Ivanti VPN Flaws Exploited to Spread KrustyLoader Malware
By Deeba Ahmed (HackRead.com)
The Ivanti VPN vulnerabilities have plunged into a black hole.
Hackers exploit zero-day vulnerabilities in Ivanti VPN, deploying malware and cryptocurrency miners, with targets including Fortune 500 firms, gov’t agencies, and defence contractors.
Cybersecurity concerns are rising as hackers exploit zero-day vulnerabilities in Ivanti VPN devices to deploy malware and cryptocurrency miners. The vulnerabilities, identified as CVE-2023-46805 and CVE-2024-21887, were discovered in Ivanti Connect Secure (ICS) and Ivanti Policy Secure gateway appliances; they allow attackers to execute arbitrary commands remotely on targeted hosts, which is then used to load a Rust-based malware named KrustyLoader.
“Vulnerabilities have been discovered in Ivanti Connect Secure (ICS), formerly known as Pulse Connect Secure and Ivanti Policy Secure gateways. These vulnerabilities impact all supported versions – Version 9.x and 22.x,” Ivanti confirmed in a recent advisory.
CVE-2023-46805 is an Authentication Bypass flaw with a CVSS score of 8.2. It allows a remote attacker to bypass control checks in the web component of Ivanti ICS 9.x, 22.x, and Ivanti Policy Secure.
CVE-2024-21887 is a command injection vulnerability with a CVSS score of 9.1. It was discovered in the web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure, and allows an authenticated administrator to execute arbitrary commands on the appliance by sending crafted requests.
Targets include global small to large businesses, including Fortune 500 companies, government departments, telecommunications, defence contractors, technology firms, banking, finance, accounting institutions, consulting services, and aerospace entities.
The issues were first reported by Volexity, which found these vulnerabilities had been exploited as zero-days as early as 3 December 2023. Volexity identified a Chinese threat actor it tracks as UTA0178 (tracked by Mandiant as UNC5221) as responsible for the exploitation. Volexity became aware of the activity after discovering an attacker deploying webshells on multiple internal and external-facing web servers.
The company launched an investigation and discovered over 2,100 compromised Ivanti Connect Secure VPN devices using the GIFTEDVISITOR webshell in December 2023. A new scan in January 2024 revealed 368 more compromised devices.
Researchers inspected a compromised Connect Secure VPN appliance and found that UTA0178 made modifications to the in-built Integrity Checker Tool, causing the tool to report no new or mismatched files.
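The tampering described above is why an appliance's own integrity report cannot be the only source of truth. As an added example (not from the article, Ivanti or Volexity), the Python below compares a vendor baseline of file hashes against a snapshot read from an offline copy of the appliance disk, and separately flags the case where the integrity tool itself differs from baseline; all paths and file contents are constructed for the example.

```python
import hashlib

# Constructed baseline: the vendor-published hashes an external check would use.
# Paths and contents are invented for this example, not real ICS files.
BASELINE_FILES = {
    "/opt/appliance/bin/integrity_check": b"integrity checker build 1",
    "/opt/appliance/web/lib/auth.pm": b"package Auth; sub check { verify($_[0]) }",
    "/opt/appliance/web/cgi/index.cgi": b"#!/usr/bin/perl\nprint 'ok';",
}

# Constructed snapshot of the same paths, read from an offline copy of the
# appliance disk rather than reported by the appliance's own tooling.
DEVICE_FILES = {
    "/opt/appliance/bin/integrity_check": b"integrity checker build 1 (altered)",
    "/opt/appliance/web/lib/auth.pm": b"package Auth; sub check { 1 }",
    "/opt/appliance/web/cgi/index.cgi": b"#!/usr/bin/perl\nprint 'ok';",
    "/opt/appliance/web/cgi/extra.cgi": b"constructed: file not in baseline",
}

# Assumed location of the on-device integrity tooling itself.
INTEGRITY_TOOL_PATHS = {"/opt/appliance/bin/integrity_check"}


def manifest(files: dict[str, bytes]) -> dict[str, str]:
    """Map each path to the SHA-256 hex digest of its contents."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def compare_manifests(baseline: dict[str, str], observed: dict[str, str]) -> dict:
    """Diff two manifests. Besides added/missing/modified paths, flag whether the
    integrity tool itself deviates from baseline: if it does, any clean report
    the appliance produced about itself cannot be relied on."""
    added = sorted(set(observed) - set(baseline))
    missing = sorted(set(baseline) - set(observed))
    modified = sorted(p for p in baseline if p in observed and baseline[p] != observed[p])
    tool_tampered = any(p in INTEGRITY_TOOL_PATHS for p in modified + missing)
    return {"added": added, "missing": missing, "modified": modified,
            "tool_tampered": tool_tampered}


def verify_device(baseline_files: dict[str, bytes], device_files: dict[str, bytes]) -> dict:
    """Hash both file sets out-of-band and compare them; returns the findings."""
    return compare_manifests(manifest(baseline_files), manifest(device_files))


if __name__ == "__main__":
    for key, value in verify_device(BASELINE_FILES, DEVICE_FILES).items():
        print(f"{key}: {value}")
```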
Synacktiv researcher Théo Letailleur conducted an extensive probe and discovered that threat actors are exploiting Ivanti zero-days to install an XMRig cryptocurrency miner and execute a Golang-based Sliver backdoor from a remote server.
KrustyLoader serves as a loader that downloads and executes Sliver on compromised hosts. Because it is written in Rust, fully analysing the malware's behaviour is challenging.
Bishop Fox’s Sliver is a post-exploitation toolkit designed for cybercriminals to maintain control over compromised systems. It gained popularity among cybercriminals in 2023 after law enforcement attempted to shut down ‘cracked’ versions of Cobalt Strike.
The backdoor offers extensive functionality, including network reconnaissance, command execution, reflective DLL loading, and spawning sessions. Synacktiv reports that each sample downloads Sliver from a different URL and then communicates with its C2 over HTTP/HTTPS.
Ivanti’s advisory suggests that if CVE-2024-21887 and CVE-2023-46805 are used together, an attacker can send malicious requests to unpatched systems without authentication, allowing arbitrary command execution.
Ivanti and Mandiant are working to address over 2,100 system compromises, and a patch was scheduled for January 30. However, no patch is currently available.