Chinese State Hackers Main Suspect in Recent Ivanti CSA Zero-Day Attacks 

Fortinet believes that Chinese hackers are the primary suspects behind the recent Ivanti Cloud Services Application (CSA) zero-day attacks. These attacks involved the exploitation of multiple zero-days that affect Ivanti’s CSA product. The main flaw, CVE-2024-8190, allows an attacker to obtain remote code execution. Attackers are chaining this flaw with other zero-days that allow for authentication. Fortinet investigated an attack on one Ivanti customer and found that the attackers were first able to compromise the customer’s system by using the CSA zero-days. The attackers were then able to move laterally within the system, collect information, conduct brute-force attacks, and deploy web shells. Fortinet believes that a nation-state is behind the attack, and there are indicators that the threat group is linked to China.

Read more: https://www.securityweek.com/ivanti-csa-zero-day-exploitation-attributed-to-state-sponsored-hackers/