Help
Lacework
Access helpful articles and other FAQs on Lacework
mary
Staff
Staff

Created on ‎01-28-2025 09:31 PM

Article Id 373236

Outbreak Alert: Detecting post-exploitation activity related to Ivanti CSA vulnerabilities in Lacework FortiCNAPP

Description

This article explains how Lacework FortiCNAPP can help detect post-exploitation behaviors following the exploitation of Ivanti Cloud Services Appliance (CSA) vulnerabilities (CVE-2024-9379, CVE-2024-9380, CVE-2024-9381). 

Although "Cloud" is in the name, Ivanti CSA is a perimeter authentication appliance rather than a cloud-native service. As a result, Lacework does not directly detect the initial exploitation of Ivanti CSA. However, if attackers use Ivanti CSA as an entry point to pivot into cloud environments, Lacework can identify post-compromise behaviors such as credential theft, privilege escalation, and lateral movement. 
Scope

Attackers exploiting Ivanti CSA vulnerabilities may:

  • Steal IAM credentials from affected systems 
  • Abuse API access to escalate privileges in AWS, Azure, or Google Cloud 
  • Move laterally across cloud workloads to expand control 

Lacework FortiCNAPP detects these post-exploitation behaviors using composite alerts that correlate multiple signals within cloud environments. 
Solution

Detecting Post-Exploitation with Lacework FortiCNAPP Alerts (see next table)
Additional Resources

https://www.fortiguard.com/outbreak-alert/ivanti-csa-zero-day-attack

https://www.fortinet.com/blog/threat-research/burning-zero-days-suspected-nation-state-adversary-tar... 

https://community.fortinet.com/t5/FortiAnalyzer/Technical-Tip-Using-FortiAnalyzer-to-detect-activiti... 

https://community.fortinet.com/t5/FortiRecon/Outbreak-Alert-Ivanti-CSA-Cloud-Services-Appliance-Zero... 

 

https://www.ivanti.com/blog/october-2024-security-update 

https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-CSA-Cloud-Services-Appliance-CVE-2024-9... 

https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-022a

 

How Lacework FortiCNAPP can help

Lacework composite alerts help detect attacker activity in cloud environments: 

Threat Type Lacework FortiCNAPP Alert Description
Unusual IAM Role Assumptions (Stolen Credentials)  Potentially Compromised AWS Keys  Detects anomalous use of AWS IAM credentials
  Potentially Compromised Azure Identity Detects unexpected Azure identity usage 
  Potentially Compromised Google Cloud Identity Detects unauthorized access to Google Cloud identities 
AWS: Anomalous API Activity (Privilege Escalation, Cloud Modifications) 

API Failed With Error 

AWS IAM API Error Spike

New AWS API Invoked

 

 Identifies API activity indicative of an attack on AWS  
Azure: Anomalous API Activity (Privilege Escalation, Cloud Modifications) 

New Azure API Failed with Error

New Azure API Call Invoked by User Accessed Resource for the First Time

  Identifies API activity indicative of an attack on Azure 
Google Cloud: Anomalous API Activity (Privilege Escalation, Cloud Modifications) 

New GCP API Call

New API Invoked for Google Cloud Service

GCP API Failed With Error

 Identifies API activity indicative of an attack on Google Cloud

Recommended Actions

1) Apply Ivanti's security patches to mitigate initial exploitation 

2) Monitor IAM & API activity logs for unusual access in AWS, Azure, and Google Cloud 

3) Use Lacework FortiCNAPP anomaly detection to spot attack behavior across cloud environments  

https://www.fortinet.com/products/forticnapp 

280
0 Kudos
Suggest New Article
Article Feedback
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.