Ivanti VPN Flaw Exploited to Inject Novel Backdoor; Hundreds Pwned

Threat actors continue to hammer the five security vulnerabilities that have have been recently disclosed in Ivanti VPN appliances. This week, researchers said attackers are injecting a never-before-seen backdoor for persistent remote access within target networks — so far compromising 670+ IT infrastructures in a mass-exploitation campaign.

Ivanti disclosed the vulnerability (a server-side request forgery vulnerability in the SAML component tracked as CVE-2024-21893) on Jan. 31, along with an additional new bug and fixes for two previously disclosed flaws. On Feb. 3, researchers at Orange Cyberdefense spotted a compromised Ivanti appliance infected with a novel backdoor, called "DSLog" after a legitimate logging module within the device.

"This appliance had the initial XML mitigation (API endpoints blocked) in place but not yet the second mitigation (or patch)," Cyberdefense's new advisory explained. Upon closer examination, the backdoor turned out to be "interesting" because it's controlled with a basic "API key" mechanism, the report explained. Also, it's different from previous webshells used in campaigns targeting the Ivanti bugs: 1), because the webshell does not return a status message after contact, so there is no known way to detect it directly; and 2), DSLog uses a unique hash per appliance. "This hash cannot be used to contact the same backdoor implemented in another device," the firm explained.

Cyberdefense cautioned in its report that the Ivanti Integrity Checker Tool isn't a completely accurate method of compromise detection, but it remains a useful tool.

If cyber teams can check these boxes, their systems are probably in the clear, according to the report:

"If these are true, then the device is probably free from compromise," the researchers added.

This is not the first instance of threat actors, including China-backed state cyberattackers, dropping pioneering malware on unprotected Ivanti systems. The Cyberdefense report advised that any compromised Ivanti device or potential target of Chinese threat actors should conduct a factory reset with full patching. There are some Ivanti appliance versions without an available patch, the Cyberdefense team added, in which case cyber teams are advised to apply the XML mitigation as a stopgap and continue to check back for a more permanent patch.