CISA Warns of RESURGE Malware Exploiting 0-Days to Breach Ivanti Connect Secure Devices

A newly discovered malware variant named RESURGE is actively targeting Ivanti Connect Secure devices by exploiting a critical zero-day vulnerability, prompting the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to issue a formal warning.

The malware is built to survive restarts, steal credentials, and hold its ground long after the initial breach.

The main attack vector is CVE-2025-0282, a stack-based buffer overflow vulnerability that affects Ivanti Connect Secure, Policy Secure, and ZTA Gateways.

In a stack-based buffer overflow, an attacker sends more data than a memory buffer can hold, which corrupts nearby memory and allows them to run their own code on the target device.

CISA officially added CVE-2025-0282 to its Known Exploited Vulnerabilities Catalog on January 8, 2025, following active exploitation that was first observed in December 2024.

Ivanti Connect Secure and related products are widely used as secure remote access gateways in enterprises and government agencies.

CISA analysts identified RESURGE after examining three files recovered from a critical infrastructure organization’s Ivanti Connect Secure device, where threat actors had already leveraged CVE-2025-0282 to gain their first foothold.

Alongside RESURGE, researchers found a variant of SPAWNSLOTH, a log-tampering tool designed to erase evidence of intrusion from Ivanti device logs, and a custom binary named “dsmain” that bundles BusyBox utilities to decrypt and repackage coreboot images.

Together, these three components form a well-rounded attack toolkit — one piece gains entry, one cleans the trail, and one rebuilds the system’s core to keep the door open.

RESURGE builds directly on SPAWNCHIMERA, a known malware from the SPAWN family that was already capable of surviving system reboots.

The RESURGE file, identified as “libdsupgrade.so,” introduces three additional commands that push its capabilities well beyond its predecessor.

CISA described it as a rootkit, dropper, backdoor, bootkit, proxy, and tunneler all rolled into one, meaning a single file gives the attacker nearly everything they need to take full control of a compromised device.

The reach of this threat is considerable. Because Ivanti Connect Secure acts as a VPN gateway for thousands of organizations, a successful compromise can expose an entire enterprise network from the inside.

Once RESURGE takes hold, attackers can harvest credentials, create unauthorized user accounts, reset passwords, and escalate their own privileges — all without triggering the kind of alerts that would normally flag a breach.

How RESURGE Stays Hidden and Holds On

What makes RESURGE especially hard to remove is the level at which it digs into a compromised system.

The malware inserts itself into the “ld.so.preload” file, which makes the dynamic loader pull it into nearly every program that starts on the device, so it is active before most other processes from startup onward.

This early-stage loading position gives the malware direct control over the system from the moment the device powers on, making it invisible to most standard scanning tools.
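A defender-side check for this persistence mechanism, added here as an example and not part of CISA's analysis or any Ivanti tooling: it parses the contents of an ld.so.preload file and flags any preloaded library that is not on a known-good list. The sample file contents and the allowlist are constructed for illustration; “libdsupgrade.so” is the RESURGE file name the article reports.

```python
import os

# Constructed sample ld.so.preload contents (not real forensic data).
SAMPLE_LD_SO_PRELOAD = """\
# libraries the loader injects into every dynamically linked process
/lib/libdsupgrade.so
/usr/lib/libexpected.so
"""

# Hypothetical allowlist: what a verified clean image is expected to preload.
KNOWN_GOOD = {"/usr/lib/libexpected.so"}


def parse_ld_so_preload(text):
    """Return the library entries of ld.so.preload (whitespace-separated; '#' comments ignored)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            entries.extend(line.split())
    return entries


def audit_ld_so_preload(text, known_good):
    """Return (entry, reason) findings for entries that deviate from the known-good list."""
    findings = []
    for entry in parse_ld_so_preload(text):
        if not entry.startswith("/"):
            # Relative entries are resolved against the library search path and are suspicious.
            findings.append((entry, "relative path in preload list"))
        elif entry not in known_good:
            findings.append((entry, "not in known-good preload list"))
    return findings


def audit_file(path="/etc/ld.so.preload", known_good=KNOWN_GOOD):
    """Audit an on-disk ld.so.preload; an absent file is the normal, clean state."""
    if not os.path.exists(path):
        return []
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_ld_so_preload(fh.read(), known_good)


if __name__ == "__main__":
    for entry, reason in audit_ld_so_preload(SAMPLE_LD_SO_PRELOAD, KNOWN_GOOD):
        print(f"SUSPICIOUS preload entry {entry}: {reason}")
```

Run the check against a mounted image or a file copied off the device during triage; an empty or absent ld.so.preload is the expected clean state on most appliances.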

Beyond boot-level persistence, RESURGE also sets up a web shell — a lightweight script used as a remote command interface — and copies it directly to the Ivanti running boot disk.

It then modifies the coreboot image, which starts up the device, embedding code at a layer deep enough to survive most software reinstalls.

CISA’s updated analysis revealed that RESURGE uses forged TLS certificates and a CRC32 fingerprint hashing scheme to separate ordinary traffic from attacker commands.

Regular traffic is forwarded to the real Ivanti web server, while only attacker-controlled connections trigger the malware’s actions, keeping it silent and concealed during normal operations.

CISA urges affected organizations to perform a factory reset as the most reliable step for clearing the infection. Cloud and virtual systems should use a verified external clean image.

All account credentials, both privileged and non-privileged, must be reset, and the krbtgt account managing Kerberos authentication should be reset twice due to its two-password history.

Organizations should temporarily revoke access for affected devices, review access policies, and closely monitor administrative accounts for signs of unauthorized activity.

Any suspicious behavior should be reported to CISA’s 24/7 Operations Center at Report@cisa.gov or (888) 282-0870.


The post CISA Warns of RESURGE Malware Exploiting 0-Days to Breach Ivanti Connect Secure Devices appeared first on Cyber Security News.
