State-sponsored groups have been actively exploiting two critical zero-day vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure VPNs, tracked as CVE-2024-21887 and CVE-2023-46805 [1]. Chained together, these vulnerabilities have enabled authentication bypass [5], command injection [5], and remote code execution [1] [2] [4] [5]. The attacks, attributed to a nation-state threat actor [5], have impacted numerous organizations and have been ongoing since December. The Cybersecurity and Infrastructure Security Agency issued an emergency directive for Federal Civilian Executive Branch agencies in response to the attacks [5]. The attacks show similarities to the Volt Typhoon activity linked to the People’s Republic of China [5].

Description

Chinese state-sponsored advanced persistent threat actors began exploiting the vulnerabilities shortly after they were publicly disclosed [1]. Compromised appliances were observed downloading 12 separate but nearly identical Rust payloads [1], which then execute a backdoor called KrustyLoader. KrustyLoader is a variant of the Sliver red-teaming tool and acts as a stealthy, easily controlled backdoor [1]. Analysis of these Rust payloads showed that they share almost 100% code similarity, indicating that they most likely originate from the same threat actor. The payloads were discovered during an investigation into the Ivanti Connect Secure VPN vulnerabilities [4].

The analysis also showed that KrustyLoader extracts an encrypted URL embedded in the sample and then performs a fixed sequence of actions [6]: it creates a randomly named file [6], decrypts the URL [6], downloads the payload from it, and executes that payload [6]. The URL is decrypted with AES-128 in CFB mode [6]. Each of the 12 payloads downloads a Sliver backdoor from a different URL [6], and the backdoors communicate with their C2 server over HTTP/HTTPS [6]. Incident response provider Synacktiv has developed a script that statically retrieves and decrypts the URL used by KrustyLoader without executing the malware; it successfully recovered the URL for all 12 samples [6].
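The following is an added example, not Synacktiv's script, illustrating the static-extraction idea described above for defenders who need to pull the download URL out of a sample as an indicator without running it. The blob layout (a marker, a 16-byte IV, a 2-byte length, then AES-128-CFB ciphertext), the key and the URL are all constructed for this example and are not KrustyLoader's real format.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
	"strings"
)

// Constructed layout (assumption for this example, not the real malware's):
// marker || 16-byte IV || 2-byte big-endian length || AES-128-CFB ciphertext.
var marker = []byte("URLBLOB:")

// embedURL builds a constructed sample that mimics a binary carrying an encrypted URL.
func embedURL(key, iv []byte, url string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	ct := make([]byte, len(url))
	cipher.NewCFBEncrypter(block, iv).XORKeyStream(ct, []byte(url))
	var out bytes.Buffer
	out.WriteString("\x7fELF-filler-bytes-before-the-blob") // constructed filler
	out.Write(marker)
	out.Write(iv)
	out.Write([]byte{byte(len(ct) >> 8), byte(len(ct))})
	out.Write(ct)
	out.WriteString("filler-bytes-after-the-blob") // constructed filler
	return out.Bytes(), nil
}

// extractURL recovers the URL statically: find the marker, read IV and length,
// decrypt with AES-128-CFB, and check the plaintext actually looks like a URL.
func extractURL(sample, key []byte) (string, error) {
	i := bytes.Index(sample, marker)
	if i < 0 {
		return "", errors.New("marker not found")
	}
	p := i + len(marker)
	if len(sample) < p+aes.BlockSize+2 {
		return "", errors.New("truncated blob header")
	}
	iv := sample[p : p+aes.BlockSize]
	p += aes.BlockSize
	n := int(sample[p])<<8 | int(sample[p+1])
	p += 2
	if len(sample) < p+n {
		return "", errors.New("truncated ciphertext")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	pt := make([]byte, n)
	cipher.NewCFBDecrypter(block, iv).XORKeyStream(pt, sample[p:p+n])
	url := string(pt)
	if !strings.HasPrefix(url, "http://") && !strings.HasPrefix(url, "https://") {
		return "", fmt.Errorf("plaintext is not a URL (wrong key or layout?)")
	}
	return url, nil
}

func main() {
	key := []byte("0123456789abcdef") // constructed 16-byte AES-128 key
	iv := []byte("fedcba9876543210")  // constructed IV
	sample, _ := embedURL(key, iv, "https://example.invalid/stage2")
	fmt.Println(extractURL(sample, key))
}
```

The URL-prefix check is what turns a wrong key or wrong offset into an explicit error rather than a garbage indicator being recorded.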

Ivanti has confirmed that the patch for these vulnerabilities will be delayed until this week, despite an earlier promise to release it on January 22 [1]. The vulnerabilities have been widely exploited [1] [5], and users have been eagerly awaiting the patch [5]. Over 26,000 Connect Secure hosts were previously reported to be exposed to the public internet, with more than 410 of them compromised [5]. Administrators were warned not to push configuration to appliances until they were patched [5], because doing so caused key web services to stop functioning properly [5]. The affected products are Ivanti Connect Secure and Ivanti Policy Secure [5], and about 15 federal agencies were reported to be using them [5].

The payloads discovered on compromised Ivanti Connect Secure appliances share almost 100% code similarity [3], suggesting they come from the same sophisticated threat actor [3]. Synacktiv researcher Théo Letailleur's analysis of the 12 Rust payloads found them to be highly sophisticated [3], performing specific environment checks before running [3]. This aligns with earlier findings from Volexity and Mandiant [3], who reported that an advanced persistent threat (APT) actor was responsible for exploiting the Ivanti zero-days [3].

Conclusion

The exploitation of the Ivanti Connect Secure and Ivanti Policy Secure VPN vulnerabilities by state-sponsored groups has had significant impacts on numerous organizations. Ivanti's delayed patch release has left users exposed, and the widespread exploitation of these vulnerabilities underlines the need for timely and effective security measures. Incident response providers such as Synacktiv [4] have played a crucial role in analyzing and mitigating the threat posed by the KrustyLoader malware. Moving forward, organizations must remain vigilant and implement the necessary security measures to protect against advanced persistent threats.

References

[1] https://www.darkreading.com/endpoint-security/ivanti-zero-day-patches-delayed-krustyloader-attacks-mount
[2] https://flyytech.com/2024/01/31/ivanti-zero-day-patches-delayed-as-krustyloader-attacks-mount/
[3] https://ciso2ciso.com/rust-payloads-exploiting-ivanti-zero-days-linked-to-sophisticated-sliver-toolkit-source-www-infosecurity-magazine-com/
[4] https://www.infosecurity-magazine.com/news/rust-payloads-ivanti-zero-days/
[5] https://www.cybersecuritydive.com/news/ivanti–zero-day-patches-delayed/705866/
[6] https://www.synacktiv.com/en/publications/krustyloader-rust-malware-linked-to-ivanti-connectsecure-compromises