Exploitation of Ivanti VPN Flaws to Spread KrustyLoader Malware

Posted: 2024-01-31 19:45:40

Hackers utilize undisclosed vulnerabilities in Ivanti VPN, deploying malicious software and digital currency miners, with targets including large corporations, government agencies, and defense contractors.

Concerns about cybersecurity are increasing as hackers attempt to utilize undisclosed vulnerabilities in Ivanti VPN devices to deploy malicious software and digital currency miners. The vulnerabilities, known as CVE-2023-46805 and CVE-2024-21887, were identified in Ivanti Connect Secure (ICS) and Ivanti Policy Secure Gateway devices, enabling attackers to remotely execute arbitrary commands on targeted hosts to load a Rust-based malware called KrustyLoader.

“Vulnerabilities were found in Ivanti Connect Secure (ICS), previously known as Pulse Connect Secure and Ivanti Policy Secure gateways. These vulnerabilities affect all supported versions – Version 9.x and 22.x,” Ivanti confirmed in a recent advisory.

CVE-2023-46805 is an authentication bypass flaw with a CVSS score of 8.2. It allows a remote attacker to bypass control checks in the web component of Ivanti ICS 9.x, 22.x, and Ivanti Policy Secure.

CVE-2024-21887 is a command injection vulnerability with a CVSS score of 9.1. It was discovered in the web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure, and allows an authenticated administrator to send crafted requests to an Ivanti appliance and execute arbitrary commands.

Targets include global small to large businesses, including Fortune 500 companies, government departments, telecommunications, defense contractors, technology firms, banking, finance, accounting institutions, consulting services, and aerospace entities.

The issues were first reported by Volexity, according to which these vulnerabilities have been exploited as zero-days as early as 3 December 2023. They identified a Chinese threat actor named UTA0178 (tracked by Mandiant as UNC5221) as responsible for this exploitation. Volexity was alerted after discovering an attacker executing webshells on multiple internal and external-facing web servers.

The company launched an investigation and discovered over 2,100 compromised Ivanti Connect Secure VPN devices using the GIFTEDVISITOR webshell in December 2023. A new scan in January 2024 revealed 368 more compromised devices.

Researchers inspected a compromised Connect Secure VPN appliance and found that UTA0178 had modified the built-in Integrity Checker Tool, causing the tool to report no new or mismatched files.
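As an added, constructed example (not part of the original report and not Ivanti's tooling), the Python script below shows the defensive counterpart to that tampering: an integrity check driven from a baseline held off the appliance, so that a modified on-device checker is itself reported as a mismatched file rather than being trusted to report on everything else. The directory layout and file names are invented for the demonstration.

```python
import hashlib
import os
import tempfile

# Constructed example: the trusted baseline lives off the appliance, so a
# tampered on-device checker cannot suppress findings about itself or others.
def hash_tree(root):
    """Return {relative_path: sha256_hex} for every regular file under root."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            with open(full, "rb") as fh:
                manifest[rel] = hashlib.sha256(fh.read()).hexdigest()
    return manifest

def compare(baseline, current):
    """Report files that are new, missing, or whose hash differs from the baseline."""
    new = sorted(set(current) - set(baseline))
    missing = sorted(set(baseline) - set(current))
    mismatched = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"new": new, "missing": missing, "mismatched": mismatched}

def demo():
    """Build a constructed appliance tree, baseline it, then simulate tampering."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "bin"))
    os.makedirs(os.path.join(root, "web"))
    with open(os.path.join(root, "bin", "integrity_checker"), "w") as fh:
        fh.write("original checker\n")
    with open(os.path.join(root, "web", "index.html"), "w") as fh:
        fh.write("<html></html>\n")
    baseline = hash_tree(root)  # taken from a known-good image, stored off-device
    # Simulated compromise: the checker is altered to stay silent and a new file appears.
    with open(os.path.join(root, "bin", "integrity_checker"), "w") as fh:
        fh.write("altered checker that reports nothing\n")
    with open(os.path.join(root, "web", "extra.cgi"), "w") as fh:
        fh.write("placeholder for a dropped file\n")
    # The comparison never consults the on-device checker, only the external baseline.
    return compare(baseline, hash_tree(root))

if __name__ == "__main__":
    print(demo())
```

The point is that the hash of the checker binary is part of the baseline, so the run reports both the dropped file and the altered checker regardless of what the on-box tool would have said.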

Synacktiv researcher Théo Letailleur conducted an extensive probe and found that threat actors are utilizing Ivanti undisclosed vulnerabilities to install an XMRig digital currency miner and execute a Golang-based Sliver backdoor from a remote server.

KrustyLoader served as a loader to download and execute Sliver on compromised hosts. Because it is written in Rust, fully comprehending the malware’s behavior is challenging.

Bishop Fox’s Sliver is a post-exploitation toolkit designed for cybercriminals to maintain control over compromised systems. It gained popularity among cybercriminals in 2023 after law enforcement attempted to shut down ‘cracked’ versions of Cobalt Strike.

The backdoor offers extensive functionalities, including network spying, command execution, loading reflective DLLs, and spawning sessions. Synacktiv reports that all samples download Sliver from different URLs, and establish a connection with the C2 using HTTP/HTTPS communication.

Ivanti’s advisory suggests that if CVE-2024-21887 and CVE-2023-46805 are used together, an attacker can send malicious requests to unpatched systems without authentication, allowing arbitrary command execution.

Ivanti and Mandiant are working to address over 2,100 system compromises, and a patch was scheduled for January 30. However, no patch is currently available.
