Users of Ivanti’s Connect Secure (ICS) Virtual Private Network (VPN) devices should beware: the fixes contain two high-severity vulnerabilities linked together to deliver the Silver malware.
First things first: the two vulnerabilities exploited here are tracked as CVE-2023-46805 and CVE-2024-21887. The former has a severity score of 8.2, the latter a 9.1. Volexity researchers first spotted these two being exploited in early December 2023 and alleged that Chinese state-sponsored threat actors were exploiting them as zero-days.
Now some hacking collectives appear to be using the flaws to first deliver KrustyLoader, a payload dropper built into Rust. Synacktiv researchers say the purpose of KrustyLoader is to download Sliver from a remote server and run it on the compromised endpoint. Sliver, on the other hand, is an open-source, cross-platform post-exploitation framework built in the Go language. Some are using it as an alternative to Cobalt Strike, it was said.
Even more bugs to patch
It first appeared in mid-2022, then BleepingComputer It is reported that hackers are “dumping the Cobalt Strike penetration test suite in favor of similar frameworks that are less well known.” These include not only Sliver, but also Brute Ratel, Viper, Meterpreter and Havoc. Apparently hackers started ditching Cobalt Strike because their targets had put up stronger defenses. Sliver was developed by a cybersecurity company called BishopFox.
The patch for the two flaws is not yet available, it said, but Ivanti did release a temporary mitigation solution via an XML file.
Besides Sliver, some hackers are apparently using these vulnerabilities to install XMRig on the vulnerable endpoints. XMRig is a cryptojacker that “hijacks” the computing power of the device and quietly mines the Monero cryptocurrency for the attackers. ‘Silent’ is a tall order, however, because miners take up so much computing power that it’s hard not to see that the device is performing poorly.
Through The hacker news