CVE-2024-8190: How an attacker hacked into a network and locked himself in it from the inside

Man

FortiGuard Labs continues to investigate the mysterious incident.

In mid-September of this year, FortiGuard Labs researchers identified an attack in which an unknown attacker exploited vulnerabilities in Ivanti's Cloud Services Appliance (CSA). One of the three vulnerabilities discovered was already known as CVE-2024-8190, but the other two remained undisclosed until the investigation began.

The hacker gained access to the system on September 4, 2024, by exploiting a path traversal vulnerability in the '/client/index.php' file and a command injection in the 'reports.php' file. Together these allowed user data to be extracted without authentication and malicious commands to be run on the appliance, which in turn opened the way to further access into the victim's systems.

On September 11, the attacker began brute-forcing user passwords. After gaining access to privileged accounts, he installed web shells and continued to exploit the vulnerable files. Notably, in order to keep other hackers out, he "patched" the discovered vulnerabilities himself.
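The two stages described above (traversal and command-injection requests against the named files, followed by a password brute-force burst) leave recognisable traces in ordinary web-server access logs. The script below is an added example for defenders, not code from the original post, from FortiGuard Labs or from Ivanti: it assumes combined-format access logs, a '/login' endpoint that answers 401 on failed authentication, and a brute-force threshold of five failures; the sample log lines are constructed and are not real indicators from the incident.

```python
"""Triage of web-server access logs for the attack pattern described above.

Added example (not from the original post or from FortiGuard/Ivanti). Log
format is assumed to be Apache/nginx combined format; the sample lines are
constructed for illustration and are not real indicators from the incident.
"""
import re
from collections import Counter
from urllib.parse import unquote

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+'
)

# A parent-directory step in the decoded request target. Matching after
# decoding catches "..%2f", "%2e%2e/" and similar encodings too.
TRAVERSAL_RE = re.compile(r'(?:^|[/\\=])\.\.(?:[/\\]|$)')
# Shell metacharacters that have no business in a report-name parameter.
SHELL_META_RE = re.compile(r'[;|`]|\$\(|&&|\|\|')

BRUTE_FORCE_THRESHOLD = 5  # failed logins from one IP before flagging (assumed)
LOGIN_PATH = "/login"      # assumed authentication endpoint


def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if it
    does not match the expected layout."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def decode_target(target):
    """Decode percent-encoding twice so double-encoded '..' sequences are caught."""
    return unquote(unquote(target))


def classify(entry):
    """Return the list of rule names one log entry trips (possibly empty)."""
    hits = []
    target = decode_target(entry["target"])
    path, _, query = target.partition("?")
    if path.endswith("/client/index.php") and TRAVERSAL_RE.search(target):
        hits.append("traversal:/client/index.php")
    if path.endswith("reports.php") and SHELL_META_RE.search(query):
        hits.append("cmdinject:reports.php")
    return hits


def triage(lines):
    """Scan log lines; return (per-line findings, brute-force candidate IPs)."""
    findings = []
    failed_logins = Counter()
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        for rule in classify(entry):
            findings.append((entry["ip"], rule, entry["target"]))
        # A burst of 401s against the login endpoint from one source is the
        # brute-force stage described in the report.
        if entry["target"].startswith(LOGIN_PATH) and entry["status"] == "401":
            failed_logins[entry["ip"]] += 1
    brute = sorted(ip for ip, n in failed_logins.items() if n >= BRUTE_FORCE_THRESHOLD)
    return findings, brute


# Constructed sample lines (RFC 5737 documentation addresses; not real indicators).
SAMPLE_LOG = """\
203.0.113.7 - - [04/Sep/2024:10:01:02 +0000] "GET /client/index.php?page=about HTTP/1.1" 200 512
203.0.113.7 - - [04/Sep/2024:10:01:05 +0000] "GET /client/index.php?page=..%2f..%2fconfig%2fapp.ini HTTP/1.1" 200 1820
203.0.113.7 - - [04/Sep/2024:10:02:11 +0000] "GET /reports.php?name=daily;id HTTP/1.1" 200 77
198.51.100.4 - - [11/Sep/2024:08:00:01 +0000] "POST /login HTTP/1.1" 401 0
198.51.100.4 - - [11/Sep/2024:08:00:02 +0000] "POST /login HTTP/1.1" 401 0
198.51.100.4 - - [11/Sep/2024:08:00:03 +0000] "POST /login HTTP/1.1" 401 0
198.51.100.4 - - [11/Sep/2024:08:00:04 +0000] "POST /login HTTP/1.1" 401 0
198.51.100.4 - - [11/Sep/2024:08:00:05 +0000] "POST /login HTTP/1.1" 401 0
192.0.2.9 - - [11/Sep/2024:09:00:00 +0000] "GET /reports.php?name=weekly HTTP/1.1" 200 4096
"""

if __name__ == "__main__":
    found, brute = triage(SAMPLE_LOG.splitlines())
    for ip, rule, target in found:
        print(f"{ip}\t{rule}\t{target}")
    for ip in brute:
        print(f"{ip}\tbrute-force: >= {BRUTE_FORCE_THRESHOLD} failed logins")
```

Run it against an exported access log with `triage(open("access.log"))`; the traversal rule deliberately decodes twice and matches on the whole target (not only the path) so that payloads smuggled in a query parameter or double-encoded are not missed, while the brute-force rule is a plain per-source counter that a SIEM would normally window by time.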

At the time of publication, Ivanti had released a patch for the CVE-2024-8190 vulnerability, but the other vulnerabilities in the CSA still remain a potential threat to users. FortiGuard Labs continues to analyze the activities of this cybercriminal cell and promises to publish additional information in future reports.
