Recently reported zero-day vulnerabilities in Ivanti Connect Secure (ICS) virtual private network (VPN) devices have been actively exploited to deploy a Rust-based payload known as KrustyLoader. This malicious software component is specifically designed to install the open-source Sliver adversary simulation tool, which has gained traction among threat actors.
The security flaws, identified as CVE-2023-46805 and CVE-2024-21887, present critical risks, with CVSS scores of 8.2 and 9.1, respectively. Chained together, these vulnerabilities allow attackers to perform unauthenticated remote code execution on targeted devices, making them particularly hazardous. While Ivanti has acknowledged the issues, as of January 26, 2024, official patches had not yet been released; however, a temporary mitigation has been made available in the form of an XML file.
Volexity, the cybersecurity firm that first uncovered these vulnerabilities, reports that they have been weaponized by a Chinese nation-state actor tracked as UTA0178 since December 3, 2023. Google's Mandiant tracks the same group as UNC5221. Following the disclosure of these vulnerabilities, other malicious actors have begun exploiting them to deploy both XMRig cryptocurrency miners and additional Rust-based malware.
In-depth analysis by Synacktiv has revealed that KrustyLoader serves as a loader, capable of downloading Sliver from remote servers and executing it on compromised systems. Sliver itself, developed by BishopFox, is a versatile post-exploitation framework written in Golang, positioning it as an appealing alternative to established tools like Cobalt Strike for adversaries seeking an effective command-and-control solution.
Despite Sliver’s rise, Cobalt Strike remains the preferred offensive security tool among malicious actors, according to a recent report from Recorded Future. Other frameworks, such as Viper and Meterpreter, trail behind but have not been overlooked by threat actors, who also show an increased interest in tools like Havoc and Mythic, albeit at a significantly lower frequency.
In terms of cyber threat tactics, this incident showcases numerous MITRE ATT&CK techniques, including initial access via exploitation of software vulnerabilities, and potential persistence methods associated with deploying loaders and other malware. Moreover, privilege escalation could be a factor as attackers leverage these vulnerabilities to gain deeper access into compromised networks.
As cyber threats continue to evolve, the importance of timely patch management and comprehensive vulnerability assessments becomes paramount for organizations utilizing Ivanti Connect Secure and similar technologies. Business owners need to remain vigilant, understanding that heightened activity from threat actors could pose significant risks to their operations and sensitive data. As always, maintaining awareness of the changing landscape of cyber threats is crucial for informed decision-making and effective cybersecurity strategies.