Ongoing attacks on Ivanti VPNs install a ton of sneaky, well-written malware


Networks protected by Ivanti VPNs are under active attack by well-resourced hackers who are exploiting a critical vulnerability that gives them complete control over the network-connected devices.

Hardware maker Ivanti disclosed the vulnerability, tracked as CVE-2025-0283, on Wednesday and warned that it was under active exploitation against some customers. The vulnerability, which is being exploited to execute malicious code with no authentication required, is present in the company’s Connect Secure VPN and its Policy Secure and ZTA gateways. Ivanti released a security patch at the same time; it upgrades Connect Secure devices to version 22.7R2.5.

Well-written, multifaceted

According to Google-owned security provider Mandiant, the vulnerability has been actively exploited against “multiple compromised Ivanti Connect Secure appliances” since December, a month before the then zero-day came to light. After exploiting the vulnerability, the attackers go on to install two never-before-seen malware packages, tracked under the names DRYHOOK and PHASEJAM, on some of the compromised devices.

PHASEJAM is a well-written and multifaceted bash shell script. It first installs a web shell that gives the remote hackers privileged control of devices. It then injects a function into the Connect Secure update mechanism that’s intended to simulate the upgrading process.

“If the ICS administrator attempts an upgrade, the function displays a visually convincing upgrade process that shows each of the steps along with various numbers of dots to mimic a running process,” Mandiant said. The company continued:

PHASEJAM injects a malicious function into the /home/perl/DSUpgrade.pm file named processUpgradeDisplay(). The functionality is intended to simulate an upgrading process that involves 13 steps, with each of those taking a predefined amount of time. If the ICS administrator attempts an upgrade, the function displays a visually convincing upgrade process that shows each of the steps along with various numbers of dots to mimic a running process. Further details are provided in the System Upgrade Persistence section.

The attackers are also using a previously seen piece of malware tracked as SPAWNANT on some devices. One of its functions is to disable an integrity checker tool (ICT) that Ivanti has built into recent VPN versions and that is designed to inspect device files for unauthorized additions. SPAWNANT does this by replacing the expected SHA256 cryptographic hash of a core file with the hash of that file after it has been infected. As a result, when the tool is run on compromised devices, admins see the following screen:
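An added illustration (not code from Mandiant, Ivanti or the malware) of why swapping the stored hash defeats a checker whose reference manifest lives on the appliance, and why comparing against a manifest held off the device still catches the change. All file contents and the second path are constructed placeholders; only /home/perl/DSUpgrade.pm is taken from the article.

```python
import hashlib
from typing import Dict, List


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: Dict[str, bytes]) -> Dict[str, str]:
    """Record the expected SHA256 of every file, as an integrity checker would."""
    return {path: sha256_hex(data) for path, data in files.items()}


def run_ict(files: Dict[str, bytes], manifest: Dict[str, str]) -> List[str]:
    """Return the paths whose current hash differs from the manifest entry."""
    return sorted(p for p, data in files.items() if manifest.get(p) != sha256_hex(data))


def demo():
    # Constructed stand-in for an appliance filesystem (placeholder contents, not real ICS files)
    device = {
        "/home/perl/DSUpgrade.pm": b"package DSUpgrade;  # placeholder\n",
        "/placeholder/other_core_file": b"placeholder-binary",
    }
    on_device_manifest = build_manifest(device)   # reference hashes stored on the appliance
    offline_manifest = dict(on_device_manifest)   # same hashes, but kept off the appliance

    # Model the tampering the article describes: the file is modified ...
    device["/home/perl/DSUpgrade.pm"] += b"# placeholder for an appended function\n"
    # ... and the on-device manifest entry is overwritten with the hash of the modified file
    on_device_manifest["/home/perl/DSUpgrade.pm"] = sha256_hex(device["/home/perl/DSUpgrade.pm"])

    # Checker trusting the on-device manifest reports nothing; the offline copy flags the file
    return run_ict(device, on_device_manifest), run_ict(device, offline_manifest)


if __name__ == "__main__":
    local_findings, offline_findings = demo()
    print("on-device manifest flags:", local_findings)   # prints []
    print("offline manifest flags:  ", offline_findings)  # prints ['/home/perl/DSUpgrade.pm']
```

The practical takeaway is that a hash list stored on the same device an intruder controls is not a trustworthy reference; pin the expected hashes somewhere the appliance cannot write to.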
