Serious adversaries were seen using three zero-day vulnerabilities in Ivanti's Cloud Service Appliance (CSA) to gain persistent access, with Fortinet's FortiGuard Labs warning organizations running Ivanti CSA version 4.6 and prior to take necessary precautions. The attack chain, combining command injection, path traversal, and unauthenticated command injection, was detailed: the threat group dropped a Web shell and gained remote code execution on the SQL server.

Serious adversaries exploit multiple zero-day flaws in Ivanti CSA

Following Ivanti's patch release for one vulnerability, the attackers 'patched' the exploited flaws to prevent other intruders. The group attempted to maintain access through DNS tunneling and a kernel rootkit, aiming for kernel-level persistence on the compromised system. This incident highlights the sophistication of attackers in chaining zero-days to infiltrate networks and maintain control, emphasizing the importance of prompt security measures and continuous vigilance against evolving cyber threats.
https://www.darkreading.com/cyberattacks-data-breaches/serious-adversaries-circle-ivanti-csa-flaws