Analysis Summary

The recent security vulnerabilities in Ivanti Connect Secure (ICS) devices, specifically CVE-2023-46805 and CVE-2024-21887, have raised significant concerns within the cybersecurity community due to their exploitation by threat actors to deploy the notorious Mirai botnet.

According to researchers, these vulnerabilities have been leveraged in tandem allowing attackers to execute arbitrary code and compromise vulnerable instances of ICS. CVE-2023-46805, identified as an authentication bypass flaw, enables unauthorized access to certain endpoints within ICS. This flaw was exploited by attackers to gain entry into the vulnerable "/api/v1/license/key-status/" endpoint, which is susceptible to command injection.

By exploiting this weakness, threat actors can inject malicious payloads initiating a sequence of actions that ultimately compromise the system. In conjunction with CVE-2023-46805, the command injection vulnerability (CVE-2024-21887) provides attackers with the means to execute arbitrary commands within the ICS environment. The attack chain observed by security researchers involves triggering the exploit via a request to "/api/v1/totp/user-backup-code/," which, according to technical analysis, facilitates the deployment of malware.

The deployed malware includes a shell script designed to download the Mirai botnet from a specified IP address controlled by the threat actor. This botnet, infamous for its capacity to launch distributed denial-of-service (DDoS) attacks by compromising IoT devices, represents a significant escalation in the threat landscape.

The ramifications of these exploits extend beyond Mirai deployment, potentially opening the door to various other forms of malware and ransomware. As highlighted by security researchers, the delivery of Mirai through these vulnerabilities underscores the evolving nature of cyber threats emphasizing the need for proactive security measures.

Amidst these developments, additional concerns arise from discoveries regarding a fake Windows File Explorer executable ("explorer.exe") used to distribute a cryptocurrency miner. This tactic reflects a broader trend of cybercriminals diversifying their attack vectors and payloads.

The precise distribution methods for this malware remain unclear, necessitating ongoing investigation and vigilance from security professionals. The findings underscore the importance of holistic cybersecurity strategies that encompass threat detection prevention and response to mitigate the evolving risks posed by sophisticated threat actors.

Impact

• Code Execution
• Unauthorized Access
• Denial of Service

Indicators of Compromise

SHA1

• c18b078672f44c0fc2cf015858a4647ba5edd22a
• 3917d7c86874b0bc65e809c3cb61e0fd0b3bdece
• 92264440d5ae6366b038f6eecd35d0f16cd48a7c
• 801b0f681971ef167dfbc6d5d5d32fc07228241d
• 7840a7e6d57a5b8ff5751cdaffb98d027492f5eb
• 0e4282419bdc1c100251aebf67e8bddb385e71ce
• ee840fe5aaf7a32eebb972ef043ada01ed586da1
• c3e6535abd3168bad066bd751b65e6e68e9db7e4
• b78f462be54da6a3739b0a0778f2cbd1581cfdd7
• 888a790a0d7b268c16c6bdbed0d07b2e7d7dd79d
• a81171394b9e1a837463e91e207ce955cbf2a87f
• e9b45ce39ff9ce32a6cb42f9ea38adb346afa7b4
• 3ae49cd41b84c97a14ca7f10840c1201164dcc89
• b9fc58c31ef7c4e4f93d20c2e40b3c9c71476b0d
• 8ded684340a0e6de4d7fe7db4a89f7d29a3ca839
• 3ed6c0b972869da6273757f3f1c94d8d351d11dc

Remediation

• Refer to the Ivanti Website for patch, upgrade, or suggested workaround information.
• Block all threat indicators at your respective controls.
• Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Implement multi-factor authentication to add an extra layer of security to login processes.
• Regularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is underway.
• Organizations need to stay vigilant and follow best practices for cybersecurity to protect their systems and data from potential threats. This includes regularly updating software and implementing strong access controls and monitoring tools.
• Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
• Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
• Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
• Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
• Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
• Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.