Ivanti Vulnerability Exploited to Install ‘DSLog’ Backdoor on Over 670 IT Infrastructures


Threat actors are exploiting a recently disclosed vulnerability affecting Ivanti Connect Secure, Policy Secure, and ZTA gateways to deploy a backdoor codenamed DSLog on susceptible devices.

That’s according to findings from Orange Cyberdefense, which says it observed exploitation of CVE-2024-21893 within hours of the public release of proof-of-concept (PoC) code.

CVE-2024-21893, disclosed by Ivanti late last month alongside CVE-2024-21888, is a server-side request forgery (SSRF) vulnerability in the SAML component that, if successfully exploited, allows access to otherwise restricted resources without any authentication.

The Utah-based company has since acknowledged that the flaw had been exploited in limited targeted attacks, although the exact extent of the compromises is unclear.

Last week, the Shadowserver Foundation revealed a wave of exploit attempts targeting the vulnerability from more than 170 unique IP addresses, shortly after both Rapid7 and Assetnote published additional technical details.

Orange Cyberdefense’s latest analysis shows that compromises were discovered as early as February 3, with the attack targeting an unnamed customer to inject a backdoor that grants persistent remote access.

“The backdoor is inserted into an existing Perl file named ‘DSLog.pm,’” the company said, highlighting an ongoing pattern of modifying existing legitimate components – in this case a logging module – to insert the malicious code.


DSLog, the implant, comes equipped with its own tricks to hinder analysis and detection, including embedding a unique hash per device, which makes it impossible to reuse a hash recovered from one device to contact the same backdoor on another.

The attackers supply that same hash value in the User-Agent header field of an HTTP request to the device; when it matches, the malware extracts the command to execute from a query parameter called ‘cdi’. The decoded instruction is then executed as the root user.

“The web shell does not return a status/code when contacted,” Orange Cyberdefense said. “There is no known way to detect it directly.”

Furthermore, the company has observed evidence of threat actors wiping “.access” logs on “multiple” devices in an attempt to hide the forensic trail and stay under the radar.
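The trigger pattern described above (a ‘cdi’ query parameter carrying the command, and the per-device hash sent in the User-Agent header) can be hunted for in any request logs that survive, for example on an upstream load balancer, reverse proxy or WAF when the appliance’s own “.access” logs have been wiped. The following is an added example written for this article, not code from Orange Cyberdefense or Ivanti. It assumes logs in the common combined format, and it assumes the hash appears in the User-Agent as a bare hex string of at least 32 characters; the report quoted here does not state the hash’s length or encoding, nor how the ‘cdi’ value is encoded, so the value is reported raw rather than decoded. The log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Parser for combined log format:
# ip ident user [timestamp] "METHOD target PROTO" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# ASSUMPTION: the per-device hash is sent as a bare hex string in User-Agent.
# The article only says "a unique hash per device"; length and encoding are not
# given, so anything purely hex and >= 32 characters is treated as hash-like.
HEX_UA_RE = re.compile(r'^[0-9a-fA-F]{32,}$')

# Constructed sample log lines (hypothetical IPs, paths, hash and cdi values).
SAMPLE_LOG = """\
10.0.0.5 - - [03/Feb/2024:10:12:01 +0000] "GET /welcome.cgi HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
198.51.100.7 - - [03/Feb/2024:10:13:44 +0000] "GET /welcome.cgi?cdi=aWQ HTTP/1.1" 200 0 "-" "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
203.0.113.9 - - [03/Feb/2024:10:14:02 +0000] "GET /welcome.cgi?cdi=d2hvYW1p HTTP/1.1" 200 0 "-" "curl/8.4.0"
203.0.113.9 - - [03/Feb/2024:10:14:30 +0000] "GET /welcome.cgi HTTP/1.1" 200 0 "-" "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
10.0.0.6 - - [03/Feb/2024:10:15:11 +0000] "POST /login.cgi HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict of log fields plus parsed query params, or None if the line
    does not match the combined log format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["params"] = parse_qs(urlsplit(entry["target"]).query, keep_blank_values=True)
    return entry


def classify(entry):
    """Score one request against the DSLog trigger pattern.

    Both indicators together are the strongest signal; 'cdi' alone is still
    worth a look, and a hash-like User-Agent alone is low confidence because
    some legitimate API clients also send opaque tokens there.
    Returns a verdict string, or None when nothing matches."""
    has_cdi = "cdi" in entry["params"]
    hash_ua = bool(HEX_UA_RE.match(entry["ua"]))
    if has_cdi and hash_ua:
        return "high: cdi parameter with hash-like User-Agent (DSLog trigger pattern)"
    if has_cdi:
        return "medium: cdi parameter present"
    if hash_ua:
        return "low: hash-like User-Agent only"
    return None


def hunt(log_text):
    """Run the heuristic over raw log text and return hits as
    (source ip, verdict, raw cdi value or None) tuples, in log order."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        verdict = classify(entry)
        if verdict:
            cdi = entry["params"].get("cdi", [None])[0]
            hits.append((entry["ip"], verdict, cdi))
    return hits


if __name__ == "__main__":
    for ip, verdict, cdi in hunt(SAMPLE_LOG):
        print(f"{ip}\t{verdict}\tcdi={cdi}")
```

Because the implant returns no status or body, response codes and sizes tell you nothing; the request side (parameter name and the unusual User-Agent) is the only thing this heuristic can key on, and absence of hits in wiped device logs is not evidence of absence.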

But by checking for the artifacts left behind when the SSRF vulnerability is triggered, the company said it was able to identify 670 compromised assets during an initial scan on February 3, a number that dropped to 524 as of February 7.

In light of the continued exploitation of Ivanti devices, it is strongly recommended that “all customers should factory reset their device before applying the patch to prevent the threat actor from gaining upgrade persistence in your environment.”
