
Ivanti vulnerabilities used to deploy the Mirai botnet

Two vulnerabilities recently identified in Ivanti Connect Secure (ICS) appear to be in use to deploy the well-known Mirai botnet.


According to research by Juniper Threat Labs, the vulnerabilities CVE-2023-46805 and CVE-2024-21887 have been used to deliver the botnet payload. The first is an authentication bypass, while the second is a command injection vulnerability. Attackers can combine the two flaws to execute code and take control of unpatched instances.

In the observed attack chain, the Ivanti CVE-2023-46805 vulnerability was used to gain access to the "/api/v1/license/key-status/;" endpoint (which is vulnerable to command injection) and to introduce the Mirai botnet payload.


As for the exploitation of the CVE-2024-21887 vulnerability, it is triggered by a request to "/api/v1/totp/user-backup-code/" in order to deploy the malware.

"This command sequence attempts to delete files, downloads a script from a remote server, sets executable permissions and executes the script, potentially leading to an infected system," said security researcher Kashinath T Pattan.

The shell script, for its part, downloads the Mirai botnet malware from an IP address controlled by the attackers ("192.3.152[.]183").
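The two endpoints and the payload host named above can be turned into a log check. This is an added example, not code from Juniper Threat Labs or the original article; the combined access-log format, the egress-log line and all sample entries are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Indicators taken from the article. It spells the license endpoint "key-status";
# also accepting "keys-status" is an assumption added for this example.
ENDPOINTS = {
    "totp/user-backup-code request": re.compile(r"/api/v1/totp/user-backup-code/", re.I),
    "license/key-status/; request": re.compile(r"/api/v1/license/keys?-status/;", re.I),
}
# Refang the defanged IoC from the article and match it as a whole address.
PAYLOAD_HOST = re.compile(r"(?<![\d.])" + re.escape("192.3.152[.]183".replace("[.]", ".")) + r"(?!\d)")
# Source address and request path of a combined-format access log line (assumed format).
REQUEST = re.compile(r'^(?P<src>\S+) .*?"[A-Z]+ (?P<path>\S+) HTTP/[\d.]+"')

def normalize(path, rounds=3):
    """Percent-decode repeatedly so %3b and %253b reach the same pattern as ';'."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def scan(lines):
    """Return (line_no, source, reason) for every log line matching an indicator."""
    hits = []
    for no, line in enumerate(lines, 1):
        m = REQUEST.match(line)
        if m:
            path = normalize(m.group("path"))
            for reason, pattern in ENDPOINTS.items():
                if pattern.search(path):
                    hits.append((no, m.group("src"), reason))
        if PAYLOAD_HOST.search(line):
            hits.append((no, line.split()[0], "contact with payload host"))
    return hits

# Constructed sample lines, not real traffic; PLACEHOLDER stands in for request content.
SAMPLE = [
    '203.0.113.7 - - [01/May/2024:10:00:01 +0000] "GET /api/v1/totp/user-backup-code/PLACEHOLDER HTTP/1.1" 200 12',
    '203.0.113.7 - - [01/May/2024:10:00:02 +0000] "GET /api/v1/license/key-status/%3bPLACEHOLDER HTTP/1.1" 200 0',
    '198.51.100.4 - - [01/May/2024:10:00:03 +0000] "GET /favicon.ico HTTP/1.1" 200 318',
    '10.0.0.5 egress tcp dst=192.3.152.183:80 action=allow',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

A hit on either endpoint from an unauthenticated source, or any egress to the payload host, is a reason to review the appliance for compromise rather than proof of one.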

According to the researcher, the delivery of the Mirai botnet through these vulnerabilities "highlights the ever-evolving landscape of cyber threats".


The Mirai infection also means that other harmful malware and ransomware will be deployed.


Protection against botnet malware

To protect yourself from botnets, it is important to keep your device's software and operating system up to date. Botnet attacks often exploit known vulnerabilities (as in this case).

In addition, it is important to use a reliable security program that provides protection against malware and botnets. This should include running regular scans to detect and remove any threats.


Using strong passwords and changing them regularly is another way to protect yourself from botnets (e.g. Mirai). Botnet attacks often try to guess passwords, so using strong passwords and changing them regularly can help protect your accounts.

Finally, information security training can be particularly useful. Understanding how botnet attacks operate and the techniques they use can help you identify and avoid them.


Digital Fortress