Beware the Sliver Sting: Ivanti VPNs Host High-Risk Bugs for Malware Mayhem!

Batten down your cyber hatches! Ivanti’s VPN is the latest malware magnet, roping in the notorious Sliver malware through a diabolical double vulnerability duo. It’s like a digital “Home Alone” heist, but Macaulay Culkin’s not here to save your data. Patch up, folks!

Hot Take:

Ladies and gents, grab your digital armor and raise your cybersecurity shields! It seems Ivanti’s Connect Secure VPN has become the latest hotspot for cyber shenanigans, serving a double-whammy of vulnerabilities that hackers are using to dish out a malware smorgasbord. I mean, who needs a simple breach when you can have a two-course hack fest, right? On the bright side, catching a case of the Sliver malware might just be the kick in the pants companies need to finally update their cyber defenses. Silver linings, eh?

Key Points:

  • Ivanti’s Connect Secure VPN is the latest runway for two high-fashion vulnerabilities, CVE-2023-46805 and CVE-2024-21887, strutting with scores of 8.2 and 9.1, respectively.
  • These flaws are the VIP passes for hackers, granting backstage access to deploy the oh-so-trendy KrustyLoader and its plus-one, the Sliver malware.
  • Cybersecurity paparazzi, AKA researchers, caught this act in early December 2023, and pointed fingers at Chinese state-sponsored threat actors for the zero-day exploit debut.
  • While Ivanti’s patch is playing hard to get, they’ve thrown a temporary mitigation lifeline to users via an XML file. It’s like bringing a water gun to a fire fight, but hey, it’s something!
  • Aside from Sliver, hackers are multitasking by turning compromised devices into involuntary crypto miners with XMRig, because why not make a buck while wreaking havoc?

CVE record: CVE-2024-21887
  • State: PUBLISHED
  • Assigner (short name): hackerone
  • Date updated: 01/12/2024
  • Description: A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.

CVE record: CVE-2023-46805
  • State: PUBLISHED
  • Assigner (short name): hackerone
  • Date updated: 01/12/2024
  • Description: An authentication bypass vulnerability in the web component of Ivanti ICS 9.x, 22.x and Ivanti Policy Secure allows a remote attacker to access restricted resources by bypassing control checks.
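The two CVE descriptions above name two classic bug classes: a web-tier control check that can be bypassed, and a command injection reachable once you are past it. The following is an added, generic illustration of those classes and their hardened counterparts, written for this page; it is not Ivanti's code, says nothing about the appliance's real endpoints, and every path, host string and log line in it is constructed for the example. It also includes a small log-review helper that flags the tell-tale sign of a check-then-resolve mismatch, which is the kind of thing a defender would look for in access logs while waiting for a patch.

```python
"""
Constructed model of two bug classes (not Ivanti's code):
  1. an access-control check that inspects the raw request path, so a path
     that starts under a public prefix but climbs out with '..' is treated
     as public even though the router later resolves it elsewhere;
  2. an "admin only" handler that pastes operator input into a shell line.
Each is shown beside a hardened form, plus a log-review helper.
"""
import posixpath
import re

# Hypothetical route prefixes for this example.
PUBLIC_PREFIX = "/public/"
ADMIN_PREFIX = "/admin/"

# Allow-list for a hostname argument: no leading '-', no shell metacharacters.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")


def control_check_vulnerable(raw_path: str, authenticated: bool) -> bool:
    """Bug class 1: decides on the raw path, not on what will be dispatched."""
    if raw_path.startswith(PUBLIC_PREFIX):
        return True                  # "public" needs no session
    return authenticated             # everything else needs one


def control_check_hardened(raw_path: str, authenticated: bool) -> bool:
    """Normalize first, refuse anything odd, then decide on the canonical path."""
    canonical = posixpath.normpath(raw_path)
    if not canonical.startswith("/") or ".." in canonical.split("/"):
        return False
    if canonical.startswith(PUBLIC_PREFIX):
        return True
    return authenticated


def build_ping_vulnerable(host: str) -> str:
    """Bug class 2: input concatenated into a line meant for shell=True."""
    return f"ping -c 1 {host}"


def build_ping_hardened(host: str) -> list:
    """Strict allow-list, then an argv list for subprocess.run(argv) with no shell,
    so no metacharacter is ever interpreted."""
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError("rejected host argument")
    return ["ping", "-c", "1", host]


def handle_request(raw_path: str, authenticated: bool, host: str, hardened: bool):
    """Tiny router that chains the check and the admin handler.
    Returns (status, command) where command is the line/argv that *would* run."""
    check = control_check_hardened if hardened else control_check_vulnerable
    if not check(raw_path, authenticated):
        return ("denied", None)
    canonical = posixpath.normpath(raw_path)   # what the router dispatches on
    if canonical == "/admin/ping":
        cmd = build_ping_hardened(host) if hardened else build_ping_vulnerable(host)
        return ("ok", cmd)
    return ("not_found", None)


# Constructed access-log lines, not real appliance output.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 "GET /public/status HTTP/1.1" 200',
    '10.0.0.9 "GET /public/../admin/ping HTTP/1.1" 200',
    '10.0.0.7 "GET /admin/ping HTTP/1.1" 401',
]


def suspicious_traversals(log_lines):
    """Flag requests whose raw path normalizes into the admin prefix although it
    did not start there: the signature of a check-then-resolve mismatch."""
    hits = []
    for line in log_lines:
        m = re.search(r'"(?:GET|POST) (\S+) HTTP', line)
        if not m:
            continue
        raw = m.group(1)
        canonical = posixpath.normpath(raw)
        if raw != canonical and canonical.startswith(ADMIN_PREFIX):
            hits.append(raw)
    return hits


if __name__ == "__main__":
    # Constructed input: unauthenticated request, traversal path, injected host.
    probe = ("/public/../admin/ping", False, "127.0.0.1; id")
    print("vulnerable:", handle_request(*probe, hardened=False))
    print("hardened:  ", handle_request(*probe, hardened=True))
    print("log hits:  ", suspicious_traversals(SAMPLE_ACCESS_LOG))
```

The point of the chain is visible in the two `handle_request` results: the vulnerable router lets an unauthenticated request through because the check looked at `/public/...` while dispatch resolved to `/admin/ping`, and the handler then hands a composite shell line to the operating system; the hardened router refuses the request at the check, and even an authenticated caller can only pass a host that matches the allow-list, which is then executed as an argument vector rather than a shell string.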

Need to know more?

CSI: Cyber - The Sliver Heist

Our cyber detectives at Volexity kicked off the investigation in December 2023 and spotted the digital footprints of these vulnerabilities being exploited. It's like the cyber version of a buddy cop movie, but instead of doughnuts and car chases, we've got code exploits and malware drops. The bad guys, allegedly backed by the Chinese government, have found the perfect one-two punch to infiltrate systems and unleash their malware minions.

Rust-y Droppers and Go-Go Gadgets

Enter KrustyLoader, the malware's Rust-built Robin, designed to usher in the star of the show: Sliver. This open-source, cross-platform framework is the Swiss Army knife of hacking tools, giving Cobalt Strike a run for its money. Crafted by the cunning minds at Bishop Fox, Sliver is ready to carve up some cyber chaos while the hackers sit back, sip on their energy drinks, and watch the dominoes fall.

Temp Fixes and Cryptojacking Chic

While Ivanti is fashionably late with a permanent patch, they've managed to throw together an XML ensemble to hold back the floodgates. In the meantime, some hackers, ever the opportunists, are turning compromised systems into their personal Monero mines with XMRig. Because why stop at just stealing data when you can also steal CPU cycles and mine some crypto gold?

Shift in Hacker Couture

It appears that the hacking world is going through a renaissance of tool swapping. With Cobalt Strike becoming less en vogue due to improved digital defenses, the cyber criminals are switching to Sliver and other trendy frameworks. It's like when plaid went out and stripes came in, but with more dire consequences than a fashion faux pas.

So, dear netizens, until Ivanti's patch saunters down the cybersecurity runway, keep a wary eye on your digital threads and maybe, just maybe, resist the urge to click on that "Too Good to Be True" email offer. Oh, and perhaps start considering that VPNs are less like impenetrable fortresses and more like those trendy open-floor office spaces - great until someone overhears your sensitive phone call.

Tags: cryptojacking, CVE-2023-46805, CVE-2024-21887, Ivanti Connect Secure, KrustyLoader, Post-exploitation framework, Sliver malware