Pulse Detail — Threat Intelligence

PULSE NAME

Threat Actors Chained Vulnerabilities in Ivanti Cloud Service Applications | CISA

WHITE CyberHunter_NL 2025-01-29 Modified: 2025-02-28

IOCs

MEDIUM VOLUME

The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) are releasing this joint Cybersecurity Advisory in response to exploitation in September 2024 of vulnerabilities in Ivanti Cloud Service Appliances (CSA): CVE-2024-8963, an administrative bypass vulnerability; CVE-2024-9379, a SQL injection vulnerability; and CVE-2024-8190 and CVE-2024-9380, remote code execution vulnerabilities.

MITRE ATT&CK & Malware Families

ATT&CK TECHNIQUES

T1059 T1068 T1071 T1140 T1190 T1210 T1219 T1505 T1548 T1552 T1556 T1564 T1595

Indicators of Compromise (49)

All CVE FileHash-MD5 FileHash-SHA1 FileHash-SHA256 URL domain hostname

TYPE	INDICATOR	DESCRIPTION	CREATED
CVE	CVE-2024-8190	—	2025-01-29
CVE	CVE-2024-8963	—	2025-01-29
CVE	CVE-2024-9379	—	2025-01-29
CVE	CVE-2024-9380	—	2025-01-29
CVE	CVE-2024-9381	—	2025-01-29
CVE	CVE-2025-0282	—	2025-01-29
CVE	CVE-2025-0283	—	2025-01-29
FileHash-MD5	061e5946c9595e560d64d5a8c65be49e	—	2025-01-29
FileHash-MD5	1b20e9310ca815f9e2bd366fb94e147f	—	2025-01-29
FileHash-MD5	30f57e14596f1bcad7cc4284d1af4684	—	2025-01-29
FileHash-MD5	53c5b7d124f13039eb62409e1ec2089d	—	2025-01-29
FileHash-MD5	60d5648d35bacf5c7aa713b2a0d267d3	—	2025-01-29
FileHash-MD5	6401646e701f5f47518ecef48a308a36	—	2025-01-29
FileHash-MD5	698a752ec1ca43237cb1dc791700afde	—	2025-01-29
FileHash-MD5	78cc672218949a9ec87407ad3bcb5db6	—	2025-01-29
FileHash-MD5	86b62ffd33597fd635e01b95f08bb996	—	2025-01-29
FileHash-MD5	a50660fb31df96b3328640fdfbeea755	—	2025-01-29
FileHash-MD5	aa69300617faab4eb39b789ebfeb5abe	—	2025-01-29
FileHash-MD5	ae51c891d2e895b5ca919d14edd42c26	—	2025-01-29
FileHash-MD5	c2becc553b96ba27d60265d07ec3bd6c	—	2025-01-29
FileHash-MD5	c7d20ca6fe596009afaeb725fec8635f	—	2025-01-29
FileHash-MD5	c894f55c8fa9d92e2dd2c78172cff745	—	2025-01-29
FileHash-MD5	cacc30e2a5b2683e19e45dc4f191cebc	—	2025-01-29
FileHash-MD5	d13f71e51b38ffef6b9dc8efbed27615	—	2025-01-29
FileHash-MD5	d88bfac2b43509abdc70308bef75e2a6	—	2025-01-29
FileHash-MD5	dd975310201079cacd4cde6facab8c1d	—	2025-01-29
FileHash-MD5	f7f81ae880a17975f60e1e0fe1a4048b	—	2025-01-29
FileHash-MD5	f82847bccb621e6822a3947bc9ce9621	—	2025-01-29
FileHash-SHA1	25b79b4984a567b501e71fb3c43530a9b65d1c6e	SHA1 of 78cc672218949a9ec87407ad3bcb5db6	2025-01-29
FileHash-SHA1	6f0d712b2c41ff8d4c1d6ad5f5d60bb1ac9d2db9	SHA1 of 30f57e14596f1bcad7cc4284d1af4684	2025-01-29
FileHash-SHA1	a62af4ac233d914a25e79ec0705e2a187ebd7567	SHA1 of 60d5648d35bacf5c7aa713b2a0d267d3	2025-01-29
FileHash-SHA1	cb6be7d4e741864817bd965ea4652364cccc9045	SHA1 of 061e5946c9595e560d64d5a8c65be49e	2025-01-29
FileHash-SHA256	4b16ea1b1273f8746cf399c71bfc1f5bff7378b5414b4ea044c55e0ee08c89d3	SHA256 of 60d5648d35bacf5c7aa713b2a0d267d3	2025-01-29
FileHash-SHA256	7cc4ed7bfd2a6f56ee1427a951bac36ad4e4e23fb66002d2befd2305e2d01bf3	SHA256 of 78cc672218949a9ec87407ad3bcb5db6	2025-01-29
FileHash-SHA256	dc08dce9c852df817837f035f7a2b49ca9ea6114c35bcba7fc94a595f21eb805	SHA256 of 30f57e14596f1bcad7cc4284d1af4684	2025-01-29
FileHash-SHA256	dcd04c0ac081fff41021d08cd882bcf70b696aa7824361ef23849e26f395148b	SHA256 of 061e5946c9595e560d64d5a8c65be49e	2025-01-29
URL	http://107.173.89.16/8000	—	2025-01-29
URL	http://108.174.199.200/Xa27efd2.tmp	—	2025-01-29
URL	http://173.243.138.76/fdsupdate	—	2025-01-29
URL	http://208.184.237.75/fdsupdate	—	2025-01-29
URL	http://45.33.101.53/log	—	2025-01-29
URL	http://45.33.101.53/log2	—	2025-01-29
URL	http://98.98.54.209/a.sh	—	2025-01-29
URL	http://ip.sb	—	2025-01-29
URL	https://pan.xj.hk/d/	0019dfc4b32d63c1392aa264aed2253c1e0c2fb09216f8e2cc269bbfb8bb49b5	2025-01-29
domain	socket.af	—	2025-01-29
domain	subprocess.call	—	2025-01-29
hostname	cri07nnrg958pkh6qhk0977u8c83jog6t.oast.fun	—	2025-01-29
hostname	cri07nnrg958pkh6qhk0yrgy1e76p1od6.oast.fun	—	2025-01-29

References (1)

↗ https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-022a