Recently disclosed vulnerabilities in Ivanti Connect Secure, Policy Secure, and ZTA gateways have been exploited by threat actors to implant a backdoor named DSLog on vulnerable systems. Findings from Orange Cyberdefense indicate that the exploitation of CVE-2024-21893 occurred within hours following the public release of its proof-of-concept code.
The identified vulnerability, CVE-2024-21893, which was revealed late last month alongside CVE-2024-21888, is a server-side request forgery (SSRF) flaw affecting the SAML module. If exploited, this vulnerability could allow unauthorized access to restricted resources without proper authentication. Ivanti, headquartered in the United States, confirmed that the flaw has led to targeted attacks, although the scope of affected systems remains uncertain.
Last week, the Shadowserver Foundation reported a significant increase in attempts to exploit the SSRF vulnerability, originating from over 170 distinct IP addresses. This surge followed additional technical disclosures by Rapid7 and AssetNote, revealing further details about the vulnerabilities.
Orange Cyberdefense’s analysis indicated that compromises may have started as early as February 3, with attacks aimed at an unnamed customer to establish a backdoor for persistent remote access. This malicious implant is integrated into an existing Perl file, ‘DSLog.pm’, illustrating a repeated tactic in which legitimate software components are modified to facilitate intrusions.
DSLog possesses built-in mechanisms to evade detection, including the use of a unique hash for each infected device, which makes it challenging to identify the same backdoor across different appliances. The attackers also encode the hash within the User-Agent header of HTTP requests directed at the appliance, facilitating the extraction of commands from a specific query parameter named “cdi.” The decoded commands are executed with root privileges, further complicating detection efforts.
According to Orange Cyberdefense, the web shell established by DSLog does not return any status or response, presenting significant challenges for detection. The threat actors have also been observed deleting “.access” logs on multiple devices to obscure their tracks, further undermining forensic capabilities.
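A defender-side triage pass over appliance web access logs, written here as an added example and not code from Orange Cyberdefense or Ivanti. It flags requests carrying the “cdi” query parameter described above and, as an assumed heuristic because the article does not give the exact encoding, User-Agent values that consist only of a hex digest; an empty response body is recorded only as a corroborating signal. The log lines, paths and User-Agent values are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in common log format with a trailing User-Agent.
# Paths and User-Agent values are invented for this example, not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [03/Feb/2024:10:01:12 +0000] "GET /welcome.cgi HTTP/1.1" 200 5120 "Mozilla/5.0 (Windows NT 10.0) Firefox/121.0"
203.0.113.9 - - [03/Feb/2024:10:02:44 +0000] "GET /example.cgi?cdi=abc123 HTTP/1.1" 200 0 "3f786850e387550fdab836ed7e6dc881de23001b"
198.51.100.8 - - [03/Feb/2024:10:03:01 +0000] "POST /login.cgi HTTP/1.1" 302 0 "Mozilla/5.0 (X11; Linux x86_64) Chrome/120.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ua>[^"]*)"$'
)

# Assumption: the per-device hash shows up as a bare MD5/SHA-1/SHA-256 hex
# string in the User-Agent. The article only says the hash is encoded there.
HEX_DIGEST_UA = re.compile(r'^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$', re.I)


def analyze(line):
    """Return a dict with the suspicious reasons for one log line, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    reasons = []
    query = parse_qs(urlsplit(m['target']).query, keep_blank_values=True)
    if 'cdi' in query:
        reasons.append('cdi query parameter present')
    if HEX_DIGEST_UA.match(m['ua']):
        reasons.append('User-Agent is a bare hex digest')
    # The web shell returns nothing, so an empty body strengthens the other
    # signals; on its own it is far too common to be worth flagging.
    if reasons and m['size'] in ('0', '-'):
        reasons.append('empty response body')
    return {'ip': m['ip'], 'ts': m['ts'], 'target': m['target'], 'reasons': reasons}


def scan(log_text):
    """Return analyzed entries that have at least one suspicious reason."""
    hits = []
    for line in log_text.splitlines():
        result = analyze(line)
        if result and result['reasons']:
            hits.append(result)
    return hits


if __name__ == '__main__':
    for hit in scan(SAMPLE_LOG):
        print(hit['ts'], hit['ip'], hit['target'], '; '.join(hit['reasons']))
```

Because the attackers were seen deleting “.access” logs, run this against log copies forwarded off the appliance (syslog, SIEM) rather than only the local files.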
During initial assessments conducted on February 3, 670 compromised devices were identified, a number that declined to 524 by February 7. As the exploitation of Ivanti devices continues, it is strongly advised that all customers perform a factory reset of their appliances prior to applying patches. This measure is essential to prevent threat actors from establishing persistent footholds within compromised environments.