Ivanti Zero-Day Patches Delayed as 'KrustyLoader' Attacks Mount

The two bugs were disclosed earlier in January, allowing unauthenticated remote code execution and authentication bypass, respectively, affecting Ivanti's Connect Secure VPN gear.
While both zero days were already under active exploitation in the wild, Chinese state-sponsored advanced persistent threat actors quickly hopped on the bugs after public disclosure, mounting mass exploitation attempts worldwide.
Volexity's analysis of the attacks uncovered 12 separate but nearly identical Rust payloads downloaded to compromised appliances; these in turn download and execute a variant of the Sliver red-teaming tool, which Synacktiv researcher Théo Letailleur named KrustyLoader.
He noted that the rejiggered Sliver implant acts as a stealthy and easily controlled backdoor.
The patches for CVE-2024-21887 and CVE-2023-46805 in Connect Secure VPNs are delayed.
Ivanti had promised them on Jan. 22, prompting a CISA alert, but they failed to materialize.
As of today, it's been 20 days since the vulnerabilities' disclosure.


This Cyber News was published on www.darkreading.com. Publication date: Tue, 30 Jan 2024 23:25:26 +0000