The threat actor chained CVE-2024-8190 with two previously unknown vulnerabilities, CVE-2024-8963 and CVE-2024-9380, to gain unauthorized access to the Ivanti CSA appliance.
They used the path traversal vulnerability (CVE-2024-8963) to reach resources that should not have been exposed, then the command injection vulnerability (CVE-2024-9380) to execute arbitrary commands on the appliance.
Through this chain the threat actor compromised the appliance and, from it, the customer's network, gaining a foothold from which further malicious activity could proceed.
The attacker exploited a path traversal vulnerability in /client/index.php on the Ivanti CSA appliance: a malformed URL manipulated the $filename variable in /client/OnDemand.php, allowing access to resources that should not have been reachable.
Appending “%3F.php” (the URL-encoded form of “?.php”) to the URI, followed by the path of the desired resource, let the attacker reach internal pages such as “/gsb/users.php” (the user list) or “/gsb/datetime.php”.
The same access was likely used to create rogue accounts (named “aiadmin” and “services”) for persistent access.
The threat actor exploited a command injection vulnerability in /gsb/DateTimeTab.php to harvest the credentials of users configured on the CSA appliance.
By manipulating the TIMEZONE POST variable, the attacker ran a Python script that extracted the gsbadmin password from broker.conf and the admin password from the user_info table in the Postgres database.
The script also changed the permissions of a PHP file inside the most recent backup and overwrote the organization column of user_info with the base64-encoded private key of the root user, which gave the threat actor a path to further access and compromise of the system.
They also exploited a command injection vulnerability in /gsb/reports.php, injecting commands to drop a web shell and gain further unauthorized access. The flaw lay in the TW_ID parameter, which was passed to the /subin/tripwire script without any sanitization.
The threat actor then patched the flaw themselves by rewriting semicolons in TW_ID to underscores, a narrow fix that stops only the “;” command separator but was enough to prevent further exploitation through that vector. FGIR confirmed that this in-place patch blocked the exploit and found that the official Ivanti patch did not address this specific vulnerability.
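The intruder's in-place fix is worth a closer look because it is a textbook example of a denylist sanitizer: it rewrites one character and leaves every other shell metacharacter untouched. The Python below is an added example, not code from the report or from the CSA appliance. It models the semicolon-to-underscore rewrite as `attacker_patch`, probes it with a handful of constructed TW_ID values, and contrasts it with the two fixes a practitioner would actually apply: an allowlist validator (the accepted format, letters, digits, dot, dash and underscore up to 64 characters, is an assumption, since the real TW_ID format is not on the page) and shell quoting of the argument with `shlex.quote` (the Python equivalent of PHP's `escapeshellarg`). The `/subin/tripwire` path is taken from the text; the command line built around it is illustrative.

```python
import re
import shlex

# Model of the fix the intruder applied to /gsb/reports.php: only ';' is
# rewritten to '_' before TW_ID reaches /subin/tripwire. Nothing else changes.
def attacker_patch(tw_id: str) -> str:
    return tw_id.replace(";", "_")

# Characters a POSIX shell treats specially when a value is interpolated
# unquoted into a command line. Any of these can change what gets executed.
SHELL_META = set(";|&$`\n(){}<>*?[]\\\"' \t")


def carries_shell_meta(value: str) -> bool:
    """True if the value still contains at least one shell metacharacter."""
    return any(c in SHELL_META for c in value)


def bypasses(sanitizer, probes):
    """Return the probe values that still carry shell metacharacters after
    the given sanitizer has run on them."""
    return [p for p in probes if carries_shell_meta(sanitizer(p))]


# Constructed probe values (not observed traffic): one uses the separator the
# intruder filtered, the rest use separators the filter never looks at.
PROBES = ["1;id", "1|id", "1&&id", "1$(id)", "1\nid"]

# Assumed TW_ID format for the allowlist; adjust to the real report-id format.
TW_ID_OK = re.compile(r"[A-Za-z0-9._-]{1,64}")


def validate_tw_id(tw_id: str) -> str:
    """Allowlist validator: accept only values matching the assumed format,
    reject everything else before it gets anywhere near a shell."""
    if not TW_ID_OK.fullmatch(tw_id):
        raise ValueError(f"rejected TW_ID: {tw_id!r}")
    return tw_id


def quoted_command(tw_id: str) -> str:
    """Defense in depth: even a validated value is passed as one quoted
    shell argument, so no metacharacter can break out of it."""
    return f"/subin/tripwire {shlex.quote(tw_id)}"


if __name__ == "__main__":
    print("still dangerous after the ';' -> '_' patch:", bypasses(attacker_patch, PROBES))
    print("still dangerous with the allowlist:", bypasses(validate_tw_id, ["report-42"]))
    for p in PROBES:
        try:
            validate_tw_id(p)
        except ValueError as e:
            print(e)
    print(quoted_command("1|id"))
```

Running the block shows that four of the five probes survive the semicolon rewrite unchanged, while the allowlist rejects all of them and the quoted command line renders the remaining value inert. The lesson generalizes beyond this appliance: a fix that removes one separator may stop the specific exploit in hand, as FGIR observed, but it does not close the injection.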
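The three request patterns described above (the “%3F.php” traversal through /client/index.php, a TIMEZONE value for /gsb/DateTimeTab.php that is not a timezone name, and a TW_ID value for /gsb/reports.php containing shell metacharacters) are all visible to whatever sits in front of the appliance and records requests. The Python below is an added example of detection logic written for this write-up; it is not a Fortinet or Ivanti tool. It assumes request records in a simple dictionary shape (method, raw path, and the form body where a proxy or WAF captured one), and it assumes the accepted formats for TIMEZONE (tz-database style names such as `America/New_York`) and TW_ID (letters, digits, dot, dash, underscore), since neither format is stated on the page. The sample records are constructed and contain no real traffic; the rogue account names are the ones the report gives.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample records (not real appliance logs), shaped like what a
# reverse proxy or WAF in front of the CSA might record for each request.
SAMPLE_REQUESTS = [
    {"method": "GET",  "path": "/client/index.php",                          "body": ""},
    {"method": "GET",  "path": "/client/index.php%3F.php/gsb/users.php",     "body": ""},
    {"method": "GET",  "path": "/client/index.php%3f.php/gsb/datetime.php",  "body": ""},
    {"method": "POST", "path": "/gsb/DateTimeTab.php", "body": "TIMEZONE=America%2FNew_York"},
    {"method": "POST", "path": "/gsb/DateTimeTab.php", "body": "TIMEZONE=UTC%3B+id"},
    {"method": "POST", "path": "/gsb/reports.php",     "body": "TW_ID=2024-10-01"},
    {"method": "POST", "path": "/gsb/reports.php",     "body": "TW_ID=1%7Cid"},
]

# After URL-decoding, "%3F.php" becomes "?.php"; the traversal looks like
# /client/index.php?.php/<target>. Matching on the decoded form catches both
# the encoded request and any variant that sends the "?" literally.
TRAVERSAL_RE = re.compile(r"/client/index\.php\?\.php/(.*)", re.IGNORECASE)

# Assumed legitimate formats; anything outside them is treated as suspect.
TZ_OK = re.compile(r"[A-Za-z0-9/_+\-]{1,64}")
TW_ID_OK = re.compile(r"[A-Za-z0-9._\-]{1,64}")

# Account names the report attributes to the intruder.
ROGUE_USERS = {"aiadmin", "services"}


def request_params(rec):
    """Merge query-string and form-body parameters into one dict of lists."""
    params = parse_qs(urlsplit(rec["path"]).query, keep_blank_values=True)
    params.update(parse_qs(rec.get("body", ""), keep_blank_values=True))
    return params


def classify(rec):
    """Return a list of finding strings for one request record."""
    findings = []
    decoded = unquote(rec["path"])
    m = TRAVERSAL_RE.search(decoded)
    if m:
        findings.append(f"path-traversal via /client/index.php to /{m.group(1)}")

    script = urlsplit(rec["path"]).path.lower()
    params = request_params(rec)
    if rec["method"] == "POST" and script.endswith("/gsb/datetimetab.php"):
        tz = params.get("TIMEZONE", [None])[0]
        if tz is not None and not TZ_OK.fullmatch(tz):
            findings.append(f"command-injection candidate: TIMEZONE={tz!r}")
    if script.endswith("/gsb/reports.php"):
        tw = params.get("TW_ID", [None])[0]
        if tw is not None and not TW_ID_OK.fullmatch(tw):
            findings.append(f"command-injection candidate: TW_ID={tw!r}")
    return findings


def scan(records):
    """Run classify over all records; return (record index, finding) pairs."""
    return [(i, f) for i, rec in enumerate(records) for f in classify(rec)]


def flag_rogue_users(usernames):
    """Flag accounts on the appliance that match the intruder's known names."""
    return sorted(u for u in usernames if u.lower() in ROGUE_USERS)


if __name__ == "__main__":
    for idx, finding in scan(SAMPLE_REQUESTS):
        print(f"record {idx}: {finding}")
    print("rogue accounts:", flag_rogue_users(["admin", "aiadmin", "gsbadmin", "services"]))
```

Two caveats a practitioner should keep in mind. A plain access log records only the request line, so the TIMEZONE and TW_ID checks need a source that captures form bodies (a WAF, a reverse proxy with body logging, or the appliance's own application logs); the traversal check works on the URI alone. And the allowlists are deliberately strict, so run them against a day of known-good traffic first to confirm that legitimate timezone names and report identifiers on your deployment do not trip them.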
After compromising the CSA appliance, the attackers exploited a SQL injection vulnerability against a backend SQL server in the customer's network to gain remote code execution on it.
They then moved laterally, creating web shells, running a brute-force attack with a custom dictionary, and using a tool called ReverseSocks5 to tunnel traffic through the compromised CSA appliance.
The attackers also attempted to deploy a rootkit on the CSA appliance as a Linux kernel module (.ko), which would have given them persistence on the device even across a factory reset.