ICS Threat Report: Ivanti Connect Secure VPN Targeted in New Zero-Day Exploitation

Threat Overview

A recent threat report, circulated via AlienVault OTX and based on Google Mandiant's analysis (linked below), describes a critical zero-day vulnerability, CVE-2025-0282, a stack-based buffer overflow in Ivanti Connect Secure VPN appliances. It has been exploited in the wild since mid-December 2024 and allows unauthenticated remote code execution on the appliance.

Exploited Vulnerability

* Vulnerability: CVE-2025-0282, a stack-based buffer overflow in Ivanti Connect Secure VPN appliances (fixed in version 22.7R2.5)

* Impact: Unauthenticated remote code execution, giving the attacker full control of the appliance before any user logs in

Used Malware Families

Attackers have deployed multiple malware families after exploiting the vulnerability, including:

* SPAWN: An ecosystem of implants previously seen on Ivanti devices, including SPAWNANT (installer), SPAWNMOLE (tunneler), SPAWNSNAIL (SSH backdoor) and SPAWNSLOTH (log-tampering utility). Together they provide persistent access while reducing the evidence left in appliance logs.

* DRYHOOK: A credential harvester that modifies a legitimate authentication component on the appliance so that usernames and passwords are captured as users log in.

* PHASEJAM: A dropper script that writes web shells into legitimate appliance components and blocks legitimate system upgrades by displaying a fake upgrade progress, so that the appliance appears patched while remaining compromised.

Reported Threat Actor Groups

The report attributes the activity to a China-nexus cluster:

* UNC5337, which Mandiant assesses is likely part of UNC5221.

* UNC5221, a suspected China-nexus espionage actor that also exploited Ivanti Connect Secure zero-days in the January 2024 campaign.

Neither group is attributed to a specific government agency in the report.

Attack Tactics

Evidence in the report shows attackers employing the following tactics after initial exploitation:

* Temporarily disabling SELinux and remounting the filesystem read-write to stage tooling, then restoring the original state to avoid drawing attention.

* Injecting web shells into legitimate appliance components for remote access and command execution.

* Blocking or faking system upgrades so that the vulnerable, backdoored build survives an administrator's attempt to patch.

* Tampering with logs and harvesting credentials at login.

* Performing internal network reconnaissance and lateral movement from the appliance to map and reach the target environment.

Recommendations

Based on the threat report, the following recommendations are suggested:

* Upgrade Ivanti Connect Secure to 22.7R2.5 as soon as possible. Because PHASEJAM can fake a successful upgrade, confirm the running version after patching rather than trusting the upgrade progress shown by the appliance.

* Run Ivanti's Integrity Checker Tool (ICT), preferably the external version from a trusted host, to detect unauthorized changes to appliance files. An on-box check can be tampered with by an attacker who already has root, so treat a clean internal ICT result as necessary but not sufficient.

* Treat any appliance with ICT findings as compromised: factory-reset or rebuild it before placing it back into production on the patched version, and rotate all credentials and certificates that passed through it, since DRYHOOK captures logins.

* Implement strict access controls for the appliance's management interface and restrict it from the internet.

* Monitor network traffic to and from the appliance for suspicious activity, such as unexplained spikes in outbound data transfer or unexpected connections from the appliance into the internal network.

* Enhance overall cybersecurity posture with threat detection systems and incident response plans that cover edge devices, which typically cannot run EDR agents.
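To make the integrity-check recommendation concrete, the following Python script is an added illustration (not Ivanti's ICT and not code from the report). It builds a baseline manifest of SHA-256 hashes for a directory tree, then diffs a later snapshot against it and reports files that were added, removed or modified. The sample tree, the file names in it and the simulated tampering are constructed for the demo; the real ICT compares against vendor-published hashes, and the baseline and checker must be stored and run off-box, since an attacker with root on the appliance can alter both.

```python
"""Baseline-and-diff file integrity check.

Added illustration of what "validate system integrity and detect
unauthorized changes" means in practice. It is not Ivanti's ICT;
the sample files and the simulated tampering are constructed.
"""
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its hash.

    Symlinks are skipped so a link pointing outside the tree cannot be
    used to make an attacker-controlled file look like a legitimate one.
    """
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            manifest[path.relative_to(root).as_posix()] = hash_file(path)
    return manifest


def compare_manifest(baseline: dict, current: dict) -> dict:
    """Diff two manifests: dropped files, deleted files, and files whose content changed."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        name for name in baseline.keys() & current.keys() if baseline[name] != current[name]
    )
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Build a constructed appliance-like tree, take a baseline, tamper, and diff.

    The tampering mirrors the tactics in the report in spirit only: a web
    shell appended to a legitimate handler, an upgrade routine rewritten,
    and a new file dropped. All names here are hypothetical.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "cgi").mkdir()
        (root / "lib").mkdir()
        (root / "cgi" / "login.cgi").write_text("# original login handler\n")
        (root / "lib" / "upgrade.pm").write_text("# original upgrade logic\n")

        baseline = build_manifest(root)  # would be stored off-box in practice

        # Simulated attacker activity (constructed).
        with (root / "cgi" / "login.cgi").open("a") as fh:
            fh.write("# injected web shell\n")                 # modified in place
        (root / "lib" / "upgrade.pm").write_text("# fakes upgrade progress\n")  # rewritten
        (root / "cgi" / "shell.cgi").write_text("# dropped web shell\n")        # new file

        current = build_manifest(root)
        return compare_manifest(baseline, current)


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind}: {names}")
```

The diff surfaces the appended web shell and the rewritten upgrade routine as modified files and the dropped shell as an added file; a file that has merely been touched (timestamp changed) without content changes is not reported, which is the behaviour you want from a content-based check.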

Report Details

The full threat report can be found at the following link:

* Google Cloud Blog: https://cloud.google.com/blog/topics/threat-intelligence/ivanti-connect-secure-vpn-zero-day
