January 31, 2024 at 02:36AM
Two zero-day flaws in Ivanti Connect Secure (ICS) VPN have been exploited to distribute the Rust-based KrustyLoader and the Sliver adversary simulation tool. Identified as CVE-2023-46805 and CVE-2024-21887, the flaws allow unauthenticated remote code execution with delayed patches. The vulnerabilities have been utilized by threat actors and other adversaries.
Key takeaways from the meeting notes on Newsroom Cyber Attack / Network Security on January 31, 2024 are:
– Two zero-day flaws in Ivanti Connect Secure (ICS) VPN devices have been exploited to deliver a Rust-based payload called KrustyLoader, enabling the drop of the open-source Sliver adversary simulation tool.
– The vulnerabilities (CVE-2023-46805 and CVE-2024-21887) have high CVSS scores and could be used for unauthenticated remote code execution, with patches delayed and only a temporary mitigation available as of January 26.
– The flaws have been used as zero-days by a Chinese nation-state threat actor named UTA0178 and have been broadly exploited to drop XMRig cryptocurrency miners and Rust-based malware.
– KrustyLoader functions as a loader to download Sliver from a remote server and execute it on the compromised host. Sliver, developed by cybersecurity company BishopFox, has been observed as a lucrative option for threat actors in comparison to other frameworks like Cobalt Strike.
– In 2023, Cobalt Strike, Viper, and Meterpreter were the top offensive security tools observed among attacker-controlled infrastructure, with Sliver, Havoc, Brute Ratel (BRc4), and Mythic observed in lower numbers.
– The company encouraged following them on Twitter and LinkedIn for more exclusive content.
Please let me know if you need further information or analysis on these meeting notes.