
Researchers warn of nation-state threat actors exploiting Ivanti CSA vulnerabilities

An advanced threat actor was observed chaining one known and two previously unknown vulnerabilities to access a victim’s network.

David Hollingworth
Tue, 15 Oct 2024

Security researchers from Fortinet’s FortiGuard Labs have outlined the activity of what they suspect is an advanced nation-state-backed threat actor leveraging a string of vulnerabilities in older versions of Ivanti’s Cloud Services Appliance (CSA) platform.

The incident was spotted by a Fortinet customer on 9 September, when they noted several internal systems communicating with what appeared to be a malicious IP address in Singapore.

The customer engaged FortiGuard Incident Response the next day, and the investigation revealed the threat actor’s activity.


The threat actor was using a previously reported vulnerability, CVE-2024-8190 – which the Australian Cyber Security Centre (ACSC) has already revealed to be actively exploited in the wild – alongside two unreported vulnerabilities.

The first of these previously unknown vulnerabilities is a path traversal bug, while the second is a command injection vulnerability. Both of these vulnerabilities impact CSA’s web-based management console.

According to the investigation, on 4 September, the threat actor used the path traversal vulnerability to ultimately gain access to a list of users on the appliance and subsequently create “rogue users” and maintain authenticated, persistent access to the CSA front end.

Once that access had been attained, the threat actor exploited the known command injection vulnerability CVE-2024-8190 to access user credentials. Python code was then implanted that was able to extract the admin password for the appliance and gain access to the private key of the root user from the most recent backup.

When Ivanti released its first advisory for CVE-2024-8190 on 10 September, the threat actor – which was still active inside the victim’s network – patched the vulnerability themselves, effectively closing the door behind them.

“In the past, threat actors have been observed to patch vulnerabilities after having exploited them, and gained foothold into the victim’s network, to stop any other intruder from gaining access to the vulnerable asset(s), and potentially interfering with their attack operations,” FortiGuard Labs said in a blog post.

“In this case, the threat actor downloaded the patched version of the two vulnerable resources from temp[.]sh and saved them as /tmp/1 on disk, before moving them to the webroot folder and overwriting the vulnerable version of the files with them.”

The threat actor applied several patches that effectively locked out any further exploitation of vulnerabilities on the appliance. The actor then conducted limited network reconnaissance and executed several commands to access sensitive files, capture network traffic, and monitor ports.
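The self-patching described above, where vulnerable files in the web root are silently overwritten with patched copies, is invisible to a scanner that only asks "is the current file vulnerable?". It is visible to a file-integrity check that compares the web root against a baseline recorded at the last sanctioned update, because any change outside a change window is suspect regardless of whether the new content happens to be the fixed version. The script below is an added example written for this article, not code from FortiGuard Labs or Ivanti; the directory layout and file names (`app/resource_a.php` and so on) are constructed placeholders, not real CSA paths.

```python
# Added example (not from the Fortinet blog post or Ivanti): a minimal
# file-integrity check that flags web-root files replaced outside a sanctioned
# update window, which is how an intruder "closing the door behind them" by
# overwriting vulnerable files would surface to a defender.
import hashlib
import json
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict:
    """Map each regular file under root (relative POSIX path) to its SHA-256."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def diff_manifest(baseline: dict, current: dict) -> dict:
    """Compare a stored baseline with a fresh manifest.

    Every difference is reported. Whether the new content is "patched" or not
    is irrelevant: a legitimate vendor update would have been recorded as a
    new baseline, so anything else is an unsanctioned change.
    """
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo() -> dict:
    """Constructed scenario: record a baseline of a two-file web root, then
    overwrite one file and drop in another, as files moved from /tmp into the
    web root would appear. File names are placeholders, not real CSA paths."""
    with tempfile.TemporaryDirectory() as tmp:
        webroot = Path(tmp) / "webroot"
        (webroot / "app").mkdir(parents=True)
        (webroot / "app" / "resource_a.php").write_text("<?php // version shipped by vendor\n")
        (webroot / "app" / "resource_b.php").write_text("<?php // version shipped by vendor\n")

        # The baseline would normally be written at install/update time and
        # kept off the appliance, since a root-level intruder can rewrite a
        # baseline stored on the box it protects.
        baseline_path = Path(tmp) / "baseline.json"
        baseline_path.write_text(json.dumps(build_manifest(webroot)))

        # Unsanctioned change: one file overwritten with different content,
        # one new file added.
        (webroot / "app" / "resource_a.php").write_text("<?php // replaced outside update window\n")
        (webroot / "app" / "extra.php").write_text("<?php // new file\n")

        baseline = json.loads(baseline_path.read_text())
        return diff_manifest(baseline, build_manifest(webroot))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind}: {p}")
```

Run unattended, `build_manifest` would be executed on a schedule against the appliance's web root and diffed against a baseline held on a separate host; any hit that does not line up with a recorded maintenance window is worth an incident ticket, and a hit that coincides with a vendor advisory for the same product is exactly the pattern this article describes.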

On 7 September, the threat actor attempted to deploy a rootkit to maintain kernel-level persistence, while on 11 September, they launched a brute force dictionary attack on the victim’s internal network.

The rootkit is currently being analysed in detail.

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
