A pair of recently disclosed zero-day flaws in Ivanti Connect Secure (ICS) virtual private network (VPN) devices have been exploited to deliver a Rust-based payload called KrustyLoader, which is used to drop the open-source Sliver adversary simulation tool.
The security vulnerabilities, tracked as CVE-2023-46805 (CVSS score: 8.2) and CVE-2024-21887 (CVSS score: 9.1), could be abused to achieve unauthenticated remote code execution on susceptible devices.
As of January 26, patches for the two flaws have been delayed, although the software company has released a temporary mitigation via an XML file.
Volexity, which first shed light on the shortcomings, said they have been weaponized as zero-days since December 3, 2023, by a Chinese nation-state threat actor tracked under the name UTA0178. Google-owned Mandiant has given the group the moniker UNC5221.
Following public disclosure earlier this month, the vulnerabilities have been widely exploited by other adversaries to drop XMRig cryptocurrency miners and Rust-based malware.
Synacktiv’s analysis of the Rust malware, code-named KrustyLoader, revealed that it functions as a loader to download Sliver from a remote server and run it on the compromised host.
Sliver, developed by cybersecurity firm Bishop Fox, is a Golang-based cross-platform post-exploitation framework that has emerged as a lucrative option for threat actors compared to other well-known alternatives such as Cobalt Strike.
That said, Cobalt Strike continues to be the top offensive security tool observed across attacker-controlled infrastructure in 2023, followed by Viper and Meterpreter, according to a report published by Recorded Future earlier this month.
“Both Havoc and Mythic have become relatively popular, but are still seen in much lower numbers than Cobalt Strike, Meterpreter or Viper,” the company said. “Four other well-known frameworks are Sliver, Havoc, Brute Ratel (BRc4), and Mythic.”