Mirai Botnet Targets Ivanti Connect Secure Vulnerabilities for Malicious Payload Distribution

Two recently identified security vulnerabilities in Ivanti Connect Secure (ICS) devices are being actively exploited to deliver the Mirai botnet malware. The activity was disclosed by Juniper Threat Labs, which reported that the vulnerabilities, tracked as CVE-2023-46805 and CVE-2024-21887, are being leveraged to drop the botnet’s payload.

CVE-2023-46805 is an authentication bypass vulnerability, while CVE-2024-21887 is a command injection flaw. The two can be chained, enabling an unauthenticated attacker to execute arbitrary code and ultimately take control of affected systems. In the attack observed by Juniper Threat Labs, CVE-2023-46805 is used to reach the endpoint “/api/v1/license/key-status/;”, which is susceptible to command injection, allowing the attacker to inject the malicious payload.

Further technical analysis from Assetnote details how the exploit is triggered: a request to the “/api/v1/totp/user-backup-code/” endpoint is used to deploy the malware. Security researcher Kashinath T Pattan explained that the injected command sequence erases files, fetches a script from a remote server, grants it executable permissions, and runs it, leading to system compromise.

Once executed, the shell script downloads the Mirai botnet malware from an attacker-controlled IP address. Pattan notes that this is a troubling development, since the same vulnerability chain could just as easily be used to deliver other malware, including ransomware.
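The exploitation chain described above leaves a recognisable trace in the appliance's web access logs: requests to the two endpoints named in the article that carry shell metacharacters in the path (the command injection), or dot-dot segments under the API tree (a traversal used to reach an endpoint that should require authentication). The following detection script is an added example written for this page; it is not code from Juniper, Assetnote or Ivanti. The log lines are constructed for the example (RFC 5737 test addresses, a placeholder in place of any real injected command), the combined-log format and the endpoint list are assumptions, and the exact request shapes seen in the wild are deliberately not reproduced.

```python
import re
from urllib.parse import unquote

# Endpoints named in the article (assumed here to be the only paths worth watching;
# extend the tuple for your own environment).
WATCHED_PREFIXES = (
    "/api/v1/license/key-status/",
    "/api/v1/totp/user-backup-code/",
)

# Shell metacharacters that have no business in a URL path under those prefixes,
# and dot-dot segments that indicate path traversal anywhere under /api/.
INJECTION_RE = re.compile(r"[;|`&]|\$\(")
TRAVERSAL_RE = re.compile(r"(^|/)\.\.(/|$)")

# Apache/nginx-style combined access log: client, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log (not from the article): one benign page load, one
# unauthenticated probe of the endpoint that is correctly rejected, and two
# requests carrying a metacharacter (the second one URL-encoded as %3B).
SAMPLE_LOG = """\
198.51.100.7 - - [12/Jan/2024:08:14:02 +0000] "GET /index.html HTTP/1.1" 200 5123
198.51.100.7 - - [12/Jan/2024:08:14:09 +0000] "GET /api/v1/license/key-status/ HTTP/1.1" 401 87
203.0.113.45 - - [12/Jan/2024:08:15:31 +0000] "GET /api/v1/license/key-status/;placeholder HTTP/1.1" 200 312
203.0.113.45 - - [12/Jan/2024:08:15:33 +0000] "GET /api/v1/totp/user-backup-code/%3Bplaceholder HTTP/1.1" 200 0
"""


def classify_request(path: str) -> list[str]:
    """Return the reasons a request path looks like exploitation of the ICS flaws.

    An empty list means the request is not flagged.
    """
    # Drop the query string and decode twice so single- and double-encoded
    # metacharacters are both seen in their literal form.
    decoded = unquote(unquote(path.split("?", 1)[0]))
    reasons: list[str] = []
    watched = next((p for p in WATCHED_PREFIXES if p in decoded), None)
    if watched and INJECTION_RE.search(decoded):
        reasons.append(f"shell metacharacter in request to {watched}")
    if decoded.startswith("/api/") and TRAVERSAL_RE.search(decoded):
        reasons.append("path traversal in API request")
    return reasons


def scan_log(text: str) -> list[dict]:
    """Parse access-log text and return one record per flagged request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a production version would count these
        reasons = classify_request(m["path"])
        if reasons:
            hits.append({
                "ip": m["ip"],
                "path": m["path"],
                "status": int(m["status"]),
                "reasons": reasons,
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        # A 200 on a flagged request is the case worth escalating: the injected
        # command was accepted rather than rejected by authentication.
        print(f"{hit['ip']} {hit['status']} {hit['path']} -> {', '.join(hit['reasons'])}")
```

The rule flags on metacharacters rather than on any specific payload, so it also catches variations on the command sequence the article describes. A flagged request that received a 200 is the one to treat as a probable compromise; the same request answered with a 401 is a failed probe and useful mainly for identifying scanning sources.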

In a separate development, SonicWall has reported a counterfeit Windows File Explorer executable that installs a cryptocurrency miner. The distribution mechanism has not been identified, but once run the malware places its files in the /Windows/Fonts/ directory, including the crypto miner itself and a batch file that launches the mining process.
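Because the Fonts directory is rarely inspected, a simple hunting check is to list anything there that is not a font: a file with a script or executable extension, or a file whose first bytes are a PE header regardless of its name. The following is an added example for this page, not code from SonicWall or any vendor; the allowlist of font extensions, the sample entries and the `C:\Windows\Fonts` default path are assumptions made for the example.

```python
from pathlib import Path
from typing import Optional

# Extensions legitimately expected under the Fonts directory (constructed
# allowlist; extend it for your environment before treating misses as alerts).
FONT_EXTENSIONS = {
    ".ttf", ".otf", ".ttc", ".fon", ".fnt", ".pfb", ".pfm",
    ".ini", ".compositefont", ".xml",
}
SCRIPT_OR_EXEC_EXTENSIONS = {".bat", ".cmd", ".ps1", ".vbs", ".exe", ".dll", ".scr"}
PE_MAGIC = b"MZ"  # DOS header that begins every Windows PE executable

# Constructed sample directory listing: (file name, first bytes of the file).
# A genuine TrueType font, a miner-style executable, its launcher batch file,
# a normal desktop.ini, and a PE that was renamed to look like a font.
SAMPLE_ENTRIES = [
    ("arial.ttf", b"\x00\x01\x00\x00"),
    ("explorer.exe", b"MZ\x90\x00"),
    ("start.bat", b"@echo off"),
    ("desktop.ini", b"[.ShellClassInfo]"),
    ("segoeui.ttf", b"MZ\x90\x00"),
]


def is_suspicious(name: str, head: bytes) -> Optional[str]:
    """Return why a Fonts-directory entry is suspicious, or None if it looks normal."""
    ext = Path(name).suffix.lower()
    # Magic bytes win over the extension: a renamed executable is still an executable.
    if head.startswith(PE_MAGIC):
        return "PE executable header"
    if ext in SCRIPT_OR_EXEC_EXTENSIONS:
        return f"script/executable extension {ext}"
    if ext not in FONT_EXTENSIONS:
        return f"unexpected extension {ext or '(none)'}"
    return None


def triage_entries(entries) -> list[tuple[str, str]]:
    """Apply is_suspicious to (name, head) pairs and keep only the flagged ones."""
    flagged = []
    for name, head in entries:
        reason = is_suspicious(name, head)
        if reason:
            flagged.append((name, reason))
    return flagged


def scan_fonts_dir(path: str = r"C:\Windows\Fonts") -> list[tuple[str, str]]:
    """Read the first two bytes of every file in the directory and triage them."""
    entries = []
    for p in Path(path).iterdir():
        if p.is_file():
            with p.open("rb") as fh:
                entries.append((p.name, fh.read(2)))
    return triage_entries(entries)


if __name__ == "__main__":
    for name, reason in triage_entries(SAMPLE_ENTRIES):
        print(f"{name}: {reason}")
```

Run `scan_fonts_dir()` on a live host to triage the real directory; the renamed-PE case is the reason the check reads file headers instead of trusting extensions.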

Incidents such as the exploitation of Ivanti’s vulnerabilities underscore the need for robust protective measures. Organizations, particularly in the tech sector, must remain vigilant against exploits of this kind, which map to the initial access and command and control tactics of the MITRE ATT&CK framework. The findings emphasize the importance of applying updates and patches promptly, as failure to do so can expose organizations to significant risk.
