January 30, 2024 at 06:27PM
Attackers are exploiting zero-day vulnerabilities in Ivanti VPNs that allow remote code execution and authentication bypass. Rust-based backdoors are being deployed, which in turn download a backdoor malware, “KrustyLoader.” Chinese state-sponsored APT actors are exploiting these bugs worldwide. Patches for the vulnerabilities (CVE-2024-21887 and CVE-2023-46805) have been delayed, with Ivanti targeting a release this week.
Based on the meeting notes, the key takeaways include:
1. Attackers are actively exploiting two critical zero-day vulnerabilities (CVE-2024-21887 and CVE-2023-46805) in Ivanti VPNs, allowing remote code execution and authentication bypass.
2. The vulnerabilities are being leveraged by Chinese state-sponsored APT actors (UNC5221, aka UTA0178) for mass exploitation attempts worldwide.
3. The exploitation involves deploying a Rust-based set of backdoors, which leads to the download and execution of backdoor malware called “KrustyLoader”, which in turn uses a variant of the Sliver red-teaming tool.
4. The patches for the vulnerabilities in Connect Secure VPNs are delayed, despite Ivanti’s initial promise to release them on Jan. 22. The firm is now targeting this week for the patches, but the timing is subject to change.
5. As of today, it has been 20 days since the vulnerabilities were disclosed.
These takeaways highlight the urgency of addressing the vulnerabilities and the ongoing threat posed by the active exploitation.