Threat actors have leveraged Ivanti Connect Secure and Policy Secure zero-day vulnerabilities, tracked as CVE-2023-46805 and CVE-2024-21887, to facilitate the deployment of the Mirai botnet, reports Security Affairs.
Attacks began by exploiting CVE-2023-46805 to reach the "/api/v1/license/key-status/;" endpoint, then used CVE-2024-21887 to inject the Mirai botnet, according to a report from Juniper Threat Labs. Both Python-based and curl reverse shells were also used to take over systems, while shell scripts distributed the Mirai payload, the researchers said.
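As an added defender-side example (not code from the article or the Juniper report), the following script scans web access logs for requests that touch the endpoint named above or carry a shell separator in the path. It assumes the appliance, or a reverse proxy in front of it, writes standard combined-format access logs; the sample lines, IPs and timestamps are constructed.

```python
import re
from urllib.parse import unquote

# Endpoint named in the Juniper Threat Labs report, as quoted in the article above.
WATCHED_ENDPOINT = "/api/v1/license/key-status/"

# Combined access-log format (assumption: appliance or reverse proxy logs in this shape).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def classify_request(path):
    """Return the reasons a request path resembles the reported activity (empty if none)."""
    decoded = unquote(path)  # percent-encoded variants normalise to the same path
    reasons = []
    if WATCHED_ENDPOINT in decoded:
        reasons.append("touches license key-status endpoint")
    # The endpoint string in the report ends with ';', a shell command separator that
    # has no business in a legitimate URL path (query string is excluded from the check).
    if ";" in decoded.split("?", 1)[0]:
        reasons.append("shell separator ';' in path")
    return reasons


def find_suspicious_requests(log_text):
    """Parse combined-format lines and return the ones worth an analyst's attention."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip blank or non-matching lines rather than failing the whole scan
        reasons = classify_request(m.group("path"))
        if reasons:
            hits.append({"ip": m.group("ip"), "path": m.group("path"),
                         "status": int(m.group("status")), "ua": m.group("ua"),
                         "reasons": reasons})
    return hits


# Constructed sample log; the addresses, timestamps and user agents are invented.
SAMPLE_LOG = """\
198.51.100.7 - - [12/Jan/2024:10:01:02 +0000] "GET /welcome.html HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Jan/2024:10:01:05 +0000] "GET /api/v1/license/key-status/; HTTP/1.1" 200 87 "-" "curl/7.88.1"
203.0.113.9 - - [12/Jan/2024:10:01:06 +0000] "GET /api/v1/license/key-status/%3B HTTP/1.1" 403 0 "-" "python-requests/2.31"
198.51.100.7 - - [12/Jan/2024:10:02:00 +0000] "GET /api/v1/status HTTP/1.1" 200 55 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for hit in find_suspicious_requests(SAMPLE_LOG):
        print(hit["ip"], hit["status"], hit["path"], "->", "; ".join(hit["reasons"]))
```

A 200 response on a flagged request deserves more scrutiny than a 403, since it suggests the request was served rather than blocked.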
"The increasing attempts to exploit Ivanti Pulse Secure's authentication bypass and remote code execution vulnerabilities are a significant threat to network security… The fact that Mirai was delivered through this vulnerability will also mean the deployment of other harmful malware and ransomware is to be expected. Understanding how these vulnerabilities can be exploited and recognizing the specific threats they pose is crucial for protecting against potential risks," said the report.