Hackers exploit Ivanti VPN vulnerabilities to spread KrustyLoader malware

Posted by admin, 1 February 2024 18:20:56


A pair of recently disclosed zero-day flaws in Ivanti Connect Secure (ICS) virtual private network (VPN) devices have been exploited to deliver a Rust-based payload called KrustyLoader that's used to drop the open-source Sliver adversary simulation tool.


The security vulnerabilities, tracked as CVE-2023-46805 (CVSS score: 8.2) and CVE-2024-21887 (CVSS score: 9.1), could be abused in tandem to achieve unauthenticated remote code execution on susceptible appliances.


As of January 26, patches for the two flaws have been delayed, although the software company has released a temporary mitigation through an XML file.


Volexity, which first shed light on the shortcomings, said they have been weaponized as zero-days since December 3, 2023, by a threat actor it tracks under the name UTA0178. Google-owned Mandiant has assigned the moniker UNC5221 to the group.


Following public disclosure earlier this month, the vulnerabilities have come under broad exploitation by other adversaries to drop XMRig cryptocurrency miners as well as Rust-based malware.


Synacktiv's analysis of the Rust malware, codenamed KrustyLoader, has revealed that it functions as a loader to download Sliver from a remote server and execute it on the compromised host.



Sliver, developed by cybersecurity company BishopFox, is a Golang-based cross-platform post-exploitation framework that has emerged as a lucrative option for threat actors in comparison to other well-known alternatives like Cobalt Strike.


That said, Cobalt Strike continues to be the top offensive security tool observed among attacker-controlled infrastructure in 2023, followed by Viper and Meterpreter, according to a report published by Recorded Future earlier this month.


"Both Havoc and Mythic have also become relatively popular but are still observed in far lower numbers than Cobalt Strike, Meterpreter, or Viper," the company said. "Four other well-known frameworks are Sliver, Havoc, Brute Ratel (BRc4), and Mythic."


Originally published on the WeChat official account 知机安全: Hackers exploit Ivanti VPN vulnerabilities to spread KrustyLoader malware

Reposted on CN-SEC中文网 (please keep this link when reposting; thanks to the original author): https://cn-sec.com/archives/2459377.html
