ARSTECHNICA.COM
Ivanti VPN users are getting hacked by actors exploiting a critical vulnerability
WHEN SEEING ISN'T BELIEVING

Ongoing attacks on Ivanti VPNs install a ton of sneaky, well-written malware

In-the-wild attacks tamper with built-in security tool to suppress infection warnings.

Dan Goodin, Jan 9, 2025 5:17 pm

Credit: Getty Images

Networks protected by Ivanti VPNs are under active attack by well-resourced hackers who are exploiting a critical vulnerability that gives them complete control over the network-connected devices.

Hardware maker Ivanti disclosed the vulnerability, tracked as CVE-2025-0283, on Wednesday and warned that it was under active exploitation against some customers. The vulnerability, which is being exploited to allow hackers to execute malicious code with no authentication required, is present in the company's Connect Secure VPN, and Policy Secure & ZTA Gateways. Ivanti released a security patch at the same time. It upgrades Connect Secure devices to version 22.7R2.5.

Well-written, multifaceted

According to Google-owned security provider Mandiant, the vulnerability has been actively exploited against multiple compromised Ivanti Connect Secure appliances since December, a month before the then zero-day came to light. After exploiting the vulnerability, the attackers go on to install two never-before-seen malware packages, tracked under the names DRYHOOK and PHASEJAM, on some of the compromised devices.

PHASEJAM is a well-written and multifaceted bash shell script. It first installs a web shell that gives the remote hackers privileged control of devices. It then injects a function into the Connect Secure update mechanism that's intended to simulate the upgrading process.

"If the ICS administrator attempts an upgrade, the function displays a visually convincing upgrade process that shows each of the steps along with various numbers of dots to mimic a running process," Mandiant said.
The company continued:

"PHASEJAM injects a malicious function into the /home/perl/DSUpgrade.pm file named processUpgradeDisplay(). The functionality is intended to simulate an upgrading process that involves 13 steps, with each of those taking a predefined amount of time. If the ICS administrator attempts an upgrade, the function displays a visually convincing upgrade process that shows each of the steps along with various numbers of dots to mimic a running process. Further details are provided in the System Upgrade Persistence section."

The attackers are also using a previously seen piece of malware tracked as SPAWNANT on some devices. One of its functions is to disable an integrity checker tool (ICT) Ivanti has built into recent VPN versions that is designed to inspect device files for unauthorized additions. SpawnAnt does this by replacing the expected SHA256 cryptographic hash of a core file with the hash of it after it has been infected. As a result, when the tool is run on compromised devices, admins see the following screen:

[Image: A display screen stating that the ICT process has been completed. It lists three steps.]

While the screen is convincing at first appearance, it displays only three steps, whereas the authentic screen will display 10.

[Image: The genuine screen after ICT is completed. It lists 10 steps. Credit: Mandiant]

Ivanti has recommended that customers use the tool to detect infections on their devices. This advice is useful only if admins carefully inspect the results to ensure they're genuine. Mandiant said some compromised devices were found using the tool.

"Ivanti also notes that the ICT is a snapshot of the current state of the appliance and cannot necessarily detect threat actor activity if they have returned the appliance to a clean state," Mandiant said. "The ICT does not scan for malware or other Indicators of Compromise.
Ivanti recommends that customers should run the ICT in conjunction with other security monitoring tools which have detected post-exploitation activity."

In the event the tool detects an infection, Ivanti recommended admins perform a factory reset on the device.

The attackers are also taking pains to hide signs of compromise on infected devices. After exploiting the vulnerability, they go on to perform the following:

- Clearing kernel messages using dmesg and removing entries from the debug logs that are generated during the exploit
- Deleting troubleshooting information packages (state dumps) and any core dumps generated from process crashes
- Removing log application event log entries related to syslog failures, internal ICT failures, crash traces, and certificate handling errors
- Removing executed commands from the SELinux audit log.

"SPAWNANT and its supporting components can persist across system upgrades. It hijacks the execution flow of dspkginstall, a binary used during the system upgrade process, by exporting a malicious snprintf function containing the persistence mechanism. Unlike the first method described in this blog post for system upgrade persistence, SPAWNANT does not block the upgrade process. It survives the upgrade process by ensuring it's copied to the new upgrade partition."

The malware also circumvents the ICT by recalculating the SHA256 hash for any maliciously modified files. SpawnAnt then generates a new RSA key pair to sign the modified manifest.

The ultimate goal of the attacks is to collect data, including VPN sessions, session cookies, API keys, certificates, and credential material. Mandiant said it attributed the attacks to two unknown groups, one tracked as UNC5337. The separate UNC5221 appears to be a subgroup of UNC5337.
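To show why the ICT bypass described above works (the tool trusts a manifest that SPAWNANT re-hashes and re-signs) and what a check that resists it looks like, here is an added illustration in Python; it is not code from Ivanti or Mandiant. The manifest layout, the second file contents and the key fingerprints are constructed stand-ins, and a fingerprint comparison stands in for real signature verification.

```python
import hashlib

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed sample data (hypothetical file contents and key fingerprints,
# not Ivanti's real manifest format or release key).
CLEAN_FILES = {"/home/perl/DSUpgrade.pm": b"package DSUpgrade;\nsub upgrade { ... }\n"}
INFECTED_FILES = {"/home/perl/DSUpgrade.pm":
                  CLEAN_FILES["/home/perl/DSUpgrade.pm"] + b"sub processUpgradeDisplay { ... }\n"}
VENDOR_KEY_FPR = sha256(b"constructed-vendor-release-key")
ATTACKER_KEY_FPR = sha256(b"constructed-attacker-key")

def build_manifest(files: dict, signer_fpr: str) -> dict:
    """On-device manifest: per-file SHA256 plus the fingerprint of the key that signed it."""
    return {"files": {p: sha256(c) for p, c in files.items()}, "signer": signer_fpr}

def self_referential_check(files: dict, manifest: dict) -> bool:
    """A check that trusts the on-device manifest. Recomputing the hashes and
    re-signing with a fresh key (what the article describes) makes it pass."""
    return all(sha256(files[p]) == h for p, h in manifest["files"].items())

def pinned_check(files: dict, manifest: dict, baseline: dict, pinned_fpr: str) -> list:
    """Hardened check: the manifest must be signed by the pinned vendor key, and
    every file must match a baseline of hashes kept off the appliance."""
    findings = []
    if manifest["signer"] != pinned_fpr:
        findings.append("manifest signed by a key other than the pinned vendor key")
    for path, good_hash in baseline.items():
        if sha256(files.get(path, b"")) != good_hash:
            findings.append(f"{path}: hash differs from offline baseline")
    return findings

# Baseline taken from a known-good image and stored outside the device.
OFFLINE_BASELINE = {p: sha256(c) for p, c in CLEAN_FILES.items()}
CLEAN_MANIFEST = build_manifest(CLEAN_FILES, VENDOR_KEY_FPR)
# Manifest as an attacker would rewrite it: new hashes, new signing key.
TAMPERED_MANIFEST = build_manifest(INFECTED_FILES, ATTACKER_KEY_FPR)

if __name__ == "__main__":
    print(self_referential_check(INFECTED_FILES, TAMPERED_MANIFEST))  # True: bypass succeeds
    for f in pinned_check(INFECTED_FILES, TAMPERED_MANIFEST, OFFLINE_BASELINE, VENDOR_KEY_FPR):
        print("FINDING:", f)
```

The self-referential check returns True on the infected device, while the pinned check reports both the unexpected signing key and the changed DSUpgrade.pm hash.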
Mandiant said both groups are China-nexus espionage actors.

Anyone responsible for Connect Secure VPNs should assign the highest priority to inspect them for signs of compromise using indicators included in the two above-linked posts from Ivanti and Mandiant. Additional posts from Rapid7, Tenable, and the Cybersecurity and Infrastructure Security Agency are here, here, and here.

Dan Goodin, Senior Security Editor

Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene. Dan is based in San Francisco. Follow him here on Mastodon and here on Bluesky. Contact him on Signal at DanArs.82.