Beware the Botnet Bonanza: Ivanti Flaws Fuel Mirai Mayhem!

Ivanti Connect Secure users, beware! The latest cyber fashion? Sporting a Mirai botnet accessory, thanks to two snazzy security flaws. Hackers are mixing CVE-2023-46805 with CVE-2024-21887 for a hack-a-lot cocktail. So update before you become the botnet’s next runway disaster! #MiraiBotnet #CyberSecurityDonts

Hot Take:

Brace yourselves, the Mirai botnet is playing ‘hide and seek’ with Ivanti Connect Secure flaws, and it’s “seek” time! CVEs are popping up like daisies, and hackers are gardening their way into systems with a two-punch combo of vulnerabilities. It’s like watching a cyber tango where one step is the authentication bypass, and the other is command injection. Cha-Cha real smooth, hackers. But not smooth enough, because Juniper’s got your number!

Key Points:

  • Cybersecurity limbo: How low can Ivanti Connect Secure go with CVE-2023-46805 and CVE-2024-21887? Apparently low enough for Mirai to limbo under the security bar.
  • Two to tango: Hackers are pairing an auth bypass with a command injection for a duo of doom, commandeering Ivanti Connect Secure (ICS) devices for their botnet bonanza.
  • The malware mambo: Attackers dance their way through API endpoints to deliver a Mirai botnet payload, proving that even code has rhythm (albeit a malicious one).
  • Script shenanigans: A shell script gets downloaded, chmods its way to executable freedom, and launches the malware, because who doesn’t love an auto-start feature?
  • Miner mischief: SonicWall spots a crypto miner masquerading as Windows File Explorer, dropping its bad beats in the /Windows/Fonts/ directory, because even malware needs good typography.

CVE ID: CVE-2023-46805
CVE state: PUBLISHED
CVE assigner short name: hackerone
CVE date updated: 01/12/2024
CVE description: An authentication bypass vulnerability in the web component of Ivanti ICS 9.x, 22.x and Ivanti Policy Secure allows a remote attacker to access restricted resources by bypassing control checks.

CVE ID: CVE-2024-21887
CVE state: PUBLISHED
CVE assigner short name: hackerone
CVE date updated: 01/12/2024
CVE description: A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.

Need to know more?

A Duo of Digital Deviousness

Imagine an authentication bypass and command injection vulnerability walking into a bar—except the bar is an Ivanti Connect Secure device, and the punchline is a compromised system. CVE-2023-46805 is like the bouncer who forgot to check IDs, letting attackers waltz right in. Once inside, CVE-2024-21887 plays the role of the bartender who serves up a command injection cocktail, and just like that, your system is under new management.

The Endpoint Tango

In this episode of 'CSI: Cyber', the "/api/v1/license/key-status/;" endpoint is where the Mirai botnet shakes its digital tailfeather. It's like watching a badly choreographed dance number, except every step is an attacker injecting the payload and your network's defenses are the awkward background dancers.

Scripted Spectacle

The hackers are not just dropping the malware; they're directing an entire play with a shell script as the lead actor. This script doesn't just deliver its lines; it downloads the Mirai botnet malware, rehearses its permissions, and gives a standing ovation-worthy performance of 'system infection'. Cue the dramatic music!
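As an added defender-side example (not code from the original post or from the researchers it cites), here is a small Python scanner that parses web-server access logs in the common combined format and flags requests to the /api/v1/license/key-status/ endpoint that carry a ';' followed by shell-stage keywords (fetch, chmod, execute), the pattern the Endpoint Tango and Scripted Spectacle sections describe. The log lines, IP addresses and paths are constructed samples, and the combined log format is an assumption, since the page shows no appliance log output.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines in combined log format; illustrative, not real traffic.
SAMPLE_LOGS = [
    '203.0.113.5 - - [12/Jan/2024:10:01:02 +0000] "GET /api/v1/license/key-status/ HTTP/1.1" 200 512',
    '203.0.113.9 - - [12/Jan/2024:10:01:05 +0000] "GET /api/v1/license/key-status/;sh%20/tmp/a.sh HTTP/1.1" 200 512',
    '198.51.100.2 - - [12/Jan/2024:10:02:00 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 2048',
    '203.0.113.9 - - [12/Jan/2024:10:01:07 +0000] "POST /api/v1/license/key-status/%3Bchmod%20%2Bx%20/tmp/a.sh HTTP/1.1" 403 0',
]

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
KEY_STATUS = "/api/v1/license/key-status/"
# Stages of the dropper the article describes: download, chmod, launch (assumed keyword list).
STAGE_WORDS = ("curl", "wget", "chmod", "sh ", "/tmp/")

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["path"] = unquote(d["path"])  # decode %3B -> ';' and %20 -> ' ' before inspection
    d["status"] = int(d["status"])
    return d

def classify(entry):
    """Return the reasons a request looks like abuse of the key-status endpoint (empty if clean)."""
    reasons = []
    path = entry["path"]
    if KEY_STATUS in path and ";" in path.split(KEY_STATUS, 1)[1]:
        reasons.append("semicolon after license/key-status endpoint")
        tail = path.split(";", 1)[1].lower()
        hits = [w for w in STAGE_WORDS if w in tail]
        if hits:
            reasons.append("shell-stage keywords: " + ", ".join(h.strip() for h in hits))
    return reasons

def scan(lines):
    """Return (ip, decoded path, status, reasons) for every suspicious request, in log order."""
    alerts = []
    for line in lines:
        e = parse_line(line)
        if e and (r := classify(e)):
            alerts.append((e["ip"], e["path"], e["status"], r))
    return alerts

if __name__ == "__main__":
    for ip, path, status, reasons in scan(SAMPLE_LOGS):
        print(f"{ip} {status} {path!r}: {'; '.join(reasons)}")
```

A 403 on such a request still deserves attention: the request was attempted, and the same source may have tried the traversal-based bypass elsewhere in the log.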

Botnet Blues

Security researcher Kashinath T Pattan might as well be the narrator of a cybercrime drama, unveiling how Mirai botnet delivery through these vulnerabilities is akin to opening Pandora's box, but instead of hope at the bottom, there's just more malware and ransomware. It's a cyber thriller where the sequel is always scarier than the original.

Exploring the Miner's Mind

Meanwhile, SonicWall is dealing with a fake Windows File Explorer who's got a secret hobby: crypto mining. It's like finding out your mild-mannered neighbor is actually hosting rave parties in the /Windows/Fonts/ directory. This malware's got a 'drop it like it's hot' attitude, stashing malicious files and kicking off a mining operation faster than you can say 'Bitcoin'.

Tags: authentication bypass, Command Injection Vulnerability, Cryptocurrency Mining, CVE-2023-46805, CVE-2024-21887, Ivanti Connect Secure, mirai botnet