Chinese Hackers Exploiting VPN Flaws to Deploy KrustyLoader Malware

Cyber Security

Products You May Like

Jan 31, 2024NewsroomCyber Attack / Network Security

A pair of recently disclosed zero-day flaws in Ivanti Connect Secure (ICS) virtual private network (VPN) devices have been exploited to deliver a Rust-based payload called KrustyLoader that’s used to drop the open-source Sliver adversary simulation tool.

The security vulnerabilities, tracked as CVE-2023-46805 (CVSS score: 8.2) and CVE-2024-21887 (CVSS score: 9.1), could be abused in tandem to achieve unauthenticated remote code execution on susceptible appliances.

As of January 26, patches for the two flaws have been delayed, although the software company has released a temporary mitigation through an XML file.

Cybersecurity

Volexity, which first shed light on the shortcomings, said they have been weaponized as zero-days since December 3, 2023, by a Chinese nation-state threat actor it tracks under the name UTA0178. Google-owned Mandiant has assigned the moniker UNC5221 to the group.

Following public disclosure earlier this month, the vulnerabilities have come under broad exploitation by other adversaries to drop XMRig cryptocurrency miners as well as Rust-based malware.

Synacktiv’s analysis of the Rust malware, codenamed KrustyLoader, has revealed that it functions as a loader to download Sliver from a remote server and execute it on the compromised host.

Recorded Future
Image Credit: Recorded Future

Sliver, developed by cybersecurity company BishopFox, is a Golang-based cross-platform post-exploitation framework that has emerged as a lucrative option for threat actors in comparison to other well-known alternatives like Cobalt Strike.

Cybersecurity

That said, Cobalt Strike continues to be the top offensive security tool observed among attacker-controlled infrastructure in 2023, followed by Viper, and Meterpreter, according to a report published by Recorded Future earlier this month.

“Both Havoc and Mythic have also become relatively popular but are still observed in far lower numbers than Cobalt Strike, Meterpreter, or Viper,” the company said. “Four other well-known frameworks are Sliver, Havoc, Brute Ratel (BRc4), and Mythic.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Products You May Like

Articles You May Like

Brazil Telecom Regulator Moves to Block Access to Elon Musk’s X After Court Order
Vietnamese Human Rights Group Targeted in Multi-Year Cyberattack by APT32
NASA Researcher to Study Gravity’s Impact on Plants Aboard Blue Origin’s Suborbital Rocket
Fortra Issues Patch for High-Risk FileCatalyst Workflow Security Vulnerability
Here’s How AI is Helping Astronomers to Understand Universe’s Fundamental Parameters

Leave a Reply

Your email address will not be published. Required fields are marked *