Ivanti Connect Secure VPN Targeted in New Zero-Day Exploitation
Jan. 9, 2025, 9:09 a.m.
Description
A new zero-day vulnerability, CVE-2025-0282, in Ivanti Connect Secure VPN appliances has been exploited since mid-December 2024. The vulnerability allows unauthenticated remote code execution. Attackers have deployed multiple malware families, including SPAWN, DRYHOOK, and PHASEJAM, to maintain persistence, steal credentials, and evade detection. The attacks involve disabling security features, injecting web shells, blocking system upgrades, and performing network reconnaissance. Multiple threat actors may be involved, with some activity attributed to the China-nexus groups UNC5337 and UNC5221. Ivanti has released patches and recommends that customers run its Integrity Checker Tool and implement additional security measures.
Date
Published: Jan. 9, 2025, 8:56 a.m.
Created: Jan. 9, 2025, 8:56 a.m.
Modified: Jan. 9, 2025, 9:09 a.m.
Indicators
M_APT_Tunneler_SPAWNMOLE_1
M_Dropper_PHASEJAM_1
M_Credtheft_DRYHOOK_1
M_APT_Installer_SPAWNANT_1
M_APT_Installer_SPAWNSNAIL_1
4d7f4c330cdb4c16de4327b1b82f3cbe53d20c117fffc972a2d3a47e01e0a65f
0073cfe7bc582693bf543490020a510feaec1bb693b4ebb28a7595d472917a69
Attack Patterns
PHASEJAM
DRYHOOK
SPAWNSLOTH
SPAWNSNAIL
SPAWNMOLE
SPAWNANT
UNC5337
T1562.004
T1505.003
T1021.001
T1557
T1213
T1070.004
T1105
T1190
T1133
T1078
CVE-2025-0283
CVE-2025-0282
CVE-2024-21887
CVE-2023-46805