Ethical Hacking News
Ongoing attacks on Ivanti VPNs pose a significant threat to network security due to a recently disclosed critical vulnerability. Hackers are exploiting the vulnerability to install malware packages that can persist across system upgrades, allowing them to collect sensitive data from compromised devices. This article provides an in-depth look at the vulnerability and the tactics used by attackers.
The vulnerability, CVE-2025-0282, affects Ivanti Connect Secure VPN, Policy Secure, and ZTA Gateways and allows attackers to execute malicious code with no authentication required. Attackers have exploited it since December 2024 and have installed two previously unseen malware families, DRYHOOK and PHASEJAM, on some compromised devices. Mandiant reported that the attackers take pains to hide signs of compromise on infected devices. A further component, SPAWNANT, persists across system upgrades by hijacking the execution flow of a binary used during the upgrade process. The ultimate goal is to collect data, including VPN sessions and API keys; Mandiant attributes the activity to suspected China-nexus espionage actors.
In a recent announcement, Ivanti disclosed a critical vulnerability in its Connect Secure VPN, Policy Secure, and ZTA Gateway products that has been actively exploited by well-resourced hackers. The vulnerability, tracked as CVE-2025-0282, is a stack-based buffer overflow that allows attackers to execute malicious code with no authentication required, posing a significant threat to network security. The same advisory disclosed a second, lower-severity flaw, CVE-2025-0283, a local privilege escalation for which Ivanti reported no known exploitation at the time.
According to Google-owned security provider Mandiant, the vulnerability has been exploited against multiple Ivanti Connect Secure appliances since December 2024. After exploiting it, the attackers install two previously unseen malware families, tracked as DRYHOOK and PHASEJAM, on some of the compromised devices. PHASEJAM is a well-written and multifaceted bash shell script that first drops web shells giving the remote operators privileged control of the device. It then injects a malicious function into the Connect Secure upgrade mechanism that blocks legitimate system upgrades while displaying a fake upgrade progress bar, so the appliance appears to have been patched when it has not.
The attackers also take pains to hide signs of compromise on infected devices. After exploiting the vulnerability, they clear kernel ring-buffer messages with dmesg and remove entries from the debug logs generated during the exploit. They delete troubleshooting information packages (state dumps) and any core dumps generated by process crashes. They also remove application event log entries related to syslog failures, internal ICT failures, crash traces, and certificate handling errors, all of which are the traces an investigator would otherwise look for first.
A further component, SPAWNANT, persists across system upgrades by hijacking the execution flow of dspkginstall, a binary used during the system upgrade process, by exporting a malicious snprintf function that contains the persistence mechanism. Unlike other methods for surviving upgrades, SPAWNANT does not block the upgrade; it survives by ensuring it is copied to the new upgrade partition. It also circumvents the ICT by recalculating the SHA256 hash of every maliciously modified file and generating a new RSA key pair to sign the modified manifest. Any integrity check that accepts whichever key happens to validate the manifest is defeated this way, which is why an integrity verdict must rest on a key or reference manifest the checker obtains independently of the appliance under test.
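The manifest re-signing trick above is an instance of key substitution, and the check a practitioner wants is to pin the verifying key. The following Go program is an added example written for this page, not Ivanti's or Mandiant's code; its manifest format, file names and file contents are constructed stand-ins (the real ICT manifest layout and signing scheme are not described here). It builds a vendor-signed manifest, replays the attacker's steps (modify a file, rehash, re-sign with a fresh key), and shows that a checker which trusts the key shipped with the manifest accepts the forgery while a checker holding the vendor's pinned public key rejects it.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Manifest is a constructed stand-in for an appliance integrity manifest (the
// real Ivanti format is not described in the article); SignerKey is the weak
// point, because a checker that trusts it lets whoever re-signs pick the key.
type Manifest struct {
	Body      []byte // one "path sha256hex" line per file, sorted by path
	Signature []byte
	SignerKey *rsa.PublicKey
}

// manifestBody hashes every file and serialises the digests deterministically.
func manifestBody(files map[string][]byte) []byte {
	paths := make([]string, 0, len(files))
	for p := range files {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	var b strings.Builder
	for _, p := range paths {
		sum := sha256.Sum256(files[p])
		fmt.Fprintf(&b, "%s %s\n", p, hex.EncodeToString(sum[:]))
	}
	return []byte(b.String())
}

// signManifest is the step the article attributes to SPAWNANT: rehash every
// file, then sign the result with whatever key the signer holds.
func signManifest(priv *rsa.PrivateKey, files map[string][]byte) *Manifest {
	body := manifestBody(files)
	digest := sha256.Sum256(body)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		panic(err)
	}
	return &Manifest{Body: body, Signature: sig, SignerKey: &priv.PublicKey}
}

// verifyWith checks the signature under pub, then recomputes the body from
// disk so modified, added and deleted files all fail the comparison.
func verifyWith(pub *rsa.PublicKey, m *Manifest, files map[string][]byte) error {
	digest := sha256.Sum256(m.Body)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], m.Signature); err != nil {
		return fmt.Errorf("manifest signature invalid: %w", err)
	}
	if !bytes.Equal(manifestBody(files), m.Body) {
		return fmt.Errorf("on-disk digests differ from signed manifest")
	}
	return nil
}

// NaiveVerify trusts the key shipped inside the manifest (proving only that the
// manifest is self-consistent); PinnedVerify trusts a key held out of band.
func NaiveVerify(m *Manifest, files map[string][]byte) error {
	return verifyWith(m.SignerKey, m, files)
}

func PinnedVerify(pinned *rsa.PublicKey, m *Manifest, files map[string][]byte) error {
	return verifyWith(pinned, m, files)
}

func mustKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// Scenario replays the re-signing trick on constructed sample files. Expected:
// cleanPinned nil, tamperedNaive nil (trick works), tamperedPinned non-nil.
func Scenario() (cleanPinned, tamperedNaive, tamperedPinned error) {
	vendor := mustKey()
	files := map[string][]byte{ // constructed contents, not real appliance files
		"bin/dspkginstall":  []byte("vendor upgrade installer"),
		"lib/libexample.so": []byte("vendor shared library"),
	}
	genuine := signManifest(vendor, files)
	cleanPinned = PinnedVerify(&vendor.PublicKey, genuine, files)
	// Attacker step: modify a file, rehash, re-sign with a freshly generated key.
	files["lib/libexample.so"] = []byte("vendor shared library + implant")
	forged := signManifest(mustKey(), files)
	tamperedNaive = NaiveVerify(forged, files)
	tamperedPinned = PinnedVerify(&vendor.PublicKey, forged, files)
	return
}

func main() {
	fmt.Println(Scenario())
}
```

The design point is that the signature proves only that whoever held the private key signed that body; it says nothing about who that was unless the verifier already knows which public key to expect. The same reasoning applies to the ICT's snapshot limitation noted later in the article: a checker run on the appliance can be fed a self-consistent picture, so the reference it compares against has to come from somewhere the attacker does not control.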
The ultimate goal of these attacks is to collect data, including VPN sessions, session cookies, API keys, certificates, and credential material. Mandiant attributed the attacks to UNC5337, a cluster it assesses with moderate confidence to be part of UNC5221; both are suspected China-nexus espionage actors.
Ivanti recommends that customers run its Integrity Checker Tool (ICT) to detect infections on their devices. This advice is useful only if admins inspect the results carefully to ensure they are genuine, since an attacker with control of the appliance can tamper with what it reports. Mandiant also noted that the ICT is a snapshot of the current state of the appliance and cannot necessarily detect threat actor activity if the attackers have returned the appliance to a clean state.
If the tool detects an infection, Ivanti recommends that admins perform a factory reset of the device. Anyone responsible for Connect Secure VPNs should assign the highest priority to inspecting them for signs of compromise using the indicators included in the posts from Ivanti and Mandiant. Additional posts from Rapid7, Tenable, and the Cybersecurity and Infrastructure Security Agency (CISA) provide further information on this vulnerability.
Published: Thu Jan 9 20:00:01 2025 by llama3.2 3B Q4_K_M