A SAML vulnerability in Ivanti appliances has led to persistent remote access and full control for opportunistic cyberattackers.

Dark Reading Staff, Dark Reading

February 13, 2024

2 Min Read
A man looking through back door window
Source: Urban Zone via Alamy Stock Photo

Threat actors continue to hammer the five security vulnerabilities that have have been recently disclosed in Ivanti VPN appliances. This week, researchers said attackers are injecting a never-before-seen backdoor for persistent remote access within target networks — so far compromising 670+ IT infrastructures in a mass-exploitation campaign.

Ivanti disclosed the vulnerability (a server-side request forgery vulnerability in the SAML component tracked as CVE-2024-21893) on Jan. 31, along with an additional new bug and fixes for two previously disclosed flaws. On Feb. 3, researchers at Orange Cyberdefense spotted a compromised Ivanti appliance infected with a novel backdoor, called "DSLog" after a legitimate logging module within the device.

"This appliance had the initial XML mitigation (API endpoints blocked) in place but not yet the second mitigation (or patch)," Cyberdefense's new advisory explained. Upon closer examination, the backdoor turned out to be "interesting" because it's controlled with a basic "API key" mechanism, the report explained. Also, it's different from previous webshells used in campaigns targeting the Ivanti bugs: 1), because the webshell does not return a status message after contact, so there is no known way to detect it directly; and 2), DSLog uses a unique hash per appliance. "This hash cannot be used to contact the same backdoor implemented in another device," the firm explained.

Cyberdefense cautioned in its report that the Ivanti Integrity Checker Tool isn't a completely accurate method of compromise detection, but it remains a useful tool.

If cyber teams can check these boxes, their systems are probably in the clear, according to the report:

  • your appliance was mitigated early on (around January 11th onward)

  • no historical ICT nor external ICT scans showed signs of compromise,

  • and no other suspicious behavior, i.e. in IOCs, logs, or alerts from security solutions was found in the rest of the infrastructure.

"If these are true, then the device is probably free from compromise," the researchers added.

This is not the first instance of threat actors, including China-backed state cyberattackers, dropping pioneering malware on unprotected Ivanti systems. The Cyberdefense report advised that any compromised Ivanti device or potential target of Chinese threat actors should conduct a factory reset with full patching. There are some Ivanti appliance versions without an available patch, the Cyberdefense team added, in which case cyber teams are advised to apply the XML mitigation as a stopgap and continue to check back for a more permanent patch.

About the Author(s)

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights