Mirai Botnet Exploits Ivanti Connect Secure Flaws For Malicious Payloads

Mirai Botnet Exploits Ivanti Connect Secure Flaws For Malicious Payloads

Published on May 13th, 2024

Recently, Juniper Threat Labs disclosed the exploitation of two security vulnerabilities in Ivanti Connect Secure (ICS) devices, which facilitated the deployment of the notorious Mirai botnet.

The vulnerabilities, namely CVE-2023-46805 and CVE-2024-21887, were identified as an authentication bypass flaw and a command injection vulnerability, respectively. These flaws were exploited in tandem, allowing attackers to execute arbitrary code and seize control of vulnerable instances.

In the observed attack scenario, the authentication bypass vulnerability (CVE-2023-46805) was utilized to gain unauthorized access to the vulnerable endpoint “/api/v1/license/key-status/,” which was susceptible to command injection. Subsequently, attackers injected the botnet payload through this compromised endpoint.

As elaborated by Assetnote in their detailed analysis of CVE-2024-21887, the exploit is activated by sending a request to “/api/v1/totp/user-backup-code/,” triggering the deployment of the malware.

Security researcher Kashinath T Pattan explained, “This sequence of commands aims to erase files, retrieve a script from a remote server, assign executable permissions, and execute the script, potentially resulting in a compromised system.”

The accompanying shell script is crafted to download the Mirai botnet malware from an IP address under the control of threat actors (e.g., “192.3.152[.]183”).

Pattan emphasized, “The detection of Mirai botnet propagation through these vulnerabilities underscores the dynamic nature of cyber threats. The utilization of Mirai in this context implies the likelihood of deploying other malicious software and ransomware.”

Meanwhile, SonicWall disclosed the discovery of a counterfeit Windows File Explorer executable (“explorer.exe”) responsible for installing a cryptocurrency miner. Currently, the precise method of distributing this malware remains undisclosed.

“Upon execution, the malware drops malicious files in the /Windows/Fonts/ directory, including the primary crypto miner file and a batch file containing malicious commands to initiate the mining process,” SonicWall stated.

These developments underscore the persistent evolution and diversity of cyber threats, necessitating ongoing vigilance and proactive security measures to mitigate risks effectively.