Ongoing Vulnerabilities in Ivanti Connect Secure Targeted by Cyber Attackers
Japan’s cyber defense community has once again alerted organizations about persistent vulnerabilities in Ivanti Connect Secure. Despite the availability of a patch for over three months, these flaws remain actively exploited.
Continued Exploitation of Ivanti Connect Secure Vulnerabilities
In April, the Japanese Computer Emergency Response Team (JPCERT/CC) issued a critical advisory regarding significant flaws in Ivanti Connect Secure. These vulnerabilities, tracked under CVE-2025-0282 and CVE-2025-22457, have been instrumental in deploying malware variants such as DslogdRAT and SPAWNCHIMERA.
Since the initial findings, JPCERT has tracked ongoing exploitation attempts and uncovered additional malware variants, including one that delivers a Cobalt Strike Beacon via a loader that relies on DLL side-loading. This highlights not just the seriousness of the issue but also the evolving tactics employed by cybercriminals.
Understanding the Mechanics of the Latest Malware
The recent loader linked with these attacks is derived from the open-source project libPeConv. It uses the RC4 stream cipher to decrypt its data file quickly, and the decryption key is generated from the MD5 hash of specific executable files, emphasizing the attackers' intent to obfuscate their methods. The requirement for three separate files (the executable, the loader, and the data file) before the malware can run demonstrates a sophisticated level of planning by the attackers.
Another significant remote access trojan identified in these attacks is known as "vshell." While its GitHub repository has been taken down, malicious actors continue to deploy a specific version (4.6.0) of the Windows executable. Notably, this RAT incorporates a function that checks the system’s language and proceeds only if it’s not set to Chinese, suggesting targeted intent.
Newly Discovered Payloads Employed in the Attacks
The third payload recognized in these cyber incursions is "Fscan," an open-source network scanning tool developed in Go. Like the previous payloads, Fscan is disseminated through DLL side-loading, indicating a consistent pattern in how attackers are executing their strategies.
Attackers’ Post-Exploitation Tactics
JPCERT/CC provided additional insights into the tactics employed by attackers after gaining internal network access. They have been observed executing brute-force attacks on various servers, including Active Directory (AD), FTP, MSSQL, and SSH. Following access, attackers scanned internal systems and exploited the well-known SMB vulnerability MS17-010.
After obtaining compromised credentials, lateral movement across affected systems was achieved using RDP and SMB. This movement included creating new domain accounts, adding them to existing groups for persistent access, and registering malware as services or scheduled tasks to ensure execution upon system startup.
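As an added illustration of the persistence pattern described above (this is not code from JPCERT/CC or from the advisory), the following Python function correlates Windows Security events in which a newly created account is, within a short window, added to a group and then used to register a service or scheduled task. The event IDs are the standard Windows ones; the sample events and account names are constructed, and the 24-hour window is an assumed tuning value.

```python
from datetime import datetime, timedelta

# Windows Security log event IDs (standard values)
ACCOUNT_CREATED = 4720                    # a user account was created
GROUP_MEMBER_ADDED = {4728, 4732, 4756}   # member added to a security-enabled group
PERSISTENCE_REGISTERED = {4697, 4698}     # service installed / scheduled task created

# Constructed sample events, not real telemetry. "subject" is the account that
# performed the action, "target" the account acted upon.
SAMPLE_EVENTS = [
    {"time": "2025-01-05T02:11:03", "id": 4720, "subject": "svc-backup", "target": "helpdesk2"},
    {"time": "2025-01-05T02:11:40", "id": 4728, "subject": "svc-backup", "target": "helpdesk2"},
    {"time": "2025-01-05T02:15:12", "id": 4697, "subject": "helpdesk2", "target": ""},
    {"time": "2025-01-05T02:16:00", "id": 4698, "subject": "helpdesk2", "target": ""},
    {"time": "2025-01-05T09:00:00", "id": 4720, "subject": "admin.jane", "target": "newhire"},
    {"time": "2025-01-09T10:00:00", "id": 4732, "subject": "admin.jane", "target": "newhire"},
]


def find_persistence_chains(events, window=timedelta(hours=24)):
    """Return {account: [event ids in order]} for accounts that were created and,
    within `window` of creation, were both added to a group and used to register
    a service or scheduled task. Creation alone (a normal onboarding) is ignored."""
    created = {}
    for e in sorted(events, key=lambda ev: ev["time"]):
        ts = datetime.fromisoformat(e["time"])
        if e["id"] == ACCOUNT_CREATED:
            created[e["target"]] = {"at": ts, "stages": [ACCOUNT_CREATED]}
            continue
        if e["id"] in GROUP_MEMBER_ADDED:
            acct = e["target"]          # the member being added
        elif e["id"] in PERSISTENCE_REGISTERED:
            acct = e["subject"]         # the account registering the service/task
        else:
            continue
        rec = created.get(acct)
        # only count stages that happen after creation and inside the window
        if rec and rec["at"] <= ts <= rec["at"] + window:
            rec["stages"].append(e["id"])
    alerts = {}
    for acct, rec in created.items():
        seen = set(rec["stages"])
        if seen & GROUP_MEMBER_ADDED and seen & PERSISTENCE_REGISTERED:
            alerts[acct] = rec["stages"]
    return alerts


if __name__ == "__main__":
    for acct, stages in find_persistence_chains(SAMPLE_EVENTS).items():
        print(f"ALERT: account {acct} created and used for persistence: {stages}")
```

On the constructed sample, only "helpdesk2" is flagged; "newhire" is created and added to a group days later with no service or task registration, so it does not match the chain.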
To evade detection by Endpoint Detection and Response (EDR) systems, attackers have been using a loader based on FilelessRemotePE. This method of executing malware through legitimate files enables them to bypass Event Tracing for Windows (ETW) logging in ntdll.dll, further complicating detection efforts.
Broader Implications and Targeted Entities
While Ivanti devices are prevalent in the private sector, they also find use within government agencies, rendering them valuable targets for cybercriminals. Notably, previous vulnerabilities in Ivanti systems have affected significant entities, including the US Cybersecurity and Infrastructure Security Agency and multiple organizations in Australia.
JPCERT/CC has warned that these attacks have persisted since late December 2024 and are likely to continue, especially those directed at VPN devices like Ivanti Connect Secure.
The Call to Action
In light of ongoing threats, it is crucial for organizations that utilize Ivanti Connect Secure to apply the available patches and institute best practices for cybersecurity. The continued exploitation of these vulnerabilities underscores the importance of vigilance and proactive measures in protecting sensitive systems and data.