Threat actors exploited a recently disclosed security flaw affecting Ivanti Connect Secure, Policy Secure, and ZTA gateways to deploy a backdoor codenamed DSLog on susceptible devices.
This is according to findings from Orange Cyberdefense, which says it observed the CVE-2024-21893 exploit within hours of the public release of the proof-of-concept (PoC) code.
CVE-2024-21893, disclosed by Ivanti late last month along with CVE-2024-21888, refers to a server-side request forgery (SSRF) vulnerability in the SAML module that, if successfully exploited, could allow an attacker to access restricted resources without any authentication.
The Utah-based company has since acknowledged that the flaw had been exploited in limited targeted attacks, though the exact scale of the compromises is unclear.
Then, last week, the Shadowserver Foundation revealed a flurry of exploit attempts targeting the vulnerability originating from more than 170 unique IP addresses, shortly after Rapid7 and AssetNote shared more technical details.
The latest analysis by Orange Cyberdefense shows that compromises were detected as early as February 3, with the attack targeting an unnamed customer to inject a backdoor that provides persistent remote access.
"The backdoor was embedded in an existing Perl file called 'DSLog.pm,'" the company said, highlighting an ongoing pattern in which existing legitimate components, in this case a logging module, are modified to add malicious code.
DSLog, the implant, has its own tricks to prevent analysis and detection, including embedding a unique hash per appliance, thus making it impossible to use the hash to contact the same backdoor in another device.
The same hash value is passed by the attackers in the User-Agent header field of an HTTP request to the appliance, allowing the malware to retrieve the command to be executed from a query parameter called "cdi." The decoded instruction is then run as the root user.
“The web shell does not return a status/code when trying to contact it,” said Orange Cyberdefense. “There is no known way to know this directly.”
It further observed evidence of threat actors deleting “.access” logs on “numerous” appliances in a bid to cover the forensic trail and fly under the radar.
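The two observations above, a request pattern (a hash-like User-Agent combined with a `cdi` query parameter) and suspicious gaps in access logs, both lend themselves to a retrospective log sweep. The following is an added example, not code from Orange Cyberdefense or Ivanti: it parses a handful of constructed access-log lines in a generic web-server layout (an assumption; the real appliance log format is not described in this article), flags requests carrying a `cdi` parameter, notes whether their User-Agent looks like a hex digest (also an assumption about what "unique hash" means), and reports timestamp gaps larger than a threshold that might indicate deleted entries. IPs, timestamps, paths and header values in the sample are all made up.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in a common web access-log layout (NOT real
# Ivanti appliance output); every IP, timestamp and header value is made up.
SAMPLE_LOG = """\
198.51.100.7 - - [03/Feb/2024:10:00:01 +0000] "GET /welcome.cgi HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
198.51.100.7 - - [03/Feb/2024:10:00:05 +0000] "GET /index.html?cdi=EXAMPLE HTTP/1.1" 200 0 "-" "3f2a9c1b7d4e5f60a1b2c3d4e5f60718"
203.0.113.9 - - [03/Feb/2024:10:00:09 +0000] "GET /welcome.cgi HTTP/1.1" 200 1532 "-" "curl/8.0"
203.0.113.9 - - [03/Feb/2024:16:30:00 +0000] "GET /welcome.cgi HTTP/1.1" 200 1532 "-" "curl/8.0"
"""

# Generic combined-log-format pattern (assumption: not the appliance's own format).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Assumption: the per-appliance "unique hash" is sent as a bare hex digest.
HEX_UA_RE = re.compile(r'^[0-9a-fA-F]{32,64}$')


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    entry["query"] = parse_qs(urlsplit(entry["target"]).query)
    return entry


def find_cdi_requests(lines):
    """Return parsed entries whose query string carries a 'cdi' parameter.

    Each hit gets a 'hash_like_ua' flag so an analyst can prioritise requests
    whose User-Agent looks like a digest rather than a browser string.
    """
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry and "cdi" in entry["query"]:
            entry["hash_like_ua"] = bool(HEX_UA_RE.match(entry["ua"]))
            hits.append(entry)
    return hits


def find_log_gaps(lines, max_gap=timedelta(hours=1)):
    """Return (previous_ts, next_ts) pairs where consecutive entries are further
    apart than max_gap. On a busy appliance a multi-hour hole in an otherwise
    continuous log is worth correlating with other evidence of log deletion."""
    entries = [e for e in map(parse_line, lines) if e]
    gaps = []
    for earlier, later in zip(entries, entries[1:]):
        if later["ts"] - earlier["ts"] > max_gap:
            gaps.append((earlier["ts"], later["ts"]))
    return gaps


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for hit in find_cdi_requests(lines):
        print(f"cdi request from {hit['ip']} at {hit['ts']} hash-like UA: {hit['hash_like_ua']}")
    for start, end in find_log_gaps(lines):
        print(f"log gap: {start} -> {end}")
```

The gap threshold is a tuning knob, not a rule: on a lightly used gateway an hour of silence is normal, so pair the gap check with the appliance's expected traffic profile and with the integrity of the log files themselves (size, rotation times, file timestamps) before treating a hole as evidence of tampering.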
But by examining the artifacts created when the SSRF vulnerability was triggered, the company said it found 670 compromised assets during an initial scan on February 3, a number that fell to 524 on February 7.
In light of the continuous exploitation of Ivanti tools, it is highly recommended that "all customers factory reset their appliance before applying the patch to prevent the threat actor from claiming to continue upgrading your environment."