

Ethical Hacking News

Ivanti Zero-Day Vulnerability Exploited by Custom Malware: A Threat to Secure VPN Appliances



Ivanti zero-day attacks infected devices with custom malware, posing a significant threat to the security of VPN appliances. The attacks were attributed to a suspected China-linked espionage operation and used a custom Spawn malware toolkit to spread across compromised devices. System administrators are advised to take immediate action and upgrade to Ivanti Connect Secure 22.7.R2.5 or later to mitigate this risk.

  • Ivanti zero-day attacks used custom malware to infect VPN appliances, posing a significant security threat.
  • A critical stack-based buffer overflow vulnerability (CVE-2025-0282) in Ivanti Connect Secure and Policy appliances was exploited by hackers.
  • Attackers used the Spawn malware toolkit to spread malware across compromised devices; the activity is linked to a suspected China-linked espionage operation.
  • The vulnerability allowed attackers to disable SELinux protections, modify iptables rules, and remount drives, enabling successful malware deployment.
  • Malware included web shells, tunnellers, SSH backdoors, and log tampering utilities, with persistence across system upgrades.
  • A malicious component called Dryhook captured usernames and passwords, storing them in base64-encoded form for future retrieval.
  • After the patch was released, the number of exposed devices dropped from over 3,600 to around 2,800, suggesting that some, but not all, threat actors exploited the vulnerability.
  • System administrators are advised to perform factory resets and upgrade to Ivanti Connect Secure 22.7.R2.5 or later to mitigate the risk.



Ivanti zero-day attacks infected devices with custom malware, posing a significant threat to the security of VPN appliances. In a recent development, hackers have taken advantage of a critical stack-based buffer overflow vulnerability in Ivanti Connect Secure 22.7R2.5 and older, Ivanti Policy Secure 22.7R1.2 and older, and Ivanti Neurons for ZTA gateways 22.7R2.3 and older. The malicious actors used the custom Spawn malware toolkit to spread their malware across compromised devices, and the activity appears to be linked to a suspected China-linked espionage operation.

The vulnerability, now tracked as CVE-2025-0282, was discovered in mid-December last year. Mandiant, a cybersecurity company that recently joined forces with Google Cloud, reported that attackers have been exploiting the vulnerability since then, using it to gain initial access to the affected devices. The threat actors exploited the CVE-2025-0282 stack-based buffer overflow flaw to disable SELinux protections on compromised appliances, modify iptables rules to prevent syslog forwarding, and remount the drive as 'read-write'. This allowed them to deploy their malware successfully.

The attackers deployed a web shell called Phasejam on compromised components such as 'getComponent.cgi' and 'restAuth.cgi', which enabled them to execute commands and maintain a foothold on the system. The threat actors also installed tools such as Spawnmole (tunneler), Spawnsnail (SSH backdoor), and Spawnsloth (log tampering utility) from the custom Spawn malware toolkit. Unlike Phasejam, these tools are capable of persisting across system upgrades.

Another malicious component used by the attackers, called Dryhook, captured usernames and passwords during normal authentication and stored them in base64-encoded form for later retrieval. The attackers also modified the upgrade script 'DSUpgrade.pm' to block real upgrades and simulate a fake upgrade process, ensuring that the malware persisted on the system.
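The post-exploitation tampering described above (SELinux disabled, syslog forwarding blocked via iptables, the drive remounted read-write, and 'DSUpgrade.pm' and the CGI components modified) gives a defender a concrete checklist. The following triage routine is an added example and not Mandiant's or Ivanti's tooling: it runs over constructed snapshots standing in for `getenforce`, `mount` and `iptables-save` output plus a known-good hash baseline, and assumes the appliance's root filesystem is normally read-only and that syslog forwarding uses port 514; the file contents and rule text are made up for illustration.

```python
import hashlib
import re

# Constructed sample snapshots standing in for `getenforce`, `mount` and
# `iptables-save` output on an appliance; none of this is real device data.
SAMPLE_SELINUX = "Permissive\n"
SAMPLE_MOUNTS = "/dev/root / ext4 rw,relatime 0 0\n/dev/sda2 /data ext4 rw 0 0\n"
SAMPLE_IPTABLES = "*filter\n:OUTPUT ACCEPT [0:0]\n-A OUTPUT -p udp --dport 514 -j DROP\nCOMMIT\n"

# Constructed file contents: CLEAN_FILES is the known-good baseline and
# OBSERVED_FILES is what a triage run found. Only the file names come from the article.
CLEAN_FILES = {
    "DSUpgrade.pm": b"sub upgrade { run_real_upgrade(); }\n",
    "getComponent.cgi": b"#!/usr/bin/perl\nprint component();\n",
    "restAuth.cgi": b"#!/usr/bin/perl\nprint auth();\n",
}
OBSERVED_FILES = dict(CLEAN_FILES)
OBSERVED_FILES["DSUpgrade.pm"] = b"sub upgrade { fake_progress(); }\n"
OBSERVED_FILES["restAuth.cgi"] = b"#!/usr/bin/perl\nprint auth(); # tampered\n"

def baseline_hashes(files):
    """SHA-256 per file, the form a known-good baseline would be stored in."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}

# Assumption: syslog forwarding leaves on port 514; a DROP/REJECT on it is suspicious.
SYSLOG_BLOCK = re.compile(r"-A OUTPUT\b.*--dport 514\b.*-j (DROP|REJECT)")

def triage(selinux, mounts, iptables, known_good, observed_files):
    """Return the indicators, in check order, matching the tampering described."""
    findings = []
    if selinux.strip().lower() != "enforcing":
        findings.append("selinux-not-enforcing")
    for line in mounts.splitlines():
        f = line.split()
        # Assumption: the root filesystem is expected to be mounted read-only.
        if len(f) >= 4 and f[1] == "/" and "rw" in f[3].split(","):
            findings.append("root-mounted-rw")
    if any(SYSLOG_BLOCK.search(line) for line in iptables.splitlines()):
        findings.append("syslog-forwarding-blocked")
    current = baseline_hashes(observed_files)
    for name, digest in known_good.items():
        if current.get(name) != digest:
            findings.append(f"modified:{name}")
    return findings

if __name__ == "__main__":
    for hit in triage(SAMPLE_SELINUX, SAMPLE_MOUNTS, SAMPLE_IPTABLES,
                      baseline_hashes(CLEAN_FILES), OBSERVED_FILES):
        print(hit)
```

On a real appliance the baseline hashes must come from a trusted image, not from the device under investigation, since the modified 'DSUpgrade.pm' is designed to make the box look clean.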

Mandiant has shared its findings publicly, including a list of indicators of compromise (IoCs) and YARA rules to help detect activity associated with this campaign. According to Macnica researcher Yutaka Sejiyama, over 3,600 Ivanti Connect Secure (ICS) appliances were exposed on the public web when Ivanti released a patch for the vulnerability. After the release, about 2,800 appliances remained exposed, indicating that while some threat actors did exploit this vulnerability, not all of them did.

The security issue has significant implications for organizations using Ivanti Connect Secure VPN appliances. In light of the discovery, system administrators are advised to perform a factory reset and upgrade to Ivanti Connect Secure 22.7.R2.5 or later to mitigate the risk. Administrators can also use the IoCs and YARA rules shared by Mandiant to monitor their systems for suspicious activity.

This incident serves as a stark reminder of the importance of staying up to date with security patches and keeping robust cybersecurity measures in place. As the threat landscape continues to evolve, it is crucial that organizations prioritize proactive security strategies to safeguard themselves against such vulnerabilities.



Related Information:

  • https://www.bleepingcomputer.com/news/security/google-chinese-hackers-likely-behind-ivanti-vpn-zero-day-attacks/

  • https://nvd.nist.gov/vuln/detail/CVE-2025-0282

  • https://www.cvedetails.com/cve/CVE-2025-0282/


  • Published: Thu Jan 9 20:12:22 2025 by llama3.2 3B Q4_K_M

    © Ethical Hacking News . All rights reserved.
