Friday, January 17, 2025

Chinese Threat Actor UNC5337 Exploits Ivanti Vulnerability Yet Again

A Chinese-linked cyber group, UNC5337, has resurfaced, exploiting yet another critical vulnerability in Ivanti’s remote access devices. Despite the vendor’s public pledge to embrace secure-by-design principles, this marks yet another chapter in a series of cybersecurity challenges.

A Year of Repeat Offenses

Ivanti’s struggle with vulnerabilities has been ongoing, leaving IT administrators perpetually on edge. Last year alone, the company dealt with major issues like SQL injection flaws, authentication bypasses, and critical bugs in its suite of appliances, including Virtual Traffic Manager and Endpoint Manager. The timeline was peppered with emergency patches and rising anxiety.

The UNC5337 group, believed to have ties to another Chinese entity, UNC5221, exploited significant flaws in Ivanti’s Connect Secure (ICS) and Policy Secure gateways as early as January last year. And now, the group is back, taking advantage of a fresh critical flaw in ICS that also impacts Policy Secure and Neurons for Zero Trust Access (ZTA) gateways.

“This isn’t about ease of exploitation,” says Arctic Wolf CISO Adam Marrè. “It’s a testament to the sophistication of UNC5337. Secure engineering is tough, but even following best practices doesn’t make systems unhackable.”

The Latest Vulnerabilities

Ivanti’s newest challenges are embodied in two vulnerabilities:

  1. CVE-2025-0283: A high-severity buffer overflow bug scoring 7.0/10 on the CVSS scale. This flaw could allow attackers to escalate privileges on devices but requires authentication.
  2. CVE-2025-0282: A critical flaw rated 9.0/10 on the CVSS scale. This vulnerability enables remote code execution without authentication, making it the more serious of the two. Security researchers from watchTowr reverse-engineered an exploit for this vulnerability by comparing patched and unpatched ICS versions.

UNC5337 has been exploiting CVE-2025-0282 since mid-December, using tools from its “Spawn” malware family. These include SpawnAnt for malware persistence, SpawnSnail as a backdoor, and SpawnSloth for log tampering. Researchers also found two unrelated malware tools, DryHook and PhaseJam, used to steal credentials and maintain persistence.

A Closer Look at the Tools of Exploitation

DryHook, a Python-based script, targets credentials stored on devices, while PhaseJam demonstrates a more creative approach. The bash shell script simulates a fake update process, showing administrators a convincing progress bar while quietly thwarting legitimate updates. This sleight of hand ensures the malware’s survival even through attempts to secure the system.

“It’s an ingenious way to trick administrators,” says Mandiant consultant Matt Lin. “These tools show a deep understanding of Ivanti’s systems.”

The Widespread Impact

According to data from The ShadowServer Foundation, more than 2,000 ICS instances remain vulnerable, primarily in the U.S., France, and Spain. The numbers reflect the challenges organizations face in keeping up with urgent patches and updates.

ShadowServer Foundation’s findings paint a stark picture:

  • The U.S. has the highest number of potentially affected devices.
  • France and Spain follow, highlighting the global reach of this vulnerability.

What Comes Next?

Ivanti, alongside the Cybersecurity and Infrastructure Security Agency (CISA), has issued guidance on mitigating CVE-2025-0282. Their recommendations include running Ivanti’s Integrity Checker Tool (ICT) to detect infections and applying patches immediately. However, there’s a caveat: while ICS patches are available, those for Policy Secure and ZTA gateways won’t arrive until January 21.

In a statement, Ivanti emphasized their rapid response. “Our ICT tool was instrumental in identifying exploitation as it happened, enabling us to quickly develop and release a fix,” a company spokesperson said. “We urge organizations to use ICT and monitor their systems closely.”

Marrè and Lin both underline the importance of swift action. However, Marrè also notes the strain on IT teams: “Fixing these vulnerabilities might mean downtime, which organizations often resist. But neglecting updates only increases risk.”

Lessons Learned and Lingering Questions

While Ivanti continues to address these vulnerabilities, the broader cybersecurity community faces mounting pressure. Administrators must not only patch vulnerabilities but also assess whether their systems were breached. If so, incident response efforts kick into high gear, creating a ripple effect across organizations.

“The exhaustion among defenders is real,” Lin adds. “These vulnerabilities don’t just demand technical fixes. They disrupt workflows, strain resources, and put teams through immense pressure.”

Ivanti’s challenges underscore a universal truth: even with secure-by-design principles, the battle against advanced threat actors like UNC5337 is far from over.

Harper Jones
Harper is an experienced content writer specializing in technology with expertise in simplifying complex technical concepts into easily understandable language. He has written for prestigious publications and online platforms, providing expert analysis on the latest technology trends, making his writing popular amongst readers.