Ivanti Zero-Day Patches Delayed as 'KrustyLoader' Attacks Mount

The RCE/auth bypass bugs in Connect Secure VPNs have gone unpatched for 20 days as state-sponsored groups continue to backdoor Ivanti gear.


UPDATE 9:45 a.m. ET Jan. 31, 2024: Ivanti released patches for the two zero-days this morning.

Attackers are using a pair of critical zero-day vulnerabilities in Ivanti VPNs to deploy a Rust-based set of backdoors, which in turn download a backdoor malware dubbed "KrustyLoader."

The two bugs were disclosed earlier in January (CVE-2024-21887 and CVE-2023-46805), allowing unauthenticated remote code execution (RCE) and authentication bypass, respectively, affecting Ivanti's Connect Secure VPN gear. Neither has patches yet.

While both zero-days were already under active exploitation in the wild, Chinese state-sponsored advanced persistent threat (APT) actors (UNC5221, aka UTA0178) quickly hopped on the bugs after public disclosure, mounting mass exploitation attempts worldwide. Volexity's analysis of the attacks uncovered 12 separate but nearly identical Rust payloads being downloaded to compromised appliances; these in turn download and execute a variant of the Sliver red-teaming tool, which Synacktiv researcher Théo Letailleur named KrustyLoader.

"Sliver 11 is an open-source adversary simulation tool that is gaining popularity among threat actors, since it provides a practical command-and-control framework," Letailleur said in his analysis yesterday, which also offers hashes, a Yara rule, and a script for detection and extraction of indicators of compromise (IoCs). He noted that the rejiggered Sliver implant acts as a stealthy and easily controlled backdoor.

"KrustyLoader — as I dubbed it — performs specific checks in order to run only if conditions are met," he added, noting that it’s also well-obfuscated. "The fact that KrustyLoader was developed in Rust brings additional difficulties to obtain a good overview of its behavior."

Meanwhile, the patches for CVE-2024-21887 and CVE-2023-46805 in Connect Secure VPNs are delayed. Ivanti had promised them on Jan. 22, prompting a CISA alert, but they failed to materialize. In the latest update to its advisory on the bugs, published Jan. 26, the firm noted, "The targeted release of patches for supported versions is delayed, this delay impacts all subsequent planned patch releases ... Patches for supported versions will still be released on a staggered schedule."

Ivanti said it is targeting this week for the fixes, but noted that "the timing of patch release is subject to change as we prioritize the security and quality of each release."

As of today, it's been 20 days since the vulnerabilities' disclosure.

About the Author(s)

Tara Seals, Managing Editor, News, Dark Reading

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.
