
Posted by admin on 15 February 2024, 10:54:53


Threat actors are leveraging a recently disclosed security flaw impacting Ivanti Connect Secure, Policy Secure, and ZTA gateways to deploy a backdoor codenamed DSLog on susceptible devices.

That's according to findings from Orange Cyberdefense, which said it observed the exploitation of CVE-2024-21893 within hours of the public release of the proof-of-concept (PoC) code.

CVE-2024-21893, which was disclosed by Ivanti late last month alongside CVE-2024-21888, refers to a server-side request forgery (SSRF) vulnerability in the SAML module that, if successfully exploited, could permit access to otherwise restricted resources without any authentication.


The Utah-based company has since acknowledged that the flaw has been exploited in limited, targeted attacks, although the exact scale of the compromises is unclear.


Then, last week, the Shadowserver Foundation revealed a surge in exploitation attempts targeting the vulnerability originating from over 170 unique IP addresses, shortly after both Rapid7 and AssetNote shared additional technical specifics.

Orange Cyberdefense's latest analysis shows that compromises have been detected as early as February 3, with the attack targeting an unnamed customer to inject a backdoor that grants persistent remote access.

"The backdoor is inserted into an existing Perl file called 'DSLog.pm,'" the company said, highlighting an ongoing pattern in which existing legitimate components – in this case, a logging module – are modified to add the malicious code.



DSLog, the implant, comes fitted with its own tricks to hamper analysis and detection, including embedding a unique hash per appliance, thereby making it impossible to use the hash to contact the same backdoor on another device.


The same hash value is supplied by the attackers to the User-Agent header field in an HTTP request to the appliance to allow the malware to extract the command to be executed from a query parameter called "cdi." The decoded instruction is then run as the root user.
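The request pattern described above (a per-appliance hash carried in the User-Agent header, a command carried in a query parameter named "cdi") is something a defender can look for in exported web access logs, even though the implant itself returns nothing. The following is an added example, not code from the original report or from Orange Cyberdefense: a small Python scanner over constructed Combined Log Format lines that flags any request carrying a "cdi" parameter, and raises the severity when the User-Agent is a bare hex digest. The log format, the request path, the sample IP addresses, and the assumed hash length (32 to 64 hex characters) are all assumptions for the sake of the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: the appliance's web access log can be exported in Combined Log
# Format (Apache/NGINX style). The page does not specify the log layout.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Heuristic: a User-Agent consisting only of a long hex digest. The report says
# the operator places the per-appliance hash in User-Agent; the digest length
# is an assumption here (32-64 hex chars covers MD5 through SHA-256).
HASH_UA_RE = re.compile(r'^[0-9a-f]{32,64}$', re.IGNORECASE)

# Constructed sample log lines for the example; the path, IPs and hash value
# are invented, not indicators from the report.
SAMPLE_LOG = """\
203.0.113.10 - - [03/Feb/2024:08:12:01 +0000] "GET /index.cgi HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
203.0.113.77 - - [03/Feb/2024:08:13:44 +0000] "GET /index.cgi?cdi=aWQ= HTTP/1.1" 200 0 "-" "3f786850e387550fdab836ed7e6dc881de23001b"
198.51.100.5 - - [03/Feb/2024:08:14:02 +0000] "GET /index.cgi?cdi=aWQ= HTTP/1.1" 200 0 "-" "curl/8.4.0"
"""


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["query"] = parse_qs(urlsplit(entry["target"]).query)
    return entry


def classify(entry):
    """Return 'high', 'medium' or None for one parsed entry.

    high   : request carries a 'cdi' parameter AND the User-Agent is a bare hash
    medium : request carries a 'cdi' parameter with an ordinary User-Agent
    """
    if "cdi" not in entry["query"]:
        return None
    if HASH_UA_RE.match(entry["ua"]):
        return "high"
    return "medium"


def scan(log_text):
    """Return a list of findings (dicts) for every line that matches the heuristic."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        severity = classify(entry)
        if severity:
            findings.append({
                "severity": severity,
                "ip": entry["ip"],
                "ts": entry["ts"],
                "ua": entry["ua"],
                "cdi": entry["query"]["cdi"][0],
            })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['ts']} {f['ip']} cdi={f['cdi']!r} ua={f['ua']!r}")
```

Because the report notes that the attackers erased ".access" logs on several appliances, an empty or truncated log for a period in which the device was reachable is itself a signal worth recording alongside any hits; this scanner only covers the case where the log survived.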


"The web shell does not return status/code when trying to contact it," Orange Cyberdefense said. "There is no known way to detect it directly."

It further observed evidence of threat actors erasing ".access" logs on "multiple" appliances in a bid to cover up the forensic trail and fly under the radar.


But by checking the artifacts that were created when triggering the SSRF vulnerability, the company said it was able to detect 670 compromised assets during an initial scan on February 3, a number that has dropped to 524 as of February 7.


In light of the continued exploitation of Ivanti devices, it's highly recommended that "all customers factory reset their appliance before applying the patch to prevent the threat actor from gaining upgrade persistence in your environment."


