
A series of critical vulnerabilities affecting Ivanti Cloud Service Appliance (CSA) 4.6 have been actively exploited in the wild, raising serious security concerns for enterprises relying on the platform for endpoint management, patching, and remote troubleshooting. Despite reaching its end-of-life on August 31, 2024, the platform continues to be a high-profile target for cybercriminals.
According to HarfangLab, multiple vulnerabilities, when chained together, enable unauthenticated remote code execution (RCE) and SQL injection attacks, allowing adversaries to gain full control over compromised appliances.
Between September 10 and October 8, 2024, Ivanti issued security advisories for several vulnerabilities in CSA 4.6. These include:
- CVE-2024-8963 – A path traversal vulnerability that allows “remote unauthenticated attackers to access restricted functionality.” Initially misattributed to PHP script issues, a deeper analysis revealed that “CVE-2024-8963 is the result of a combination of URL parsing issues in the Ivanti-proprietary Web server for CSA (broker), as well as a confusing behavior in chosen configuration for PHP CGI.”
- CVE-2024-8190 & CVE-2024-9381 – Remote command execution vulnerabilities that allow attackers to inject OS commands through manipulated API requests.
- CVE-2024-9379 – An SQL injection flaw that enables attackers to manipulate database queries and extract sensitive information.
These vulnerabilities were patched in Patch 519, released on September 10, 2024, but many enterprises failed to upgrade before active exploitation began.
Starting September 13, 2024, public reports emerged confirming in-the-wild exploitation of these flaws:
- Fortinet published a detailed analysis on October 11, 2024, confirming active exploitation by sophisticated threat actors.
- The French government’s CERT issued an alert on October 22, 2024, warning organizations about widespread attacks.
- A joint cybersecurity advisory by CISA and the FBI, released on January 22, 2025, emphasized the severity of the attacks.
Further escalating the threat, an exploitation script for CVE-2024-8190 was publicly released on September 16, 2024, providing attackers with an easy-to-use proof-of-concept (PoC).
HarfangLab’s investigation reveals a multi-stage attack chain where threat actors exploit Ivanti CSA vulnerabilities to gain initial access and deploy persistent malware.
One of the key attack methods leverages a maliciously crafted URL, such as:
This URL forces the execution of a restricted PHP script without authentication, allowing adversaries to execute remote commands.
Additionally, another variation of the exploit allows attackers to target any restricted PHP file:
Through URL misinterpretation and improper authentication enforcement, attackers gain unauthorized access to sensitive server components.
After exploiting the vulnerabilities, attackers frequently deploy webshells to maintain long-term access. HarfangLab’s research highlights four primary webshell variants observed in compromised Ivanti CSA devices:
- Simple PHP System Wrapper – Executes arbitrary system commands via a request parameter.
- Encoded PHP Eval Wrapper – A base64 and XOR-encoded backdoor designed for stealth.
- Ice-Scorpion/Behinder Webshell – A known Chinese-origin backdoor used for remote execution.
- Godzilla PHP Webshell – A forked version of the well-known Godzilla webshell, featuring obfuscation and remote control capabilities.
These webshells were most commonly found in the following locations:
- /gsb/help.php
- /client/RCClient.php
- /client/LDSupport.php
- /rc/config.php
According to HarfangLab, “at least one webshell deployed on almost half (48%) of the vulnerable devices”, indicating widespread and systematic exploitation.
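As an added defensive example (not code from HarfangLab or Ivanti), the following Python script checks the four drop locations listed above for the two simplest webshell patterns the research describes: a shell-execution call fed from a request parameter, and an eval() over base64-decoded data. The regexes and the sample files are constructed here and are assumptions, not signatures from the report.

```python
import re
import tempfile
from pathlib import Path

# Drop locations reported by HarfangLab, relative to the CSA web root.
KNOWN_WEBSHELL_PATHS = [
    "gsb/help.php",
    "client/RCClient.php",
    "client/LDSupport.php",
    "rc/config.php",
]

# Heuristics (assumed, not from the report) for the first two families described
# above: a shell-execution call fed straight from a request parameter, and eval()
# over base64-decoded data.
SUSPICIOUS_PATTERNS = {
    "system_wrapper": re.compile(
        r"\b(system|shell_exec|passthru|exec)\s*\(\s*\$_(GET|POST|REQUEST)\b", re.I),
    "encoded_eval": re.compile(r"\beval\s*\(.*base64_decode\s*\(", re.I | re.S),
}

def scan_webroot(webroot):
    """Return [(relative_path, finding)] for known drop locations whose content
    matches a heuristic. Existence alone is not a finding: some of these paths
    are legitimate CSA files that an attacker may have overwritten."""
    findings = []
    for rel in KNOWN_WEBSHELL_PATHS:
        path = Path(webroot) / rel
        if not path.is_file():
            continue
        content = path.read_text(errors="replace")
        for name, pattern in SUSPICIOUS_PATTERNS.items():
            if pattern.search(content):
                findings.append((rel, name))
    return findings

def build_sample_webroot():
    """Constructed fixture (not real CSA files): one benign config file and two
    files carrying the patterns above. Returns the temporary web root path."""
    root = Path(tempfile.mkdtemp())
    files = {
        "rc/config.php": "<?php $cfg = ['host' => 'localhost']; ?>",
        "gsb/help.php": "<?php system($_REQUEST['c']); ?>",
        "client/RCClient.php": "<?php eval(base64_decode($_POST['d'])); ?>",
    }
    for rel, body in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(body)
    return str(root)
```

Run it against a copy of the appliance's web root; a match at any of these paths is a trigger for a full forensic review rather than a verdict on its own.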
Attackers didn’t stop at Ivanti CSA. After gaining an initial foothold, they moved laterally within compromised networks using various privilege escalation and credential harvesting techniques:
- Exploiting ZeroLogon (CVE-2020-1472) to gain Windows domain administrator privileges.
- Leveraging Polkit (CVE-2021-4034) for local Linux privilege escalation.
- Targeting F5 BIG-IP devices (CVE-2022-1388) to compromise network infrastructure.
Additionally, adversaries used NHAS reverse_ssh—a Golang-based backdoor—to establish persistent SSH access over WebSockets. The implant was downloaded from a staging server: 195.133.52[.]87. This infrastructure served as a command-and-control (C2) hub, facilitating remote control of compromised systems.
While the attribution remains unclear, several Chinese-language artifacts in the exploit toolset suggest possible involvement of Chinese-speaking actors. HarfangLab notes that “the timely vulnerability exploitation on appliances with invariable Webshells deployment reminds us of the Citrix/NetScaler devices compromises in mid-2023 (CVE-2023-3519)”, which were previously linked to China-based groups.