Threat actors continue to hammer out the five security vulnerabilities that have been recently disclosed in Ivanti VPN equipment. This week, researchers said attackers are inserting a never-before-seen backdoor for persistent remote access within target networks, compromising more than 670 IT infrastructures so far in a mass exploitation campaign.
Ivanti disclosed the vulnerability (a server-side request forgery vulnerability in the SAML component tracked as CVE-2024-21893) on January 31, along with a additional new bugs and fixes for two previously reported defects. On February 3, Orange Cyberdefense researchers identified a compromised Ivanti appliance infected with a new backdoor, called “DSLog” after a legitimate logging module within the device.
“This device had the initial XML mitigation (blocked API endpoints) but not yet the second mitigation (or patch),” the new Cyberdefense advisory explains. Upon closer examination, the backdoor turned out to be “interesting,” because it is controlled with a basic “API key” mechanism, the report explains. Furthermore, it is different from previous webshells used in campaigns targeting Ivanti bugs: 1), because the webshell does not return a status message after contact, so there is no known way to detect it directly; and 2), DSLog uses a unique hash for each device. “This hash cannot be used to contact the same backdoor deployed on another device,” the company explained.
Cyberdefense warned in its report that the Ivanti Integrity Checker Tool is not a completely accurate method for detecting compromises, but it remains a useful tool.
If IT teams can check these boxes, their systems will likely be in the clear, according to the report:
-
your device has been mitigated early (around January 11th onwards)
-
no historical ICT nor external ICT scans have shown signs of compromise,
-
and no other suspicious behavior was seen elsewhere in the infrastructure, such as in IOCs, logs, or security solution alerts.
“If these are true, then the device is probably free from compromise,” the researchers added.
This is not the first instance of threat actors, including China-backed state-run attackers launching pioneering malware on unprotected Ivanti systems. THE Cyber Defense Report advised that any Ivanti device compromised or potentially targeted by Chinese threat actors should perform a fully patched factory reset. There are some versions of the Ivanti appliance without an available patch, the Cyberdefense team added, in which case IT teams are advised to apply the XML mitigation as an interim fix and continue to check for a more permanent patch.