A pair of recently disclosed zero-day flaws in Ivanti Connect Secure (ICS) virtual private network (VPN) devices have been exploited to deliver a Rust-based payload called KrustyLoader that’s used to drop the open-source Sliver adversary simulation tool.
The security vulnerabilities, tracked as CVE-2023-46805 (CVSS score: 8.2) and CVE-2024-21887 (CVSS score: 9.1), can be abused to achieve unauthenticated remote code execution on susceptible devices.
As of January 26, patches for the two flaws have been delayed, although the software company has released a temporary mitigation in the form of an XML file.
Volexity, which first highlighted the vulnerabilities, said they have been weaponized as a zero-day by a Chinese nation-state threat actor since December 3, 2023, which it tracks under the name UTA0178. Google-owned Mandiant has assigned the nickname UNC5221 to the group.
Following public disclosure earlier this month, the vulnerabilities have been widely exploited by XMRIG cryptocurrency miners as well as other adversaries to deploy Rust-based malware.
Synacktiv’s analysis of the Rust malware codenamed KrustyLoader revealed that it acts as a loader that downloads Sliver implants from remote servers and executes them on the compromised host.
Sliver, developed by cybersecurity company Bishop Fox, is a Golang-based cross-platform post-exploitation framework that has emerged as an attractive option for threat actors compared to other well-known alternatives such as Cobalt Strike.
According to a report published by Recorded Future earlier this month, Cobalt Strike remains the top offensive security tool among attacker-controlled infrastructure in 2023, followed by Viper and Meterpreter.
“Both Havoc and Mythic have become relatively popular, but are still seen in much smaller numbers than Cobalt Strike, Meterpreter, or Viper,” the company said. “Four other popular frameworks are Sliver, Havoc, Brute Ratel (BRc4), and Mythic.”