www.fortinet.com
Open in
urlscan Pro
2600:1f18:1492:1701:a964:c08d:f5eb:b0c
Public Scan
Submitted URL: https://www.fortinet.com/blog/threat-research/burning-zero-days-suspected-nation-state-adversary-targets-ivanti-csa#new_tab
Effective URL: https://www.fortinet.com/blog/threat-research/burning-zero-days-suspected-nation-state-adversary-targets-ivanti-csa
Submission: On October 18 via api from IN — Scanned from US
Effective URL: https://www.fortinet.com/blog/threat-research/burning-zero-days-suspected-nation-state-adversary-targets-ivanti-csa
Submission: On October 18 via api from IN — Scanned from US
Form analysis
1 forms found in the DOMGET /blog/search
<form class="b3-searchbox__form" action="/blog/search" method="get">
<input class="b3-searchbox__input" type="text" name="q" placeholder="Search Blogs">
<button class="b3-searchbox__icon" aria-label="Search" type="submit">
<svg viewBox="0 0 16 16" xmlns="http://www.w3.org/2000/svg">
<path
d="M15.688 14.18l-4.075-4.075C12.36 9.06 12.8 7.78 12.8 6.4 12.8 2.87 9.93 0 6.4 0 2.87 0 0 2.87 0 6.4c0 3.53 2.87 6.4 6.4 6.4 1.38 0 2.66-.44 3.705-1.187l4.075 4.075c.207.208.48.312.753.312.274 0 .547-.104.755-.312.416-.417.416-1.093 0-1.51zM2.133 6.4c0-2.357 1.91-4.267 4.267-4.267s4.267 1.91 4.267 4.267-1.91 4.267-4.267 4.267S2.133 8.757 2.133 6.4z"
fill="#fff">
</path>
</svg>
</button>
</form>
Text Content
Blog * Categories * Business & Technology * FortiGuard Labs Threat Research * Industry Trends * Life at Fortinet * Partners * Customer Stories * PSIRT Blogs * Business & Technology * FortiGuard Labs Threat Research * Industry Trends * Life at Fortinet * Partners * Customer Stories * PSIRT Blogs * CISO Collective * Subscribe FortiGuard Labs Threat Research BURNING ZERO DAYS: SUSPECTED NATION-STATE ADVERSARY TARGETS IVANTI CSA By Faisal Abdul Malik Qureshi, John Simmons, Jared Betts, Luca Pugliese, Trent Healy, Ken Evans and Robert Reyes | October 11, 2024 * Article Contents * Background * Vulnerabilities Overview and Disclosure * Vulnerabilities Details * Other Findings * Conclusion Fortinet ProtectionsMITRE Mapping * IOCs Network Based IndicatorsHost Based Indicators By Faisal Abdul Malik Qureshi, John Simmons, Jared Betts, Luca Pugliese, Trent Healy, Ken Evans and Robert Reyes | October 11, 2024 Affected Platforms: Ivanti Cloud Services Appliance version 4.6 and prior Impacted Users: Any organization Impact: Remote attackers gain control of the vulnerable systems Severity Level: Critical Today FortiGuard Labs is releasing this blog post about a case where an advanced adversary was observed exploiting three vulnerabilities affecting the Ivanti Cloud Services Appliance (CSA). At the time of our investigation, two out of the three identified vulnerabilities were not publicly known. This incident is a prime example of how threat actors chain zero-day vulnerabilities to gain initial access to a victim’s network. BACKGROUND In a recent incident response engagement, FortiGuard Incident Response (FGIR) services were engaged by a customer to investigate malicious communication originating from their network. During the investigation, FGIR came across an adversary who had gained access to the customer’s network by exploiting the CVE-2024-8190 and two previously unknown vulnerabilities affecting the PHP front end of the Ivanti CSA appliance. The incident was detected by the customer on September 9, 2024, when some of its internal systems were found to be communicating to a malicious IP address, 206[.]189[.]156[.]69. FGIR was engaged the next day. VULNERABILITIES OVERVIEW AND DISCLOSURE During the IR investigation, FGIR observed that the threat actor exploited the vulnerability CVE-2024-8190 in conjunction with the following two previously publicly unknown vulnerabilities: * A publicly unknown path traversal vulnerability on the resource /client/index.php, to gain unauthorized access to other resources like users.php, reports.php etc. (CVE-2024-8963, disclosed September 19) * A publicly unknown command injection vulnerability affecting the resource reports.php. (CVE-2024-9380, disclosed October 8) These resources are located under the root folder of the PHP web front, which serves as the management console of the CSA. On September 19, 2024, FGIR disclosed to Ivanti’s security team the discovery of the two new vulnerabilities. During the meeting, the Ivanti team claimed that they were aware and tracking the two publicly unknown exploited vulnerabilities. On September 19, Ivanti published the advisory for CVE-2024-8963, which addressed the path traversal vulnerability. VULNERABILITIES DETAILS On September 10, 2024, at 14:00:02, Ivanti published the security advisory CVE-2024-8190 on their forum. The advisory informed about the discovery of an authenticated command injection vulnerability in the DateTimeTab.php resource, affecting CSA 4.6 with patch 518 and earlier versions. On September 13, 2024, the CVE-2024-8190 vulnerability was added to the CISA’s Known Exploited Vulnerabilities list. On the same date, Ivanti updated their security advisory to mention that, following public disclosure of the September 10th, exploitation of the command injection vulnerability had been observed in the wild. On September 16, 2024, the research team at Horizon3.ai published the details related to the CVE-2024-8190 vulnerability and also released a proof of concept exploit code. PATH TRAVERSAL VULNERABILITY – /CLIENT/INDEX.PHP During the incident response investigation, FGIR observed that the threat actor exploited a path traversal vulnerability on the resource /client/index.php to gain unauthorized authenticated access to the resource /gsb/users.php by sending the following web request: The first of such requests was sent by the threat actor on September 4, 2024, at 06:53:14 UTC, right before the exploitation of the command injection vulnerability, affecting the resource /gsb/reports.php. The resource /client/index.php on the PHP web front of the Ivanti CSA appliance can be accessed by unauthenticated users to download the “LANDESK Remote Assistance Client” software package. The following picture shows how the resource /client/index.php looks when opened in a browser: Figure 1: GUI to download LANDESK Remote assistance client Upon inspecting the /client/index.php’s code, FGIR discovered that, by clicking the “Install now” button present on it, the user is redirected to a resource called /client/download.php: Figure 2: Redirection to Download.php The resource /client/download.php redirects the user to the page OnDemand.php via the header function. Figure 3: Redirection to OnDemand.php The resource /client/OnDemand.php contains the code to open a local file called LDSupport.exe, using the php function popen. The local file is served to the user via the php echo command. Figure 4: Code vulnerable to path traversal The threat actor sent a malformed URL to the resource /client/index.php, by inserting %3F.php at the end of the URI, and appended the URL with the location of the php resource to be accessed through path traversal. Using this technique, the threat actor managed to access the resource /gsb/users.php. The appended resource, /gsb/users.php, was assigned to the variable $filename in the /client/OnDemand.php code, which led to the path traversal vulnerability, allowing the threat actor to view the list of users configured in the CSA appliance. FGIR simulated the exploitation of this vulnerability in its lab environment to understand what information could be acquired with it and the figure below shows the resulting output, which includes the list of users configured on the test appliance: Figure 5: Path traversal to users.php The threat actor exploited this vulnerability several times over the course of their intrusion to access other resources as well, with connections originating from various IP addresses. As seen in the screenshot below, which has all times expressed using the timezone UTC-007, the threat actor used the same vulnerability to access the resource /gsb/datetime.php as well. Figure 6: Path traversal vulnerability exploitations FGIR states with medium confidence that the threat actor exploited this path traversal vulnerability to gain access to the resource /gsb/users.php not only to list users, but also to attempt to create rogue users and gain authenticated access to the CSA web front end. The messages logs contain evidence of the threat actor creating two users: aiadmin and services, using the CSA utility called dbtool. This was likely performed to maintain persistent, authenticated access to the CSA management console. CVE-2024-8190 VULNERABILITY EXPLOITATION - /GSB/DATETIMETAB.PHP After the threat actor exploited the path traversal vulnerability and enumerated users configured on the CSA appliance, they exploited CVE-2024-8190, the command injection vulnerability affecting the resource /gsb/DateTimeTab.php, to attempt to access the credentials of those users. FGIR observed evidence of this exploitation in Ivanti’s broker logs, as seen in the snippet below. FGIR has high confidence that the threat actor exploited this vulnerability to gain access to the user, admin’s credentials and use these privileged credentials to carry out the authenticated exploitation of the command injection vulnerability in /clients/reports.php resource. Figure 7: SQLi vulnerability exploitation FGIR found the text “rewritten with new timezone” within the function setPhpTimeZone($timezoneinfo) of the resource DateTimeTab.php. Figure 8: Setting timezone value in php.ini From the above systemLog function call, it is clear that the value of the variable, $timezone was the one that was manipulated by the threat actor. Tracing back the value of this variable shows that it was deduced from the parameter $timezoneinfo, which was passed to the function setPhpTimeZone. Figure 9: Vulnerable function setPhpTimeZone Tracing back where the setPhpTimeZone was called, FGIR found that this happened within the function handleDateTimeSubmit(&$msg). This function is responsible for handling change submissions when the “Save” button is clicked, as depicted in the screenshot below. Figure 10: Time zone change submission The value of a global variable, $TIMEZONE, which was passed as a variable to the function setPhpTimeZone, was received from the POST request variable TIMEZONE. This implies that the threat actor crafted and sent a malicious POST request to DateTimeTab.php, with the malicious command passed in the POST request variable TIMEZONE. Figure 11: POST variable TIMEZONE contained the malicious command Going back to the malicious command injected by the threat actor, FGIR decoded the base64 blob, which resulted in the following Python code: Figure 12: Decoded base64 blob The script extracts the password of the user gsbadmin from the file /opt/landesk/broker/broker.conf and assigns its value to the environment variable PGPASSWORD. Figure 13: broker.conf contents The code targets the latest backup file in the /backups directory and iterates through this directory to find the latest backup file. If it finds one, then it connects to the Postgres database using the gsbadmin credentials, extracts the password of the user admin from the table user_info, and assigns it to the environment variable PGPASSWORD. The script then decompresses the latest backup file, and then iterates through the files to search for a filename that satisfies the regular expression php\w{6}, basically looking for a filename containing the string php followed by six characters (letters or numbers only). In case it finds such a file, it changes the permissions of the file so that everyone has the right to read, write, and execute it. The script then reads the private key from the backup file of the user root, encodes it using base64, and then assigns the resultant value to the column organization in the Postgres database table, user_info. Figure 14: Root user’s private key accessed While assessing the backend Postgres database logs, FGIR found confirmation of successful exploitation of this command injection vulnerability, as seen in the screenshot below: Figure 15: Postgres database error COMMAND INJECTION VULNERABILITY – /GSB/REPORTS.PHP Once the threat actor extracted the credentials of the users gsbadmin, admin, and the private key of the user root, they used the stolen credentials to perform authenticated exploitation of the publicly unknown command injection vulnerability affecting the resource /gsb/reports.php. Some of the threat actor requests can be seen in the messages and audit logs below: Figure 16: Command injection vulnerability exploitations Command injection was found to be exploited in the following format, where a php script /subin/tripwire was executed with the parameter –update, followed by a semicolon and a malicious command. The first malicious command injected by the threat actor was used to create a web shell called help.php in the CSA webroot folder under the /gsb directory. Figure 17: Command injected to create a webshell FGIR looked at the code of the resource reports.php and identified the vulnerability in the line highlighted below in yellow. The script accepts the value of the POST parameter TW_ID and passes it as a parameter to the script /subin/tripwire, without sanitization. Figure 18: Code vulnerable to command injection The resource /sbin/tripwire is a PHP wrapper for the binary /usr/sbin/tripwire, which is used to create security reports, when initiated through the gsb/reports.php resource. This is a legitimate functionality of the Ivanti CSA portal. FGIR inspected the tripwire PHP wrapper script and found the function update which passes the command directly to the installed tripwire binary without sanitization. Since the tripwire PHP wrapper runs with sudo privileges, the injected command also runs with elevated privileges. Figure 19: Update function in Tripwire's php wrapper FGIR acquired the patch for CVE-2024-8190, and while analyzing the functionality of the patch, FGIR assessed that the file, reports.php was not in the patch script, nor was it listed as a file in the patch folder, leading FGIR to conclude that the command injection vulnerability found in the resource /gsb/reports.php was not addressed in that patch. Figure 20: Files in the patch for CVE-2024-8190 Figure 21: Patch script for CVE-2024-8190 THREAT ACTOR PATCHING VULNERABILITIES On September 10, 2024, when the advisory for CVE-2024-8190 was published by Ivanti, the threat actor, still active in the customer’s network, “patched” the command injection vulnerabilities in the resources /gsb/DateTimeTab.php, and /gsb/reports.php, making them unexploitable. In the past, threat actors have been observed to patch vulnerabilities after having exploited them, and gained foothold into the victim’s network, to stop any other intruder from gaining access to the vulnerable asset(s), and potentially interfering with their attack operations. In this case, the threat actor downloaded the patched version of the two vulnerable resources from temp[.]sh and saved them as /tmp/1 on disk, before moving them to the webroot folder and overwriting the vulnerable version of the files with them. Below are the relevant commands: The modified timestamps of the resources reports.php, and DateTimeTab.php were September 10, 2024, at 12:37:23 UTC and 13:06:10 UTC, respectively, as seen in the screenshots below. Figure 22: Patch timestamp of reports.php Figure 23: Patch timestamp of DateTimeTab.php Comparing the original vulnerable version of reports.php to the version patched by the threat actor, shows that the threat actor added a piece of code to replace the semicolon with an underscore in the POST parameter TW_ID, so that command injection using the semicolon is not possible anymore. Figure 24: Comparison of original and threat actor's patched code FGIR tested the patching in a lab environment and confirmed that the modification by the threat actor does indeed make the resource reports.php unexploitable after the patch. The screenshot below shows the directory testwithoutfix was successfully created by exploiting the command injection vulnerability on the original vulnerable version of reports.php. When the fix is applied to the reports.php file and the command injection is exploited again, the directory testwithfix is not created. Figure 25: Exploitation testing of the original and the threat actor’s patched version The threat actor also patched the file DateTimeTab.php using the same str_replace function to replace any semicolon in the POST parameter TIMEZONE, with an underscore, rendering the command injection vulnerability using this parameter ineffective. Figure 26: Testing command injection using the orignial and patched versions of DateTimeTab.php OTHER FINDINGS LATERAL MOVEMENT After compromising the internet-facing Ivanti CSA appliance, the threat actor exploited the CVE-2024-29824 SQL Injection vulnerability on Ivanti’s backend SQL database server (SQLS). Sample malicious POST requests exploiting this vulnerability are depicted below. The threat actor enabled the xp_cmdshell stored procedure via the exploitation and used this stored procedure to attain remote code execution on the SQLS system. The threat actor created an account called mssqlsvc on the compromised system SQLS and turned off the host firewall. Table 1: Threat actor's commands FGIR also observed that the threat actor ran some basic reconnaissance commands on the SQLS system and attempted to exfiltrate the reconnaissance output using the following PowerShell command: This is a technique used to exfiltrate data over the DNS protocol. The technique is also known as DNS tunneling. See below for the content of the file that the threat actor tried to exfiltrate: Figure 27: Content of 1.log THREAT ACTOR COMMANDS FGIR discovered more tactics and techniques used by the threat actor during their intrusion. FGIR extracted and decoded some interesting commands executed by the threat actor from the Linux audit logs and other sources. A sample of those commands are shown in the table below: Table 2: Threat actor commands WEB SHELLS During the course of their operations, the threat actor created several webshells. They also modified the legitimate resource, syslog.php, and appended malicious code to it, to use it as a web shell. Some of the web shells found are shown in the table below. Table 3: Web shells BRUTE FORCE ATTACK On September 11, at 04:12:00 UTC, the threat actor started an authentication brute force attack against the customer’s internal network assets, using a dictionary attack. FGIR discovered that the threat actor downloaded a tar file called u from a temp[.]sh URL. This tar file contained three files: brokes, passdic.txt, and u.txt. Figure 28: Brute force tooling The file brokes is a Linux ELF binary, which was used to perform the brute force attack on customer’s network assets. It is likely that brokes used as parameters the list of customer’s users, possibly harvested during a different campaign, in the form of the file u.txt and the password file passdic.txt. The threat actor downloaded an unknown file called target from temp[.]sh, however this one was not found on the disk. The threat actor also downloaded a shell script called s.sh, from the temp[.]sh site. This script was used to execute the bruteforce binary brokes and anonymous logins were attempted on LDAP’s port TCP 389 of the attacked assets with several passwords. Figure 29: Content of s.sh REVERSESOCKS PROXY TOOL During the memory analysis of the CSA appliance, FGIR discovered traces of the use of an open-source go-based proxy tool called ReverseSocks5, which was downloaded and used by the threat actor to perform scanning and brute force attacks on the customer’s internal network, while proxying the traffic through the CSA appliance. The string, which was created in the memory due to an error thrown by the tool, can be seen in the below snippet. Some other suspicious strings found during the analysis of the memory included some PHP variables found to be populated with suspicious values: ZjmgmXsB.php was a webshell, which the threat actor was interacting with, while accessing it from the IP address 208[.]105[.]190[.]170. ROOT KIT DISCOVERY AND ANALYSIS During the investigation, FGIR discovered that on September 7, 2024, at 03:26:17 UTC, the threat actor attempted to deploy a rootkit in the form of a Linux kernel object (KO) module on the CSA appliance. This attempt was found in the audit logs as seen in the snippet below: The likely motive behind this was for the threat actor to maintain kernel-level persistence on the CSA device, which may survive even a factory reset. This activity is in line with the public reporting on the compromise of Ivanti CSA appliances, which is available here and here. FGIR decoded the hex string contained in the snippet above and obtained a base64 encoded blob. The initial part of the resultant base64 encoded blob indicates that this is a compressed archive file. Decompressing the tar file results in the following two files. Figure 30: Malicious tar file content The file install.sh is a malicious bash script that installs a malicious kernel object called sysinitd.ko. The compressed archive file was corrupted and only the file install.sh could be retrieved successfully in its entirety, while the file sysinitd was truncated, and the file sysinitd.ko was missing. FGIR pivoted to the disk image of the CSA appliance and found the sysinitd and sysinitd.ko files in the location /usr/share/empty/init/. Figure 31: Rootkit files ANALYSIS OF INSTALL.SH The script install.sh was meant to install the malicious rootkit sysinitd.ko on the affected system. The following variables were hard-coded in the script install.sh: The script starts with the following function call, which reads two parameters: The first parameter is the INSTALL_NAME string, which is used to rename the two files sysinitd and sysinitd.ko to INSTALL_NAME and INSTALL_NAME.ko respectively. The second parameter is the path where the script copies the renamed version of sysinitd and sysinitd.ko to. In this case, the threat actor did not supply either of the two parameters. Therefore, the default names sysinitd and sysinitd.ko were used by the script. The following snippet of code checks if the install path exists and if not, then it creates it: The script then removes any installed kernel object with the name INSTALL_NAME.ko, using the command rmmod, and then installs the malicious INSTALL_NAME.ko using the command insmod. Figure 32: Installation of malicious kernel object (rootkit) The bash script install.sh installs a persistence mechanism using the technique of adding an entry to install the malicious kernel object in the rc.local and rc.d/rc.local files, if the malicious kernel object file is present on disk. Figure 33: Establishing rootkit persistence Figure 34: Rootkit persistence via RC script ANALYSIS OF THE SYSINITD AND SYSINITD.KO FGIR aims to analyze the rootkit in detail and publish the findings in a follow-up blog post. CONCLUSION The advanced adversaries were observed exploiting and chaining zero-day vulnerabilities to establish beachhead access in the victim’s network. You can read more about the Ivanti CSA zero-day attack in our Threat Signal Report: https://www.fortiguard.com/threat-signal-report/5556. FORTINET PROTECTIONS The malware described in this report is detected and blocked by FortiGuard Antivirus as: BASH/Agent.030E!tr ELF/Agent.69A0!tr ELF/Agent.7E02!tr ELF/Agent.BD!tr FortiGate, FortiMail, FortiClient, and FortiEDR support the FortiGuard Antivirus service. The FortiGuard antivirus engine is a part of each of those solutions. As a result, customers who have these products with up-to-date protections are protected. Fortinet has also released the following IPS signatures to protect our customers from the threats contained in the report. CVE-2024-8190; https://www.fortiguard.com/encyclopedia/ips/56651 The interactsh related URLs are rated as “Malicious Websites” and “Malicious Activities Found” by the FortiGuard Web Filtering service. FortiGuard IP Reputation and Anti-Botnet Security Service proactively blocks these attacks by aggregating malicious source IP data from the Fortinet distributed network of threat sensors, CERTs, MITRE, cooperative competitors, and other global sources that collaborate to provide up-to-date threat intelligence about hostile sources. If you believe this or any other cybersecurity threat has impacted your organization, please contact our Global FortiGuard Incident Response Team. MITRE MAPPING The MITRE ATT&CK framework has been used to refer to the various tactics and techniques used by the threat actor. Table 4: MITRE Mapping IOCS NETWORK BASED INDICATORS Network Indicator Protocol Port Notes apiv5[.]serverbks[.]xyz 443 Domain associated with IP 156[.]234[.]193[.]18 74[.]62[.]81[.]162 57532 Threat actor’s C2 189f31ed7d[.]ipv6[.]bypass[.]eu[.]org Seen in encoded PowerShell used by the threat actor iowxuintgredogzgblrsmr2cx2e471bor.oast[.]fun Seen in encoded PowerShell used by the threat actor o.lencr[.]org Let's Encrypt domain name c67f045c2f.ipv6.1433.eu[.]org Seen in encoded PowerShell used by the threat actor 206[.]189[.]156[.]69 oast[.]fun domain IP 51[.]91[.]79[.]17 temp[.]sh domain IP 156[.]234[.]193[.]18 C2 IP found in the python reverse shell 208[.]105[.]190[.]170 Threat actor IP interacting with webshell http://temp[.]sh/khkzg/DateTimeTab.php HTTP 80 Patched version of DateTimeTab.php downloaded by the threat actor from this URL to overwrite the vulnerable version. http://temp[.]sh/vQuoW/reports.php HTTP 80 Patched version reports.php downloaded by the threat actor from this URL to overwrite the vulnerable version. http://l8u6aolk4ejfsl9zeq6321zvwm2eq3[.]burpcollaborator.net HTTP 80 Accessed by the threat actor 54[.]77[.]139[.]23 oastify[.].com subdomains 34[.]250[.]195[.]30 portswigger[.]net domain IP, web app security & testing 216[.]131[.]75[.]52 Threat actor IP interacting with webshell 24[.]166[.]100[.]255 Threat actor IP interacting with webshell 67[.]217[.]228[.]92 Threat actor IP interacting with webshell 69[.]49[.]88[.]235 Threat actor IP interacting with webshell 45[.]61[.]136[.]189 Threat actor IP interacting with webshell 3[.]248[.]33[.]252 Threat actor IP interacting with webshell 38[.]207[.]159[.]76 Threat actor IP interacting with webshell 193[.]189[.]100[.]197 Threat actor IP interacting with webshell 23[.]236[.]66[.]97 Threat actor IP interacting with webshell HOST BASED INDICATORS PATH FILE NAME SHA1 HASH NOTES \Device\HarddiskVolume2\ProgramData\1.log 1.log Reconnaissance output \Device\HarddiskVolume2\ProgramData\bakeup.bat bakeup.bat Unknown batch file \Device\HarddiskVolume2\ProgramData\output output Reconnaissance output \Device\HarddiskVolume2\ProgramData\sess010981 sess010981 Reconnaissance output C:\inetpub\wwwroot\aspnet_client\read.txt read.txt Unknown text file https://10.10.11.31/client/site.php site.php Web shell on CSA appliance c:\programdata\output.hex output.hex Encoded reconnaissance output brokes brokes beb723a5f20a1a2c4375f9aa250d968d55155689 Bruteforcer binary passdic.txt passdic.txt List of passwords u.txt u.txt List of harvested usernames /tmp/1 1 Files downloaded on the device are created as /tmp/1 on the CSA disk /tmp/systemd-private-2e4a6ea82da94a9b9fec37fe91c9b820-broker.service-asZTdm/tmp/.br/broke broke 64efc1aad330ea9d98c0c705e16cd4b3af7e74f8 Linux brute force binary /client/site.php site.php Web shell on CSA appliance /gsb/client.php client.php Web shell on CSA appliance /gsb/firewall.php firewall.php Web shell on CSA appliance /gsb/reports.php reports.php Web shell on CSA appliance /gsb/style.php style.php Web shell on CSA appliance /gsb/syslog.php?a=phpinfo(); syslog.php Web shell on CSA appliance /gsb/users.php users.php Web shell on CSA appliance /gsb/uSxhmgm.php uSxhmgm.php Web shell on CSA appliance /gsb/ZjmgmXsB.php ZjmgmXsB.php Web shell on CSA appliance install.sh install.sh 8d016d02f8fbe25dce76481a90dd0b48630ce9e74e8c31ba007cf133e48b8526 Rootkit installation script /usr/share/empty/init/sysinitd.ko sysinitd.ko 6edd7b3123de985846a805931ca8ee5f6f7ed7b160144aa0e066967bc7c0423a Rootkit – Kernel Object Module /usr/share/empty/init/sysinitd sysinitd d57a2cac394a778e19ce9b926f2e0a71936510798f30d20f207f2a49b49ce7b1 Malicious Linux binary Tags: zero-day vulnerability RELATED POSTS FortiGuard Labs Threat Research FORTIGUARD LABS DISCOVERS THREE VULNERABILITIES IN SIEMENS’ TEAMCENTER SOLUTIONS FortiGuard Labs Threat Research RANSOMWARE ROUNDUP: LOCKBIT, BLUESKY, AND MORE FortiGuard Labs Threat Research MOVEIT TRANSFER CRITICAL VULNERABILITY (CVE-2023-34362) EXPLOITED AS A 0-DAY * * * * * * NEWS & ARTICLES * News Releases * News Articles SECURITY RESEARCH * Threat Research * FortiGuard Labs * Threat Map * Ransomware Prevention CONNECT WITH US * Fortinet Community * Partner Portal * Investor Relations * Product Certifications COMPANY * About Us * Exec Mgmt * Careers * Training * Events * Industry Awards * Social Responsibility * CyberGlossary * Sitemap * Blog Sitemap CONTACT US * (866) 868-3678 Copyright © 2024 Fortinet, Inc. All Rights Reserved Terms of Services Privacy Policy | Cookie Settings PRIVACY PREFERENCE CENTER * YOUR PRIVACY * STRICTLY NECESSARY COOKIES * PERFORMANCE COOKIES * FUNCTIONAL COOKIES * ADVERTISING COOKIES YOUR PRIVACY A website may store or retrieve certain information about your browser by using cookies. Cookies store information about how a visitor interacts with a website. The information may be about you, your preferences, your browser, or may be used just to make the website function. We allow certain advertising and analytics partners to collect information from our site through cookies and similar technologies to deliver ads which are more relevant to you, and assist us with advertising-related analytics (e.g., measuring ad performance, optimizing our ad campaigns). This may be considered "selling" or "sharing” / disclosure for targeted online advertising under certain laws. To opt out of these activities, move the toggles for "Performance" and "Advertising" to the left and press "Confirm My Choices." You can also click on the different category headings if you would like to read more about the cookies that we use, and adjust your preferences. Please note that your choice will apply only to your current browser/device. You can choose not to allow some types of cookies; however, please note that blocking some categories of cookies may impact your experience of the site. You can visit our Privacy Policy for more information. privacy policy STRICTLY NECESSARY COOKIES Always Active These cookies are necessary for the basic functionality of the website. The website would not work without these cookies, so they cannot be switched off in our systems. You can set your browser to block or alert you about these cookies, but some parts of the site will not work. PERFORMANCE COOKIES Performance Cookies These cookies help us collect certain data, such as count visits and traffic sources, so that we can measure the performance of our site, improve the content, and build better features that enhance your experience. They help us to know which pages are the most and least popular and see how visitors move around the site. They also allow us to measure the effectiveness of our ads on other sites. FUNCTIONAL COOKIES Functional Cookies These cookies allow our website to remember your preferences and choices made on the website, such as region and language, which help us provide enhanced functionality and personalization. These cookies may be set by us or by third party providers whose services we have added to our pages. If you disable these cookies, then some or all of these features may not function properly. ADVERTISING COOKIES Advertising Cookies These cookies may be set through our website by our advertising partners, and use information uniquely identifying your browser and internet device to build a profile of your interests and show you relevant ads on other websites. If you disable these cookies, you will experience less targeted advertising. BACK BUTTON BACK Vendor Search Filter Button Consent Leg.Interest checkbox label label checkbox label label checkbox label label Clear checkbox label label Apply Cancel Confirm My Choices Allow All word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word mmMwWLliI0fiflO&1 mmMwWLliI0fiflO&1 mmMwWLliI0fiflO&1 mmMwWLliI0fiflO&1 mmMwWLliI0fiflO&1 mmMwWLliI0fiflO&1 mmMwWLliI0fiflO&1