VPN users beware — security flaws are being exploited to spread dangerous malware
Ivanti VPN tools are being abused to drop malware
Users of Ivanti’s Connect Secure (ICS) virtual private network (VPN) devices beware: the appliances carry two high-severity vulnerabilities that are being chained together to deliver the Sliver malware.
First things first: the two vulnerabilities being abused here are tracked as CVE-2023-46805 and CVE-2024-21887. The former carries a severity score of 8.2, the latter 9.1. Researchers from Volexity first spotted the two being abused in early December 2023, and assessed that Chinese state-sponsored threat actors had exploited them as zero-days.
Now, some hacking collectives appear to be using the flaws to first deliver KrustyLoader, a payload dropper written in Rust. Synacktiv researchers say KrustyLoader’s purpose is to download Sliver from a remote server and run it on the compromised endpoint. Sliver, for its part, is an open-source, cross-platform post-exploitation framework written in Go, and some attackers use it as an alternative to Cobalt Strike.
More bugs to patch
It first emerged in mid-2022, when BleepingComputer reported that hackers were “dumping the Cobalt Strike penetration testing suite in favor of similar frameworks that are less known.” These include not just Sliver but also Brute Ratel, Viper, Meterpreter, and Havoc. Hackers apparently started ditching Cobalt Strike because their targets had set up stronger defenses against it. Sliver was developed by the cybersecurity firm Bishop Fox.
A patch for the two flaws is not yet available, it was said, but Ivanti has released a temporary mitigation in the form of an XML file.
Besides Sliver, some hackers are apparently using these vulnerabilities to install XMRig on the vulnerable endpoints. XMRig is a cryptojacker that “hijacks” the device’s computing power and quietly mines the Monero cryptocurrency for the attackers. “Quietly” is a stretch, however: miners consume so much computing power that the device’s poor performance is hard to miss.
Via The Hacker News
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.