Tuesday, April 1, 2025

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about a new malware strain named RESURGE, deployed on Ivanti Connect Secure (ICS) appliances compromised through CVE-2025-0282. In a recently published Malware Analysis Report (MAR), CISA notes that RESURGE contains capabilities of the SPAWNCHIMERA malware but adds distinct commands and functionality: installing web shells on the running boot disk, manipulating the running coreboot image so the implant survives reboots, and evading file integrity checks.
RESURGE operates as a rootkit, dropper, backdoor, bootkit, proxy, and tunneler. It provides stealthy access over SSH tunnels using encrypted keys, letting operators move without tripping alerts. CISA also recovered an associated file, liblogblock.so, which it identifies as a variant of SPAWNSLOTH. This component uses the funchook library to hook Ivanti's logging routines and alter or drop log entries, so that traces of the intrusion never reach the appliance's logs. The practical consequence for responders is that logs taken from a suspect appliance cannot be treated as complete; evidence should be corroborated from sources the implant cannot reach, such as logs forwarded off the box before compromise, network telemetry, and authentication records on upstream systems.
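To make the concealment concrete, here is a small Python model of what a log hook achieves and how an out-of-band copy exposes it. This is an added illustration, not RESURGE, liblogblock.so, or Ivanti code: the ApplianceLog class, the SUPPRESS markers, and the SAMPLE_EVENTS lines are all constructed for the demo, and the hook is plain Python attribute shadowing rather than a funchook-style native trampoline. The detection half assumes the external copy was collected by a path the hook does not touch.

```python
"""Toy model of log-hook concealment and its out-of-band detection.

Constructed illustration; no real malware or product code is reproduced.
"""
from typing import Callable, Dict, Iterable, List, Sequence


class ApplianceLog:
    """Stand-in for an appliance logging routine (assumption: one write() per event)."""

    def __init__(self) -> None:
        self.local: List[str] = []  # what an admin sees on the box

    def write(self, line: str) -> None:
        self.local.append(line)


# Constructed markers an implant would want kept out of the logs.
SUPPRESS: Sequence[str] = ("liblogblock.so", "web shell", "coreboot")


def install_log_hook(log: ApplianceLog,
                     patterns: Sequence[str] = SUPPRESS) -> Callable[[], None]:
    """Intercept log.write and silently drop lines matching any pattern.

    This is the effect of hooking the logging function: callers believe the
    line was written, but it never lands. Returns an uninstall callback.
    """
    original = log.write

    def hooked(line: str) -> None:
        if any(p in line for p in patterns):
            return  # swallowed; no trace on the box
        original(line)

    log.write = hooked  # instance attribute shadows the class method

    def uninstall() -> None:
        del log.write   # fall back to the class method

    return uninstall


def replay(events: Iterable[str], log: ApplianceLog) -> None:
    """Feed events through whatever write() the log currently exposes."""
    for event in events:
        log.write(event)


def find_suppressed(external_copy: Sequence[str],
                    local_copy: Sequence[str]) -> List[str]:
    """Lines present in an out-of-band copy but missing locally, in order.

    Assumption: the external copy was captured before the hooked routine
    (e.g. a collector fed upstream of it). A hook placed ahead of log
    forwarding would hide lines from both copies, which is why a clean
    comparison is not proof of absence.
    """
    remaining: Dict[str, int] = {}
    for line in local_copy:
        remaining[line] = remaining.get(line, 0) + 1
    missing: List[str] = []
    for line in external_copy:
        if remaining.get(line, 0) > 0:
            remaining[line] -= 1
        else:
            missing.append(line)
    return missing


# Constructed sample events (not from any real appliance).
SAMPLE_EVENTS = [
    "2025-01-09T10:00:01 sshd: session opened for admin from 192.0.2.10",
    "2025-01-09T10:00:05 loader: shared object liblogblock.so loaded",
    "2025-01-09T10:00:07 fs: web shell written to boot disk",
    "2025-01-09T10:00:08 integrity: coreboot image modified",
    "2025-01-09T10:00:09 sshd: session closed for admin",
]


def demo(events: Sequence[str] = SAMPLE_EVENTS) -> Dict[str, object]:
    """Run the same events through a clean and a hooked logger, then diff."""
    clean = ApplianceLog()
    replay(events, clean)               # baseline: every line lands

    hooked = ApplianceLog()
    uninstall = install_log_hook(hooked)
    replay(events, hooked)              # implant-style filtering in place
    uninstall()

    return {
        "baseline": len(clean.local),
        "on_box": len(hooked.local),
        "suppressed": find_suppressed(clean.local, hooked.local),
    }


if __name__ == "__main__":
    result = demo()
    print(f"baseline {result['baseline']} lines, on-box {result['on_box']} lines")
    for line in result["suppressed"]:
        print("hidden on box:", line)
```

The point of the diff is the direction of trust: the on-box log is the tampered artifact, so the comparison only works against a copy the hook never touched. If log forwarding itself runs downstream of the hooked routine, both copies agree and the gap is invisible, which is the case to plan for when deciding where appliance logs are collected.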
CVE-2025-0282 is a stack-based buffer overflow (CVSS 9.0) that allows unauthenticated remote code execution; a related flaw, CVE-2025-0283 (CVSS 7.0), allows a locally authenticated user to escalate privileges. Ivanti has released patches for both and stated that exploitation appears limited to a small number of customers' Connect Secure appliances, with no exploitation observed so far in the Policy Secure or ZTA Gateway product lines. CISA urges administrators to apply the latest security updates and monitor systems for indicators of compromise. Because RESURGE is built to evade file integrity checks and tamper with logging, a clean result from the appliance's own checks is not proof that a device is uncompromised; Ivanti's guidance of a factory reset for appliances showing signs of compromise before upgrading is the safer path.