Ivanti Vulnerability Exploited to Install ‘DSLog’ Backdoor on 670+ IT Infrastructures

February 13, 2024 at 02:15AM

Threat actors are exploiting a security flaw in Ivanti Connect Secure, Policy Secure, and ZTA gateways to deploy a backdoor called DSLog. The flaw (CVE-2024-21893) allows access to restricted resources without authentication. Orange Cyberdefense observed attacks targeting an unnamed customer and recommends factory resetting Ivanti devices to prevent continued exploitation.

Key takeaways from the article:

1. Threat actors are leveraging a recently disclosed security flaw impacting Ivanti Connect Secure, Policy Secure, and ZTA gateways to deploy a backdoor codenamed DSLog on susceptible devices.

2. The exploit is based on a server-side request forgery (SSRF) vulnerability in the SAML module, enabling access to restricted resources without authentication.

3. There has been a surge in exploitation attempts targeting the vulnerability from over 170 unique IP addresses, with evidence of threat actors erasing access logs to cover up their tracks.

4. The DSLog backdoor is injected into an existing Perl file on the appliance and functions as a web shell. Each implant carries a unique per-appliance hash that acts as its API key, so there is no single value that identifies every infected device, which complicates detection.

5. Orange Cyberdefense recommends that all customers factory reset their Ivanti appliances before applying the patch, so that an attacker already on the device cannot persist through the upgrade.

These takeaways summarize the main points of the article on the vulnerability and the DSLog backdoor.
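Because the backdoor is written into an existing Perl file rather than dropped as a new binary, the practical check is file integrity against a known-good baseline: hash every Perl source file on a clean appliance, then re-hash and diff. The script below is an added illustration of that technique, not Orange Cyberdefense's or Ivanti's tooling; the directory layout (`perl/AppLog.pm`, `perl/Util.pm`), the module contents and the appended stub are all constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed sample: a clean Perl module as it would ship on the appliance.
CLEAN_MODULE = "package AppLog;\nsub log_msg { my ($msg) = @_; print STDERR \"$msg\\n\"; }\n1;\n"

# Constructed sample: a web-shell-style stub appended to the module, standing in for
# an implant that executes attacker-supplied commands (illustrative, not the real DSLog code).
IMPLANT_STUB = "sub handle { my ($cmd) = @_; return `$cmd`; }\n"


def sha256_file(path):
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, suffixes=(".pm", ".pl", ".cgi")):
    """Map POSIX-style relative path -> SHA-256 for every Perl source file under root."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix in suffixes
    }


def compare_to_baseline(root, baseline):
    """Return files whose hash changed, files removed, and files that are new since the baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }


def demo():
    """Build a clean tree, baseline it, tamper with one module, add a file, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "perl").mkdir()
        (root / "perl" / "AppLog.pm").write_text(CLEAN_MODULE)
        (root / "perl" / "Util.pm").write_text("package Util;\n1;\n")
        baseline = build_baseline(root)

        # Simulate the implant: append the stub to an existing module (file keeps its name
        # and location, so only the content hash reveals the change) and drop one extra script.
        with open(root / "perl" / "AppLog.pm", "a") as f:
            f.write(IMPLANT_STUB)
        (root / "perl" / "extra.pl").write_text("print 1;\n")

        return compare_to_baseline(root, baseline)


if __name__ == "__main__":
    print(demo())
```

The baseline must come from trusted media or a vendor-published manifest, and the comparison should run from outside the suspect appliance where possible: an attacker with root on the device can alter both the files and any on-box checker, which is precisely why the article's recommendation is a factory reset rather than a clean-up of the modified file.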