After executing several PowerShell scripts via WhatsUp Gold's Active Monitor PowerShell Script functionality, the threat actors abused the Windows 'msiexec.exe' utility to install the Atera Agent, SimpleHelp Remote Access, Splashtop Remote, and Radmin remote access tools for persistence and further payload deployment.
No active exploitation of the vulnerability, which stems from an untrusted data serialization issue in the agent portal, has been observed so far, according to Ivanti, which also patched nearly two dozen other critical- and high-severity bugs in EPM, Cloud Service Appliance, and Workspace Control.
Intrusions leveraging the vulnerability have facilitated the distribution not only of the GOREVERSE reverse proxy server but also of the Condi malware, the Mirai botnet variant Jenx, and four other cryptocurrency mining payloads.
This development comes just after SonicWall advised organizations running Gen 5, Gen 6, and Gen 7 firewall devices to immediately apply the issued fixes amid potential in-the-wild exploitation of the flaw, which also affects the firewalls' SSLVPN functionality.