CISA Issues Critical Malware Analysis Report on RESURGE Malware Linked to Ivanti Connect Secure Vulnerabilities
Discover the latest CISA report on RESURGE malware, its connection to Ivanti Connect Secure vulnerabilities, and essential mitigation steps for enhanced cybersecurity.
TL;DR
The Cybersecurity and Infrastructure Security Agency (CISA) has published a Malware Analysis Report (MAR) on RESURGE, a newly identified malware variant recovered from an Ivanti Connect Secure appliance that had been compromised through CVE-2025-0282. The report provides YARA and SIGMA detection signatures and mitigation steps, and highlights the actions users and administrators should take to secure their systems.
Introduction
The Cybersecurity and Infrastructure Security Agency (CISA) has released a Malware Analysis Report (MAR) detailing the capabilities and detection signatures of a newly identified malware variant named RESURGE. The malware is associated with exploitation of Ivanti Connect Secure appliances, specifically CVE-2025-0282, a stack-based buffer overflow that gives an attacker the initial foothold on which RESURGE is deployed.
Key Features of RESURGE Malware
RESURGE contains capabilities of the SPAWNCHIMERA malware variant, including persistence across reboots, but adds distinctive commands that change its behaviour. These commands enable the malware to:
- Web Shell Creation: Create a web shell, tamper with the appliance's integrity checks, and modify files.
- Credential Harvesting: Use that web shell for credential harvesting, account creation, password resets, and privilege escalation.
- Boot Disk Persistence: Copy the web shell to the Ivanti running boot disk and manipulate the running coreboot image.
Vulnerability Details
RESURGE is deployed following exploitation of CVE-2025-0282, a stack-based buffer overflow vulnerability affecting Ivanti Connect Secure, Policy Secure, and ZTA Gateways. CISA added this vulnerability to its Known Exploited Vulnerabilities Catalog on January 8, 2025, which obliges U.S. federal civilian agencies to remediate it and signals to everyone else that it is being exploited in the wild.
Detection and Mitigation
For details on the analysed files and the YARA rules for detecting them, refer to the MAR-25993211.R1.V1.CLEAR report. CISA also provides a downloadable SIGMA rule associated with this MAR.
CISA strongly recommends the following mitigation steps in addition to the specific instructions for CVE-2025-0282:
- Factory Reset: Conduct a factory reset for the highest level of confidence. Because RESURGE tampers with the appliance's integrity checks and the running boot image, the device's own checks cannot be trusted to confirm it is clean. For cloud and virtual systems, rebuild from an external known clean image of the device.
- Credential Resets: Reset credentials for both privileged and non-privileged accounts. This includes resetting passwords for all domain users and local accounts such as Guest, HelpAssistant, DefaultAccount, System, Administrator, and krbtgt. Note that krbtgt must be reset twice, with enough time between resets for replication, to invalidate Kerberos tickets forged with the old key.
- Access Policies: Review and temporarily revoke privileges or access for affected devices, and reduce the privileges of affected accounts to contain the threat while the investigation runs.
- Monitoring: Closely monitor related accounts, especially administrative accounts, for any signs of unauthorized access.
For more detailed recovery steps, refer to Ivanti’s Recommended Recovery Steps.
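The credential-reset, containment and monitoring steps above, as an added PowerShell example that is not part of CISA's alert or Ivanti's guidance. It assumes a Domain Admin session on a writable domain controller with the ActiveDirectory RSAT module; the account names in $AffectedAccounts and the privileged group are hypothetical placeholders. It covers the domain side of CISA's list (Administrator, krbtgt and domain users); the local accounts CISA names (Guest, HelpAssistant, DefaultAccount) are reset per host with Set-LocalUser and are not shown, and the appliance factory reset is done on the device itself.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from CISA or Ivanti. Assumes a Domain Admin session on a
# writable domain controller with RSAT installed. The names in $AffectedAccounts
# are hypothetical placeholders for accounts seen authenticating through the
# compromised appliance.
param(
    [string[]]$AffectedAccounts = @('svc-vpn', 'jdoe'),   # hypothetical
    [string]$PrivilegedGroup    = 'Domain Admins'
)

function New-RandomSecurePassword {
    param([int]$ByteLength = 32)
    $bytes = New-Object byte[] $ByteLength
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    # 32 CSPRNG bytes as Base64 (43+ characters) satisfies default complexity rules
    return ConvertTo-SecureString -String ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
}

# 1. Privileged AD accounts from CISA's list: reset immediately.
#    krbtgt must be reset twice to invalidate forged Kerberos tickets; run the
#    second reset only after the first has replicated to every DC (Microsoft
#    recommends waiting at least 10 hours). This script performs one reset.
foreach ($name in @('Administrator', 'krbtgt')) {
    Set-ADAccountPassword -Identity $name -Reset -NewPassword (New-RandomSecurePassword)
    Write-Output "Reset password for $name"
}

# 2. All other enabled domain users: force a change at next logon rather than
#    choosing thousands of passwords centrally.
Get-ADUser -Filter 'Enabled -eq $true' |
    Where-Object { $_.SamAccountName -notin @('Administrator', 'krbtgt') } |
    Set-ADUser -ChangePasswordAtLogon $true

# 3. Containment: strip privileged group membership and disable the accounts
#    tied to the affected device until the investigation clears them.
foreach ($name in $AffectedAccounts) {
    if (Get-ADGroupMember -Identity $PrivilegedGroup | Where-Object SamAccountName -eq $name) {
        Remove-ADGroupMember -Identity $PrivilegedGroup -Members $name -Confirm:$false
    }
    Disable-ADAccount -Identity $name
}

# 4. Monitoring: privileged logons on this DC in the last 24 hours
#    (Security event 4672, "Special privileges assigned to new logon").
#    Properties[1] and [2] of 4672 are SubjectUserName and SubjectDomainName.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4672; StartTime = (Get-Date).AddHours(-24) } |
    Select-Object TimeCreated,
                  @{ Name = 'Account'; Expression = { $_.Properties[1].Value } },
                  @{ Name = 'Domain';  Expression = { $_.Properties[2].Value } } |
    Sort-Object TimeCreated -Descending |
    Format-Table -AutoSize
```

Run it once, wait for replication, then repeat only the krbtgt reset; keep the 4672 query running on a schedule (or feed the same filter to your SIEM) until the affected accounts are cleared and re-enabled.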
Reporting Incidents
Organizations are urged to report any incidents or anomalous activity related to the information in the malware analysis report to CISA's 24/7 Operations Center at [email protected] or (888) 282-0870. Malware samples can be submitted directly to CISA's Malware Next-Gen analysis platform.
Additional Resources
For further insights and guidance, refer to the following resources:
- Ivanti Security Advisory
- CISA’s Eviction Guidance for Networks Affected by the SolarWinds and Active Directory/M365 Compromise
Conclusion
The RESURGE malware poses a significant threat to organizations running Ivanti Connect Secure appliances, because it persists across reboots and subverts the checks an administrator would otherwise rely on to confirm the device is clean. Patching CVE-2025-0282 alone does not remove an implant that is already present; following CISA's recommendations on factory reset, credential resets, access review and monitoring is what evicts it.
For more details, visit the full article: CISA Releases Malware Analysis Report on RESURGE Malware