Ivanti Connect Secure VPN Targeted in New Zero-Day Exploitation

Jan. 9, 2025, 9:09 a.m.

Description

A new zero-day vulnerability, CVE-2025-0282, in Ivanti Connect Secure VPN appliances has been exploited since mid-December 2024. The vulnerability allows unauthenticated remote code execution. Attackers have deployed multiple malware families, including SPAWN, DRYHOOK, and PHASEJAM, to maintain persistence, steal credentials, and evade detection. The attacks involve disabling security features, injecting web shells, blocking system upgrades, and performing network reconnaissance. Multiple threat actors may be involved, with some activity attributed to the China-nexus groups UNC5337 and UNC5221. Ivanti has released patches and recommends that customers run its Integrity Checker Tool and implement security measures.

Date

  • Created: Jan. 9, 2025, 8:56 a.m.
  • Published: Jan. 9, 2025, 8:56 a.m.
  • Modified: Jan. 9, 2025, 9:09 a.m.

Indicators

  • M_APT_Tunneler_SPAWNMOLE_1
  • M_Dropper_PHASEJAM_1
  • M_Credtheft_DRYHOOK_1
  • M_APT_Installer_SPAWNANT_1
  • M_APT_Installer_SPAWNSNAIL_1
  • 4d7f4c330cdb4c16de4327b1b82f3cbe53d20c117fffc972a2d3a47e01e0a65f
  • 0073cfe7bc582693bf543490020a510feaec1bb693b4ebb28a7595d472917a69

Attack Patterns

  • PHASEJAM
  • DRYHOOK
  • SPAWNSLOTH
  • SPAWNSNAIL
  • SPAWNMOLE
  • SPAWNANT
  • UNC5337

Linked vulnerabilities