Burning Zero Days: Suspected Nation-State Adversary Targets Ivanti CSA

    Date: 10/14/2024

    Severity: Critical

    Summary

    On September 10, 2024, Ivanti published security advisory CVE-2024-8190, an authenticated command injection vulnerability in DateTimeTab.php affecting Ivanti Cloud Services Appliance (CSA) 4.6 and earlier. On September 13, CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, and Ivanti updated its advisory to note that exploitation had been observed after disclosure. On September 16, Horizon3.ai published a technical analysis and proof-of-concept exploit code for CVE-2024-8190.

    Indicators of Compromise (IOC) List

    Domains / URLs:

    apiv5.serverbks.xyz

    189f31ed7d.ipv6.bypass.eu.org

    iowxuintgredogzgblrsmr2cx2e471bor.oast.fun

    o.lencr.org

    c67f045c2f.ipv6.1433.eu.org

    oast.fun 

    temp.sh 

    http://temp.sh/khkzg/DateTimeTab.php

    http://temp.sh/vQuoW/reports.php

    http://l8u6aolk4ejfsl9zeq6321zvwm2eq3.burpcollaborator.net

    oastify.com

    Note on fidelity: oast.fun, oastify.com and burpcollaborator.net are out-of-band interaction services (interactsh and Burp Collaborator) that legitimate vulnerability scanners and researchers use constantly; temp.sh is a public file-sharing host; and o.lencr.org is the OCSP responder for Let's Encrypt certificates, which many hosts contact as part of normal TLS validation. A hit on one of these bare domains is low-fidelity on its own. Prioritise the specific subdomains and full URLs above, and the IP addresses and hashes below, and correlate a bare-domain hit with other evidence before escalating.

    156.234.193.18

    74.62.81.162

    206.189.156.69

    51.91.79.17

    208.105.190.170

    54.77.139.23

    34.250.195.30

    216.131.75.52

    24.166.100.255

    67.217.228.92

    69.49.88.235

    45.61.136.189

    3.248.33.252

    38.207.159.76

    193.189.100.197

    23.236.66.97

    Hashes:

    SHA-1:

    beb723a5f20a1a2c4375f9aa250d968d55155689

    64efc1aad330ea9d98c0c705e16cd4b3af7e74f8

    SHA-256:

    8d016d02f8fbe25dce76481a90dd0b48630ce9e74e8c31ba007cf133e48b8526

    6edd7b3123de985846a805931ca8ee5f6f7ed7b160144aa0e066967bc7c0423a

    d57a2cac394a778e19ce9b926f2e0a71936510798f30d20f207f2a49b49ce7b1

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Domains / URLs:

    userdomainname like "apiv5.serverbks.xyz" or url like "apiv5.serverbks.xyz"
    or userdomainname like "189f31ed7d.ipv6.bypass.eu.org" or url like "189f31ed7d.ipv6.bypass.eu.org"
    or userdomainname like "iowxuintgredogzgblrsmr2cx2e471bor.oast.fun" or url like "iowxuintgredogzgblrsmr2cx2e471bor.oast.fun"
    or userdomainname like "o.lencr.org" or url like "o.lencr.org"
    or userdomainname like "c67f045c2f.ipv6.1433.eu.org" or url like "c67f045c2f.ipv6.1433.eu.org"
    or userdomainname like "oast.fun" or url like "oast.fun"
    or userdomainname like "temp.sh" or url like "temp.sh"
    or userdomainname like "http://temp.sh/khkzg/DateTimeTab.php" or url like "http://temp.sh/khkzg/DateTimeTab.php"
    or userdomainname like "http://temp.sh/vQuoW/reports.php" or url like "http://temp.sh/vQuoW/reports.php"
    or userdomainname like "http://l8u6aolk4ejfsl9zeq6321zvwm2eq3.burpcollaborator.net" or url like "http://l8u6aolk4ejfsl9zeq6321zvwm2eq3.burpcollaborator.net"
    or userdomainname like "oastify.com" or url like "oastify.com"

    Because "like" is a substring match, the bare "temp.sh", "oast.fun" and "oastify.com" terms will also match unrelated hosts that merely contain those strings; review those hits rather than alerting on them directly.

    IP Addresses:

    dstipaddress IN ("51.91.79.17","216.131.75.52","38.207.159.76","156.234.193.18","193.189.100.197","206.189.156.69","74.62.81.162","208.105.190.170","54.77.139.23","34.250.195.30","24.166.100.255","67.217.228.92","69.49.88.235","45.61.136.189","3.248.33.252","23.236.66.97")
    or ipaddress IN ("51.91.79.17","216.131.75.52","38.207.159.76","156.234.193.18","193.189.100.197","206.189.156.69","74.62.81.162","208.105.190.170","54.77.139.23","34.250.195.30","24.166.100.255","67.217.228.92","69.49.88.235","45.61.136.189","3.248.33.252","23.236.66.97")
    or publicipaddress IN ("51.91.79.17","216.131.75.52","38.207.159.76","156.234.193.18","193.189.100.197","206.189.156.69","74.62.81.162","208.105.190.170","54.77.139.23","34.250.195.30","24.166.100.255","67.217.228.92","69.49.88.235","45.61.136.189","3.248.33.252","23.236.66.97")
    or srcipaddress IN ("51.91.79.17","216.131.75.52","38.207.159.76","156.234.193.18","193.189.100.197","206.189.156.69","74.62.81.162","208.105.190.170","54.77.139.23","34.250.195.30","24.166.100.255","67.217.228.92","69.49.88.235","45.61.136.189","3.248.33.252","23.236.66.97")

    Hashes:

    sha1hash IN ("beb723a5f20a1a2c4375f9aa250d968d55155689","64efc1aad330ea9d98c0c705e16cd4b3af7e74f8")
    
    sha256hash IN ("8d016d02f8fbe25dce76481a90dd0b48630ce9e74e8c31ba007cf133e48b8526","6edd7b3123de985846a805931ca8ee5f6f7ed7b160144aa0e066967bc7c0423a","d57a2cac394a778e19ce9b926f2e0a71936510798f30d20f207f2a49b49ce7b1")
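    The Gurucul queries above match domains by substring and IPs and hashes by exact value. As an added example (not Gurucul's or Fortinet's code), the following Python script loads the same IOC list, runs it over a few constructed log events, and shows two things the raw queries do not: a label-boundary check so that "temp.sh" matches "x.temp.sh" but not "temp.shop", and a per-IOC confidence rating that keeps hits on shared infrastructure (oast.fun, oastify.com, burpcollaborator.net, temp.sh, o.lencr.org) out of the high-severity bucket. The confidence ratings, the event field names (url, domain, src_ip, dst_ip, sha1, sha256) and the sample events are assumptions made for this example.

```python
# IOC matcher for the Ivanti CSA advisory above. Added example, not Gurucul's or
# Fortinet's code; field names, confidence ratings and sample events are assumed.
import ipaddress
from urllib.parse import urlsplit

# Confidence is an editorial assumption: bare out-of-band testing domains
# (interactsh / Burp Collaborator), the temp.sh file host and Let's Encrypt's
# OCSP responder carry a lot of benign or scanner traffic. Specific subdomains
# are listed before their parent domain so they win the match.
IOC_DOMAINS = {
    "apiv5.serverbks.xyz": "high",
    "189f31ed7d.ipv6.bypass.eu.org": "high",
    "c67f045c2f.ipv6.1433.eu.org": "high",
    "iowxuintgredogzgblrsmr2cx2e471bor.oast.fun": "high",
    "l8u6aolk4ejfsl9zeq6321zvwm2eq3.burpcollaborator.net": "high",
    "oast.fun": "low", "oastify.com": "low", "temp.sh": "low", "o.lencr.org": "low",
}
# Full URLs are compared exactly after normalisation (scheme/host lowercased,
# query string dropped, path kept case-sensitive because temp.sh paths are).
IOC_URLS = {
    "http://temp.sh/khkzg/DateTimeTab.php": "high",
    "http://temp.sh/vQuoW/reports.php": "high",
}
IOC_IPS = {
    "156.234.193.18", "74.62.81.162", "206.189.156.69", "51.91.79.17",
    "208.105.190.170", "54.77.139.23", "34.250.195.30", "216.131.75.52",
    "24.166.100.255", "67.217.228.92", "69.49.88.235", "45.61.136.189",
    "3.248.33.252", "38.207.159.76", "193.189.100.197", "23.236.66.97",
}
IOC_HASHES = {  # SHA-1 and SHA-256 from the advisory, lowercase
    "beb723a5f20a1a2c4375f9aa250d968d55155689",
    "64efc1aad330ea9d98c0c705e16cd4b3af7e74f8",
    "8d016d02f8fbe25dce76481a90dd0b48630ce9e74e8c31ba007cf133e48b8526",
    "6edd7b3123de985846a805931ca8ee5f6f7ed7b160144aa0e066967bc7c0423a",
    "d57a2cac394a778e19ce9b926f2e0a71936510798f30d20f207f2a49b49ce7b1",
}


def host_of(value):
    """Lowercase hostname of a URL or bare host[:port]; None if unparsable."""
    value = value.strip()
    try:
        parts = urlsplit(value if "://" in value else "//" + value)
    except ValueError:  # e.g. unbalanced IPv6 brackets
        return None
    return parts.hostname.rstrip(".") if parts.hostname else None


def match_domain(host):
    """Exact or parent-domain match on a label boundary: 'temp.sh' matches
    'x.temp.sh' but not 'temp.shop'. Returns (ioc, confidence) or None."""
    for ioc, conf in IOC_DOMAINS.items():
        if host == ioc or host.endswith("." + ioc):
            return ioc, conf
    return None


def normalize_url(url):
    """scheme://host/path with scheme and host lowercased; '' if unparsable."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return ""
    return f"{parts.scheme}://{parts.hostname or ''}{parts.path}"


def match_event(event):
    """Return [(field, ioc, confidence), ...] for one log event dict."""
    findings = []
    for field in ("url", "domain"):
        value = event.get(field)
        if not value:
            continue
        if field == "url":
            url = normalize_url(value)
            if url in IOC_URLS:
                findings.append((field, url, IOC_URLS[url]))
        host = host_of(value)
        hit = match_domain(host) if host else None
        if hit:
            findings.append((field, hit[0], hit[1]))
    for field in ("src_ip", "dst_ip"):
        value = event.get(field)
        try:  # canonicalise; a malformed address cannot be an IOC hit
            ip = str(ipaddress.ip_address(value.strip())) if value else None
        except ValueError:
            ip = None
        if ip in IOC_IPS:
            findings.append((field, ip, "high"))
    for field in ("sha1", "sha256"):
        value = (event.get(field) or "").strip().lower()
        if value in IOC_HASHES:
            findings.append((field, value, "high"))
    return findings


def triage(events):
    """Split all findings into (high, low) lists of (event_index, finding)."""
    high, low = [], []
    for i, event in enumerate(events):
        for finding in match_event(event):
            (high if finding[2] == "high" else low).append((i, finding))
    return high, low


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"src_ip": "10.0.0.5", "dst_ip": "206.189.156.69",
     "url": "http://temp.sh/khkzg/DateTimeTab.php"},
    {"src_ip": "10.0.0.7", "dst_ip": "10.0.0.9", "url": "https://www.temp.shop/index.html"},
    {"src_ip": "10.0.0.8", "dst_ip": "10.0.0.9", "domain": "o.lencr.org"},
    {"sha256": "8D016D02F8FBE25DCE76481A90DD0B48630CE9E74E8C31BA007CF133E48B8526"},
    {"src_ip": "bad-ip", "dst_ip": "51.91.79.17"},
]

if __name__ == "__main__":
    high, low = triage(SAMPLE_EVENTS)
    print("HIGH:", *high, sep="\n  ")
    print("LOW:", *low, sep="\n  ")
```

    On the sample events the first (full temp.sh URL plus a listed destination IP) and the fourth and fifth (a listed hash and IP) land in the high bucket, the o.lencr.org lookup lands in the low bucket, and the temp.shop request produces nothing at all, which is the behaviour a substring "like" query would not give you.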

    Reference:

    https://www.fortinet.com/blog/threat-research/burning-zero-days-suspected-nation-state-adversary-targets-ivanti-csa 


    Tags: Malware, CSA, Ivanti
