A pair of critical zero-day vulnerabilities in Ivanti VPNs are being used by attackers to deploy a Rust-based set of backdoors and download a backdoor malware called “KrustyLoader.” The two bugs, which were disclosed earlier in January, allow unauthenticated remote code execution (RCE) and authentication bypass, respectively, affecting Ivanti’s Connect Secure VPN gear. Neither of the vulnerabilities has patches yet.
It has been reported that both zero-day vulnerabilities were already under active exploitation in the wild, and that Chinese state-sponsored advanced persistent threat (APT) actors (UNC5221, aka UTA0178) were quick to exploit the bugs after their public disclosure, mounting mass exploitation attempts worldwide. According to Volexity’s analysis of the attacks, 12 separate but nearly identical Rust payloads were uncovered being downloaded to compromised appliances; these in turn download and execute a variant of the Sliver red-teaming tool, known as KrustyLoader.
Théo Letailleur, a Synacktiv researcher, referred to the open-source adversary simulation tool “Sliver 11” and noted its increasing popularity among threat actors, as it provides a practical command-and-control framework. Letailleur mentioned that the rejiggered Sliver implant acts as a stealthy and easily controlled backdoor. Furthermore, Letailleur stated that KrustyLoader was developed in Rust, which makes it harder to obtain a good overview of its behavior.
As for the patches for CVE-2024-21887 and CVE-2023-46805 in Connect Secure VPNs, they are delayed. Ivanti had promised them for Jan. 22, prompting a CISA alert, but they failed to materialize. In the latest update to its advisory on the bugs, published Jan. 26, the firm noted that “The targeted release of patches for supported versions is delayed, this delay impacts all subsequent planned patch releases … Patches for supported versions will still be released on a staggered schedule.” Ivanti said it is targeting this week for the fixes, but it also noted that “the timing of patch release is subject to change as we prioritize the security and quality of each release.” It has been 20 days since the vulnerabilities’ disclosure, and the patches have yet to be released.
In conclusion, the exploitation of the zero-day vulnerabilities in Ivanti VPNs has become a cause for concern, especially with the swift adoption of these bugs by Chinese state-sponsored APT actors. The delayed release of patches only exacerbates the situation, leaving organizations that use Ivanti’s Connect Secure VPN gear vulnerable to potential attacks. It is imperative for Ivanti to expedite the release of patches to mitigate the risk and ensure the security of its customers’ networks.