The Ivanti exploit chain is actively used to deploy the Mirai botnet

Father

CVE-2023-46805 and CVE-2024-21887 – one-way tickets for your network security.

New vulnerabilities in Ivanti Connect Secure devices allow attackers to deploy the Mirai botnet. This is reported by security researchers from Juniper, who describe active exploitation of two vulnerabilities, CVE-2023-46805 and CVE-2024-21887.

The first allows an attacker to bypass authentication, and the second allows command injection. Together, they let attackers execute arbitrary code and take control of vulnerable systems. In the attack chain observed by Juniper, the vulnerabilities were used to reach the endpoint "/api/v1/license/key-status/;", which is subject to command injection.

According to a January Assetnote study, the malware is triggered by a request to "/api/v1/totp/user-backup-code/", where a sequence of commands erases files, downloads a script from a remote server, assigns it execution rights and runs it, which leads to infection of the system.

As security researcher Kashinath Pattan explained, the script is designed to download Mirai malware from an attacker-controlled IP address ("192.3.152[.]183"). "The discovery of these vulnerabilities to deliver the Mirai botnet underscores the ever-changing cyber threat landscape," Pattan noted.
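As an added example that is not part of the post or of Juniper's or Assetnote's work, the check below runs the two indicators the post gives (requests to the named API endpoints carrying a `;` or a traversal segment, and egress to the quoted payload host) over constructed log lines. It assumes a combined-format web access log and a simple (src, dst_ip, dst_port) tuple for connection records; the payload text in the sample line is a constructed placeholder.

```python
import re
from dataclasses import dataclass

# Endpoints named in the post as touched by the exploit chain.
WATCHED_ENDPOINTS = ("/api/v1/totp/user-backup-code/", "/api/v1/license/key-status/")
# Payload host quoted in the post (defanged there as 192.3.152[.]183).
KNOWN_PAYLOAD_HOST = "192.3.152.183"

# Combined access-log prefix: client ip, ident, user, [timestamp], "METHOD path proto", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

@dataclass
class Alert:
    line_no: int
    reason: str
    path: str

def inspect_request(path):
    """Return a reason if the path matches the chain's pattern, else None."""
    if not any(ep in path for ep in WATCHED_ENDPOINTS):
        return None  # not one of the endpoints from the write-up
    if ";" in path:
        return "semicolon in request path to watched endpoint (command-injection pattern)"
    if "/../" in path:
        return "traversal segment in request to watched endpoint (auth-bypass pattern)"
    return None  # ordinary use of the endpoint, e.g. a normal TOTP backup-code request

def scan_access_log(lines):
    """Parse combined-format lines and collect alerts for suspicious requests."""
    alerts = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if m is None:
            continue  # unparseable line; a real pipeline would count these
        reason = inspect_request(m.group("path"))
        if reason:
            alerts.append(Alert(n, reason, m.group("path")))
    return alerts

def scan_egress(connections):
    """connections: iterable of (src, dst_ip, dst_port); flag any to the payload host."""
    return [c for c in connections if c[1] == KNOWN_PAYLOAD_HOST]

# Constructed sample data (not real traffic): one benign page load, one request carrying a
# placeholder in the injectable position, one ordinary call to the backup-code endpoint.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Jan/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/Jan/2024:10:00:05 +0000] "GET /api/v1/license/key-status/;CONSTRUCTED_PLACEHOLDER HTTP/1.1" 200 73',
    '198.51.100.9 - - [12/Jan/2024:10:01:00 +0000] "GET /api/v1/totp/user-backup-code/ HTTP/1.1" 401 0',
]
SAMPLE_CONNECTIONS = [("10.0.0.5", "203.0.113.20", 443), ("10.0.0.5", "192.3.152.183", 80)]
```

Alerts carry the offending line number and path so they can be joined back to the raw log; the egress check only matches the single host the post names, so treat it as one indicator among others rather than a complete signature.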

According to him, more frequent use of these vulnerabilities to spread this and other malware should be expected in the future.
 