Ivanti Zero-Day Patches Delayed as 'KrustyLoader' Attacks Mount

UPDATE 9:45 a.m. ET Jan. 31, 2024: Ivanti released patches for the two zero-days this morning.

Attackers are using a pair of critical zero-day vulnerabilities in Ivanti VPNs to deploy a Rust-based set of backdoors, which in turn download a backdoor malware dubbed "KrustyLoader."

The two bugs were disclosed earlier in January (CVE-2024-21887 and CVE-2023-46805), allowing unauthenticated remote code execution (RCE) and authentication bypass, respectively, affecting Ivanti's Connect Secure VPN gear. Neither has patches yet.

While both zero days were already under active exploitation in the wild, Chinese state-sponsored advanced persistent threat (APT) actors (UNC5221, aka UTA0178) quickly hopped on the bugs after public disclosure, mounting mass exploitation attempts worldwide. Volexity's analysis of the attacks uncovered 12 separate but nearly identical Rust payloads being downloaded to compromised appliances, which in turn download and execute a variant of the Sliver red-teaming tool, which Synacktiv researcher Théo Letailleur named KrustyLoader.

"Sliver 11 is an open-source adversary simulation tool that is gaining popularity among threat actors, since it provides a practical command-and-control framework," Letailleur said in his analysis yesterday, which also offers hashes, a Yara rule, and a script for detection and extraction of indicators of compromise (IoCs). He noted that the rejiggered Sliver implant acts as a stealthy and easily controlled backdoor.

"KrustyLoader — as I dubbed it — performs specific checks in order to run only if conditions are met," he added, noting that it’s also well-obfuscated. "The fact that KrustyLoader was developed in Rust brings additional difficulties to obtain a good overview of its behavior."

Meanwhile, the patches for CVE-2024-21887 and CVE-2023-46805 in Connect Secure VPNs are delayed. Ivanti had promised them on Jan. 22, prompting a CISA alert, but they failed to materialize. In the latest update to its advisory on the bugs, published Jan. 26, the firm noted, "The targeted release of patches for supported versions is delayed, this delay impacts all subsequent planned patch releases ... Patches for supported versions will still be released on a staggered schedule."

Ivanti said it is targeting this week for the fixes, but noted that "the timing of patch release is subject to change as we prioritize the security and quality of each release."

As of today, it's been 20 days since the vulnerabilities' disclosure.