{"id":2450,"date":"2024-01-30T23:22:00","date_gmt":"2024-01-30T23:22:00","guid":{"rendered":"https:\/\/www.darkreading.com\/endpoint-security\/ivanti-zero-day-patches-delayed-krustyloader-attacks-mount"},"modified":"2024-01-30T23:22:00","modified_gmt":"2024-01-30T23:22:00","slug":"ivanti-zero-day-patches-delayed-as-krustyloader-attacks-mount","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2024\/01\/30\/ivanti-zero-day-patches-delayed-as-krustyloader-attacks-mount\/","title":{"rendered":"Ivanti Zero-Day Patches Delayed as ‘KrustyLoader’ Attacks Mount"},"content":{"rendered":"
<\/a><\/div>\n
<\/div>\n

Attackers are using a pair of critical zero-day vulnerabilities in Ivanti VPNs to deploy a Rust-based set of backdoors, which in turn download a backdoor malware dubbed “KrustyLoader.”<\/span><\/p>\n

The two bugs were <\/span>disclosed earlier in January<\/a><\/span> (CVE-2024-21887 and CVE-2023-46805), allowing unauthenticated remote code execution (RCE) and authentication bypass, respectively, affecting Ivanti’s Connect Secure VPN gear. Neither has patches yet.<\/span><\/p>\n

While both zero days were already under active exploitation in the wild, Chinese state-sponsored advanced persistent threat (APT) actors (UNC5221, aka UTA0178) quickly hopped on the bugs after public disclosure, <\/span>mounting mass exploitation attempts worldwide<\/a><\/span>. Volexity’s analysis of the attacks uncovered 12 separate but nearly identical Rust payloads being downloaded to compromised appliances, which in turn download and execute a variant of the Sliver red-teaming tool, which Synacktiv researcher Th\u00e9o Letailleur named KrustyLoader.<\/span><\/p>\n

“<\/span>Sliver 11<\/a><\/span> is an open-source adversary simulation tool that is gaining popularity among threat actors, since it provides a practical command-and-control framework,” Letailleur said in his analysis yesterday, which also offers hashes, a Yara rule, and a <\/span>script for detection and extraction<\/a><\/span> of indicators of compromise (IoCs). He noted that the rejiggered Sliver implant acts as a stealthy and easily controlled backdoor.<\/span><\/p>\n

“KrustyLoader \u2014 as I dubbed it \u2014 performs specific checks in order to run only if conditions are met,” he added, noting that it\u2019s also well-obfuscated. “The fact that KrustyLoader was developed in Rust brings additional difficulties to obtain a good overview of its behavior.”<\/span><\/p>\n

Meanwhile, the <\/span>patches for CVE-2024-21887 and CVE-2023-46805<\/a><\/span> in Connect Secure VPNs are delayed. Ivanti had promised them on Jan. 22, prompting a CISA alert, but they failed to materialize. In the latest update to its advisory on the bugs, published Jan. 26, the firm noted, “The targeted release of patches for supported versions is delayed, this delay impacts all subsequent planned patch releases … Patches for supported versions will still be released on a staggered schedule.”<\/span><\/p>\n

Ivanti said it is targeting this week for the fixes, but noted that “the timing of patch release is subject to change as we prioritize the security and quality of each release.”<\/span><\/p>\n

As of today, it’s been 20 days since the vulnerabilities’ disclosure.<\/span><\/p>\n

Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

Attackers are using a pair of critical zero-day vulnerabilities in<\/p>\n","protected":false},"author":12,"featured_media":2451,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1],"tags":[809],"class_list":["post-2450","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-dark-reading"],"featured_image_urls":{"full":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/01\/ivanti-zero-day-patches-delayed-as-krustyloader-attacks-mount-scaled.jpg?fit=2560%2C1677&ssl=1",2560,1677,false],"thumbnail":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/01\/ivanti-zero-day-patches-delayed-as-krustyloader-attacks-mount-scaled.jpg?resize=150%2C150&ssl=1",150,150,true],"medium":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/01\/ivanti-zero-day-patches-delayed-as-krustyloader-attacks-mount-scaled.jpg?fit=300%2C197&ssl=1",300,197,true],"medium_large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/01\/ivanti-zero-day-patches-delayed-as-krustyloader-attacks-mount-scaled.jpg?fit=640%2C419&ssl=1",640,419,true],"large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/01\/ivanti-zero-day-patches-delayed-as-krustyloader-attacks-mount-scaled.jpg?fit=640%2C419&ssl=1",640,419,true],"1536x1536":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/01\/ivanti-zero-day-patches-delayed-as-krustyloader-attacks-mount-scaled.jpg?fit=1536%2C1006&ssl=1",1536,1006,true],"2048x2048":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/01\/ivanti-zero-day-patches-delayed-as-krustyloader-attacks-mount-scaled.jpg?fit=2048%2C1341&ssl=1",2048,1341,true],"chromenews-featured":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/01\/ivanti-zero-day-patches-delayed-as-krustyloader-attacks-mount-scaled.jpg?fit=1024%2C671&ssl=1",1024,671,true],"chromenews-large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/01\/ivanti-zero-day-patches-delayed-as-krustyloader-attacks-mount-scaled.jpg?resize=825%2C575&ssl=1",825,575,true],"chromenews-medium":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/01\/ivanti-zero-day-patches-delayed-as-krustyloader-attacks-mount-scaled.jpg?resize=590%2C410&ssl=1",590,410,true]},"author_info":{"display_name":"Dark Reading","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/darkreading\/"},"category_info":"Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","jetpack_featured_media_url":"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/01\/ivanti-zero-day-patches-delayed-as-krustyloader-attacks-mount-scaled.jpg?fit=2560%2C1677&ssl=1","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/2450","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/12"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=2450"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/2450\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media\/2451"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=2450"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=2450"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=2450"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}