Two zero-day vulnerabilities in Ivanti Connect Secure (ICS) VPNs have been exploited by a Chinese nation-state threat actor, identified as UTA0178 by Volexity and UNC5221 by Mandiant. Tracked as CVE-2023-46805 and CVE-2024-21887, the flaws could lead to unauthenticated remote code execution on vulnerable appliances. The attack involves the delivery of a Rust-based payload called KrustyLoader, which is utilized to drop the open-source Sliver adversary simulation tool. Although patches are pending, Ivanti has released a temporary mitigation in the form of an XML file.
The security vulnerabilities in Ivanti’s VPNs have been actively used as zero-days by the Chinese threat actor since December 3, 2023, according to Volexity. The flaws, assigned CVSS scores of 8.2 and 9.1, have broader implications as they allow for unauthenticated remote code execution, emphasizing the challenges in securing VPN infrastructure. The attack campaign has also been noted for dropping XMRig cryptocurrency miners and Rust-based malware, showcasing the diverse objectives of threat actors in exploiting these vulnerabilities. The Chinese threat actor’s use of Ivanti’s VPN flaws highlights the strategic targeting of critical network infrastructure by sophisticated adversaries.
The Rust-based KrustyLoader payload is leveraged to deliver the Sliver adversary simulation tool, a Golang-based cross-platform post-exploitation framework developed by cybersecurity company BishopFox. Synacktiv’s analysis reveals that KrustyLoader functions as a loader to download Sliver from a remote server and execute it on compromised hosts. Sliver, considered a lucrative option for threat actors, has gained prominence as a post-exploitation framework. While Ivanti works on patches, the incident underscores the ongoing threat landscape surrounding VPN vulnerabilities, urging organizations to stay vigilant and implement necessary mitigations.
