Two recently disclosed security flaws in Ivanti Connect Secure (ICS) products are currently being exploited to deploy the infamous Mirai botnet.
That's according to findings from Juniper Threat Labs, which said the vulnerabilities CVE-2023-46805 and CVE-2024-21887 have been leveraged to deliver the botnet payload.
While CVE-2023-46805 is an authentication bypass flaw, CVE-2024-21887 is a command injection vulnerability; chained together, the two allow an attacker to execute arbitrary code and take over susceptible appliances.
In the attack chain observed by the network security company, CVE-2023-46805 is exploited to gain access to the "/api/v1/license/keys-status/" endpoint, which is vulnerable to command injection, and inject the payload.
As previously outlined by Assetnote in their technical deep dive of CVE-2024-21887, the exploit is triggered by means of a request to "/api/v1/totp/user-backup-code/" to deploy the malware.
"This command sequence attempts to wipe files, downloads a script from a remote server, sets executable permissions, and executes the script, potentially leading to an infected system," security researcher Kashinath T Pattan said.
The shell script, for its part, is designed to fetch the Mirai botnet malware from an actor-controlled IP address ("192.3.152[.]183").
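As an added example (not code from the article, Juniper Threat Labs or Assetnote), the following Python access-log scanner flags requests that touch the two endpoints named above and carry path traversal or shell metacharacters, which is the shape of the bypass-plus-injection chain described. The log format, the double URL-decoding and the sample log lines are constructed assumptions, not captured data.

```python
import re
from urllib.parse import unquote

# Endpoints named in the article's attack chain (Ivanti ICS, CVE-2023-46805 / CVE-2024-21887).
WATCHED_PATHS = ("/api/v1/totp/user-backup-code/", "/api/v1/license/keys-status/")
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")        # "../" segments inside the request path
SHELL_META = re.compile(r"[;|&`$]")              # characters a command injection needs
# Assumed common-log-format line; only the quoted request and status are used.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Constructed sample lines: one benign login-page hit, two suspicious API requests.
SAMPLE_LOG = [
    '10.0.0.5 - - [18/Jan/2024:10:01:02 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 512',
    '203.0.113.9 - - [18/Jan/2024:10:01:07 +0000] "GET /api/v1/totp/user-backup-code/../../license/keys-status/; HTTP/1.1" 200 97',
    '203.0.113.9 - - [18/Jan/2024:10:01:09 +0000] "GET /api/v1/license/keys-status/%3B HTTP/1.1" 200 97',
]


def inspect_request(path):
    """Return the reasons a request path looks like the chain above, or [] if clean."""
    decoded = unquote(unquote(path))  # decode twice so %2e%2e / %253B encodings are visible
    reasons = []
    if not any(p in decoded for p in WATCHED_PATHS):
        return reasons
    if TRAVERSAL.search(decoded):
        reasons.append("path traversal toward a watched endpoint")
    if SHELL_META.search(decoded):
        reasons.append("shell metacharacter in request path")
    return reasons


def scan_access_log(lines):
    """Yield (path, status, reasons) for every log line that trips a rule."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        reasons = inspect_request(m.group("path"))
        if reasons:
            hits.append((m.group("path"), m.group("status"), reasons))
    return hits


if __name__ == "__main__":
    for path, status, reasons in scan_access_log(SAMPLE_LOG):
        print(f"{status} {path} -> {', '.join(reasons)}")
```

A 200 status on a flagged request is the case worth escalating, since it suggests the unauthenticated path reached the injectable endpoint rather than being rejected.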
"The discovery of Mirai botnet delivery through these exploits highlights the ever-evolving landscape of cyber threats," Pattan said. "The fact that Mirai was delivered via this vulnerability also means the deployment of other harmful malware and ransomware is to be expected."
The development comes as SonicWall revealed that a fake Windows File Explorer executable ("explorer.exe") has been found to install a cryptocurrency miner. The exact distribution vector for the malware is currently unknown.
"Upon execution, it drops malicious files in the /Windows/Fonts/ directory, including the main crypto miner file, a batch file containing malicious commands to start the mining process," SonicWall said.
Some parts of this article are sourced from:
thehackernews.com