“Significant Flaw Utilized to Breach Ivanti VPN Users”

### **Severe Vulnerability in Ivanti VPNs Targeted by Advanced Hackers**

In a worrying turn of events for cybersecurity experts, networks safeguarded by Ivanti VPNs are currently facing active assaults from well-funded hackers. These adversaries are taking advantage of a severe vulnerability, identified as **CVE-2025-0283**, which provides them with total control over network-connected devices. This flaw has been weaponized to execute harmful code without the need for authentication, presenting a considerable risk to the compromised systems.

### **Details of the Vulnerability and Its Abuse**

Ivanti, the company responsible for the Connect Secure VPN, Policy Secure, and ZTA Gateways, announced the vulnerability in a security advisory released on Wednesday. The organization verified that the vulnerability is already under active exploitation. In conjunction with this announcement, a security patch was issued, updating Connect Secure devices to version **22.7R2.5**.

Mandiant, a security firm owned by Google, reported that the vulnerability has been actively misused since **December**, a month before its public disclosure. Attackers have been seen deploying two previously unknown malware packages, **DRYHOOK** and **PHASEJAM**, on infiltrated devices.

### **PHASEJAM: A Versatile Malware Tool**

PHASEJAM is an advanced bash shell script that features multiple capabilities. It initiates by installing a **web shell**, which grants attackers elevated access to devices. The malware subsequently injects a harmful function into the Connect Secure update process, mirroring a legitimate upgrade sequence to mislead administrators.

Mandiant elaborated on this deceptive procedure:

> “If the ICS administrator tries to perform an upgrade, the function presents an illusion of a genuine upgrade process that displays each of the phases along with various dot sequences to simulate a functioning process.”

This counterfeit upgrade routine is part of a larger scheme to ensure continuity and avoid detection.

### **SPAWNANT: Disabling Core Security Tools**

Another piece of malware, **SPAWNANT**, has been detected on some compromised devices. Its main objective is to disable Ivanti’s **Integrity Checker Tool (ICT)**, which is intended to check device files for unauthorized alterations. SPAWNANT accomplishes this by substituting the expected cryptographic hash of a crucial file with the hash of the infected variant. This deception misleads the ICT into indicating that the system remains untainted, even when it has been compromised.

### **Indicators of Compromise and Persistence Tactics**

The attackers have implemented extensive strategies to conceal their actions on infected devices. These strategies include:

1. **Clearing Kernel Messages**: Utilizing `dmesg` to erase traces of their activities.
2. **Eliminating Troubleshooting Data**: Disposing of state dumps and core dumps created during process failures.
3. **Altering Logs**: Removing entries from application event logs and SELinux audit logs to obliterate evidence of their intrusion.
4. **Interfering with System Upgrades**: SPAWNANT guarantees its persistence by hijacking the execution flow of the `dspkginstall` binary, associated with system upgrades. It also recalculates cryptographic hashes for maliciously altered files and creates new RSA key pairs to authorize the modified manifest.

In contrast to other persistence strategies, SPAWNANT does not obstruct the upgrade procedure but rather ensures its survival through system upgrades by transferring itself to the new upgrade partition.
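The hash-substitution trick described for SPAWNANT (rewriting the expected hash so the integrity checker passes, and re-signing the manifest with attacker-generated keys) works because the reference values live on the same device the attacker controls. The following added example (not Ivanti's or Mandiant's code; the file name and contents are constructed stand-ins) implements a minimal manifest-based integrity check and shows why the same check gives a false negative against an on-device manifest but still catches the change when compared against a known-good copy held off the box:

```python
import hashlib
import os
import tempfile


def sha256_file(path):
    # Stream the file so large binaries do not have to fit in memory.
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_integrity(root, manifest):
    # manifest maps a relative path to its expected SHA-256; returns the
    # paths whose on-disk hash no longer matches the reference value.
    return [rel for rel, expected in manifest.items()
            if sha256_file(os.path.join(root, rel)) != expected]


def demo():
    # Constructed stand-in for an appliance filesystem with one watched binary.
    root = tempfile.mkdtemp()
    watched = "dspkginstall"
    path = os.path.join(root, watched)
    with open(path, "wb") as f:
        f.write(b"#!/bin/sh\necho genuine upgrade installer\n")

    # Baseline taken while the system is clean. One copy stays on the device
    # (as a local checker's manifest does); one copy is exported off-box.
    on_device = {watched: sha256_file(path)}
    offline = dict(on_device)

    # Tampering as the article describes: the binary is altered and the
    # on-device manifest is rewritten with the hash of the altered copy.
    with open(path, "ab") as f:
        f.write(b"# constructed marker for the modified variant\n")
    on_device[watched] = sha256_file(path)

    return {
        "on_device_manifest": check_integrity(root, on_device),  # [] (false negative)
        "offline_manifest": check_integrity(root, offline),      # ["dspkginstall"]
    }


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "clean" if not findings else "MODIFIED: " + ", ".join(findings))
```

The same reasoning applies to a signed manifest: if the verifier accepts whatever public key is stored beside the manifest, a re-signed manifest passes, so the trusted key must be pinned outside the attacker's reach.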

### **Overall Objectives of the Attackers**

The leading aim of these attacks seems to be **data harvesting**. The attackers are zeroing in on sensitive data, encompassing:

– VPN sessions
– Session cookies
– API keys
– Certificates
– Credential information

Mandiant has linked these attacks to two groups, **UNC5337** and **UNC5221**, both believed to be associated with espionage activities connected to China.

### **Detection and Mitigation Strategies**

Ivanti has advised administrators to utilize the Integrity Checker Tool (ICT) for detecting infections on their devices. Nevertheless, this tool only proves effective if administrators thoroughly assess the results to confirm their authenticity. Mandiant cautioned that compromised devices might still pass ICT checks if the attackers have tampered with the tool’s output.

To reduce risks, Ivanti recommends the following:

1. **Use ICT Alongside Additional Security Tools**: ICT should be deployed alongside other monitoring solutions capable of identifying post-exploitation activity.
2. **Conduct a Factory Reset**: Upon detection of an infection, a factory reset is advised to return the device to a clean state.
3. **Look for Indicators of Compromise (IoCs)**: Administrators should examine IoCs offered by Ivanti and Mandiant to recognize signs of compromise.

### **Wider Consequences**

The exploitation of CVE-2025-0283 showcases the growing complexity of cyberattacks targeting organizational networks. The attackers’ ability to manipulate integrated security tools, mimic legitimate operations, and maintain persistence across system upgrades highlights the necessity for proactive security strategies.

Organizations utilizing Ivanti VPNs should prioritize patching their systems and performing comprehensive inspections.