Backdoor Blitz: Hackers Exploit Ivanti Flaw for Stealthy DSLog Assault

Beware, digital overlords! Ivanti gateways face a comedic calamity as threat actors deploy ‘DSLog’, a backdoor more sneaky than a ninja in socks. Brace for tech’s latest punchline: CVE-2024-21893. #BackdoorBonanza

Hot Take:

When life gives you SSRFs, make… backdoors? That seems to be the mantra of threat actors who turned a freshly squeezed Ivanti Connect Secure flaw into a cocktail of chaos, complete with a backdoor garnish dubbed DSLog. With exploitation faster than a microwave minute, it’s a stark reminder that in the cyber world, there’s no such thing as a lazy Sunday. Even your server’s SAML module isn’t safe from having its logs turned into a Trojan horse’s Airbnb.

Key Points:

  • Ivanti’s got a security hangover with an SSRF vulnerability (CVE-2024-21893) leading to unauthorized access—a real party crasher.
  • The DSLog backdoor is the uninvited guest lurking in the server’s Perl files, and it’s got more tricks than a magician with a rabbit.
  • Attacks were as swift as a cheetah on a skateboard, starting mere hours after the PoC code was released.
  • Orange Cyberdefense is playing detective, finding 670 compromised assets faster than you can say “oops.”
  • Reset and patch your Ivanti appliances, or you might as well leave the keys in the door for the cyber boogeyman.

CVE ID: CVE-2024-21893
CVE state: PUBLISHED
CVE assigner short name: hackerone
CVE date updated: 01/31/2024
CVE description: A server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA allows an attacker to access certain restricted resources without authentication.

CVE ID: CVE-2024-21888
CVE state: PUBLISHED
CVE assigner short name: hackerone
CVE date updated: 01/31/2024
CVE description: A privilege escalation vulnerability in the web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows a user to elevate privileges to that of an administrator.

Need to know more?

Exploitation at the Speed of Light

Imagine if your favorite superhero decided to go rogue; that's kind of what happened here. CVE-2024-21893 was disclosed, and faster than you can say "zero-day," attackers were all over it like ants on a spilled milkshake. These cyber villains didn't waste any time crafting their nifty backdoor, proving that punctuality is just as important in the underworld.

DSLog: The Backdoor Tailor

DSLog isn't your average malware; it's the James Bond of backdoors—suave, sophisticated, and harder to detect than a chameleon in a crayon box. It's so good at hide-and-seek that it embeds a unique hash in each appliance, ensuring that no two secret handshakes are the same. This is no amateur hour; it's the work of pros who know their Perl like a poet knows pentameter.

The Cleanup Crew

These attackers are tidier than a compulsive cleaner, erasing their tracks like they're wiping away dust before an in-law's visit. But even the best cleaners leave a little something behind, and that's how Orange Cyberdefense caught a whiff of something fishy. By looking at the artifacts left behind by the SSRF exploitation, they could sniff out the compromised assets. Talk about a cyber-sleuthing success story!

A Patch in Time Saves Nine... Hundred Appliances

If you're running Ivanti, consider this your wake-up call. Don't hit snooze; it's time to factory reset and patch up faster than a kid with a skinned knee. Otherwise, you're just rolling out the red carpet for the attackers, asking them to take their shoes off and stay awhile. Remember, an ounce of prevention is worth a pound of cure—or in this case, worth about 670 fewer compromised assets.

Tags: CVE-2024-21893, DSLog backdoor, Ivanti Connect Secure, Malware Analysis, patch management, SSRF vulnerability, threat actors