Users of Ivanti’s Connect Secure (ICS) virtual private network (VPN) devices beware – the solutions carry two high severity vulnerabilities that are being chained together to deliver the Silver malware.
First things first – the two vulnerabilities being abused here are tracked as CVE-2023-46805, and CVE-2024-21887. The former carries a severity score of 8.2, while the latter 9.1. Researchers from Volexity first spotted these two being abused in early December 2023, claiming that Chinese state-sponsored threat actors abused them as zero-days.
Now, some hacking collectives seem to be using the flaws to first deliver KrustyLoader, a payload dropper built in Rust. Synacktiv researchers are saying that KrustyLoader’s goal is to download Sliver from a remote server and run it on the compromised endpoint. Sliver, on the other hand, is an open-source, cross-platform post-exploitation framework built in the Go language. Some use it as an alternative to Cobalt Strike, it was said.
More bugs to patch
It first emerged in mid-2022, when BleepingComputer reported of hackers “dumping the Cobalt Strike penetration testing suite in favor of similar frameworks that are less known.” These include not just Sliver, but also Brute Ratel, Viper, Meterpreter, and Havoc. Apparently, hackers started ditching Cobalt Strike due to stronger defenses being set up by their targets. Sliver was developed by a cybersecurity firm called BishopFox.
The patch for the two flaws is not yet available, it was said, but Ivanti did release a temporary mitigation solution via an XML file.
Besides Sliver, some hackers are apparently using these vulnerabilities to install XMRig on the vulnerable endpoints. XMRig is a cryptojacker that “hijacks” the device’s computing power and quietly mines the Monero cryptocurrency for the attackers. “Quietly” being a stretch, however, as miners take up so much computing power that it’s hard not to see the device performing poorly.
Via The Hacker News