Threat Actors Chained Vulnerabilities in Ivanti Cloud Service Applications

    Date: 01/23/2025

    Severity: Critical

    Summary

According to reliable third-party incident response data, threat actors exploited the listed vulnerabilities to gain initial access, achieve remote code execution (RCE), obtain credentials, and deploy webshells on victim networks. The attackers primarily used two exploit chains: one combined CVE-2024-8963 with CVE-2024-8190 and CVE-2024-9380, while the other paired CVE-2024-8963 with CVE-2024-9379. In one confirmed case, the attackers moved laterally to two additional servers.

    Indicators of Compromise (IOC) List

    Domains/URLs:


    IP Addresses:


    Hashes (MD5 and SHA256):


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Domains/URLs:

    userdomainname like "https://file.io/1zqvMYY1dpkk" or url like "https://file.io/1zqvMYY1dpkk" or userdomainname like "https://file.io/E50vtqmJP5aa" or url like "https://file.io/E50vtqmJP5aa" or userdomainname like "ggg.oyr2ohrm.eyes.sh" or url like "ggg.oyr2ohrm.eyes.sh" or userdomainname like "cri07nnrg958pkh6qhk0977u8c83jog6t.oast.fun" or url like "cri07nnrg958pkh6qhk0977u8c83jog6t.oast.fun" or userdomainname like "book.hacktricks.xyz" or url like "book.hacktricks.xyz" or userdomainname like "cri07nnrg958pkh6qhk0yrgy1e76p1od6.oast.fun" or url like "cri07nnrg958pkh6qhk0yrgy1e76p1od6.oast.fun" or userdomainname like "gg.oyr2ohrm.eyes.sh" or url like "gg.oyr2ohrm.eyes.sh" or userdomainname like "https://file.io/RBKuU8gicWt" or url like "https://file.io/RBKuU8gicWt" or userdomainname like "https://file.io/frdZ9L18R7Nx" or url like "https://file.io/frdZ9L18R7Nx" or userdomainname like "http://ip.sb" or url like "http://ip.sb" or userdomainname like "https://pan.xj.hk/d/6401646e701f5f47518ecef48a308a36/redis" or url like "https://pan.xj.hk/d/6401646e701f5f47518ecef48a308a36/redis" or userdomainname like "108.174.199.200/Xa27efd2.tmp" or url like "108.174.199.200/Xa27efd2.tmp" or userdomainname like "173.243.138.76/fdsupdate" or url like "173.243.138.76/fdsupdate" or userdomainname like "208.184.237.75/fdsupdate" or url like "208.184.237.75/fdsupdate" or userdomainname like "45.33.101.53/log" or url like "45.33.101.53/log" or userdomainname like "45.33.101.53/log2" or url like "45.33.101.53/log2" or userdomainname like "gg.oyr2ohrm.eyes.sh" or url like "gg.oyr2ohrm.eyes.sh" or userdomainname like "gggg.oyr2ohrm.eyes.sh" or url like "gggg.oyr2ohrm.eyes.sh" or userdomainname like "txt.xj.hk" or url like "txt.xj.hk"

    IP Addresses:

    dstipaddress IN ("64.176.49.160","154.64.226.166","136.144.17.133","188.172.229.15","23.236.66.97","216.131.75.53","82.197.182.161","185.199.103.196","208.105.190.170","107.173.89.16","38.207.159.76","136.144.17.145","142.171.217.195","104.28.240.123","185.40.4.95","95.161.76.100","156.234.193.18","205.169.39.11","206.189.156.69","149.154.167.41","134.195.90.71","45.141.215.17","192.42.116.210","89.187.178.179","149.154.176.41","67.217.228.83","203.160.72.174","142.11.217.3","104.168.133.228","98.101.25.30","154.213.185.230","216.73.162.56","163.5.171.49","203.160.86.69","185.220.69.83","155.138.215.144","185.40.4.38") or ipaddress IN ("64.176.49.160","154.64.226.166","136.144.17.133","188.172.229.15","23.236.66.97","216.131.75.53","82.197.182.161","185.199.103.196","208.105.190.170","107.173.89.16","38.207.159.76","136.144.17.145","142.171.217.195","104.28.240.123","185.40.4.95","95.161.76.100","156.234.193.18","205.169.39.11","206.189.156.69","149.154.167.41","134.195.90.71","45.141.215.17","192.42.116.210","89.187.178.179","149.154.176.41","67.217.228.83","203.160.72.174","142.11.217.3","104.168.133.228","98.101.25.30","154.213.185.230","216.73.162.56","163.5.171.49","203.160.86.69","185.220.69.83","155.138.215.144","185.40.4.38") or publicipaddress IN ("64.176.49.160","154.64.226.166","136.144.17.133","188.172.229.15","23.236.66.97","216.131.75.53","82.197.182.161","185.199.103.196","208.105.190.170","107.173.89.16","38.207.159.76","136.144.17.145","142.171.217.195","104.28.240.123","185.40.4.95","95.161.76.100","156.234.193.18","205.169.39.11","206.189.156.69","149.154.167.41","134.195.90.71","45.141.215.17","192.42.116.210","89.187.178.179","149.154.176.41","67.217.228.83","203.160.72.174","142.11.217.3","104.168.133.228","98.101.25.30","154.213.185.230","216.73.162.56","163.5.171.49","203.160.86.69","185.220.69.83","155.138.215.144","185.40.4.38") or srcipaddress IN 
("64.176.49.160","154.64.226.166","136.144.17.133","188.172.229.15","23.236.66.97","216.131.75.53","82.197.182.161","185.199.103.196","208.105.190.170","107.173.89.16","38.207.159.76","136.144.17.145","142.171.217.195","104.28.240.123","185.40.4.95","95.161.76.100","156.234.193.18","205.169.39.11","206.189.156.69","149.154.167.41","134.195.90.71","45.141.215.17","192.42.116.210","89.187.178.179","149.154.176.41","67.217.228.83","203.160.72.174","142.11.217.3","104.168.133.228","98.101.25.30","154.213.185.230","216.73.162.56","163.5.171.49","203.160.86.69","185.220.69.83","155.138.215.144","185.40.4.38")

    Hash 1 (MD5):

    md5hash IN ("78cc672218949a9ec87407ad3bcb5db6","30f57e14596f1bcad7cc4284d1af4684","a50660fb31df96b3328640fdfbeea755","53c5b7d124f13039eb62409e1ec2089d","698a752ec1ca43237cb1dc791700afde","aa69300617faab4eb39b789ebfeb5abe","c2becc553b96ba27d60265d07ec3bd6c","cacc30e2a5b2683e19e45dc4f191cebc","061e5946c9595e560d64d5a8c65be49e","c7d20ca6fe596009afaeb725fec8635f","F7F81AE880A17975F60E1E0FE1A4048B","86B62FFD33597FD635E01B95F08BB996","DD975310201079CACD4CDE6FACAB8C1D","1B20E9310CA815F9E2BD366FB94E147F","d88bfac2b43509abdc70308bef75e2a6","60d5648d35bacf5c7aa713b2a0d267d3","ae51c891d2e895b5ca919d14edd42c26","d88bfac2b43509abdc70308bef75e2a6","f82847bccb621e6822a3947bc9ce9621","c894f55c8fa9d92e2dd2c78172cff745","e09fef2f502a41c199046219a6584e8d")

    Hash 2 (SHA256):

    sha256hash like "e35cf026057a3729387b7ecfb213ae62a611f0f1a418876b11c9df3b56885bed"
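The queries above match literal URL strings and mixed-case MD5 literals, so a request to the same host with a different path, a URL without its scheme, or a hash stored lowercase can slip past them. The following added example (not Gurucul's or CISA's code) normalizes each event field before comparing it against an indicator set; the indicators and events are constructed placeholders, and a real deployment would load the advisory's own domain, IP and hash lists instead.

```python
import re
from urllib.parse import urlparse

# Constructed placeholder indicators (assumption: the advisory's real lists go here).
IOC_HOSTS = {"example-c2.invalid", "dl.example-drop.invalid"}
IOC_IPS = {"203.0.113.10", "198.51.100.7"}
# Hashes are stored lowercase once, so mixed-case literals cannot cause misses.
IOC_HASHES = {h.lower() for h in ("0123456789ABCDEF0123456789ABCDEF", "ab" * 32)}
HASH_RE = re.compile(r"[0-9a-f]{32}|[0-9a-f]{64}")  # MD5 or SHA256 hex digest

def normalize_host(value):
    """Reduce a URL, a 'host/path' string or a bare host to a lowercase hostname."""
    value = (value or "").strip().lower()
    if "://" not in value:
        value = "//" + value  # make urlparse treat the leading token as the netloc
    return urlparse(value).hostname or ""

def match_event(event):
    """Return (field, indicator) pairs for every indicator the event touches."""
    hits = []
    for field in ("url", "userdomainname"):
        host = normalize_host(event.get(field))
        # IP-with-path indicators (e.g. "host/log2") land here, so check both sets.
        if host and (host in IOC_HOSTS or host in IOC_IPS):
            hits.append((field, host))
    for field in ("srcipaddress", "dstipaddress", "ipaddress", "publicipaddress"):
        ip = (event.get(field) or "").strip()
        if ip in IOC_IPS:
            hits.append((field, ip))
    for field in ("md5hash", "sha256hash"):
        digest = (event.get(field) or "").strip().lower()
        if HASH_RE.fullmatch(digest) and digest in IOC_HASHES:
            hits.append((field, digest))
    return hits

# Constructed sample events shaped like the query fields above.
SAMPLE_EVENTS = [
    {"url": "https://DL.example-drop.invalid/other/path.bin"},          # same host, new path
    {"userdomainname": "203.0.113.10/log2"},                            # IP plus path, no scheme
    {"md5hash": "0123456789abcdef0123456789abcdef", "srcipaddress": "198.51.100.7"},
    {"url": "https://benign.example/", "dstipaddress": "192.0.2.1"},    # must not match
]

def scan(events):
    """Return (index, hits) for each event that touches at least one indicator."""
    return [(i, match_event(e)) for i, e in enumerate(events) if match_event(e)]
```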

    Reference:

    https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-022a
