Hackers Exploit Ivanti Flaw to Install the DSLog Backdoor on More Than 670 IT Infrastructures

admin, 2024-02-15 10:54:53

Threat actors are leveraging a recently disclosed security flaw impacting Ivanti Connect Secure, Policy Secure, and ZTA gateways to deploy a backdoor codenamed DSLog on susceptible devices.

That's according to findings from Orange Cyberdefense, which said it observed exploitation of CVE-2024-21893 within hours of the public release of proof-of-concept (PoC) code.

CVE-2024-21893, which Ivanti disclosed late last month alongside CVE-2024-21888, is a server-side request forgery (SSRF) vulnerability in the SAML component that, if successfully exploited, allows access to otherwise restricted resources without any authentication.

The Utah-based company has since acknowledged that the flaw has been exploited in limited, targeted attacks, although the exact scale of the compromises is unclear.

Then, last week, the Shadowserver Foundation revealed a surge in exploitation attempts targeting the vulnerability originating from over 170 unique IP addresses, shortly after both Rapid7 and AssetNote shared additional technical specifics.

Orange Cyberdefense's latest analysis shows that compromises have been detected as early as February 3, with the attack targeting an unnamed customer to inject a backdoor that grants persistent remote access.

"The backdoor is inserted into an existing Perl file called 'DSLog.pm,'" the company said, highlighting an ongoing pattern in which existing legitimate components – in this case, a logging module – are modified to add the malicious code.

DSLog, the implant, comes fitted with its own tricks to hamper analysis and detection, including a unique hash embedded per appliance, so a hash recovered from one device cannot be used to contact the backdoor on another.

The attackers supply that same hash in the User-Agent header of an HTTP request to the appliance; when it matches, the malware extracts the command to be executed from a query parameter called "cdi," decodes it, and runs it as the root user.

"The web shell does not return status/code when trying to contact it," Orange Cyberdefense said. "There is no known way to detect it directly."

It further observed evidence of threat actors erasing ".access" logs on "multiple" appliances in a bid to cover their forensic trail and fly under the radar.
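The two behaviours above, a tasking request that carries the per-appliance hash in the User-Agent and the command in the "cdi" query parameter, and access logs that go missing, are what a responder would hunt for in exported appliance logs. The following Python script is an added example, not Orange Cyberdefense's tooling and not code from the appliance: it flags requests that pair a hash-like User-Agent with a "cdi" parameter, and lists days whose ".access" log is absent from a rotation inventory. The NCSA-style log layout, the sample lines, the request paths, and the bare-hex-digest heuristic for the User-Agent (the page only says "hash", not which algorithm) are all constructed assumptions.

```python
"""Hunt for DSLog-style tasking requests and erased access logs.

Added example; the log format, paths and hash heuristic are assumptions,
not details taken from the Orange Cyberdefense report or the appliance.
"""
import re
from datetime import date, timedelta
from urllib.parse import parse_qs, urlsplit

# Constructed sample log (NCSA-style layout assumed). Line 2 is the pattern
# described in the article: a bare hex digest as User-Agent plus a `cdi`
# parameter. Line 3 carries `cdi` without the hash and is weaker evidence.
SAMPLE_LOG = """\
198.51.100.4 - - [03/Feb/2024:09:58:12 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0)"
203.0.113.7 - - [03/Feb/2024:10:12:01 +0000] "GET /dana-na/auth/url_default/welcome.cgi?cdi=aWQ7IHVuYW1lIC1h HTTP/1.1" 200 0 "-" "9f0c2a7d3e4b5a6c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c"
203.0.113.7 - - [03/Feb/2024:10:12:05 +0000] "GET /dana-na/auth/url_default/welcome.cgi?cdi=aWQ= HTTP/1.1" 200 0 "-" "curl/8.4.0"
198.51.100.9 - - [03/Feb/2024:10:20:40 +0000] "POST /dana-na/auth/url_default/login.cgi HTTP/1.1" 302 0 "-" "Mozilla/5.0 (X11; Linux)"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# A User-Agent that is nothing but a hex digest of MD5, SHA-1 or SHA-256
# length. Which hash DSLog uses is not stated on the page; this is a guess
# that a real browser or tool would never send.
HASH_UA_RE = re.compile(r"^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$")
TASKING_PARAM = "cdi"


def parse_line(line):
    """Split one access-log line into fields; None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["query"] = parse_qs(urlsplit(rec["target"]).query)
    return rec


def score(rec):
    """Return (severity, reasons). Hash UA plus `cdi` is the full pattern
    from the article; either indicator alone only rates medium."""
    reasons = []
    if TASKING_PARAM in rec["query"]:
        reasons.append(f"query parameter {TASKING_PARAM!r} present")
    if HASH_UA_RE.match(rec["ua"]):
        reasons.append("User-Agent is a bare hex digest")
    if len(reasons) == 2:
        return "high", reasons
    if reasons:
        return "medium", reasons
    return None, reasons


def hunt(log_text):
    """Return one hit per suspicious line, keeping the raw `cdi` value.
    The page says the value is decoded before execution but not how, so
    it is reported as received rather than guessed at."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        sev, reasons = score(rec)
        if sev:
            hits.append({
                "ip": rec["ip"],
                "ts": rec["ts"],
                "severity": sev,
                "reasons": reasons,
                "cdi": rec["query"].get(TASKING_PARAM, [None])[0],
            })
    return hits


def missing_log_days(present_iso, start_iso, end_iso):
    """ISO dates in [start, end] with no rotated .access log. On an
    appliance that rotates daily, a hole like this is what the erased
    logs described in the article would look like from the outside."""
    present = {date.fromisoformat(d) for d in present_iso}
    d, end = date.fromisoformat(start_iso), date.fromisoformat(end_iso)
    gaps = []
    while d <= end:
        if d not in present:
            gaps.append(d.isoformat())
        d += timedelta(days=1)
    return gaps


if __name__ == "__main__":
    for h in hunt(SAMPLE_LOG):
        print(h)
    # Constructed rotation inventory: the 3 February log is absent.
    print(missing_log_days(["2024-02-01", "2024-02-02", "2024-02-04", "2024-02-05"],
                           "2024-02-01", "2024-02-05"))
```

Run it against a real export only after adjusting LOG_RE to the appliance's actual log layout; a line that does not parse is silently skipped, so confirm the parse rate first. A "high" hit gives you the attacker's source IP and timestamp to pivot on, and a missing log day tells you which period to reconstruct from upstream proxies or NetFlow.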

But by checking the artifacts that were created when triggering the SSRF vulnerability, the company said it was able to detect 670 compromised assets during an initial scan on February 3, a number that has dropped to 524 as of February 7.

In light of the continued exploitation of Ivanti devices, it's highly recommended that "all customers factory reset their appliance before applying the patch to prevent the threat actor from gaining upgrade persistence in your environment."

Originally published on the WeChat public account 知机安全: 黑客利用Ivanti漏洞,在670多个IT基础设施上安装了"DSLog"后门
Posted by admin on 2024-02-15 10:54:53. Please keep this link when reposting (CN-SEC, with thanks to the original author): http://cn-sec.com/archives/2492576.html