised, indicating a severe risk to data integrity and confidentiality.

Summary

This incident underscores the critical importance of understanding and addressing vulnerabilities in cloud service applications. Organizations using Ivanti products must prioritize patch management and implement robust security measures to defend against such sophisticated nation-state attacks.

Read More

https://thehackernews.com/2025/01/cisco-fixes-critical-privilege.html?m=1#cisa-and-fbi-detail-ivanti-exploit-chains