Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

Unveiling the Shadowy Hands Behind the Ivanti VPN Zero-Day Attacks: A Chronicle of Deception and Exploitation


Google has sounded the alarm on suspected China-nexus attackers exploiting a critical Ivanti VPN zero-day, with thousands of internet-exposed appliances at risk. In this in-depth exposé, we trace the campaign from discovery of the flaw to the tooling the attackers left behind on compromised appliances.

  • Suspected China-nexus attackers are likely behind a recent wave of attacks on Ivanti VPN appliances, exploiting a critical stack-based buffer overflow flaw (CVE-2025-0282).
  • The vulnerability allows an unauthenticated remote attacker to execute code on the appliance, making it a path to credential theft, data exfiltration and onward compromise.
  • The attackers used the Spawn malware ecosystem, which Mandiant attributes to UNC5337, a suspected China-nexus espionage cluster assessed to be part of the larger UNC5221 cluster.
  • The attack chain involves sending HTTP requests to identify ICS appliance versions, exploiting the vulnerability to gain initial access, and deploying malware.
  • The attackers modified system files to enable command execution, installed persistence tools such as Spawnmole, and used Dryhook to capture usernames and passwords.
  • Over 3,600 ICS appliances were exposed on the public web when Ivanti released a patch for the vulnerability; this number has since dropped to around 2,800.
  • System administrators are advised to perform a factory reset and upgrade to Ivanti Connect Secure 22.7R2.5 to protect against this attack.



    Google has sounded the alarm, warning that suspected China-nexus attackers are likely behind a recent wave of attacks on Ivanti VPN appliances. The critical stack-based buffer overflow flaw, tracked as CVE-2025-0282, gives an unauthenticated remote attacker code execution on the appliance, and thousands of vulnerable devices remain reachable from the internet. The sections below trace the campaign from the vulnerability itself to the actors who exploited it and the tooling they deployed.

    The Vulnerability: A Critical Weakness in Ivanti Connect Secure

    In early January 2025, Ivanti and cybersecurity firm Mandiant (now part of Google Cloud) disclosed a critical stack-based buffer overflow flaw in Ivanti Connect Secure before 22.7R2.5, Ivanti Policy Secure before 22.7R1.2, and Ivanti Neurons for ZTA gateways before 22.7R2.3. The vulnerability, tracked as CVE-2025-0282, allows a remote, unauthenticated attacker to execute arbitrary code on the appliance. Because these devices sit at the network edge and terminate VPN sessions, code execution on them is a direct route to credential theft, data breaches and further exploitation of the networks behind them.

    The Attackers: A China-Linked Espionage Campaign

    Mandiant's report reveals that exploitation began as early as mid-December 2024 and that the attackers deployed the Spawn malware ecosystem. Mandiant attributes Spawn to UNC5337, a suspected China-nexus espionage cluster it assesses is likely part of the larger cluster tracked as UNC5221. The attack chain, as outlined by Mandiant, starts with HTTP requests to specific URLs that reveal the ICS appliance version; these requests are routed through VPS providers or Tor to hide their origin.

    The attackers then exploit the vulnerability to gain initial access, disable SELinux protections and modify iptables rules to block syslog forwarding, so that the appliance stops reporting to the organisation's log collector. They remount the filesystem read-write so that malware can be written to disk. The Phasejam dropper is then launched: it writes a web shell into the legitimate components 'getComponent.cgi' and 'restAuth.cgi' and overwrites other system files to enable command execution.

    The attackers also modify the upgrade script 'DSUpgrade.pm' so that real upgrades are blocked while a fake upgrade progress is shown to the administrator, allowing the implant to survive an apparent update. They install the Spawn tools Spawnmole (tunneler), Spawnsnail (SSH backdoor) and Spawnsloth (log tampering utility), which can persist across system upgrades. Both the Spawn tools and the newly observed malware attempt to evade Ivanti's Integrity Checker Tool (ICT) by recalculating the SHA256 hashes of the modified files so that they pass verification.
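The hash-recalculation trick against the ICT described above only works when the checker's reference hashes live somewhere the attacker can also rewrite. The following is an added example, not Ivanti's ICT or Mandiant's code: it builds a SHA256 manifest over a constructed file tree, simulates a Phasejam-style modification of restAuth.cgi together with a recomputed on-device hash, and shows that only a baseline held off-box still catches the change. The file names come from the text; their contents, the manifest format and the off-box baseline are assumptions for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed sample appliance tree (NOT real Ivanti files): two CGI
# components named after the ones the text says Phasejam backdoored.
ORIGINAL_FILES = {
    "getComponent.cgi": b"#!/usr/bin/perl\nprint 'component';\n",
    "restAuth.cgi": b"#!/usr/bin/perl\nprint 'auth';\n",
}


def sha256_of(path: Path) -> str:
    """Stream a file through SHA256 and return the hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Hash every regular file under root, keyed by POSIX path relative to root."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify(root: Path, manifest: dict[str, str]) -> list[str]:
    """Return relative paths whose current hash differs from the manifest,
    including files that are missing on either side."""
    current = build_manifest(root)
    return sorted(p for p in set(current) | set(manifest)
                  if current.get(p) != manifest.get(p))


def simulate_tamper(root: Path, on_device_manifest: dict[str, str]) -> None:
    """Append a constructed marker (standing in for an injected web shell) to
    restAuth.cgi and, as the text describes, recompute its hash in the manifest
    the attacker can reach so an on-device check still passes."""
    target = root / "restAuth.cgi"
    with target.open("ab") as f:
        f.write(b"\n# constructed marker standing in for an injected web shell\n")
    on_device_manifest["restAuth.cgi"] = sha256_of(target)


def demo() -> tuple[list[str], list[str]]:
    """Return (mismatches against on-device manifest, mismatches against off-box baseline)."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for name, body in ORIGINAL_FILES.items():
            (root / name).write_bytes(body)
        on_device = build_manifest(root)   # reference hashes stored on the appliance
        offline = dict(on_device)          # copy taken at deploy time and kept off-box
        simulate_tamper(root, on_device)
        return verify(root, on_device), verify(root, offline)


if __name__ == "__main__":
    on_device_result, offline_result = demo()
    print("on-device check flags:", on_device_result)   # []
    print("off-box baseline flags:", offline_result)    # ['restAuth.cgi']
```

The design point is that an integrity check is only as trustworthy as the place its reference hashes are kept: a manifest on a filesystem the attacker has already remounted read-write is part of the attack surface, whereas a baseline captured at deployment and stored off the appliance (or supplied by the vendor out of band) cannot be silently recomputed from the compromised host.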

    The Goal: Stealing Sensitive Information

    Mandiant researchers observed the attackers archiving the database cache on a compromised appliance and staging the archive in a directory served by the public-facing web server, so that it could be downloaded over plain HTTPS like any other resource. The attackers also used a new piece of malware called Dryhook to capture usernames and passwords during normal authentication, storing them base64-encoded for later retrieval.

    The Impact: A Significant Attack Surface Exposed

    According to Macnica researcher Yutaka Sejiyama, over 3,600 ICS appliances were exposed on the public web when Ivanti released a patch for the vulnerability. The number has since dropped to around 2,800, indicating that a significant portion of the attack surface remains exposed.

    Defense Measures: Protecting Against This Sophisticated Attack

    System administrators are advised to perform a factory reset and then upgrade to Ivanti Connect Secure 22.7R2.5, even if internal and external ICT scans find no signs of malicious activity, since the campaign specifically tampered with the hashes the ICT relies on. Mandiant has shared a list of indicators of compromise (IoCs) along with YARA rules to aid in detecting activity associated with this campaign.
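A first triage step is to check an appliance inventory against the fixed versions named in the advisory. The following is an added example, not Ivanti tooling: it parses Ivanti's MAJOR.MINORRrelease[.patch] version strings and flags any appliance below the fixed version for its product. The product keys and the sample inventory are constructed for illustration; the fixed versions (22.7R2.5, 22.7R1.2, 22.7R2.3) are the ones the text cites.

```python
import re

# Fixed versions per product as cited in the text. Keys are assumed labels
# for this example, not Ivanti product identifiers.
FIXED = {
    "ics": "22.7R2.5",   # Ivanti Connect Secure
    "ips": "22.7R1.2",   # Ivanti Policy Secure
    "zta": "22.7R2.3",   # Ivanti Neurons for ZTA gateways
}

# Ivanti versions look like 22.7R2.5 or 9.1R18.9; the trailing patch number
# is sometimes absent (e.g. 22.7R2), which we treat as patch 0.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(v: str) -> tuple[int, int, int, int]:
    """Parse '22.7R2.5' -> (22, 7, 2, 5). Raises ValueError on unknown formats
    so a malformed inventory entry is never silently treated as patched."""
    m = _VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {v!r}")
    major, minor, release, patch = m.groups()
    return int(major), int(minor), int(release), int(patch or 0)


def is_valid_version(v: str) -> bool:
    """True if v is a version string parse_version understands."""
    return _VERSION_RE.match(v.strip()) is not None


def is_affected(product: str, version: str) -> bool:
    """True if the running version is older than the fixed version for the product.
    Tuple comparison is numeric field by field, so 22.7R10 sorts above 22.7R2."""
    return parse_version(version) < parse_version(FIXED[product])


# Constructed inventory: (hostname, product key, reported version).
SAMPLE_INVENTORY = [
    ("vpn-edge-01", "ics", "22.7R2.4"),
    ("vpn-edge-02", "ics", "22.7R2.5"),
    ("vpn-legacy", "ics", "9.1R18.9"),
    ("nac-01", "ips", "22.7R1.1"),
    ("zta-gw-01", "zta", "22.7R2.3"),
]


def triage(inventory) -> dict[str, bool]:
    """Map hostname -> True if the appliance still runs an affected version."""
    return {host: is_affected(product, version) for host, product, version in inventory}


if __name__ == "__main__":
    for host, affected in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {'AFFECTED' if affected else 'at fixed version'}")
```

A version check only tells you whether the appliance can still be exploited through this bug; it says nothing about whether it already was. An appliance reporting 22.7R2.5 after a Phasejam-style fake upgrade is exactly the case the text warns about, which is why the advice is a factory reset before the upgrade rather than a version check in place of it.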

    In conclusion, the recent wave of attacks on Ivanti VPN appliances serves as a stark reminder of the ongoing battle between security professionals and sophisticated actors. As we navigate the complex landscape of cyber espionage, it is crucial that we remain vigilant, adopting proactive measures to protect our devices and data from such nefarious threats.

    Related Information:

  • https://www.bleepingcomputer.com/news/security/google-chinese-hackers-likely-behind-ivanti-vpn-zero-day-attacks/

  • https://www.securityweek.com/exploitation-of-new-ivanti-vpn-zero-day-linked-to-chinese-cyberspies/

  • https://nvd.nist.gov/vuln/detail/CVE-2025-0282

  • https://www.cvedetails.com/cve/CVE-2025-0282/


  • Published: Thu Jan 9 12:34:15 2025 by llama3.2 3B Q4_K_M
    © Ethical Hacking News . All rights reserved.