Threat actors are exploiting recently disclosed zero-day flaws in Ivanti Connect Secure (ICS) VPN devices to deliver KrustyLoader.
In early January 2024, software firm Ivanti reported that threat actors were exploiting two zero-day vulnerabilities (CVE-2023-46805, CVE-2024-21887) in Connect Secure (ICS) and Policy Secure to remotely execute arbitrary commands on targeted gateways.
Researchers from cybersecurity firm Synacktiv published a technical analysis of a Rust malware, named KrustyLoader, that was delivered by threat actors exploiting the above vulnerabilities.
The flaw CVE-2023-46805 (CVSS score 8.2) is an authentication bypass issue in the web component of Ivanti ICS 9.x, 22.x and Ivanti Policy Secure. A remote attacker can trigger the vulnerability to access restricted resources by bypassing control checks.
The second flaw, tracked as CVE-2024-21887 (CVSS score 9.1) is a command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure. An authenticated administrator can exploit the issue by sending specially crafted requests and execute arbitrary commands on the appliance.
An attacker can chain the two flaws to send specially crafted requests to unpatched systems and execute arbitrary commands.
“If CVE-2024-21887 is used in conjunction with CVE-2023-46805, exploitation does not require authentication and enables a threat actor to craft malicious requests and execute arbitrary commands on the system.” reads the advisory published by Ivanti.
At the time of the disclosure, Ivanti released mitigations and confirmed it was working on a security patch.
Volexity researchers observed threat actors actively exploiting the two zero-days in the wild. In December 2023, Volexity investigated an attack where an attacker was placing webshells on multiple internal and external-facing web servers.
The researchers also reported that a threat actor tracked as UTA0178 (aka UNC5221) is actively exploiting the vulnerabilities and is scanning for further vulnerable devices.
Targets span the globe and include both small businesses and large organizations, among them multiple Fortune 500 companies operating in various industry sectors, such as:
- Global government and military departments
- National telecommunications companies
- Defense contractors
- Technology firms
- Banking, finance, and accounting institutions
- Worldwide consulting services
- Aerospace, aviation, and engineering entities
After being publicly disclosed, multiple threat actors started exploiting these vulnerabilities to deploy XMRig cryptocurrency miners and Rust-based malware.
Synacktiv researchers noticed that threat actors used the KrustyLoader as a loader to download a Golang-based Sliver backdoor from a remote server and execute it.
“Based on my observations, all the samples download a Sliver (Golang) backdoor, though from different URLs.” reads the report published by Synacktiv. “The Sliver backdoors contact their C2 server using HTTP/HTTPS communication. Sliver is an open-source adversary simulation tool that is gaining popularity among threat actors, since it provides a practical command and control framework.”
Sliver is a post-exploitation framework that is gaining notoriety in the hacking underground as an alternative to the Cobalt Strike framework.
The choice of Rust for the development of KrustyLoader makes the malware harder to analyze and complicates obtaining a comprehensive understanding of its behavior.
The experts published a YARA rule for the detection of similar KrustyLoader samples, along with a script to extract indicators from them.
“Rust payloads detected by Volexity team turn out to be pretty interesting Sliver downloaders as they were executed on Ivanti Connect Secure VPN after the exploitation of CVE-2024-21887 and CVE-2023-46805. KrustyLoader – as I dubbed it – performs specific checks in order to run only if conditions are met.” concludes the report. “The fact that KrustyLoader was developed in Rust brings additional difficulties to obtain a good overview of its behavior. A script as well as a Yara rule are publicly available to help detection and extraction of indicators.”
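The report above describes KrustyLoader as a Rust-compiled downloader that fetches a Sliver payload from a hard-coded URL, and mentions a script that extracts indicators from samples. The triage script below is an added example, not Synacktiv's script nor the published YARA rule: it pulls the toolchain path strings that unstripped Rust binaries typically embed (`/rustc/<hash>/library/std/src/...`, `hyper/src/` for the common HTTP client crate) together with any embedded `http(s)://` URLs, and flags a file as a Rust downloader candidate when both are present. The `SAMPLE_BLOB` is a constructed stand-in for a binary, not a real sample, and the marker list is a heuristic assumption rather than a signature for KrustyLoader.

```python
import json
import re
import sys
from typing import Dict, List

# Constructed stand-in for a Rust-compiled ELF downloader. This is NOT a real
# KrustyLoader sample; the strings only imitate what such a binary embeds.
SAMPLE_BLOB = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"/rustc/abcdef0123456789/library/std/src/panicking.rs\x00"
    + b"\x00" * 4
    + b"https://example.invalid/payload/sliver.bin\x00"
    + b"\x00" * 3
    + b"hyper/src/client/connect/http.rs\x00"
    + b"http://203.0.113.5:8080/x\x00"
)

# Heuristic markers (an assumption, not a KrustyLoader signature): source paths
# that the Rust standard library and the hyper HTTP crate leave in panic
# messages of binaries that were not stripped or built with path remapping.
RUST_MARKERS = [
    b"/rustc/",
    b"library/std/src/",
    b"library/core/src/",
    b"panicking.rs",
    b"hyper/src/",
]

# URLs are terminated by NUL or any byte outside the URL character set.
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+")


def is_elf(data: bytes) -> bool:
    """True when the file starts with the ELF magic."""
    return data[:4] == b"\x7fELF"


def rust_markers(data: bytes) -> List[str]:
    """Return the Rust toolchain markers found in the raw bytes."""
    return [m.decode() for m in RUST_MARKERS if m in data]


def extract_urls(data: bytes) -> List[str]:
    """Return unique http(s) URLs embedded in the binary, in order of appearance."""
    seen: List[str] = []
    for match in URL_RE.finditer(data):
        url = match.group(0).decode("ascii", "replace")
        if url not in seen:
            seen.append(url)
    return seen


def triage(data: bytes) -> Dict[str, object]:
    """Combine the checks into a small verdict a hunter can act on."""
    markers = rust_markers(data)
    urls = extract_urls(data)
    likely_rust = len(markers) >= 2  # one marker alone is too weak
    return {
        "elf": is_elf(data),
        "rust_markers": markers,
        "likely_rust": likely_rust,
        "urls": urls,
        "downloader_candidate": likely_rust and len(urls) > 0,
    }


if __name__ == "__main__":
    # Usage: python triage.py <file>; with no argument the constructed blob is used.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BLOB
    print(json.dumps(triage(blob), indent=2))
```

The extracted URLs are the indicators worth pivoting on: they can be checked against proxy and DNS logs from the appliance's network segment, while the Rust markers only narrow the set of binaries that deserve a closer look, since they match any unstripped Rust program.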