CISA, in partnership with the Federal Bureau of Investigation (FBI), released Threat Actors Chained Vulnerabilities in Ivanti Cloud Service Applications. This advisory was crafted in response to active exploitation of vulnerabilities—CVE-2024-8963, an administrative bypass vulnerability; CVE-2024-9379, a SQL injection vulnerability; and CVE-2024-8190 and CVE-2024-9380, remote code execution vulnerabilities—in Ivanti Cloud Service Appliances (CSA) in September 2024.
CISA, using trusted third-party incident response data, found that threat actors chained the listed vulnerabilities to gain initial access, conduct remote code execution (RCE), obtain credentials, and implant webshells on victim networks.
CISA and FBI strongly encourage network administrators and defenders to upgrade to the latest supported version of Ivanti CSA and to hunt for malicious activity on their networks using the detection methods and indicators of compromise (IOCs) provided in the advisory. All members of the cybersecurity community are also encouraged to visit CISA’s Known Exploited Vulnerabilities Catalog to help better manage vulnerabilities and keep pace with threat activity. For more information and guidance on protection against the most common and impactful threats, tactics, techniques, and procedures, visit CISA’s Cross-Sector Cybersecurity Performance Goals.
Brief
In September 2024, the Cybersecurity and Infrastructure Security Agency issued an update regarding "CISA and FBI Release Advisory on How Threat Actors Chained Vulnerabilities in Ivanti Cloud Service Applications." The advisory was crafted in response to active exploitation of vulnerabilities CVE-2024-8963, CVE-2024-9379, CVE-2024-8190, and CVE-2024-9380 in Ivanti Cloud Service Appliances (CSA).
Purpose:
The purpose of this advisory is to inform network administrators and defenders about the active exploitation of vulnerabilities in Ivanti Cloud Service Appliances (CSA) by threat actors. This advisory was issued in response to the discovery of four vulnerabilities, CVE-2024-8963, CVE-2024-9379, CVE-2024-8190, and CVE-2024-9380, which are being exploited by threat actors to gain initial access, conduct remote code execution (RCE), obtain credentials, and implant webshells on victim networks.
Effects on Industry:
The active exploitation of these vulnerabilities in Ivanti CSA is expected to have a significant impact on the industry. Threat actors are using these vulnerabilities to compromise networks, steal sensitive information, and disrupt business operations. This advisory serves as a warning to network administrators and defenders to take immediate action to protect their systems and data from these threats.
Relevant Stakeholders:
The stakeholders affected by this advisory include:
- Network administrators responsible for Ivanti CSA
- Defenders who are responsible for protecting their networks from cyber threats
- Organizations that rely on Ivanti CSA for their business operations
- Individuals whose sensitive information is stored on Ivanti CSA
These stakeholders should take immediate action to protect their systems and data from these threats.
Next Steps:
To comply with this advisory, network administrators and defenders are strongly encouraged to:
- Upgrade to the latest supported version of Ivanti CSA
- Hunt for malicious activity on their networks using the detection methods and indicators of compromise (IOCs) provided in the advisory
- Visit CISA’s Known Exploited Vulnerabilities Catalog to help better manage vulnerabilities and keep pace with threat activity
Any Other Relevant Information:
For more information and guidance on protection against the most common and impactful threats, tactics, techniques, and procedures, visit CISA’s Cross-Sector Cybersecurity Performance Goals. This advisory is part of a larger effort by CISA and the FBI to inform the public about emerging cyber threats and provide guidance on how to protect themselves from these threats.