SecurityWeek reports that the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI said Chinese threat actors have leveraged a pair of exploit chains involving four Ivanti Cloud Service Appliance vulnerabilities.
According to CISA and the FBI, the threat actors used both chains in attempts to compromise targeted networks: one chain combined CVE-2024-8963, CVE-2024-8190 and CVE-2024-9380, while the other paired CVE-2024-8963 with CVE-2024-9379.
Attacks using the chained vulnerabilities, which Mandiant has attributed to the suspected China-linked cyberespionage operation UNC5221, were thwarted at three organizations. The first organization escaped compromise after a system administrator identified suspicious user accounts. The second averted a breach when its endpoint protection platform detected base64-encoded scripts that were creating web shells, according to the CISA-FBI advisory.
Indicators of compromise (IOCs) from those two intrusions were then used to immediately identify and block the attempted compromise of the third organization, the alert said. Organizations running vulnerable Ivanti CSA instances have been urged to conduct log and artifact analysis and to treat any stored credentials as compromised.
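The two detections the advisory credits (suspicious new user accounts, and base64-encoded scripts that create web shells) can be turned into a simple log triage routine. The following Python is an added example written for this page, not code from CISA, the FBI or Ivanti; the command-log format, the watched web-root paths and the sample lines are constructed assumptions.

```python
import base64
import re

# Assumptions: web roots worth watching on the appliance, and script extensions.
WEB_ROOTS = ("/var/www/", "/opt/", "/usr/share/nginx/")
SCRIPT_EXT = re.compile(r"\.(php|jsp|aspx?|cgi|pl|py)\b", re.I)
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{32,}={0,2}")
USER_CREATE = re.compile(r"\b(useradd|adduser|net\s+user\s+\S+\s+/add)\b", re.I)
REDIRECT_TARGET = re.compile(r">\s*(\S+)")

def decode_base64_tokens(line: str) -> list[str]:
    """Decode every base64-looking token in the line that yields printable text."""
    decoded = []
    for tok in B64_TOKEN.findall(line):
        try:
            text = base64.b64decode(tok, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue  # not base64, bad padding, or binary data
        if all(c.isprintable() or c in "\n\t" for c in text):
            decoded.append(text)
    return decoded

def inspect_command(cmd: str) -> list[str]:
    """Reasons one command string deserves analyst review (empty when clean)."""
    reasons = ["account-creation"] if USER_CREATE.search(cmd) else []
    # Output redirected into a script file under a watched web root.
    if any(t.startswith(WEB_ROOTS) and SCRIPT_EXT.search(t)
           for t in REDIRECT_TARGET.findall(cmd)):
        reasons.append("script-write-to-web-root")
    return reasons

def scan(lines: list[str]) -> list[tuple[int, str, str]]:
    """Return (line_no, reason, evidence); hits inside decoded payloads get a 'base64:' prefix."""
    findings = []
    for n, line in enumerate(lines, 1):
        findings += [(n, r, line) for r in inspect_command(line)]
        for text in decode_base64_tokens(line):
            findings += [(n, "base64:" + r, text) for r in inspect_command(text)]
    return findings

def _b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()

SAMPLE_LOG = [  # constructed sample; the "web shell" content is an inert placeholder
    "2024-09-10T12:00:05Z host=csa01 user=root cmd=echo "
    + _b64("echo '<?php /* placeholder */ ?>' > /var/www/html/help.php") + " | base64 -d | sh",
    "2024-09-10T12:00:09Z host=csa01 user=root cmd=useradd -m svc_backup",
    "2024-09-10T12:00:12Z host=csa01 user=root cmd=echo "
    + _b64("tar czf /tmp/backup.tgz /etc/hosts /etc/hostname") + " | base64 -d | sh",
]
```

Running `scan(SAMPLE_LOG)` flags the first line for a decoded script write under a web root and the second for account creation; the benign base64-wrapped archive command produces no finding.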