Ivanti Vulnerabilities Exploited in Recent Cyberattacks
Recent cyberattacks have targeted multiple vulnerabilities in Ivanti’s Cloud Service Appliance (CSA), raising concerns among organizations that utilize this software.
The Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have identified key vulnerabilities that cybercriminals are exploiting. These include CVE-2024-8963, an admin bypass vulnerability; CVE-2024-9379, which pertains to SQL injection; and both CVE-2024-8190 and CVE-2024-9380, categorized as remote code execution (RCE) vulnerabilities.
Using insights from various incident-response sources, CISA discovered that attackers are leveraging these vulnerabilities in combination to gain initial access. This access facilitates RCE, credential harvesting, and the installation of web shells on compromised networks.
CISA noted in its advisory: “All four vulnerabilities affect Ivanti CSA versions 4.6x prior to 519, with CVE-2024-9379 and CVE-2024-9380 also impacting CSA versions 5.0.1 and lower. Ivanti has indicated that these vulnerabilities remain unexploited in version 5.0.”
To defend against these threats, CISA and the FBI advise network administrators to update to the most current supported version of Ivanti CSA. They also recommend employing available detection tools and monitoring the indicators of compromise (IoCs) shared in CISA’s advisory to help identify any malicious activities within their networks.
In cases of detected compromise, organizations should quarantine or disconnect potentially affected systems and consider reimaging them. Additionally, it is crucial for administrators to generate new account credentials, collect and assess relevant digital evidence, and report incidents to CISA. Organizations are also encouraged to review and bolster their security measures based on the risks posed by threat actors as outlined in the MITRE ATT&CK for Enterprise framework.
Source: www.darkreading.com