Risk actors are leveraging a just lately disclosed safety flaw impacting Ivanti Join Safe, Coverage Safe, and ZTA gateways to deploy a backdoor codenamed DSLog on vulnerable units.
That is based on findings from Orange Cyberdefense, which stated it noticed the exploitation of CVE-2024-21893 inside hours of the general public launch of the proof-the-concept (PoC) code.
CVE-2024-21893, which was disclosed by Ivanti late final month alongside CVE-2024-21888, refers to a server-side request forgery (SSRF) vulnerability within the SAML module that, if efficiently exploited, may allow entry to in any other case restricted assets sans any authentication.
The Utah-based firm has since acknowledged that the flaw has restricted focused assaults, though the precise scale of the compromises is unclear.
Then, final week, the Shadowserver Basis revealed a surge in exploitation makes an attempt concentrating on the vulnerability originating from over 170 distinctive IP addresses, shortly after each Rapid7 and AssetNote shared further technical specifics.
Orange Cyberdefense’s newest evaluation reveals that compromises have been detected as early as February 3, with the assault concentrating on an unnamed buyer to inject a backdoor that grants persistent distant entry.
“The backdoor is inserted into an existing Perl file called ‘DSLog.pm,'” the corporate stated, highlighting an ongoing pattern wherein existing legitimate components – on this case, a logging module – are modified so as to add the malicious code.
DSLog, the implant, comes fitted with its personal tips to hamper evaluation and detection, together with embedding a novel hash per equipment, thereby making it not possible to make use of the hash to contact the identical backdoor on one other gadget.
The identical hash worth is equipped by the attackers to the User-Agent header field in an HTTP request to the equipment to permit the malware to extract the command to be executed from a question parameter referred to as “cdi.” The decoded instruction is then run as the foundation consumer.
“The web shell does not return status/code when trying to contact it,” Orange Cyberdefense stated. “There is no known way to detect it directly.”
It additional noticed proof of risk actors erasing “.access” logs on “multiple” home equipment in a bid to cowl up the forensic path and fly underneath the radar.
However by checking the artifacts that had been created when triggering the SSRF vulnerability, the corporate stated it was capable of detect 670 compromised belongings throughout an preliminary scan on February 3, a quantity that has dropped to 524 as of February 7.
In gentle of the continued exploitation of Ivanti units, it is highly recommended that “all customers factory reset their appliance before applying the patch to prevent the threat actor from gaining upgrade persistence in your environment.”
Author: data@thehackernews.com (The Hacker Information)
Date: 2024-02-13 02:03:00