Source: Mandiant
Identifier: 8660057
Publication date: 2025-04-03 14:00:00 (viewed: 2025-04-03 15:07:17)
Title: Suspected China-Nexus Threat Actor Actively Exploiting Critical Ivanti Connect Secure Vulnerability (CVE-2025-22457)
Text:
Written by: John Wolfram, Michael Edie, Jacob Thompson, Matt Lin, Josh Murchie
On Thursday, April 3, 2025, Ivanti disclosed a critical security vulnerability, CVE-2025-22457, impacting Ivanti Connect Secure (“ICS”) VPN appliances version 22.7R2.5 and earlier. CVE-2025-22457 is a buffer overflow vulnerability, and successful exploitation would result in remote code execution. Mandiant and Ivanti have identified evidence of active exploitation in the wild against ICS 9.X (end of life) and 22.7R2.5 and earlier versions. Ivanti and Mandiant encourage all customers to upgrade as soon as possible.
The earliest evidence of observed CVE-2025-22457 exploitation occurred in mid-March 2025. Following successful exploitation, we observed the deployment of two newly identified malware families, the TRAILBLAZE in-memory only dropper and the BRUSHFIRE passive backdoor. Additionally, deployment of the previously reported SPAWN ecosystem of malware attributed to UNC5221 was also observed. UNC5221 is a suspected China-nexus espionage actor that we previously observed conducting zero-day exploitation of edge devices dating back to 2023.
A patch for CVE-2025-22457 was released in ICS 22.7R2.6 on February 11, 2025. The vulnerability is a buffer overflow with a limited character space, and therefore it was initially believed to be a low-risk denial-of-service vulnerability. We assess it is likely the threat actor studied the patch for the vulnerability in ICS 22.7R2.6 and uncovered, through a complicated process, that it was possible to exploit 22.7R2.5 and earlier to achieve remote code execution.
Ivanti released patches for the exploited vulnerability and Ivanti customers are urged to follow the actions in the Security Advisory to secure their systems as soon as possible.
Post-Exploitation TTPs
Following successful exploitation, Mandiant observed the deployment of two newly identified malware families tracked as TRAILBLAZE and BRUSHFIRE through a shell script dropper. Mandiant has also observed the deployment of the SPAWN ecosystem of malware, as well as a modified version of the Integrity Checker Tool (ICT) as a means of evading detection.
Shell-script Dropper
Following successful exploitation of CVE-2025-22457, Mandiant observed a shell script being leveraged that executes the TRAILBLAZE dropper. This
Rating: ★★★
Sent: Yes
Tags:
Malware
Tool
Vulnerability
Threat
Industrial
Cloud