Attacks on Ivanti appliances demonstrate danger of chained exploits – Go Health Pro

The U.S. government is warning of a new exploit against multiple flaws in cloud applications.

The Cybersecurity and Infrastructure Security Agency (CISA) warned that attackers are chaining a number of CVE-listed vulnerabilities into a single exploit script.

The flaws in question are present in Ivanti appliances version 4.6 and earlier. Because these appliances are no longer maintained, the threat actors exploit their unpatched state to gather account details and harvest credentials.

“Ivanti CSA 4.6 is End-of-Life (EOL) and no longer receives patches or third-party libraries. CISA and FBI strongly encourage network administrators to upgrade to the latest supported version of Ivanti CSA,” the agency said in its advisory.

“Network defenders are encouraged to hunt for malicious activity on their networks using the detection methods and indicators of compromise (IOCs) within this advisory. Credentials and sensitive data stored within the affected Ivanti appliances should be considered compromised.”

In this case, the flaws in question form a chain. CVE-2024-8963 is an administrative bypass vulnerability, CVE-2024-9379 is a SQL injection vulnerability, and CVE-2024-8190 and CVE-2024-9380 are both remote code execution vulnerabilities.

On their own, none of these vulnerabilities would be considered particularly dangerous. In combination, however, they can be quite lethal. An attacker can use the flaws in tandem to escalate step by step, from a simple elevation-of-privilege attack to an administrative-privilege exploit and finally to a remote code takeover.

“According to CISA and trusted third-party incident response data, threat actors chained the above listed vulnerabilities to gain initial access, conduct RCE, obtain credentials, and implant webshells on victim networks,” CISA said.

“The primary exploit paths included two vulnerability chains. One exploit chain leveraged CVE-2024-8963 in conjunction with CVE-2024-8190 and CVE-2024-9380. The other chain exploited CVE-2024-8963 and CVE-2024-9379.”

This is particularly dangerous because many security professionals and network defenders base their security deployment agendas on CVSS scores rather than real-world threat scenarios.

When planning out cybersecurity war games, the blue team often only plans for the highest CVSS ratings, discounting the effect of chaining lower-level flaws into a higher risk exploit. This leaves a gaping hole for threat actors looking to find a foothold into a network in order to gain long-term access.
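The prioritisation problem described in the last two paragraphs can be made concrete. The following is an added illustration, not tooling from CISA, Ivanti or the article's author: it takes the CVE identifiers and the two chains named in the advisory, attaches constructed placeholder CVSS values (not the published ratings) plus one hypothetical standalone flaw, `CVE-0000-PLACEHOLDER`, and shows how a patch order driven purely by individual scores differs from one that treats a live chain as a single finding rated at its strongest link. It also shows that removing the chain's unauthenticated entry point collapses the effective score of every downstream link.

```python
"""Chain-aware vulnerability prioritisation.

Added illustration for this article; it is not tooling from CISA, Ivanti or the
article's author. The CVE identifiers and the two chains come from the advisory
quoted above; every CVSS value below is a constructed placeholder chosen to make
the ordering visible, not the published rating.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    cve: str
    kind: str      # "auth_bypass", "sqli" or "rce"
    cvss: float    # constructed placeholder, NOT the real CVSS score
    unauth: bool   # reachable without valid credentials


# The two exploit chains named in the CISA advisory.
CHAINS = [
    ("CVE-2024-8963", "CVE-2024-8190", "CVE-2024-9380"),
    ("CVE-2024-8963", "CVE-2024-9379"),
]

# Constructed catalogue of unpatched findings. CVE-0000-PLACEHOLDER is a
# hypothetical standalone flaw that outranks the SQL injection on raw score
# but takes part in no chain.
CATALOGUE = {
    "CVE-2024-8963": Vuln("CVE-2024-8963", "auth_bypass", 9.0, True),
    "CVE-2024-8190": Vuln("CVE-2024-8190", "rce", 7.2, False),
    "CVE-2024-9380": Vuln("CVE-2024-9380", "rce", 7.2, False),
    "CVE-2024-9379": Vuln("CVE-2024-9379", "sqli", 6.5, False),
    "CVE-0000-PLACEHOLDER": Vuln("CVE-0000-PLACEHOLDER", "sqli", 8.0, False),
}

# Kinds that let an attacker who has bypassed authentication do real damage.
TERMINAL_KINDS = {"rce", "sqli"}


def chain_is_live(chain, catalogue):
    """A chain is exploitable only while every link is still unpatched
    (present in the catalogue), it offers an unauthenticated way in, and
    it ends in code execution or data access."""
    if not all(c in catalogue for c in chain):
        return False
    links = [catalogue[c] for c in chain]
    return any(v.unauth for v in links) and any(v.kind in TERMINAL_KINDS for v in links)


def chain_score(chain, catalogue):
    """Treat a live chain as one finding rated at its strongest link: the
    post-authentication links inherit the reachability of the entry point."""
    return max(catalogue[c].cvss for c in chain)


def effective_scores(catalogue, chains):
    """Per-CVE score after accounting for chains: own CVSS, raised to the
    score of any live chain the CVE participates in."""
    scores = {cve: v.cvss for cve, v in catalogue.items()}
    for chain in chains:
        if not chain_is_live(chain, catalogue):
            continue
        score = chain_score(chain, catalogue)
        for cve in chain:
            scores[cve] = max(scores[cve], score)
    return scores


def prioritize(catalogue, chains):
    """Patch order: chain-adjusted score, then raw CVSS, then CVE id."""
    eff = effective_scores(catalogue, chains)
    return sorted(catalogue, key=lambda c: (-eff[c], -catalogue[c].cvss, c))


if __name__ == "__main__":
    print("CVSS only     :", prioritize(CATALOGUE, chains=[]))
    print("chain-aware   :", prioritize(CATALOGUE, CHAINS))
    # Removing the entry point alone breaks both chains, and the SQL
    # injection falls back to its standalone rating.
    remaining = {k: v for k, v in CATALOGUE.items() if k != "CVE-2024-8963"}
    print("entry removed :", effective_scores(remaining, CHAINS)["CVE-2024-9379"])
```

With the placeholder scores, a CVSS-only list puts the hypothetical 8.0 flaw ahead of three chain links, while the chain-aware list moves every link of a live chain above it. On an end-of-life appliance the "entry removed" step cannot be a vendor patch, which is why the advisory's remedy is upgrading or retiring the appliance rather than waiting for a fix.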

The attacks underscore the need for administrators and network defenders to maintain regular updates and monitor all systems in use on a network, no matter how insignificant they seem.
