Alerts: CISA Releases Malware Analysis Report on RESURGE Malware Associated with Ivanti Connect Secure

Source URL: https://www.cisa.gov/news-events/alerts/2025/03/28/cisa-releases-malware-analysis-report-resurge-malware-associated-ivanti-connect-secure
Source: Alerts
Title: CISA Releases Malware Analysis Report on RESURGE Malware Associated with Ivanti Connect Secure

Feedly Summary: CISA has published a Malware Analysis Report (MAR) with analysis and associated detection signatures on a new malware variant CISA has identified as RESURGE. RESURGE contains capabilities of the SPAWNCHIMERA[1] malware variant, including surviving reboots; however, RESURGE contains distinctive commands that alter its behavior. These commands: 

– Create a web shell, manipulate integrity checks, and modify files.

– Enable the use of web shells for credential harvesting, account creation, password resets, and escalating permissions.

– Copy the web shell to the Ivanti running boot disk and manipulate the running coreboot image.

RESURGE is associated with the exploitation of CVE-2025-0282 in Ivanti Connect Secure appliances. CVE-2025-0282 is a stack-based buffer overflow vulnerability in Ivanti Connect Secure, Policy Secure, and ZTA Gateways. CISA added CVE-2025-0282 to its Known Exploited Vulnerabilities Catalog on January 8, 2025.  
For more information on the abovementioned malware variants and YARA rules for detection, see: MAR-25993211.R1.V1.CLEAR.
For a downloadable copy of the SIGMA rule associated with this MAR, see: AR25-087A SIGMA YAML.
CISA urges users and administrators to implement the following actions in addition to the Mitigation Instructions for CVE-2025-0282: 

For the highest level of confidence, conduct a factory reset.

For Cloud and Virtual systems, conduct a factory reset using an external known clean image of the device. 

See Ivanti’s Recommended Recovery Steps for more information, including how to conduct a factory reset. 

Reset credentials of privileged and non-privileged accounts.  

Reset passwords for all domain users and all local accounts, such as Guest, HelpAssistant, DefaultAccount, System, Administrator, and krbtgt. The krbtgt account is responsible for handling Kerberos ticket requests as well as encrypting and signing them. The krbtgt account should be reset twice because the account has a two-password history. The first account reset for the krbtgt needs to be allowed to replicate prior to the second reset to avoid any issues. See CISA’s Eviction Guidance for Networks Affected by the SolarWinds and Active Directory/M365 Compromise for more information. Although tailored to Federal Civilian Executive Branch (FCEB) agencies compromised in the 2020 SolarWinds Orion supply chain compromise, the steps are applicable to organizations with Windows AD compromise. 

Review access policies to temporarily revoke privileges/access for affected devices. If it is necessary to not alert the attacker (e.g., for intelligence purposes), then privileges can be reduced for affected accounts/devices to “contain” them. 

Reset the relevant account credentials or access keys if the investigation finds the threat actor’s access is limited to non-elevated permissions. 

Monitor related accounts, especially administrative accounts, for any further signs of unauthorized access. 
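The two-step krbtgt reset in the credential-reset step above is easy to get wrong because the second reset must not run until the first has replicated to every writable domain controller. The following PowerShell is an added example (not code from the CISA alert, Ivanti, or Microsoft) that enforces that ordering: it checks the krbtgt pwdLastSet value on each writable DC, refuses the second reset until all DCs agree, and issues each reset against the PDC emulator. It assumes a domain-joined admin host with the RSAT ActiveDirectory module and Domain Admin rights; the function and parameter names are this example's own.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not part of the CISA alert or Ivanti's recovery guidance.
# Assumptions: domain-joined admin host, RSAT ActiveDirectory module, Domain
# Admin rights, one domain at a time. Function names are illustrative.

function Get-KrbtgtPasswordState {
    # One row per writable DC with the raw pwdLastSet it currently holds for krbtgt.
    $dcs = Get-ADDomainController -Filter * | Where-Object { -not $_.IsReadOnly }
    foreach ($dc in $dcs) {
        $u = Get-ADUser -Identity krbtgt -Server $dc.HostName -Properties pwdLastSet
        [pscustomobject]@{
            DC         = $dc.HostName
            PwdLastSet = [DateTime]::FromFileTimeUtc($u.pwdLastSet)
            Raw        = $u.pwdLastSet
        }
    }
}

function Test-KrbtgtConverged {
    # True only when every writable DC reports the same pwdLastSet, i.e. the
    # previous reset has fully replicated. A single-DC domain is trivially converged.
    $rows = @(Get-KrbtgtPasswordState)
    return ((@($rows.Raw | Sort-Object -Unique)).Count -eq 1)
}

function Invoke-KrbtgtReset {
    # Issue one reset on the PDC emulator. Nobody logs on with this password:
    # the KDC derives the Kerberos keys from it, so a random 64-byte value is
    # set and immediately discarded.
    $pdc   = (Get-ADDomain).PDCEmulator
    $bytes = New-Object byte[] 64
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $pw = ConvertTo-SecureString -String ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    Set-ADAccountPassword -Identity krbtgt -Reset -NewPassword $pw -Server $pdc
    Write-Host "krbtgt reset issued on $pdc at $(Get-Date -Format u)"
}

function Invoke-KrbtgtDoubleResetStep {
    # Step 1 resets unconditionally. Step 2 refuses to run until step 1 has
    # replicated to all writable DCs, which is the ordering the alert requires.
    param([Parameter(Mandatory)][ValidateSet(1, 2)][int]$Step)
    if ($Step -eq 2 -and -not (Test-KrbtgtConverged)) {
        Get-KrbtgtPasswordState | Format-Table -AutoSize
        throw "First krbtgt reset has not replicated to all writable DCs; do not reset again yet."
    }
    Invoke-KrbtgtReset
}

# Usage (run separately, not back to back):
#   Invoke-KrbtgtDoubleResetStep -Step 1
#   ...confirm Test-KrbtgtConverged returns True, then...
#   Invoke-KrbtgtDoubleResetStep -Step 2
```

Beyond the replication check the alert calls for, many organizations also wait out the maximum TGT lifetime (10 hours by default) between the two resets: the KDC honours tickets issued under the current and the previous krbtgt key only, so a second reset before older tickets expire forces re-authentication across the domain. Run each step from a host whose own credentials have already been rotated, since the goal of the procedure is to invalidate anything the intruder copied.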

Organizations should report incidents and anomalous activity related to information found in the malware analysis report to CISA’s 24/7 Operations Center at Report@cisa.gov or (888) 282-0870. Malware submissions can be made directly to Malware Nextgen at https://malware.cisa.gov. 
See the following resources for more guidance: 

Ivanti: Security Advisory Ivanti Connect Secure, Policy Secure & ZTA Gateways (CVE-2025-0282, CVE-2025-0283) 

AI Summary and Description: Yes

Summary: This text discusses the recent identification of a new malware variant named RESURGE by CISA, which contains capabilities for web shell creation and credential exploitation. It highlights the associated vulnerability in Ivanti products and provides mitigation strategies to enhance information security for organizations.

Detailed Description:

– **Overview of Malware Variant**:
  – CISA has announced the discovery of a malware strain dubbed RESURGE.
  – RESURGE exhibits functionalities similar to the SPAWNCHIMERA variant, particularly its persistence (ability to survive system reboots).

– **Distinctive Commands and Capabilities**:
  – The malware allows for:
    – The creation of a web shell.
    – Manipulation of integrity checks.
    – Modification of files.
  – Exploitation for:
    – Credential harvesting.
    – Account creation and password resets.
    – Escalation of user permissions.

– **Exploitation of Vulnerability**:
  – RESURGE is tied to the exploitation of the vulnerability CVE-2025-0282, which is classified as a stack-based buffer overflow affecting Ivanti Connect Secure appliances and associated products.
  – CISA added CVE-2025-0282 to its Known Exploited Vulnerabilities Catalog, underlining its implications.

– **Mitigation Actions Recommended by CISA**:
  – **Factory Resets**:
    – Conduct factory resets for the highest level of confidence in remediation, with an emphasis on using a verified clean image for cloud and virtual systems.
  – **Credential Resets**:
    – Reset credentials for both privileged and non-privileged accounts.
    – Specific instruction on resetting the krbtgt account, which requires careful handling due to its integral role in Kerberos ticket management.
  – **Policy Reviews**:
    – Temporarily revoke access for affected devices and assess access policies.
    – Suggests subtle privilege reductions for devices/accounts to contain threats without raising alarms.
  – **Monitoring and Reporting**:
    – Vigilantly monitor administrative accounts for unauthorized access.
    – Encourage organizations to report any incidents or unusual activity related to the findings in the report.

– **Reporting Resources**:
  – Organizations are advised to report incidents or anomalous activities to CISA’s 24/7 Operations Center and to submit malware samples directly through CISA’s provided avenues.

– **Further Guidance**:
  – References to Ivanti’s Security Advisory for deeper understanding and response strategies regarding the identified vulnerabilities.

In summary, the text presents critical updates on a significant malware threat and articulates essential actions for mitigation, making it highly relevant for professionals in information security, compliance, and cloud security. The emphasis on swift action, reporting protocols, and detailed recovery steps highlights the urgent nature of addressing such threats in organizational environments.