Ethical Hacking News

Ivanti Flaw CVE-2025-0282: A Sophisticated Malware Ecosystem Exposes Vulnerabilities in Secure Appliances


A critical security flaw has been identified in Ivanti Connect Secure, Policy Secure, and ZTA Gateways, which has been actively exploited in the wild since mid-December 2024. The exploit leverages a stack-based buffer overflow vulnerability (CVE-2025-0282) that affects versions of the software up to 22.7R2.5.

  • Ivanti Connect Secure, Policy Secure, and ZTA Gateways have a critical security flaw known as CVE-2025-0282 that allows an attacker to execute arbitrary code on the compromised system.
  • The vulnerability affects versions of the software up to 22.7R2.5; once exploited, the observed post-exploitation chain disables SELinux, stops syslog forwarding, and remounts the drive as read-write before dropping its payloads.
  • The malware establishes persistence on the compromised system by executing a series of scripts that drop web shells, modify log entries, and block system upgrades.
  • Threat actors have used advanced tools and techniques to maintain persistence and communicate with their Command-and-Control servers using tunneling utilities like SPAWNMOLE.
  • The attackers have also carried out post-exploitation activities such as internal network reconnaissance, LDAP queries, and stealing application cache databases containing sensitive information.
  • Ivanti has acknowledged that a limited number of customers have been exploited due to CVE-2025-0282 and advises organizations to patch the vulnerability immediately.




    The cybersecurity landscape has witnessed numerous high-profile exploits and vulnerabilities in recent times, with the latest revelation shedding light on a sophisticated malware ecosystem that has been actively targeting secure appliances. The affected products are Ivanti's Connect Secure, Policy Secure, and ZTA Gateways, which have been exposed to a critical security flaw known as CVE-2025-0282.

    CVE-2025-0282 is a stack-based buffer overflow vulnerability that affects versions of the software up to 22.7R2.5, according to Ivanti's official advisory. This vulnerability allows an attacker to execute arbitrary code on the compromised system, effectively bypassing security controls and compromising the integrity of the appliance.

    The discovery of this vulnerability was attributed to Mandiant, a cybersecurity firm that specializes in threat intelligence and incident response. In their investigation, Mandiant observed the deployment of the SPAWN ecosystem of malware, which has been linked to a China-nexus threat actor dubbed UNC5337. This threat actor is assessed with medium confidence to be part of UNC5221, so the attribution to a single group is not yet conclusive.

    The exploitation of CVE-2025-0282 involves a series of steps that disable SELinux, prevent syslog forwarding, remount the drive as read-write, execute scripts to drop web shells, use sed to remove specific log entries from debug and application logs, re-enable SELinux, and remount the drive. This process allows the malware to establish persistence on the compromised system and maintain access even after a system reboot.

    Furthermore, Mandiant observed that one of the payloads executed using the shell script is another shell script that runs an ELF binary responsible for launching PHASEJAM, a shell script dropper designed to make malicious modifications to the Ivanti Connect Secure appliance components. The primary functions of PHASEJAM include inserting a web shell into the getComponent.cgi and restAuth.cgi files, blocking system upgrades by modifying the DSUpgrade.pm file, and overwriting the remotedebug executable so that it can be used to execute arbitrary commands when a specific parameter is passed.

    The web shell is capable of decoding shell commands and exfiltrating the results of the command execution back to the attacker, uploading arbitrary files on the infected device, and reading and transmitting file contents. This malware also establishes persistence by covertly blocking legitimate updates to the Ivanti appliance by rendering a fake HTML upgrade progress bar. On the other hand, SPAWNANT, the installer component associated with the SPAWN malware framework, can persist across system upgrades by hijacking the execution flow of dspkginstall, a binary used during the system upgrade process.
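PHASEJAM, as described above, works by altering a handful of named appliance components (getComponent.cgi, restAuth.cgi, DSUpgrade.pm, remotedebug). One defender-side check that follows directly from that is a baseline hash comparison of those files. The script below is an added example written for this article, not Ivanti's Integrity Checker or Mandiant's tooling; the directory layout, file contents and the tampering it simulates are all constructed.

```python
import hashlib
import tempfile
from pathlib import Path

# Component files named in the Mandiant findings above. The flat layout under an
# assumed appliance root is a placeholder, not Ivanti's real filesystem layout.
MONITORED = ["getComponent.cgi", "restAuth.cgi", "DSUpgrade.pm", "remotedebug"]


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries are not read whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Record the hash of every monitored file under a known-good root."""
    return {n: sha256_of(root / n) for n in MONITORED if (root / n).exists()}


def check_integrity(root: Path, baseline: dict) -> dict:
    """Compare the live tree against the baseline and return a verdict per file."""
    verdicts = {}
    for name in MONITORED:
        path = root / name
        if not path.exists():
            verdicts[name] = "missing"
        elif name not in baseline:
            verdicts[name] = "unexpected"   # present now, absent from the baseline
        elif sha256_of(path) != baseline[name]:
            verdicts[name] = "modified"
        else:
            verdicts[name] = "ok"
    return verdicts


def demo() -> dict:
    """Constructed scenario: snapshot a clean tree, then tamper with two files."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name in MONITORED:
            (root / name).write_bytes(b"clean " + name.encode())
        baseline = build_baseline(root)
        # Simulated changes of the kind described above: content appended to a CGI
        # handler and the debug helper replaced. Constructed data, not real malware.
        (root / "getComponent.cgi").write_bytes(b"clean getComponent.cgi\n# appended")
        (root / "remotedebug").write_bytes(b"replaced binary placeholder")
        return check_integrity(root, baseline)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The baseline must come from a trusted source (a clean install or vendor-published hashes), since a snapshot taken after compromise would simply enshrine the tampered files.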

    Mandiant also observed that various publicly available and open-source tunneling utilities, including SPAWNMOLE, were used to facilitate communications between the compromised appliance and the threat actor's command-and-control (C2) infrastructure, indicating that the attackers have the tooling and tradecraft to maintain persistence and keep C2 channels open.

    In addition to exploiting CVE-2025-0282, Mandiant noted that the attackers carried out various post-exploitation activities. These included internal network reconnaissance using built-in tools like nmap and dig, and using the LDAP service account to perform LDAP queries and move laterally within the network, including to Active Directory servers, over SMB or RDP. They also stole application cache databases containing information associated with VPN sessions, session cookies, API keys, certificates, and credential material.

    Moreover, Mandiant observed that a Python script named DRYHOOK was deployed to harvest credentials. While Mandiant did not provide specific information on the threat actor responsible for this activity, they noted that it is possible that multiple hacking groups are involved in the creation and deployment of SPAWN, DRYHOOK, and PHASEJAM.

    In light of these findings, Ivanti has acknowledged that a limited number of customers have been exploited due to CVE-2025-0282. The company has also patched another high-severity flaw (CVE-2025-0283) that allows a locally authenticated attacker to escalate their privileges. However, there is currently no evidence that CVE-2025-0283 is being weaponized.

    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-0282 to the Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply the patches by January 15, 2025. Ivanti advises organizations to scan their environments for signs of compromise, report any incident or anomalous activity, and take immediate action to patch these vulnerabilities.

    In conclusion, the discovery of CVE-2025-0282 highlights the importance of staying vigilant against emerging threats in the cybersecurity landscape. It serves as a reminder that even the most secure appliances can be vulnerable to sophisticated malware ecosystems if not properly patched and updated. Organizations are urged to take proactive measures to address this vulnerability and protect their systems from potential attacks.

    Related Information:

  • https://thehackernews.com/2025/01/ivanti-flaw-cve-2025-0282-actively.html


  • Published: Thu Jan 9 00:13:25 2025 by llama3.2 3B Q4_K_M