Vulnerability Management, Patch/Configuration Management, Threat Intelligence
Ivanti CSA exploit chains examined in joint CISA, FBI advisory
SecurityWeek reports that, according to the Cybersecurity and Infrastructure Security Agency and the FBI, Chinese threat actors leveraged a pair of exploit chains involving four Ivanti Cloud Service Appliance vulnerabilities to compromise targeted networks. One chain combined CVE-2024-8963, CVE-2024-8190, and CVE-2024-9380, while the other concurrently used CVE-2024-8963 and CVE-2024-9379. Attacks with the chained vulnerabilities, which Mandiant has linked to the suspected China-linked cyberespionage operation UNC5221, have been thwarted by three organizations, according to a joint CISA and FBI advisory. The first prevented compromise following sysadmin identification of suspicious user accounts, and the second averted the breach after an endpoint protection platform detected base64-encoded scripts that create web shells. IOCs from the two intrusions were then used to immediately determine and counter the third attempted compromise, said the alert. Organizations using the vulnerable Ivanti CSA instances have been urged to conduct log and artifact analyses and to consider stored credentials compromised.