Ivanti Zero-Day patches delayed as “KrustyLoader” attacks mount

Attackers are using a pair of critical zero-day vulnerabilities in Ivanti VPNs to deploy a series of Rust-based backdoors, which in turn download a backdoor malware called “KrustyLoader.”

The two bugs were announced at the beginning of January (CVE-2024-21887 and CVE-2023-46805), allowing unauthenticated remote code execution (RCE) and authentication bypass, respectively, and affecting Ivanti’s Connect Secure VPN appliances. Neither has a patch yet.

While both zero-days were already being actively exploited in the wild, the Chinese state-sponsored Advanced Persistent Threat (APT) actor behind them (UNC5221, aka UTA0178) quickly went after the bugs following public disclosure, with mass-exploitation attempts growing around the world. Volexity’s analysis of the attacks found that 12 separate but nearly identical Rust payloads were being downloaded onto compromised machines, which in turn downloaded and ran a variant of the Sliver red-teaming tool, which Synacktiv researcher Théo Letailleur has called KrustyLoader.

“Sliver is an open source adversary simulation tool that is gaining popularity among threat actors, as it provides a practical command and control framework,” Letailleur said in his analysis yesterday, which also offers hashes, a Yara rule, and a script for detection and extraction of indicators of compromise (IoCs). He noted that the repackaged Sliver implant acts as a stealthy and easily controlled backdoor.

“KrustyLoader, as I’ve nicknamed it, makes specific checks to only run if conditions are met,” he added, noting that it’s also well obfuscated. “The fact that KrustyLoader was developed in Rust brings additional difficulties in getting a good overview of its behavior.”

Meanwhile, the patches for CVE-2024-21887 and CVE-2023-46805 in Connect Secure VPN are experiencing delays. Ivanti promised them on January 22, prompting a CISA alert, but they did not materialize. In the latest bug advisory update, published on January 26, the company noted: “Targeted patch releases for supported versions are delayed, this delay impacts all subsequent scheduled patch releases…Patches for supported versions will continue to be released on a staggered schedule.”

Ivanti said fixes are the focus for this week, but noted that “patch release times are subject to change as we prioritize the security and quality of each release.”

To date, 20 days have passed since the disclosure of the vulnerabilities.