Attackers are exploiting two severe zero-day vulnerabilities in Ivanti VPNs to deploy a set of Rust-based backdoors, which in turn download a backdoor malware known as 'KrustyLoader'.
The vulnerabilities, tracked as CVE-2024-21887 and CVE-2023-46805, enable unauthenticated remote code execution (RCE) and authentication bypass respectively, and affect Ivanti's Connect Secure VPN appliances. Despite their severity, no patches have been released yet.
The vulnerabilities were already being exploited before their public disclosure. Following the public announcement, however, a Chinese state-sponsored advanced persistent threat (APT) actor (UNC5221, aka UTA0178) began exploiting them more aggressively, leading to widespread exploitation attempts globally.
Volexity's analysis revealed 12 almost identical Rust payloads being downloaded to compromised devices. These in turn download and execute a variant of the Sliver red-teaming tool, which Synacktiv researcher Théo Letailleur has named 'KrustyLoader'. Letailleur noted, "Sliver is an open-source adversary simulation tool that is gaining popularity among threat actors, since it provides a practical command-and-control framework."
The modified Sliver implant operates as a covert and easily managed backdoor. Letailleur added, "KrustyLoader — as I dubbed it — performs specific checks in order to run only if conditions are met." He also noted that it is well obfuscated and that, being written in Rust, its behavior is harder to analyze.
Ivanti had initially promised patches for CVE-2024-21887 and CVE-2023-46805 on January 22, triggering an alert from CISA. However, the patches have not been released yet. In an update to its advisory on the bugs, published on January 26, Ivanti confirmed the delay in the release of the patches. The company is now targeting this week for the release of the patches but noted that the timing could change as they prioritize the security and quality of each release. As of now, 20 days have passed since the disclosure of these vulnerabilities.