CyberSecurity news
do son@Daily CyberSecurity
CISA has issued a Malware Analysis Report (MAR-25993211-r1.v1) detailing a new malware variant named RESURGE, deployed on Ivanti Connect Secure devices after exploitation of a critical vulnerability, CVE-2025-0282. The analysis indicates that RESURGE shares capabilities with the SPAWNCHIMERA malware, including surviving system reboots, but contains distinctive commands that alter its behavior. According to CISA, RESURGE can create web shells, manipulate integrity checks, and modify files, which lets its operators harvest credentials, create accounts, reset passwords, and escalate privileges.
RESURGE can also copy the web shell to the Ivanti running boot disk and manipulate the running coreboot image, so the implant survives a reboot and keeps its access. Because RESURGE tampers with the device's own integrity checks, a clean result from an on-appliance check of a suspect device cannot be trusted on its own. CISA strongly advises organizations using Ivanti Connect Secure devices to take immediate action: apply the security patches for CVE-2025-0282, monitor network traffic for unusual SSH connections involving the appliance, and implement robust logging to detect tampering attempts. Patching alone does not evict an implant that is already persisted in the boot image; for the highest level of confidence on a device that may already be compromised, CISA recommends a factory reset followed by resetting the credentials of privileged and non-privileged accounts. CVE-2025-0282 itself is a stack-based buffer overflow in Ivanti Connect Secure, Policy Secure, and ZTA Gateways that can be exploited by an unauthenticated remote attacker for remote code execution.
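The "unusual SSH connections" check above is only useful once you decide what unusual means for a VPN appliance. The script below, added here as an illustration and not taken from the CISA report or from Ivanti, encodes two rules that hold for most deployments: the appliance itself should never open an outbound SSH session (the shape of a reverse tunnel or backdoor callback), and inbound SSH to the appliance should come only from the management network. The log format, the appliance address 203.0.113.10, the management subnet 10.0.50.0/24 and the sample records are all constructed for this example.

```python
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv6Address

# Constructed sample connection records, written for this example; they are not
# from the CISA report. Assumed format: "<timestamp> <src>:<sport> -> <dst>:<dport> <service>".
SAMPLE_CONN_LOG = """\
2025-03-28T10:01:02Z 10.0.50.5:51234 -> 203.0.113.10:22 ssh
2025-03-28T10:02:10Z 198.51.100.77:40123 -> 203.0.113.10:22 ssh
2025-03-28T10:03:44Z 203.0.113.10:39921 -> 198.51.100.77:22 ssh
2025-03-28T10:04:00Z 192.0.2.33:44444 -> 203.0.113.10:443 https
2025-03-28T10:05:15Z 10.0.50.9:50010 -> 203.0.113.10:22 ssh
"""

# Assumed environment facts (adjust to your own): the appliance's addresses and the
# subnets from which administrators are allowed to open SSH sessions to it.
APPLIANCE_IPS = {ipaddress.ip_address("203.0.113.10")}
MGMT_ALLOWLIST = [ipaddress.ip_network("10.0.50.0/24")]

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[^:\s]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[^:\s]+):(?P<dport>\d+)\s+(?P<service>\S+)$"
)


@dataclass(frozen=True)
class Conn:
    ts: str
    src: IPv4Address | IPv6Address
    sport: int
    dst: IPv4Address | IPv6Address
    dport: int
    service: str


def parse_conn(line: str) -> Conn | None:
    """Parse one record in the assumed format; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Conn(
        m["ts"],
        ipaddress.ip_address(m["src"]), int(m["sport"]),
        ipaddress.ip_address(m["dst"]), int(m["dport"]),
        m["service"].lower(),
    )


def in_allowlist(addr, networks) -> bool:
    return any(addr in net for net in networks)


def classify_ssh(conn: Conn, appliance_ips, mgmt_allowlist) -> str | None:
    """Label an SSH flow the appliance should not be part of; None if the flow is expected."""
    if conn.service != "ssh":
        return None
    # Rule 1: a VPN appliance has no business opening SSH sessions outward.
    if conn.src in appliance_ips:
        return "outbound-ssh-from-appliance"
    # Rule 2: inbound SSH is expected only from the management network.
    if conn.dst in appliance_ips and not in_allowlist(conn.src, mgmt_allowlist):
        return "ssh-to-appliance-from-unapproved-source"
    return None


def find_unusual_ssh(log_text: str, appliance_ips, mgmt_allowlist) -> list[tuple[str, Conn]]:
    """Run both rules over a block of log text and return (label, record) pairs."""
    alerts = []
    for line in log_text.splitlines():
        conn = parse_conn(line)
        if conn is None:
            continue  # skip malformed lines rather than abort the whole scan
        label = classify_ssh(conn, appliance_ips, mgmt_allowlist)
        if label:
            alerts.append((label, conn))
    return alerts


if __name__ == "__main__":
    for label, c in find_unusual_ssh(SAMPLE_CONN_LOG, APPLIANCE_IPS, MGMT_ALLOWLIST):
        print(f"{c.ts} {label}: {c.src}:{c.sport} -> {c.dst}:{c.dport}")
```

On the sample, the session from 198.51.100.77 and the appliance's own outbound session to that host are flagged; the two sessions from the management subnet and the HTTPS flow are not. Service identification is taken from the log rather than the port, so SSH moved to a non-standard port is still caught as long as the sensor labels it.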
References:
- securityonline.info: CISA Warns of RESURGE Malware: Exploiting Ivanti Vulnerability
- Cyber Security News: The Cybersecurity and Infrastructure Security Agency (CISA) has issued a Malware Analysis Report (MAR-25993211-r1.v1) detailing the exploitation of a critical vulnerability in Ivanti Connect Secure devices (CVE-2025-0282).
- bsky.app: CISA has published a technical report on RESURGE, a web shell installed on Ivanti Connect Secure devices via CVE-2025-0282
- thehackernews.com: RESURGE Malware Exploits Ivanti Flaw with Rootkit and Web Shell Features
- securityaffairs.com: CISA warns of RESURGE malware exploiting Ivanti flaw
- Help Net Security: CISA has released indicators of compromise, detection signatures, and updated mitigation advice for rooting out a newly identified malware variant used by the attackers who breached Ivanti Connect Secure VPN appliances in December 2024 by exploiting the CVE-2025-0282 zero-day.
- It’s the end of March 2025...of course CISOs still need to worry about Ivanti Connect Secure flaws.
- www.cybersecuritydive.com: CVE-2025-0282, a critical vulnerability that affects Ivanti’s Connect Secure, Policy Secure and ZTA Gateway products, was disclosed and patched in January.
- CISA recommends immediate action to address malware variant RESURGE exploiting Ivanti vulnerability CVE-2025-0282
- thecyberexpress.com: CISA Details New Malware Used in Ivanti Attacks
- Sam Bent: A newly discovered malware named RESURGE is targeting Ivanti Connect Secure vulnerabilities, delivering stealth capabilities like rootkits and web shells. Tied to China-linked espionage groups.
- The Register - Security: CISA spots spawn of Spawn malware targeting Ivanti flaw
- Arctic Wolf: CVE-2025-22457: Ivanti Connect Secure VPN Vulnerable to Zero-Day RCE Exploitation
- cert.europa.eu: 2025-016: Critical Vulnerability in Ivanti Products
- securityonline.info: CVE-2025-22457: UNC5221 Exploits Ivanti Zero-Day Flaw to Deploy TRAILBLAZE and BRUSHFIRE Malware
- Help Net Security: Ivanti VPN customers targeted via unrecognized RCE vulnerability (CVE-2025-22457)
- securityaffairs.com: China-linked group UNC5221 exploited Ivanti Connect Secure zero-day since mid-March
- The Register - Security: Suspected Chinese spies right now hijacking buggy Ivanti gear – for third time in 3 years
- www.bleepingcomputer.com: Ivanti patches Connect Secure zero-day exploited since mid-March
- BleepingComputer: Ivanti has released security updates to patch a critical Connect Secure remote code execution vulnerability exploited by a China-linked espionage actor to deploy malware since at least mid-March 2025.
- Threats | CyberScoop: China-backed espionage group hits Ivanti customers again
- www.scworld.com: Mandiant warns of attacks on newly-disclosed Ivanti remote takeover threat
- The Hacker News: Critical Ivanti Flaw Actively Exploited to Deploy TRAILBLAZE and BRUSHFIRE Malware
- bsky.app: Mandiant links the exploitation of a Connect Secure vulnerability to a China-linked APT (UNC5221).
- bsky.app: Ivanti has released security updates to patch a critical Connect Secure remote code execution vulnerability exploited by a China-linked espionage actor to deploy malware since at least mid-March 2025.
- research.kudelskisecurity.com: CVE-2025-22457: Critical Ivanti Connect Secure Vulnerability
- Arctic Wolf: Ivanti disclosed a critical zero-day vulnerability, CVE-2025-22457, affecting Ivanti Connect Secure, Policy Secure, and ZTA Gateways
- Vulnerable U: The vulnerability affects many versions of Ivanti appliances and is being exploited by a Chinese actor
- darkwebinformer.com: CVE-2025-22457: April Security Advisory Ivanti Connect Secure, Policy Secure & ZTA Gateways (CVE-2025-22457)
Classification:
- HashTags: #Ivanti #RESURGE #MalwareAnalysis
- Company: Ivanti
- Target: US Healthcare Organizations and Hospitals
- Product: Connect Secure
- Feature: Persistence
- Malware: RESURGE
- Type: Malware
- Severity: Major