Rust Payloads Exploiting Ivanti Zero-Days Linked to Sophisticated Sliver Toolkit

Summary:
Recent findings suggest that payloads discovered on compromised Ivanti Connect Secure appliances may originate from a single, highly skilled threat actor, according to incident response provider Synacktiv. A malware analysis by Synacktiv reveals that the 12 Rust payloads found in connection with two Ivanti Connect Secure VPN zero-day vulnerabilities share nearly identical code, suggesting a common origin.

These payloads, collectively dubbed “KrustyLoader”, are designed to download and execute a Sliver backdoor written in Golang. Sliver, developed by Bishop Fox, is a post-exploitation toolkit used primarily by red teams to maintain access and control over compromised systems. The sophistication of these payloads, including specific conditional checks, indicates a high level of expertise, consistent with previous reports linking the attacks to an APT actor.

Security Officer Comments:
Volexity and Mandiant have both implicated a Chinese-backed group, tracked as activity cluster UNC5221, in these exploits, noting similarities to previous Chinese-linked attacks. Despite efforts to mitigate the threat, over 2,100 systems have been compromised, prompting Ivanti to delay the release of a patch originally scheduled for the week of January 22.

Suggested Corrections:

It is critically important that organizations running Ivanti Connect Secure VPN appliances ensure the following:

  • The mitigation is applied in the proper order, applying it after importing any backup configurations.
  • The external Integrity Checker Tool results do not show signs of compromise.
  • Once a patch becomes available, it is applied as soon as possible.

Link(s):
https://www.infosecurity-magazine.com/news/rust-payloads-ivanti-zero-days/

https://www.volexity.com/blog/2024/01/18/ivanti-connect-secure-vpn-exploitation-new-observations/