Wednesday, January 31, 2024

NEW Ivanti VPN Zero-day Vulnerability Found using BishopFox Tool

A pair of zero-day vulnerabilities discovered in Ivanti Connect Secure (ICS) VPN appliances has been exploited to deploy a Rust-based payload named KrustyLoader, which in turn installs the open-source Sliver adversary simulation tool. The flaws, tracked as CVE-2023-46805 (CVSS score: 8.2) and CVE-2024-21887 (CVSS score: 9.1), allow unauthenticated remote code execution on vulnerable appliances when chained together. Patches for the vulnerabilities are currently delayed, but Ivanti has released a temporary mitigation in the form of an XML file.

The vulnerabilities, first disclosed by Volexity, have been actively exploited as zero-days since December 3, 2023, by a Chinese nation-state threat actor tracked as UTA0178 (UNC5221 by Mandiant). Since public disclosure, adversaries have leveraged them to distribute XMRig cryptocurrency miners and Rust-based malware. Synacktiv's analysis of the Rust malware, KrustyLoader, shows that it acts as a loader: it downloads Sliver from a remote server and executes it on the compromised host.

Sliver, developed by BishopFox, is a Golang-based cross-platform post-exploitation framework, offering an attractive alternative for threat actors compared to widely recognized tools like Cobalt Strike. Despite the rise of alternatives such as Sliver, a report by Recorded Future indicates that Cobalt Strike remains the predominant offensive security tool, followed by Viper and Meterpreter, as observed in attacker-controlled infrastructure throughout 2023. Other frameworks gaining traction include Havoc, Mythic, Brute Ratel (BRc4), and Sliver.
