Chinese Hackers Exploit Ivanti in Network Breach

Cybersecurity and intelligence agencies CISA and the FBI have released technical details on two intricate exploitation chains used by Chinese hackers in attacks on Ivanti Cloud Services Appliance (CSA) devices. The report includes indicators of compromise (IOCs) and other data gathered during the investigations into these attacks.

The hackers employed two primary attack chains and used lateral movement techniques to gain remote access, exfiltrate data, and establish web shells on compromised systems. The vulnerabilities targeted were CVE-2024-8963 (CVSS score: 9.4), CVE-2024-9379 (CVSS score: 6.5), CVE-2024-8190 (CVSS score: 7.2), and CVE-2024-9380 (CVSS score: 7.2).

These vulnerabilities affect Ivanti CSA versions 4.6x to 5.19 and versions 5.0.1 and below. Notably, version 4.6 is no longer supported and receives no fixes, leaving it exposed to exploitation. Ivanti has confirmed, however, that the latest 5.0 version of CSA is not affected by these vulnerabilities.

The agencies also described how the intrusions were detected. In one incident, a system administrator noticed suspicious account creations and stopped the attack. In another, endpoint protection flagged the execution of encrypted scripts used to establish web shells. Previously published compromise indicators also helped to quickly identify malicious activity, such as the use of the Obelisk and Gogo Scanner tools.

In response to these attacks, affected organizations replaced compromised virtual machines with updated versions. Security teams are urged to analyze logs and artifacts thoroughly for signs of intrusion and to review all data stored on affected systems for potential compromise.
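As an added illustration of the kind of log review recommended above, the following script triages account-creation events in Linux-style authentication logs, which is the signal that let the administrator in the first incident catch the intrusion. This is example code written for this page, not code from the CISA/FBI advisory or from Ivanti; the log lines, the approved-account list, and the set of privileged groups are all constructed assumptions, and the log format is ordinary `useradd`/`usermod`/`sshd` syslog output rather than anything CSA-specific.

```python
import re

# Constructed sample lines in Linux auth.log style. They are illustrative
# only and are not taken from the advisory or from any real appliance.
SAMPLE_AUTH_LOG = """\
Sep 12 03:14:01 appliance useradd[2231]: new user: name=svc_backup, UID=1004, GID=1004, home=/home/svc_backup, shell=/bin/bash
Sep 12 03:14:02 appliance usermod[2240]: add 'svc_backup' to group 'sudo'
Sep 12 03:14:03 appliance sshd[2251]: Accepted password for svc_backup from 198.51.100.23 port 51234 ssh2
Sep 12 09:00:11 appliance useradd[3010]: new user: name=jdoe, UID=1005, GID=1005, home=/home/jdoe, shell=/bin/bash
Sep 12 09:00:15 appliance sshd[3022]: Accepted publickey for admin from 10.0.0.5 port 40022 ssh2
"""

# Accounts whose creation is documented in change management (constructed
# for the example; in practice this comes from the organization's records).
APPROVED_ACCOUNTS = {"admin", "jdoe"}

# Group memberships that turn a rogue account into an administrative one.
PRIVILEGED_GROUPS = {"sudo", "wheel", "root", "adm"}

USERADD_RE = re.compile(r"useradd\[\d+\]: new user: name=(?P<name>[^,]+), UID=(?P<uid>\d+)")
GROUP_RE = re.compile(r"usermod\[\d+\]: add '(?P<name>[^']+)' to group '(?P<group>[^']+)'")
LOGIN_RE = re.compile(r"sshd\[\d+\]: Accepted \w+ for (?P<name>\S+) from (?P<src>\S+)")


def triage_account_creations(log_text, approved_accounts):
    """Return one finding per account created by useradd that is not in the
    approved set. Each finding is enriched with any privileged-group changes
    and remote SSH logins observed for that account later in the log, and
    given a severity: 'high' if the account was made privileged or was used
    to log in remotely, otherwise 'medium'."""
    findings = {}
    for line in log_text.splitlines():
        m = USERADD_RE.search(line)
        if m:
            name = m.group("name")
            if name not in approved_accounts:
                findings[name] = {
                    "user": name,
                    "uid": int(m.group("uid")),
                    "privileged_groups": [],
                    "remote_logins": [],
                    "evidence": [line],
                }
            continue

        m = GROUP_RE.search(line)
        if m and m.group("name") in findings:
            finding = findings[m.group("name")]
            if m.group("group") in PRIVILEGED_GROUPS:
                finding["privileged_groups"].append(m.group("group"))
            finding["evidence"].append(line)
            continue

        m = LOGIN_RE.search(line)
        if m and m.group("name") in findings:
            finding = findings[m.group("name")]
            finding["remote_logins"].append(m.group("src"))
            finding["evidence"].append(line)

    for finding in findings.values():
        escalated = finding["privileged_groups"] or finding["remote_logins"]
        finding["severity"] = "high" if escalated else "medium"
    return list(findings.values())


if __name__ == "__main__":
    for finding in triage_account_creations(SAMPLE_AUTH_LOG, APPROVED_ACCOUNTS):
        print(f"[{finding['severity']}] unapproved account {finding['user']} "
              f"(uid {finding['uid']}) groups={finding['privileged_groups']} "
              f"logins_from={finding['remote_logins']}")
        for line in finding["evidence"]:
            print("    " + line)
```

Correlating the creation event with the follow-on group change and remote login is what separates a noisy "new user" alert from an actionable one: an unapproved account that was immediately added to `sudo` and then logged in from an external address is exactly the pattern a responder wants surfaced first, with the raw lines kept as evidence.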

Mandiant, a cybersecurity firm, linked these attacks to the Chinese APT group UNC5221, which previously exploited vulnerabilities in Ivanti Connect Secure VPN devices in December 2023. During the attacks, custom malware such as the ZIPLINE backdoor and the THINSPOOL dropper was used, along with tools such as PySoxy and BusyBox for further malicious activity.
