Threat Overview

A recent threat report published by AlienVault reveals a critical zero-day vulnerability, CVE-2025-0282, in Ivanti Connect Secure VPN appliances. This vulnerability has been exploited since mid-December 2024, allowing unauthenticated remote code execution.

Exploited Vulnerability

* Vulnerability: CVE-2025-0282 in Ivanti Connect Secure VPN appliances

* Impact: Unauthenticated remote code execution

Used Malware Families

Attackers have deployed multiple malware families during these exploits, including:

* SPAWN: A backdoor capable of evading detection by hiding malicious processes.

* DRYHOOK: A multifunctional implant used for credential theft and privilege escalation.

* PHASEJAM: An advanced persistent threat (APT) tool designed to maintain persistence on compromised systems.

Reported Threat Actor Groups

The report mentions two China-nexus groups as potential actors involved in these attacks:

n* UNC5337, attributed to the Chinese Ministry of State Security.

* UNC5221, which has been linked to North Korea’s Lazarus Group.

Attack Tactics

Evidence suggests attackers are employing various tactics during their operations, such as:

* Disabling security features for persistence.

* Injecting web shells for remote access and command execution.

* Blocking system upgrades to prevent patch applications.

* Performing network reconnaissance to map target environments.

Recommendations

Based on the threat report, the following recommendations are suggested:

* Apply Ivanti’s released patches for CVE-2025-0282 as soon as possible.

* Use Ivanti’s Integrity Checker Tool to validate system integrity and detect unauthorized changes.

* Implement strict access controls and security measures to protect VPN appliances.

* Monitor network traffic for suspicious activity, such as unexplained spikes in outbound data transfer.

* Enhance overall cybersecurity posture with robust threat detection systems and incident response plans.

Report Details

The full threat report can be found at the following links:

* Google Cloud Blog: https://cloud.google.com/blog/topics/threat-intelligence/ivanti-connect-secure-vpn-zero-day