
DSLog backdoor is installed via SSRF vulnerability in Ivanti

Hackers are exploiting an SSRF (server-side request forgery) vulnerability in Ivanti Connect Secure, Policy Secure and ZTA gateways to install a new backdoor, DSLog, on vulnerable devices.



The vulnerability, tracked as CVE-2024-21893, was disclosed as a zero-day on 31 January 2024, when Ivanti published security updates and mitigation guidance.

The issue lies in the SAML component of the affected products and allows attackers to bypass authentication and access restricted resources on Ivanti gateways running versions 9.x and 22.x.

The flaw is fixed in the following versions: Ivanti Connect Secure 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2, 22.5R1.1 and 22.5R2.2; Ivanti Policy Secure 22.5R1.1; and ZTA 22.6R1.3.

On 5 February 2024, the threat monitoring service Shadowserver reported that multiple attackers had been observed attempting to exploit the vulnerability, some using the PoC previously published by Rapid7; the exact success rate was unknown at the time.

A new report from Orange Cyberdefense confirms successful exploitation of the SSRF vulnerability, CVE-2024-21893, to install a new backdoor named DSLog, which lets the attackers execute commands remotely on compromised Ivanti servers.

Orange reports that it first identified the new backdoor on 3 February 2024, while analysing a compromised device that had applied Ivanti's mitigation XML file (which blocks all API endpoints) but had not installed the patch.

Examining the logs of the compromised Ivanti device, Orange's researchers found that the backdoor had been inserted into the device's code by sending SAML authentication requests containing encoded commands.


These commands performed operations such as writing system information to a publicly accessible file (index2.txt), indicating that the attackers were performing internal reconnaissance and confirming that they had root access.

DSLog backdoor

The backdoor is inserted into the DSLog file, which is responsible for logging various kinds of authenticated web requests and system events.

The attackers used a unique SHA256 hash per device as the API key: the hash must be supplied in the HTTP User-Agent header for a command to be executed. Orange explains that the hash for one device cannot be used to communicate with the backdoor on any other device.

The main function of the backdoor is to execute commands as root. Orange says DSLog can run "any commands" on the compromised device, received from the attackers via HTTP requests.

Orange was unable to determine the scheme used to calculate the SHA256 hash, and noted that the '.access' logs had been deleted from many hacked devices to hide the attackers' actions.

Nevertheless, by examining other evidence, such as the 'index' text files left under 'hxxp://{ip}/dana-na/imgs/', the researchers identified nearly 700 compromised Ivanti servers.

About 20% of these devices had already been hit by earlier campaigns, while the rest were compromised only because the latest patches or mitigations had not been applied.
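Two of the indicators described above can be turned into a simple log check: a request whose User-Agent is a bare SHA256 hex digest (the per-device API key DSLog expects) and a request for an index*.txt file under /dana-na/imgs/. The following Python script is an added example, not code from the Orange Cyberdefense report or from Ivanti. The log lines are constructed samples in NCSA combined format; the assumption that the appliance's web logs can be parsed that way, and that the digest appears as the whole User-Agent value, are assumptions of this example.

```python
import re
from typing import Dict, List, Optional

# Constructed sample lines in NCSA combined log format. They are illustrative only,
# not real Ivanti logs; the 64-hex User-Agent below is simply SHA-256("test").
SAMPLE_LOG = """\
203.0.113.10 - - [03/Feb/2024:10:12:01 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
198.51.100.7 - - [03/Feb/2024:10:13:44 +0000] "GET /dana-na/imgs/index2.txt HTTP/1.1" 200 2048 "-" "curl/8.4.0"
198.51.100.7 - - [03/Feb/2024:10:14:02 +0000] "POST /dana-na/auth/saml-sso.cgi HTTP/1.1" 200 312 "-" "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"
203.0.113.22 - - [03/Feb/2024:10:15:10 +0000] "GET /dana-na/imgs/logo.png HTTP/1.1" 200 8800 "-" "Mozilla/5.0 (X11; Linux x86_64)"
"""

# Combined log format: ip ident user [ts] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# DSLog requires a per-device SHA-256 hex digest as the API key in the User-Agent header.
SHA256_UA = re.compile(r'^[0-9a-f]{64}$', re.IGNORECASE)
# Compromised appliances were located via index*.txt files dropped under /dana-na/imgs/.
INDEX_DROP = re.compile(r'^/dana-na/imgs/index\d*\.txt$', re.IGNORECASE)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one combined-format line; return None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_indicators(log_text: str) -> List[Dict[str, str]]:
    """Return one hit per (line, indicator) pair found in the log text."""
    hits: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        reasons = []
        if SHA256_UA.match(rec["ua"]):
            reasons.append("sha256-user-agent")
        if INDEX_DROP.match(rec["path"]):
            reasons.append("imgs-index-file")
        for reason in reasons:
            hits.append({"ip": rec["ip"], "ts": rec["ts"], "path": rec["path"],
                         "ua": rec["ua"], "reason": reason})
    return hits


def suspicious_ips(log_text: str) -> List[str]:
    """Distinct source IPs, in order of first appearance, that triggered an indicator."""
    seen: List[str] = []
    for hit in find_indicators(log_text):
        if hit["ip"] not in seen:
            seen.append(hit["ip"])
    return seen


if __name__ == "__main__":
    for h in find_indicators(SAMPLE_LOG):
        print(f'{h["ts"]} {h["ip"]} {h["reason"]} {h["path"]} UA={h["ua"]}')
```

Because the report notes that the '.access' logs were wiped on many hacked devices, an empty result from this check is not evidence of a clean appliance; run it against log copies forwarded to a syslog or SIEM collector rather than only against the device itself, and pair it with an external check for the presence of index*.txt under /dana-na/imgs/.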

Administrators are advised to follow Ivanti's latest guidance to address all attacks on the vendor's products, whether they leverage this SSRF flaw or any of the other recently disclosed vulnerabilities affecting Ivanti devices.


What is the basic idea of backdoor threats?

The basic idea of backdoor threats is to bypass the normal methods of accessing a system or network, enabling the attacker to control, spy on or cause damage. Backdoors can be installed in a variety of ways, including software vulnerabilities, malware or even physical attacks.

Detecting backdoors can be difficult, as they are often designed to remain hidden, using techniques such as hiding communication and changing their behaviour to avoid detection.

To counter backdoor threats, it is essential to use up-to-date security solutions, educate users to recognise and avoid malicious attacks and conduct regular security audits.

Source: bleepingcomputer

Absenta Mia