Get all your news in one place.
100’s of premium titles.
One app.
Start reading
TechRadar
TechRadar
Sead Fadilpašić

VPN users beware — security flaws are being exploited to spread dangerous malware

A computer being guarded by cybersecurity.

Users of Ivanti’s Connect Secure (ICS) virtual private network (VPN) devices beware - the solutions carry two high severity vulnerabilities that are being chained together to deliver the Silver malware

First things first - the two vulnerabilities being abused here are tracked as CVE-2023-46805, and CVE-2024-21887. The former carries a severity score of 8.2, while the latter 9.1. Researchers from Volexity first spotted these two being abused in early December 2023, claiming that Chinese state-sponsored threat actors abused them as zero-days.

Now, some hacking collectives seem to be using the flaws to first deliver KrustyLoader, a payload dropper built in Rust. Synacktiv researchers are saying that KrustyLoader’s goal is to download Sliver from a remote server and run it on the compromised endpoint. Sliver, on the other hand, is an open-source, cross-platform post-exploitation framework built in the Go language. Some use it as an alternative to Cobalt Strike, it was said.

More bugs to patch

It first emerged in mid-2022, when BleepingComputer reported of hackers “dumping the Cobalt Strike penetration testing suite in favor of similar frameworks that are less known.” These include not just Sliver, but also Brute Ratel, Viper, Meterpreter, and Havoc. Apparently, hackers started ditching Cobalt Strike due to stronger defenses being set up by their targets. Sliver was developed by a cybersecurity firm called BishopFox. 

The patch for the two flaws is not yet available, it was said, but Ivanti did release a temporary mitigation solution via an XML file. 

Besides Sliver, some hackers are apparently using these vulnerabilities to install XMRig on the vulnerable endpoints. XMRig is a cryptojacker that “hijacks” the device’s computing power and quietly mines the Monero cryptocurrency for the attackers. “Quietly” being a stretch, however, as miners take up so much computing power that it’s hard not to see the device performing poorly.

Via The Hacker News

More from TechRadar Pro

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
One subscription that gives you access to news from hundreds of sites
Already a member? Sign in here
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.