Protecting Networks from Opportunistic Ivanti Pulse Secure Vulnerability Exploitation

May 10, 2024, 9:27 a.m.

Description

Juniper Threat Labs has observed attempts to exploit Ivanti Pulse Secure authentication bypass and remote code execution vulnerabilities (CVE-2023-46805 and CVE-2024-21887), leading to the delivery of Mirai botnet payloads. This analysis explores the vulnerabilities, exploitation methods, observed payloads, and Juniper's response, highlighting the importance of understanding and mitigating these threats to protect network security.

Date

  • Created: May 10, 2024, 9:06 a.m.
  • Published: May 10, 2024, 9:06 a.m.
  • Modified: May 10, 2024, 9:27 a.m.

Indicators


Attack Patterns

  • Mirai
  • T1609
  • T1082
  • T1105
  • T1204
  • T1190
  • T1059
  • CVE-2024-21887
  • CVE-2023-46805