Network Security, Vulnerability Management, Patch/Configuration Management

Hundreds of vulnerable Ivanti servers impacted by novel DSLog backdoor

BleepingComputer reports that almost 700 Ivanti servers have been compromised with the novel DSLog backdoor in attacks that exploit CVE-2024-21893, a server-side request forgery flaw in the SAML component of Ivanti Connect Secure, Policy Secure, and ZTA gateways. According to an Orange Cyberdefense report, attackers sent SAML authentication requests carrying commands, first for reconnaissance and then to inject the DSLog backdoor into the code base of an unpatched Ivanti instance on which all API endpoints had been blocked. DSLog remotely executes any command supplied in the threat actors' HTTP requests, with a unique SHA256 hash in those requests also serving to authenticate backdoor requests, the researchers said, adding that numerous impacted Ivanti instances had their ".access" logs removed to conceal malicious activity. With nearly 20% of the discovered DSLog-infected Ivanti servers also compromised in attacks involving other vulnerabilities, organizations have been urged to immediately apply remediations to affected Ivanti systems.
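Two defender-side checks that follow from the behaviours described above, as an added example that is not from the article or the Orange Cyberdefense report: flagging requests that carry a SHA256-length token, and spotting days whose ".access" log is absent. The log layout, the placeholder paths and the daily `YYYYMMDD.access` file naming are assumptions, not Ivanti's actual formats.

```python
import hashlib
import re
from datetime import date, timedelta

# A 64-hex-character token that is not part of a longer hex run.
SHA256_TOKEN = re.compile(r"(?<![0-9a-fA-F])[0-9a-fA-F]{64}(?![0-9a-fA-F])")

# Constructed sample lines in an assumed "client_ip method path status" layout;
# the paths are placeholders, not Ivanti endpoints.
FAKE_TOKEN = hashlib.sha256(b"constructed-example-token").hexdigest()
SAMPLE_ACCESS_LOG = "\n".join([
    "203.0.113.5 GET /login 200",
    "203.0.113.9 POST /saml/acs 200",
    f"198.51.100.7 POST /saml/acs?t={FAKE_TOKEN} 200",
    "203.0.113.5 GET /static/app.js 200",
])


def find_token_requests(log_text: str) -> list[dict]:
    """Return requests whose path or query carries a SHA256-length hex token."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed lines rather than crash on them
        client_ip, method, path = parts[0], parts[1], parts[2]
        match = SHA256_TOKEN.search(path)
        if match:
            hits.append({"client_ip": client_ip, "method": method,
                         "path": path, "token": match.group(0).lower()})
    return hits


def missing_access_log_days(present_files: set[str], start_iso: str, end_iso: str) -> list[str]:
    """Return ISO dates in [start, end] with no '<YYYYMMDD>.access' file.

    One daily file is assumed; a gap is a prompt to investigate, since the
    article reports ".access" logs being removed to hide DSLog activity.
    """
    missing = []
    day, end = date.fromisoformat(start_iso), date.fromisoformat(end_iso)
    while day <= end:
        if f"{day:%Y%m%d}.access" not in present_files:
            missing.append(day.isoformat())
        day += timedelta(days=1)
    return missing


if __name__ == "__main__":
    for hit in find_token_requests(SAMPLE_ACCESS_LOG):
        print("token-bearing request:", hit)
    present = {"20240201.access", "20240202.access", "20240204.access"}
    print("days without an access log:",
          missing_access_log_days(present, "2024-02-01", "2024-02-04"))
```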
