Mirai Botnet Exploits Ivanti Connect Secure Vulnerabilities

May 9, 2024

Juniper Threat Labs has reported that unidentified threat actors are exploiting recently exposed vulnerabilities in Ivanti Connect Secure (ICS) to distribute the payload of the Mirai botnet. Ivanti, a software company, had earlier disclosed that two zero-day vulnerabilities (CVE-2023-46805, CVE-2024-21887) in Connect Secure (ICS) and Policy Secure were being exploited by threat actors to carry out remote execution of arbitrary commands on targeted gateways.

The first vulnerability, CVE-2023-46805, with a CVSS score of 8.2, is an Authentication Bypass issue that is present in the web component of Ivanti ICS 9.x, 22.x and Ivanti Policy Secure. This vulnerability can be triggered by a remote attacker to access restricted resources by bypassing control checks.

The second flaw, CVE-2024-21887, with a CVSS score of 9.1, is a command injection vulnerability in the web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure. An authenticated administrator can exploit this vulnerability by sending specially crafted requests to execute arbitrary commands on the appliance.

Ivanti's advisory states, “If CVE-2024-21887 is used in conjunction with CVE-2023-46805, exploitation does not require authentication and enables a threat actor to craft malicious requests and execute arbitrary commands on the system.”

Juniper Threat Labs researchers have observed threat actors exploiting the CVE-2023-46805 vulnerability to gain access to the end point “/api/v1/license/key-status/;” They then exploit the command injection issue to inject their payload.

The researchers have noted instances where attackers have exploited this vulnerability using both curl and Python-based reverse shells, enabling them to take control of vulnerable systems. They have also encountered Mirai payloads delivered through shell scripts.

The researchers analyzed the payloads and identified them as Mirai bots. They warn that the increasing attempts to exploit Ivanti Pulse Secure’s authentication bypass and remote code execution vulnerabilities represent a significant threat to network security. The discovery of Mirai botnet delivery through these exploits highlights the constantly changing landscape of cyber threats. The fact that Mirai was delivered through this vulnerability also indicates that the deployment of other harmful malware and ransomware can be expected. Understanding how these vulnerabilities can be exploited and recognizing the specific threats they pose is crucial for protection against potential risks.

Related News

• China-Linked Cyber Espionage Targets MITRE Network: ROOTROT Webshell Exploited
• MITRE Corporation's Network Breached by State-Backed Hackers Using Ivanti Zero-Days
• Ivanti Patches High-Risk Vulnerabilities in VPN Gateways
• CISA Systems Compromised Through Ivanti Vulnerabilities, Prompting System Shutdown
• Magnet Goblin Exploits 1-Day Vulnerabilities with New Linux Variant of NerbianRAT Malware

Latest News

• Apple Patches Safari WebKit Zero-Day Exploit Uncovered at Pwn2Own
• VMware Patches Trio of Zero-Day Vulnerabilities Exposed at Pwn2Own 2024
• Google Chrome Rolls Out Emergency Patch for 6th Zero-Day Exploit of 2024
• Apple Backports Security Patches to Older iPhones and iPads Amid Active Exploitation of Zero-Day
• High-Severity Vulnerabilities in BIG-IP Next Central Manager Patched by F5