Two not too long ago disclosed safety flaws in Ivanti Join Safe (ICS) gadgets are being exploited to deploy the notorious Mirai botnet.
That is based on findings from Juniper Menace Labs, which mentioned the vulnerabilities CVE-2023-46805 and CVE-2024-21887 have been leveraged to ship the botnet payload.
Whereas CVE-2023-46805 is an authentication bypass flaw, CVE-2024-21887 is a command injection vulnerability, thereby permitting an attacker to chain the 2 into an exploit chain to execute arbitrary code and take over vulnerable situations.
Within the assault chain noticed by the community safety firm, CVE-2023-46805 is exploited to achieve entry to the “/api/v1/license/key-status/;” endpoint, which is weak to command injection, and inject the payload.
As beforehand outlined by Assetnote of their technical deep dive of the CVE-2024-21887, the exploit is triggered via a request to “/api/v1/totp/user-backup-code/” to deploy the malware.
“This command sequence makes an attempt to wipe information, downloads a script from a distant server, units executable permissions, and executes the script, doubtlessly resulting in an contaminated system,” safety researcher Kashinath T Pattan mentioned.
The shell script, for its half, is designed to obtain the Mirai botnet malware from an actor-controlled IP deal with (“192.3.152[.]183”).
“The invention of Mirai botnet supply by way of these exploits highlights the ever-evolving panorama of cyber threats,” Pattan mentioned. “The truth that Mirai was delivered by way of this vulnerability can even imply the deployment of different dangerous malware and ransomware is to be anticipated.”
The event comes as SonicWall revealed {that a} faux Home windows File Explorer executable (“explorer.exe”) has been discovered to put in a cryptocurrency miner. The precise distribution vector for the malware is at present unknown.
“Upon execution, it drops malicious information within the /Home windows/Fonts/ listing, together with the primary crypto miner file, a batch file containing malicious instructions to begin the mining course of,” SonicWall mentioned.