Mirai Botnet Exploits Ivanti Connect Secure Flaws

Recent vulnerabilities in Ivanti Connect Secure devices have enabled attackers to deploy the Mirai botnet, according to security researchers from Juniper. These vulnerabilities, identified as CVE-2023-46805 and CVE-2024-21887, are currently being actively exploited.

The first vulnerability allows for authentication bypass, while the second enables command injection. Together, they permit attackers to execute arbitrary code and gain control over the compromised systems. In the attack chain observed by Juniper, these vulnerabilities were used to access the endpoint “/api/v1/license/key-status/,” which is susceptible to command injection.

According to a January analysis by Assetnote, the infection is triggered by a request to “/api/v1/totp/user-backup-code/,” where a sequence of injected commands deletes files, downloads a script from a remote server, makes it executable, and runs it, leading to infection of the system.

Security researcher Kashinath Pattan explained that the script is designed to download the Mirai malware from an IP address controlled by the attackers (“192.3.152[.]183”). “The discovery of these vulnerabilities for the delivery of the Mirai botnet highlights the ever-evolving landscape of cyber threats,” noted Pattan.
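As an added defender-side example (not from the article or from Juniper's research), the following Python scans constructed web-server access-log lines for requests to the two endpoints named above and checks a list of egress destinations against the download IP; the log format, sample lines and function names are assumptions.

```python
import posixpath
import re
from urllib.parse import unquote

# Endpoints named in the attack chain above, and the download host the article
# gives (defanged there as 192.3.152[.]183).
WATCHED_PATHS = ("/api/v1/license/key-status/", "/api/v1/totp/user-backup-code/")
MALWARE_HOST = "192.3.152.183"

# Assumed combined-style access-log layout: client, ident, user, [time], "METHOD path proto", status
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines; 203.0.113.0/24 is documentation space, not a real client.
SAMPLE_LOG = """\
203.0.113.10 - - [30/Jan/2024:10:01:02 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 512
203.0.113.55 - - [30/Jan/2024:10:02:17 +0000] "GET /api/v1/license/key-status/ HTTP/1.1" 200 318
203.0.113.55 - - [30/Jan/2024:10:02:19 +0000] "POST /api/v1/totp/user-backup-code/ HTTP/1.1" 200 77
203.0.113.55 - - [30/Jan/2024:10:02:21 +0000] "GET /api/v1/TOTP/user%2Dbackup%2Dcode/?x=1 HTTP/1.1" 200 77
"""

def normalize_path(raw: str) -> str:
    """Canonicalize a request path so encoded, mixed-case or dot-segment variants of a
    watched endpoint compare equal to its canonical form: strip the query string,
    percent-decode twice (double encoding), collapse dot-segments, lower-case."""
    path = unquote(unquote(raw.split("?", 1)[0]))
    trailing = path.endswith("/")
    path = posixpath.normpath(path).lower()
    return path + "/" if trailing and not path.endswith("/") else path

def scan_access_log(text: str) -> list[dict]:
    """Return one record per request whose normalized path is a watched endpoint."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        path = normalize_path(m["path"])
        if path in WATCHED_PATHS:
            hits.append({"src": m["src"], "ts": m["ts"], "path": path, "status": int(m["status"])})
    return hits

def scan_egress(destinations: list[str]) -> list[str]:
    """Return outbound destinations matching the malware download host."""
    return [d for d in destinations if d == MALWARE_HOST]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['src']} -> {hit['path']} ({hit['status']})")
```

Because Ivanti Connect Secure exposes these endpoints to legitimate clients as well, a hit is a triage signal to correlate with patch status and the egress check, not a confirmed compromise on its own.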

He added that in the future, these vulnerabilities are expected to be increasingly used to spread this and other malicious software.