CISA and the FBI have released technical details of two sophisticated exploitation chains leveraged by Chinese hackers to target Ivanti CSA cloud service appliances. The agencies provided indicators of compromise (IOCs) and other data gathered during incident response efforts.
The hackers employed two primary exploitation chains and utilized lateral movement techniques to gain remote access, harvest credentials, and deploy web shells on compromised systems.
The vulnerabilities exploited included CVE-2024-8963 (CVSS score: 9.4), CVE-2024-9379 (CVSS score: 6.5), CVE-2024-8190 (CVSS score: 7.2), and CVE-2024-9380 (CVSS score: 7.2). In one attack scenario, CVE-2024-8963, CVE-2024-8190, and CVE-2024-9380 were exploited together, while the second chain relied on CVE-2024-8963 and CVE-2024-9379. In several cases, the attackers transitioned to additional servers within the compromised infrastructure.
These vulnerabilities affect Ivanti CSA versions 4.6.x up to patch 519 and versions 5.0.1 and below. Version 4.6, which is no longer supported or receiving security updates, is particularly susceptible. However, Ivanti confirmed that these vulnerabilities were not exploited in the latest CSA version 5.0.
The agencies also shared detailed accounts of the hackers’ operations. In one instance, a system administrator detected the suspicious creation of user accounts and swiftly thwarted the attack. In another case, endpoint protection software flagged the execution of encrypted scripts used to generate web shells. In a third scenario, prior indicators of compromise enabled the rapid identification of malicious activity, including the use of tools such as Obelisk and GoGo Scanner.
In all reported incidents, the affected organizations replaced virtual machines with clean, updated versions. The agencies strongly advised security professionals to scrutinize logs and artifacts for traces of intrusion and to treat all credentials stored on compromised devices as potentially compromised.
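The log and artifact review the agencies recommend can be partly scripted. The following Python triage helper is an added example, not code from the advisory or from Ivanti: it flags account-creation events in syslog-style auth logs that land in a short burst or outside business hours (the pattern the system administrator in the first case noticed), and lists script files under a web root that were written after a known-good baseline such as the last patch time, which is where a dropped web shell would show up. The log lines, file listing, hostnames, user names, addresses and the web-root path are all constructed placeholders, not indicators from the advisory.

```python
"""Triage helper for a Linux appliance: account-creation bursts and recently
written web-root scripts. Added example; all sample data below is constructed."""
import json
import re
from datetime import datetime

# Constructed auth.log excerpt. Hostname, user names and address are made up.
SAMPLE_AUTH_LOG = """\
Jan 10 03:14:01 appliance useradd[2231]: new user: name=svc_backup, UID=1003, GID=1003, home=/home/svc_backup, shell=/bin/bash
Jan 10 03:14:05 appliance sshd[2240]: Accepted password for admin from 192.0.2.44 port 51022 ssh2
Jan 10 03:15:10 appliance useradd[2251]: new user: name=support1, UID=1004, GID=1004, home=/home/support1, shell=/bin/bash
Jan 10 09:30:00 appliance sudo:    admin : TTY=pts/0 ; PWD=/ ; USER=root ; COMMAND=/usr/sbin/service sshd restart
"""

# Constructed file listing as (path, mtime in ISO 8601). The web-root path is a
# placeholder; point it at the real document root of the appliance under review.
WEB_ROOT = "/srv/webroot"
SAMPLE_LISTING = [
    ("/srv/webroot/index.php", "2024-09-01T10:00:00"),
    ("/srv/webroot/css/site.css", "2024-09-01T10:00:00"),
    ("/srv/webroot/help/help.php", "2025-01-10T03:20:44"),
    ("/srv/webroot/images/logo.png", "2024-09-01T10:00:00"),
]

USERADD_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+)\s+(?P<time>\d{2}:\d{2}:\d{2})\s+\S+\s+"
    r"useradd\[\d+\]: new user: name=(?P<name>[^,]+)"
)
# Extensions a server would execute; anything new with one of these deserves a look.
SCRIPT_EXT = (".php", ".jsp", ".jspx", ".aspx", ".pl", ".py", ".sh", ".cgi")


def find_account_creations(log_text, year=2025):
    """Return [(datetime, username)] for every useradd event in syslog-style text.
    Syslog lines carry no year, so the caller supplies it."""
    events = []
    for line in log_text.splitlines():
        m = USERADD_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                               "%Y %b %d %H:%M:%S")
        events.append((ts, m["name"]))
    return events


def flag_account_bursts(events, window_minutes=10, min_count=2, business_hours=(7, 19)):
    """Flag account creations that are followed by others within a short window
    (a burst) or that happen outside business hours. Returns a list of findings."""
    flagged = []
    events = sorted(events)
    for ts, name in events:
        later = [n for t, n in events if 0 <= (t - ts).total_seconds() <= window_minutes * 60]
        burst = len(later) >= min_count
        off_hours = not (business_hours[0] <= ts.hour < business_hours[1])
        reasons = [r for r, hit in (("burst", burst), ("off_hours", off_hours)) if hit]
        if reasons:
            flagged.append({"time": ts.isoformat(), "user": name, "reasons": reasons})
    return flagged


def find_recent_scripts(listing, baseline_iso, root=WEB_ROOT):
    """Return script files under `root` modified after the known-good baseline
    (for example the timestamp of the last patch or clean rebuild)."""
    baseline = datetime.fromisoformat(baseline_iso)
    prefix = root.rstrip("/") + "/"
    return [
        path for path, mtime_iso in listing
        if path.startswith(prefix)
        and path.lower().endswith(SCRIPT_EXT)
        and datetime.fromisoformat(mtime_iso) > baseline
    ]


def triage(log_text=SAMPLE_AUTH_LOG, listing=SAMPLE_LISTING, baseline_iso="2024-09-02T00:00:00"):
    """Run both checks and return one findings dict for the analyst."""
    return {
        "account_creations": flag_account_bursts(find_account_creations(log_text)),
        "recent_web_scripts": find_recent_scripts(listing, baseline_iso),
    }


if __name__ == "__main__":
    print(json.dumps(triage(), indent=2))
```

On a real appliance the listing would come from something like `find <webroot> -newermt <baseline>` and the log from the rotated auth logs; the baseline should be a timestamp you trust (last patch or clean image), because a web shell planted before the baseline will not show up in the mtime check and only a content review or hash comparison against a clean image would catch it.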
Mandiant attributed the attacks to the Chinese APT group UNC5221, previously known for exploiting vulnerabilities in Ivanti Connect Secure VPN devices in December 2023. These attacks involved custom malware, including the backdoor Zipline, the dropper Thinspool, the web shell Lightwire, and the credential-harvesting tool Warpwire. Additionally, tunneling tools such as PySoxy and BusyBox were employed to facilitate follow-on activities.