CISA Issues Critical Malware Analysis Report on RESURGE Malware Linked to Ivanti Connect Secure Vulnerabilities

Discover the latest CISA report on RESURGE malware, its connection to Ivanti Connect Secure vulnerabilities, and essential mitigation steps for enhanced cybersecurity.

TL;DR

The Cybersecurity and Infrastructure Security Agency (CISA) has published a detailed Malware Analysis Report (MAR) on the newly identified RESURGE malware, which exploits vulnerabilities in Ivanti Connect Secure. The report provides detection signatures and mitigation steps, and highlights the critical actions users and administrators should take to secure their systems.[1]

Introduction

The Cybersecurity and Infrastructure Security Agency (CISA) has released a comprehensive Malware Analysis Report (MAR) detailing the capabilities and detection signatures of a newly identified malware variant named RESURGE. This malware is associated with vulnerabilities in Ivanti Connect Secure appliances, specifically targeting the stack-based buffer overflow vulnerability identified as CVE-2025-0282.

Key Features of RESURGE Malware

RESURGE shares similarities with the SPAWNCHIMERA malware variant, particularly in its ability to survive system reboots. However, RESURGE introduces unique commands that alter its behavior significantly. These commands enable the malware to:

  • Create Web Shells: Manipulate integrity checks and modify files.
  • Credential Harvesting: Use web shells for credential harvesting, account creation, password resets, and permission escalation.
  • System Manipulation: Copy the web shell to the Ivanti running boot disk and manipulate the running coreboot image.

Vulnerability Details

RESURGE exploits CVE-2025-0282, a stack-based buffer overflow vulnerability affecting Ivanti Connect Secure, Policy Secure, and ZTA Gateways. CISA added this vulnerability to its Known Exploited Vulnerabilities Catalog on January 8, 2025.

Detection and Mitigation

For detailed information on malware variants and YARA rules for detection, refer to the MAR-25993211.R1.V1.CLEAR report. Additionally, a downloadable copy of the SIGMA rule associated with this MAR is available here.

CISA strongly recommends the following mitigation steps in addition to the specific instructions for CVE-2025-0282:

  • Factory Reset: Conduct a factory reset for the highest level of confidence. For cloud and virtual systems, use an external known clean image of the device.
  • Credential Resets: Reset credentials for both privileged and non-privileged accounts. This includes resetting passwords for all domain users and local accounts such as Guest, HelpAssistant, DefaultAccount, System, Administrator, and krbtgt.
  • Access Policies: Review and temporarily revoke privileges or access for affected devices. Reduce privileges for affected accounts or devices to contain potential threats.
  • Monitoring: Closely monitor related accounts, especially administrative accounts, for any signs of unauthorized access.
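The credential-reset step above, as an added PowerShell example that is not from CISA's report or the original post. It assumes the accounts named in the list live in Active Directory on a domain-joined host with the RSAT ActiveDirectory module installed and that the operator holds Domain Admin rights; the dry-run default via `-WhatIf`, the local-account list, and the two-pass krbtgt handling are this example's own design choices (the 10-hour interval is the default Kerberos maximum ticket lifetime).

```powershell
# Added example (not CISA's or the original post's code): one credential-reset
# pass over the Windows/AD accounts named in the mitigation list.
# Assumptions: RSAT ActiveDirectory module present, caller is a Domain Admin.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Built-in local accounts named in the advisory ("System" is not a user
    # account with a resettable password and is therefore not listed here).
    [string[]]$LocalAccounts = @('Guest', 'HelpAssistant', 'DefaultAccount', 'Administrator')
)

Import-Module ActiveDirectory -ErrorAction Stop

# Cryptographically random password (32 CSPRNG bytes -> 44 Base64 characters),
# returned as a SecureString so the plaintext is never held in a variable.
function New-RandomPassword {
    $bytes = [byte[]]::new(32)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
}

# 1. Local built-in accounts on this host: new random password, then disable
#    every one of them except Administrator, which stays as break-glass access.
foreach ($name in $LocalAccounts) {
    $user = Get-LocalUser -Name $name -ErrorAction SilentlyContinue
    if (-not $user) { continue }                     # account absent on this host
    if ($PSCmdlet.ShouldProcess("local account $name", 'Reset password')) {
        Set-LocalUser -Name $name -Password (New-RandomPassword)
    }
    if ($name -ne 'Administrator' -and $PSCmdlet.ShouldProcess("local account $name", 'Disable')) {
        Disable-LocalUser -Name $name
    }
}

# 2. Every enabled domain user (privileged and non-privileged alike): reset the
#    password and force a change at next logon. This includes the operator's own
#    account, so have an out-of-band way to log back in before running it.
Get-ADUser -Filter { Enabled -eq $true } | ForEach-Object {
    if ($PSCmdlet.ShouldProcess("domain user $($_.SamAccountName)", 'Reset password')) {
        Set-ADAccountPassword -Identity $_ -Reset -NewPassword (New-RandomPassword)
        Set-ADUser -Identity $_ -ChangePasswordAtLogon $true
    }
}

# 3. krbtgt: its key signs every Kerberos TGT, so a compromise of it outlives any
#    other password reset. Reset once now; run this step a second time only after
#    the maximum ticket lifetime (10 hours by default) has elapsed, so tickets
#    issued under the old key expire normally instead of breaking replication.
if ($PSCmdlet.ShouldProcess('krbtgt', 'Reset password (first of two passes)')) {
    Set-ADAccountPassword -Identity 'krbtgt' -Reset -NewPassword (New-RandomPassword)
}
```

Run it first with `-WhatIf` to see which accounts would be touched on this host and domain, and schedule the second krbtgt pass separately; performing both krbtgt resets back to back is what causes the authentication failures administrators associate with this step.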

For more detailed recovery steps, refer to Ivanti’s Recommended Recovery Steps.

Reporting Incidents

Organizations are urged to report any incidents or anomalous activity related to the information in the malware analysis report to CISA’s 24/7 Operations Center at [email protected] or (888) 282-0870. Malware submissions can be made directly to Malware Nextgen.

Additional Resources

For further insights and guidance, refer to the following resources:

Conclusion

The RESURGE malware poses a significant threat to organizations using Ivanti Connect Secure appliances. By following CISA’s recommendations and implementing the necessary mitigation steps, users and administrators can safeguard their systems against this emerging cybersecurity risk. Staying informed and proactive is crucial in defending against such advanced threats.

For more details, visit the full article: CISA Releases Malware Analysis Report on RESURGE Malware

References

  1. “CISA Releases Malware Analysis Report on RESURGE Malware Associated with Ivanti Connect Secure”. CISA, 2025-03-28. Retrieved 2025-03-28.

This post is licensed under CC BY 4.0 by the author.