Wednesday, February 19, 2025

Chinese Hackers Exploit Ivanti Remote Access Devices Yet Again

Another critical vulnerability has been unearthed in Ivanti’s remote access systems, and once again it was exploited in the wild as a zero-day by a suspected China-nexus threat actor before a fix was available. Ivanti, known for its widely deployed Connect Secure (ICS) and Policy Secure appliances, has found itself in the cybersecurity spotlight once more, struggling to defend its edge devices against persistent, well-resourced attackers.

The Never-Ending Cycle of Ivanti Vulnerabilities

Ivanti’s reputation has taken a hit over the past year due to a string of high-profile security flaws. From authentication bypasses to SQL injection vulnerabilities, the company’s devices have been repeatedly targeted by attackers.

In January 2024, two vulnerabilities in Ivanti’s ICS and Policy Secure gateways (CVE-2023-46805, an authentication bypass, and CVE-2024-21887, a command injection) were chained in the wild by the China-nexus cluster Mandiant tracks as UNC5221, with the related UNC5337 (assessed by Mandiant to be part of the same group) deploying malware written specifically for Ivanti appliances, underlining a deep understanding of the platform. Fast forward to today, and the same group, or one closely aligned with it, has returned to exploit a fresh critical flaw.

[Image: Ivanti cybersecurity vulnerability graph]

Two New Flaws: One Critical, One High

The latest vulnerabilities in Ivanti’s systems are serious, though one stands out for its severity and ease of exploitation.

  1. CVE-2025-0282: This critical stack-based buffer overflow, rated 9.0 on the Common Vulnerability Scoring System (CVSS), allows a remote, unauthenticated attacker to execute code on the appliance. Mandiant has confirmed in-the-wild exploitation dating back to mid-December 2024, with malware families such as SpawnAnt and SpawnSnail deployed on compromised systems.
  2. CVE-2025-0283: Rated less severe (7.0 on the CVSS), this stack-based buffer overflow requires a local, authenticated attacker and allows privilege escalation on the device. No exploitation of this bug has been reported so far.

Both flaws affect the 22.7 release branches of ICS (22.7R2 through 22.7R2.4), Policy Secure, and Neurons for Zero Trust Access (ZTA) gateways, underscoring the widespread risk.

Sophisticated Malware Families at Work

UNC5337 has shown considerable sophistication in its attacks, deploying customized malware to ensure persistence and stealth. Here’s a snapshot of the SPAWN toolkit it uses:

  • SpawnAnt: An installer that drops the other components and is engineered to survive system upgrades.
  • SpawnMole: A tunneler that relays traffic between the implant and the attacker’s infrastructure.
  • SpawnSnail: A passive SSH backdoor listening on the appliance for the attacker to connect back in.
  • SpawnSloth: Tampers with the device’s logs to hide malicious activity.

Two other malware strains, DryHook and PhaseJam, have also been observed. DryHook hooks the authentication process to harvest user credentials, while PhaseJam is a dropper that installs web shells and blocks legitimate system upgrades while displaying a fake update progress bar, so administrators believe the upgrade succeeded when the implant is still in place.

Widespread Exposure and the Race to Patch

According to The Shadowserver Foundation, over 2,000 internet-exposed ICS devices remain vulnerable worldwide, with the majority located in the U.S., France, and Spain. Ivanti and the Cybersecurity and Infrastructure Security Agency (CISA) have released guidance to mitigate these vulnerabilities, urging organizations to:

  • Run Ivanti’s Integrity Checker Tool (ICT), both the internal and the external version, to identify potential infections, and factory-reset any appliance whose scan shows signs of compromise before upgrading it.
  • Apply the available patches immediately, and verify the running version afterwards rather than trusting the upgrade dialog, given PhaseJam’s fake progress bar.
  • Monitor internal and external networks for signs of compromise, including lateral movement from the appliance into the internal network.

However, patches for Policy Secure and ZTA gateways won’t be available until January 21, 2025. Ivanti argues that these products are less likely to be exploited because of how they are meant to be deployed: Policy Secure is not intended to be internet-facing, and ZTA gateways cannot be exploited while connected to a controller in production. Even so, the delay in patch availability adds another layer of risk for organizations that cannot verify those deployment assumptions.

Security Teams Face Exhaustion and Pressure

The relentless cycle of vulnerabilities and patches is taking a toll on security teams. Adam Marrè, CISO at Arctic Wolf, points out that while secure engineering is genuinely hard, the speed at which these flaws are exploited once disclosed is what makes the situation so stressful for defenders.

Matt Lin of Mandiant echoes this sentiment, emphasizing that prompt action minimizes impact. Yet the sheer effort required to assess exposure, patch systems, and respond to breaches can overwhelm organizations. As Lin puts it, “The toil and exhaustion defenders face cannot be underestimated.”

Joshua Garcia