15 October 2024

Suspected nation-state actor exploits critical Ivanti CSA flaws in advanced attack

A sophisticated nation-state threat actor has been observed exploiting three vulnerabilities in Ivanti Cloud Service Appliance (CSA) to gain unauthorized access and carry out a range of malicious actions, a new report from Fortinet's FortiGuard Labs reveals.

The attackers targeted critical security flaws to infiltrate the victim's network. The flaws, tracked as CVE-2024-8190, CVE-2024-8963, and CVE-2024-9380, were abused to compromise the CSA, enumerate user credentials, and escalate privileges.

Once inside the system, the intruders escalated privileges using the stolen credentials of high-privilege accounts such as "gsbadmin" and "admin." These credentials were then used to exploit the command injection flaw in /gsb/reports.php, allowing them to deploy a web shell named "help.php" to carry out further malicious actions.

Interestingly, the threat actors ‘patched’ the vulnerabilities they had exploited in order to keep exclusive control of the compromised network after Ivanti published an advisory on September 10, 2024. The adversaries were still active in the victim's network at the time, and to prevent other threat actors from exploiting the same vulnerabilities, they patched the affected software, securing their own foothold in the network.

Further investigation revealed that the attackers also exploited a critical SQL injection vulnerability (CVE-2024-29824) on Ivanti’s backend SQL database server (SQLS) to execute remote commands on the server.

Additionally, the threat actor set up a new user account, ran reconnaissance commands, and exfiltrated sensitive data using DNS tunneling with PowerShell scripts. The attackers also leveraged the ReverseSocks5 open-source tool to proxy traffic through the compromised CSA appliance, which allowed them to bypass network defenses.
