Threat actors continue to exploit the recently disclosed vulnerabilities in Ivanti VPN appliances. Researchers have found that attackers are now injecting a previously unseen backdoor to keep persistent remote access into target networks, and that a mass-exploitation campaign has already compromised over 670 systems.
The vulnerability, CVE-2024-21893, a server-side request forgery (SSRF) flaw in the SAML component, was disclosed by Ivanti on January 31, along with one additional new bug and fixes for two previously disclosed flaws. Only a few days later, on February 3, researchers at Orange Cyberdefense found a compromised Ivanti appliance infected with a novel backdoor they named "DSLog," after the legitimate logging module on the device into which it was injected.
The compromised appliance had the initial XML mitigation (which blocks the affected API endpoints) in place, but not yet the second mitigation or the patch. On closer examination, the researchers found that DSLog is controlled through a basic "API key" mechanism and differs from the webshells seen in earlier campaigns against the Ivanti bugs in two ways: it returns no status message when contacted, so an external scanner cannot confirm its presence from the response, and it uses a hash that is unique to each appliance, so a key captured on one device is not a usable indicator for another. Orange Cyberdefense warned that Ivanti's Integrity Checker Tool (ICT) is not a fully reliable method of detecting compromise, though it remains useful.
To judge whether an appliance is compromised, security teams are advised to confirm all of the following: the appliance was mitigated early on; neither historical ICT results nor external ICT scans showed signs of compromise; and no other suspicious activity, such as matching IOCs, unusual log entries, or alerts from security tooling, was found elsewhere in the infrastructure. Only if all three checks pass is the device likely free from compromise.
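The two detection properties described above, no response body to fingerprint and a per-appliance key that cannot be shared as an IOC, push detection to the appliance's own file system and to the request side of its web logs. The following is an added example, not code from Orange Cyberdefense or Ivanti: it compares the logging module against a known-good hash (the idea behind an integrity check) and hunts access logs for requests that carry a key-shaped token rather than any specific key. The module content, the golden hash, the log format, the URL paths, and the assumption that the key is a 64-hex-character hash carried in the query string or User-Agent are all constructed for illustration; the page does not describe the real implant's protocol.

```python
import hashlib
import re
from typing import Iterable

# --- 1. Integrity check of the logging module --------------------------------
# Constructed stand-in for the appliance's legitimate logging module. The real
# module's content and golden hash are not on this page; a defender would take
# the baseline from a known-good appliance image or a vendor-supplied hash list.
KNOWN_GOOD_MODULE = (
    b"package DSLog;\nuse strict;\n"
    b"sub write { my ($lvl, $msg) = @_; print STDERR \"$lvl: $msg\\n\"; }\n"
    b"1;\n"
)
BASELINE_SHA256 = hashlib.sha256(KNOWN_GOOD_MODULE).hexdigest()

# Constructed copy with an appended block standing in for an injected handler.
# The block is illustrative only; it is not the real implant's code.
TAMPERED_MODULE = KNOWN_GOOD_MODULE.replace(
    b"1;\n",
    b"# hypothetical injected handler\nsub hook { system($cmd) if $key eq $API_KEY; }\n1;\n",
)


def module_tampered(current: bytes, baseline_sha256: str = BASELINE_SHA256) -> bool:
    """True if the on-disk module no longer matches the golden hash.

    This catches any modification, whatever was injected, so it does not depend
    on a shared indicator that a per-appliance key would defeat."""
    return hashlib.sha256(current).hexdigest() != baseline_sha256


# --- 2. Request-side hunting in web access logs ------------------------------
# Combined log format (ip, ident, user, [timestamp], "request", status, size,
# "referer", "user-agent"). Assumed for the constructed sample below.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Assumption: the API key looks like a 64-hex-character hash. We match the shape,
# never a specific value, because the value differs on every appliance.
HEX64_RE = re.compile(r"(?<![0-9a-f])[0-9a-f]{64}(?![0-9a-f])")


def suspicious_requests(log_lines: Iterable[str]) -> list[dict]:
    """Flag requests carrying a key-shaped token in the query string or User-Agent.

    The response is deliberately ignored: the backdoor returns no status message,
    so a 200 with an empty body is exactly what a successful command looks like."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path, _, query = m.group("target").partition("?")
        if HEX64_RE.search(query):
            carrier = "query"
        elif HEX64_RE.search(m.group("ua")):
            carrier = "user-agent"
        else:
            continue
        hits.append({"ip": m.group("ip"), "path": path, "carrier": carrier,
                     "status": m.group("status"), "size": m.group("size")})
    return hits


# Constructed access-log lines. Paths are hypothetical, not real appliance URLs.
# The key is derived here only so the sample is self-contained.
APPLIANCE_KEY = hashlib.sha256(b"constructed-appliance-id").hexdigest()
SAMPLE_LOG = [
    '10.0.0.5 - - [03/Feb/2024:10:01:12 +0000] "GET /portal/welcome.cgi HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    # 32-hex session id: legitimate, must not be flagged
    '10.0.0.5 - - [03/Feb/2024:10:01:13 +0000] "GET /portal/session.cgi?sid=0123456789abcdef0123456789abcdef HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    # key in the query string, empty 200 response
    f'203.0.113.9 - - [03/Feb/2024:10:02:40 +0000] "GET /portal/log.cgi?k={APPLIANCE_KEY}&c=id HTTP/1.1" 200 0 "-" "curl/8.4.0"',
    # key in the User-Agent, empty 200 response
    f'203.0.113.9 - - [03/Feb/2024:10:02:41 +0000] "GET /portal/log.cgi?c=uname+-a HTTP/1.1" 200 0 "-" "{APPLIANCE_KEY}"',
]


def assess(current_module: bytes, log_lines: Iterable[str]) -> dict:
    """Run both checks; either one firing is evidence worth escalating."""
    return {
        "module_tampered": module_tampered(current_module),
        "suspicious_requests": suspicious_requests(log_lines),
    }


if __name__ == "__main__":
    result = assess(TAMPERED_MODULE, SAMPLE_LOG)
    print("module tampered:", result["module_tampered"])
    for hit in result["suspicious_requests"]:
        print("suspicious request:", hit)
```

Two design points matter here. The integrity check is a file-level diff against a baseline, which is why the unique-per-appliance key does not help the attacker against it; its weakness, as the page notes of the ICT, is that it only finds what it is pointed at, so the log hunt complements it. The log hunt looks at the request, not the response, because the silent backdoor makes a 200 with a zero-byte body indistinguishable from a benign hit when only the response is examined.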
This is not the first time that threat actors, including China-backed state attackers, have targeted Ivanti systems with novel malware. In light of these attacks, the Orange Cyberdefense report recommends that any compromised Ivanti device, or any device that is a plausible target of Chinese threat actors, be factory reset and then fully patched. For appliance versions without an available patch, teams are advised to apply the XML mitigation as a stopgap and keep checking for a permanent fix.
In conclusion, the widespread exploitation of the Ivanti VPN vulnerabilities underscores the importance of promptly patching enterprise systems against known flaws, and of verifying, rather than assuming, that mitigations applied before a patch was available actually held. Organizations should stay vigilant and prioritize these measures to protect their networks and infrastructure from evolving threats.
