CISA spots spawn of Spawn malware targeting Ivanti flaw

(2025/04/01)


Owners of Ivanti’s Connect Secure, Policy Secure, and ZTA Gateway products have a new strain of malware to fend off, according to the US Cybersecurity and Infrastructure Security Agency, aka CISA.

If you haven't yet patched your vulnerable Ivanti kit, you now have one more reason to wipe and update it.

Uncle Sam dubbed the latest software nasty Resurge, and [1]warned it gets onto devices through [2]CVE-2025-0282, a critical stack-based buffer overflow that was also exploited in [3]zero-day attacks to drop the Spawn family of malware, among others, on victim organizations.

The flaw allows unauthenticated remote code execution. Nominet, the .uk domain registry, was [5]among those hit before Ivanti shipped a fix on January 8.

The following software is vulnerable if unpatched:

Ivanti Connect Secure before version 22.7R2.5

Ivanti Policy Secure before version 22.7R1.2, and

Ivanti Neurons for ZTA gateways before version 22.7R2.3
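To check an inventory of appliance version strings against those thresholds, here is an added PowerShell example. It is not Ivanti's or CISA's code and is not from the original article; it follows the article's "before version X" rule, the hostnames and versions in the sample inventory are constructed, and the product keys (ConnectSecure, PolicySecure, ZTAGateway) are labels chosen here.

```powershell
# Added example (not Ivanti's or CISA's code): decide whether an Ivanti
# version string is below the fixed version named in the article.
# Version strings look like "22.7R2.5" (major.minor R release[.patch]).

function ConvertTo-IvantiVersion {
    param([Parameter(Mandatory)][string]$VersionString)
    if ($VersionString -notmatch '^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$') {
        throw "Unrecognised Ivanti version string: '$VersionString'"
    }
    # Optional patch component defaults to 0 (so 22.7R2 sorts below 22.7R2.1).
    $patch = if ($Matches[4]) { [int]$Matches[4] } else { 0 }
    # Map to System.Version so the normal -lt / -ge operators work.
    return [version]::new([int]$Matches[1], [int]$Matches[2], [int]$Matches[3], $patch)
}

# Minimum fixed version per product, as listed in the article.
$FixedVersions = @{
    'ConnectSecure' = '22.7R2.5'
    'PolicySecure'  = '22.7R1.2'
    'ZTAGateway'    = '22.7R2.3'
}

function Test-IvantiVulnerable {
    param(
        [Parameter(Mandatory)][ValidateSet('ConnectSecure','PolicySecure','ZTAGateway')][string]$Product,
        [Parameter(Mandatory)][string]$Version
    )
    $running = ConvertTo-IvantiVersion $Version
    $fixed   = ConvertTo-IvantiVersion $FixedVersions[$Product]
    return ($running -lt $fixed)
}

# Constructed sample inventory (hypothetical hostnames and versions).
$inventory = @(
    @{ Host = 'vpn-1.example.test'; Product = 'ConnectSecure'; Version = '22.7R2.4' },
    @{ Host = 'vpn-2.example.test'; Product = 'ConnectSecure'; Version = '22.7R2.6' },
    @{ Host = 'nac-1.example.test'; Product = 'PolicySecure';  Version = '22.7R1.1' },
    @{ Host = 'zta-1.example.test'; Product = 'ZTAGateway';    Version = '22.7R2.3' }
)

foreach ($box in $inventory) {
    $state = if (Test-IvantiVulnerable -Product $box.Product -Version $box.Version) {
        'VULNERABLE - rebuild from a clean image'
    } else {
        'at or above fixed version'
    }
    '{0,-22} {1,-14} {2,-10} {3}' -f $box.Host, $box.Product, $box.Version, $state
}
```

A version at or above the threshold only tells you the patch is installed, not that the box was clean when it was patched; an appliance that ran an exploitable build while exposed still needs the factory-reset treatment described below.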

Resurge reuses pieces of Spawn, specifically the Spawn Chimera strain, and plants web shells on infected appliances so they can be controlled remotely. Once on a device, the software nasty can also subvert the appliance's integrity checks, modify files, harvest credentials, create accounts, reset passwords, and grant intruders elevated permissions, which is why a passing integrity check on a suspect box is not proof that it is clean.

Ensuring your network is completely free of Resurge takes a factory reset followed by [8]installation of a clean, fixed firmware image before the device is reconnected to the internet, we're told. You're advised to take a backup of the device configuration before wiping and upgrading the gear.

"For the highest level of confidence, conduct a factory reset," CISA [9]advised in a March 28 update. "For Cloud and Virtual systems, conduct a factory reset using an external known clean image of the device."

CISA advised the next step is resetting passwords for all privileged and non-privileged accounts, then doing likewise for "all domain users and all local accounts, such as Guest, HelpAssistant, DefaultAccount, System, Administrator, and krbtgt."

That last account is present by default in every Microsoft Active Directory domain and is the key distribution center's service account for the software giant's implementation of the Kerberos authentication protocol. Its current and previous passwords both remain valid, so the password must be reset twice before an attacker's copy of the old key stops working; between the two resets, wait for the change to replicate to every domain controller and for tickets issued under the old key to expire (the default maximum ticket lifetime is 10 hours), or legitimate sessions will break.
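One way to script that two-step krbtgt rotation, as an added PowerShell example that is neither CISA's guidance text nor Microsoft's reference script: it runs in two phases and refuses the second reset until the first has replicated to all domain controllers and is older than the ticket lifetime. It assumes the ActiveDirectory module, Domain Admin rights, and a 10-hour maximum ticket lifetime (an assumption; pass your own value if the Default Domain Policy sets something else).

```powershell
# Added example (not CISA's or Microsoft's script): reset the krbtgt password
# twice, with a guard that the second reset only happens once the first has
# replicated to every DC and tickets issued under the old key have expired.
# Assumes the ActiveDirectory module and Domain Admin rights.
#Requires -Modules ActiveDirectory
param(
    [Parameter(Mandatory)][ValidateSet(1, 2)][int]$Phase,
    # Assumption: default Kerberos maximum ticket lifetime of 10 hours.
    [int]$MaxTicketLifetimeHours = 10
)

function New-RandomPassword {
    # Long random password; nobody ever types the krbtgt password.
    param([int]$Length = 32)
    $bytes = [byte[]]::new($Length)
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($bytes)
    $chars = [char[]]('ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()-_=+')
    $plain = -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })
    return (ConvertTo-SecureString $plain -AsPlainText -Force)
}

function Get-KrbtgtPasswordLastSet {
    # Query every DC directly so replication lag is visible.
    foreach ($dc in Get-ADDomainController -Filter *) {
        $u = Get-ADUser -Identity krbtgt -Server $dc.HostName -Properties PasswordLastSet
        [pscustomobject]@{ DC = $dc.HostName; PasswordLastSet = $u.PasswordLastSet }
    }
}

function Test-KrbtgtReplicated {
    $stamps = Get-KrbtgtPasswordLastSet
    return ((@($stamps.PasswordLastSet | Sort-Object -Unique)).Count -eq 1)
}

$pdc = (Get-ADDomain).PDCEmulator

if ($Phase -eq 2) {
    if (-not (Test-KrbtgtReplicated)) {
        throw 'First krbtgt reset has not replicated to all DCs yet; wait and retry.'
    }
    $lastSet = (Get-ADUser -Identity krbtgt -Server $pdc -Properties PasswordLastSet).PasswordLastSet
    $age = (Get-Date) - $lastSet
    if ($age.TotalHours -lt $MaxTicketLifetimeHours) {
        throw ('First reset was {0:N1} h ago; wait until tickets under the old key have expired ({1} h) before the second reset.' -f $age.TotalHours, $MaxTicketLifetimeHours)
    }
}

# Perform the reset against the PDC emulator so there is one source of truth.
Set-ADAccountPassword -Identity krbtgt -Server $pdc -Reset -NewPassword (New-RandomPassword)
"Phase $Phase krbtgt reset done on $pdc at $(Get-Date -Format o)."
Get-KrbtgtPasswordLastSet | Format-Table -AutoSize
```

Run it with `-Phase 1`, then later with `-Phase 2`; the second run fails closed rather than rotating too early. Only after the second reset does the key the attacker may have captured stop validating tickets.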

"We are proponents of responsible information sharing with defenders, as it is vital to build a healthier, more resilient security ecosystem," an Ivanti spokesperson told The Register.

"The patching instructions that Ivanti released on January 8, which include performing a factory reset, effectively remediate the vulnerability. We encourage all customers to follow these instructions immediately if they have not done so already, and to remain on the latest version (currently 22.7R2.6), which includes significant security enhancements."

This is the second year in succession that Ivanti has dealt with zero-day attacks. In January 2024 it [15]issued mitigation advice after miscreants found flaws in Connect Secure and Policy Secure. ®

[1] https://www.cisa.gov/news-events/alerts/2025/03/28/cisa-releases-malware-analysis-report-resurge-malware-associated-ivanti-connect-secure

[2] https://nvd.nist.gov/vuln/detail/CVE-2025-0282

[3] https://www.theregister.com/2025/01/09/zeroday_exploits_ivanti/

[5] https://www.theregister.com/2025/01/13/nominet_ivanti_zero_day/

[8] https://forums.ivanti.com/s/article/Recovery-Steps

[9] https://www.cisa.gov/news-events/alerts/2025/03/28/cisa-releases-malware-analysis-report-resurge-malware-associated-ivanti-connect-secure

[15] https://www.theregister.com/2024/01/11/china_backed_ivanti_exploits/
