Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Threat actors exploit Ivanti VPN bugs to deploy KrustyLoader Malware

Threat actors are exploiting recently disclosed zero-day flaws in Ivanti Connect Secure (ICS) VPN devices to deliver KrustyLoader. In early January 2024, software firm Ivanti reported that threat actors were exploiting two zero-day vulnerabilities (CVE-2023-46805, CVE-2024-21887) in Connect Secure (ICS) and Policy Secure to remotely execute arbitrary commands on targeted gateways. Researchers from cybersecurity firm Synacktiv published […]

ivanti Endpoint Manager

Threat actors are exploiting recently disclosed zero-day flaws in Ivanti Connect Secure (ICS) VPN devices to deliver KrustyLoader.

In early January 2024, software firm Ivanti reported that threat actors were exploiting two zero-day vulnerabilities (CVE-2023-46805, CVE-2024-21887) in Connect Secure (ICS) and Policy Secure to remotely execute arbitrary commands on targeted gateways.

Researchers from cybersecurity firm Synacktiv published a technical analysis of a Rust malware, named KrustyLoader, that was delivered by threat actors exploiting the above vulnerabilities.

The flaw CVE-2023-46805 (CVSS score 8.2) is an Authentication Bypass issue that resides in the web component of Ivanti ICS 9.x, 22.x and Ivanti Policy Secure. A remote attacker can trigger the vulnerability to access restricted resources by bypassing control checks.

The second flaw, tracked as CVE-2024-21887 (CVSS score 9.1) is a command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure. An authenticated administrator can exploit the issue by sending specially crafted requests and execute arbitrary commands on the appliance.

An attacker can chain the two flaws to send specially crafted requests to unpatched systems and execute arbitrary commands. 

“If CVE-2024-21887 is used in conjunction with CVE-2023-46805, exploitation does not require authentication and enables a threat actor to craft malicious requests and execute arbitrary commands on the system.” reads the advisory published by Ivanti.

The company is providing mitigation and confirmed it is working on the development of a security patch.

Volexity researchers observed threat actors actively exploiting the two zero-days in the wild. In December 2023, Volexity investigated an attack where an attacker was placing webshells on multiple internal and external-facing web servers.

The researchers also reported that threat actors tracked as UTA0178 (aka UNC5221) are actively exploiting the vulnerabilities and are actively trying to exploit devices.

Targets span across the globe, they include both small businesses and large organizations. The list of targets includes multiple Fortune 500 companies operating in various industry sectors, such as:

  • Global government and military departments
  • National telecommunications companies
  • Defense contractors
  • Technology firms
  • Banking, finance, and accounting institutions
  • Worldwide consulting services
  • Aerospace, aviation, and engineering entities

After being publicly disclosed, multiple threat actors started exploiting these vulnerabilities to deploy XMRig cryptocurrency miners and Rust-based malware.

Synacktiv researchers noticed that threat actors used the KrustyLoader as a loader to download a Golang-based Sliver backdoor from a remote server and execute it.

“Based on my observations, all the samples download a Sliver (Golang) backdoor, though from different URLs.” reads the report published by Synacktiv. “The Sliver backdoors contact their C2 server using HTTP/HTTPS communication. Sliver 11 is an open-source adversary simulation tool that is gaining popularity among threat actors, since it provides a practical command and control framework.”

Sliver is a post-exploitation framework that is gaining notoriety in the hacking underground as an alternative to the Cobalt Strike framework.

The choice of using Rust language for the development of KrustyLoader introduces additional challenges in obtaining a comprehensive understanding of malware behavior.

The experts published the Yara rule for the detection of similar KrustyLoader samples.

“Rust payloads detected by Volexity team turn out to be pretty interesting Sliver downloaders as they were executed on Ivanti Connect Secure VPN after the exploitation of CVE-2024-21887 and CVE-2023-46805. KrustyLoader – as I dubbed it – performs specific checks in order to run only if conditions are met.” concludes the report. “The fact that KrustyLoader was developed in Rust brings additional difficulties to obtain a good overview of its behavior. A script as well as a Yara rule are publicly available to help detection and extraction of indicators.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, KrustyLoader)