DSLog (f77708f2-2a3b-4f16-b3d2-368acbc0a557)
DSLog is a webshell deployed by exploiting the Ivanti server-side request forgery vulnerability (CVE-2024-21893), giving the actor remote access to compromised devices. Evidence of exploitation is found in Ivanti logs as SAML authentication requests from unauthenticated actors that contain encoded commands. The injection script checks whether the 'DSLog.pm' Perl script, used for logging events, has already been modified by searching it for the string 'HTTP_USER_AGENT'; if the string is absent, the backdoor is injected with the 'sed' command at line 102 of 'DSLog.pm'. [orangecyberdefense.com, February 9 2024]
| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| UNC5221 (71e9b27e-8d68-4ed6-b3ab-14142558b9ff) | Tidal Groups | DSLog (f77708f2-2a3b-4f16-b3d2-368acbc0a557) | Tidal Software | 1 |