Further insights into Ivanti CSA 4.6 vulnerabilities exploitation

Feb. 11, 2025, 9:05 a.m.

Description

This analysis examines the exploitation of critical vulnerabilities in Ivanti Cloud Service Appliance (CSA) 4.6 between October 2024 and January 2025. It confirms widespread exploitation leading to webshell deployments in September and October 2024. The report provides details on malicious activities conducted within a targeted organization in September 2024 after compromising an Ivanti CSA device. A cluster of associated implants and infrastructure is identified. A root cause analysis of CVE-2024-8963 reveals it stems from URL parsing issues in Ivanti's proprietary web server and PHP CGI configuration. The vulnerability allowed unauthenticated remote code execution. Various webshell variants deployed by attackers are described. Over 1,100 vulnerable Ivanti CSA devices were found online, with webshells on nearly half of them.

External References

https://harfanglab.io/insidethelab/insights-ivanti-csa-exploitation/
https://otx.alienvault.com/pulse/67aad6551764d380d0f060a8
Tags
vulnerability
ivanti
exploitation
webshell
infrastructure
remote code execution
CVE-2024-8190
CVE-2024-8963
CVE-2024-9379
CVE-2024-9381
2025-02-11
reversessh
nhas reverse_ssh
csa

Date

  • Created: Feb. 11, 2025, 4:47 a.m.
  • Published: Feb. 11, 2025, 4:47 a.m.
  • Modified: Feb. 11, 2025, 9:05 a.m.

Indicators

  • cae96b72244855a3d98a42bb3f65daab1cd06e9be638553e2ebf1f8a66b5cc8a
  • c64bd109100aac96eba627ca94c1161c8329378e3e8c75a1763c26b70c921891
  • af3f4ece0d98999077cef265c1af9610b96cb7cf3264c115cc6c210cdd9636fe
  • ae21cccc9cef126d164449370d5401f3e738d9e94ee4481dc198302718d37f01
  • 9f97997581f513166aae47b3664ca23c4f4ea90c24916874ff82891e2cd6e01e
  • 7798b45ffc488356f7253805dc9c8d2210552bee39db9082f772185430360574
  • 4c86e8c21451074a52cc8d60a262c683aaf4cb6b2634fea8efdd866ea2dbd3aa
  • 32fd630be301090883ef0369e419f993562fbfa7af1449c0bf2c5e52403adbcd
  • 61928ff36c5d8983853ec2f411860b97231729f047527434d3b2db8bf0b42d25
  • 18556a794f5d47f93d375e257fa94b9fb1088f3021cf79cc955eb4c1813a95da
  • 074739c7ccdee5baef649b7f7cb53668109be8f7e016294b66a5d1469803e42b
  • 00109666ef878c6d61f1882bcf66e3c9ed60943ba8bc77b66de00f594174e3bb
  • 195.133.52.87
  • 156.251.172.80
  • www.vip8025.mom
  • test.vip8025.mom
  • vip8806.mom
  • golang.org
  • vip8025.mom
Download all indicators here!

Attack Patterns

  • NHAS reverse_ssh
  • ReverseSSH
  • T1053.003
  • T1021.002
  • T1021.004
  • T1505.003
  • T1136
  • T1059.004
  • T1552
  • T1190
  • T1078

Additional Informations

  • Technology
  • Healthcare
  • Finance
  • Government
  • Manufacturing
  • France
  • Germany
  • United States of America

Linked vulnerabilities

CVE-2020-1472

None
Published:

CVE-2021-4034

None
Published:

CVE-2021-44529

None
Published:

CVE-2022-1388

None
Published:

CVE-2023-3519

None
Published:

CVE-2024-8190

7.2
    Ivanti
  • Cloud Services Appliance
Published: September 10, 2024

CVE-2024-8963

9.1
    Ivanti
  • Endpoint Manager Cloud Services Appliance
Published: September 19, 2024

CVE-2024-9379

7.2
    Ivanti
  • Endpoint Manager Cloud Services Appliance
Published: October 8, 2024

CVE-2024-9381

7.2
    Ivanti
  • Endpoint Manager Cloud Services Appliance
Published: October 8, 2024