CVE-2024-8190: Hacker Breaches Network, Locks In

In mid-September of this year, FortiGuard Labs revealed an attack in which an unknown attacker exploited vulnerabilities in Ivanti's Cloud Services Appliance (CSA). One of the three vulnerabilities was already known as CVE-2024-8190; the other two were previously undiscovered.

The hacker breached the system on September 4, 2024, exploiting a path traversal in the “/client/index.php” file and command injection in the “Reports.php” file. This allowed unauthorized extraction of user data and execution of malicious commands to further penetrate victim systems.

By September 11, the attacker had begun targeting user passwords using Bubors. After obtaining access to privileged accounts, the attacker installed web shells and continued to manipulate vulnerable files. Interestingly, the attacker also took measures to patch the discovered vulnerabilities to prevent other hackers from exploiting them.

As of now, Ivanti has released a patch for the CVE-2024-8190 vulnerability, but other vulnerabilities in CSA still pose a threat to users. FortiGuard Labs is actively monitoring the attackers’ activities and has promised to share additional information in upcoming reports.
