Networks Protected by Ivanti VPNs Under Active Attack
Vulnerability Exploited by Well-Resourced Hackers
Networks protected by Ivanti VPNs are under active attack by well-resourced hackers who are exploiting a critical vulnerability that gives them complete control over network-connected devices. The vulnerability, tracked as CVE-2025-0283, affects Ivanti's Connect Secure VPN, Policy Secure, and ZTA Gateways.
Ivanti Discloses Vulnerability and Releases Patch
Ivanti disclosed the vulnerability on Wednesday and warned that it was under active exploitation against some customers. The company released a security patch at the same time, which upgrades Connect Secure devices to version 22.7R2.5.
Mandiant Warns of Active Exploitation
According to Google-owned security provider Mandiant, the vulnerability has been actively exploited against "multiple compromised Ivanti Connect Secure appliances" since December, a month before the vulnerability came to light. After exploiting the vulnerability, the attackers go on to install two never-before-seen malware packages, tracked under the names DRYHOOK and PHASEJAM, on some of the compromised devices.
PHASEJAM Malware
PHASEJAM is a well-written and multifaceted bash shell script. It first installs a web shell that gives the remote hackers privileged control of the device. It then injects a function into the Connect Secure update mechanism that is intended to simulate the upgrade process.
System Upgrade Persistence
PHASEJAM injects a malicious function named processUpgradeDisplay() into the /home/perl/DSUpgrade.pm file. The function is intended to simulate an upgrade process consisting of 13 steps, each taking a predefined amount of time. If the Ivanti Connect Secure (ICS) administrator attempts an upgrade, the function displays a visually convincing upgrade process that shows each of the steps along with a varying number of dots to mimic a running process.
SPAWNANT Malware
The attackers are also using a previously seen piece of malware tracked as SPAWNANT on some devices. One of its functions is to disable the integrity checker tool (ICT) that Ivanti has built into recent VPN versions, which is designed to inspect device files for unauthorized additions. SPAWNANT does this by replacing the expected SHA256 cryptographic hash of a core file with the hash of that file after it has been infected. As a result, when the tool is run on a compromised device, the modified file passes the check.
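The hash-swap described above works because the expected hashes live on the same device as the files they vouch for. The following added example (written for this page; it is not Ivanti's ICT, nor code from the article) shows the defensive counterpart a practitioner would want: a manifest of SHA256 hashes that is additionally authenticated with a key held off-device, so that rewriting a hash in the manifest no longer goes unnoticed. File contents, paths, and the verification key are constructed sample values; the real tool's file list and key handling are not known from the article.

```python
import hashlib
import hmac
import json

# Constructed sample "device files" (path -> contents). These are placeholders,
# not the real contents of any Ivanti file.
CLEAN_FILES = {
    "/home/perl/DSUpgrade.pm": b"package DSUpgrade;\nsub upgrade { return 1; }\n1;\n",
    "/home/bin/web": b"placeholder-binary-contents",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict) -> dict:
    """Map each path to the SHA256 hex digest of its contents."""
    return {path: sha256_hex(content) for path, content in files.items()}


def sign_manifest(manifest: dict, key: bytes) -> str:
    """HMAC-SHA256 over a canonical JSON encoding of the manifest.

    Assumption: `key` is held by the auditor, off the appliance, so an
    on-device modification cannot recompute a valid tag.
    """
    canonical = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify_files(files: dict, manifest: dict, signature: str, key: bytes):
    """Return (signature_ok, mismatched_paths).

    signature_ok is False when the manifest itself has been altered;
    mismatched_paths lists files whose current hash differs from the manifest.
    """
    expected = sign_manifest(manifest, key)
    signature_ok = hmac.compare_digest(expected, signature)
    mismatched = [
        path for path, digest in manifest.items()
        if sha256_hex(files.get(path, b"")) != digest
    ]
    return signature_ok, sorted(mismatched)


def run_scenarios() -> dict:
    """Three constructed scenarios showing what each check catches."""
    key = b"constructed-offline-verification-key"  # assumption: never stored on the device
    manifest = build_manifest(CLEAN_FILES)
    signature = sign_manifest(manifest, key)
    results = {}

    # 1. Untouched device: signature valid, no mismatches.
    results["clean"] = verify_files(CLEAN_FILES, manifest, signature, key)

    # 2. A file is modified but the manifest is left alone:
    #    the hash comparison reveals the change.
    modified = dict(CLEAN_FILES)
    modified["/home/perl/DSUpgrade.pm"] += b"# injected content\n"
    results["modified_file"] = verify_files(modified, manifest, signature, key)

    # 3. The file is modified AND the on-device manifest is rewritten to match,
    #    the pattern the article attributes to SPAWNANT. Hashes now agree, but
    #    the tag computed with the off-device key no longer verifies.
    refreshed = build_manifest(modified)
    results["modified_file_and_manifest"] = verify_files(modified, refreshed, signature, key)
    return results


if __name__ == "__main__":
    for name, (sig_ok, bad) in run_scenarios().items():
        print(f"{name}: signature_ok={sig_ok} mismatched={bad}")
```

On a real system the `files` dictionary would be replaced by reading each path with `pathlib.Path.read_bytes()`, and the manifest plus its tag would be taken from a copy kept off the appliance (or, better, the comparison would be run from outside the appliance against an image of its filesystem). The point the third scenario makes is the one the article implies: an integrity check whose reference values can be edited by the same code that tampers with the files cannot be trusted on its own.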
Conclusion
The exploitation of this vulnerability in Ivanti VPNs highlights the importance of timely patching and regular security audits. Network administrators should ensure that their VPNs are updated with the latest patches to prevent exploitation by well-resourced hackers.
Frequently Asked Questions
Q: What is the vulnerability?
A: The vulnerability is a critical security flaw in Ivanti’s Connect Secure VPN and Policy Secure & ZTA Gateways.
Q: How is it exploited?
A: After exploiting the vulnerability, attackers install a web shell that gives them privileged control of the device and then deploy additional malware packages.
Q: What are the malware packages used in the attack?
A: The malware packages used in the attack are DRYHOOK and PHASEJAM.
Q: What is the impact of the vulnerability?
A: The vulnerability allows hackers to gain complete control over network-connected devices, including installing malware and disabling security tools.
Q: How can I protect my network from this vulnerability?
A: You can protect your network by updating your VPNs with the latest patches and regularly conducting security audits.