
The Cybersecurity and Infrastructure Security Agency (CISA) has released a Malware Analysis Report (MAR) detailing a newly identified malware variant named RESURGE. This new malware exhibits capabilities similar to the SPAWNCHIMERA variant, notably its ability to survive system reboots. However, RESURGE distinguishes itself through unique commands that enable it to alter its behavior.
The analysis reveals that RESURGE is equipped with commands that can “create a web shell, manipulate integrity checks, and modify files”. These capabilities further allow the malware to “enable the use of web shells for credential harvesting, account creation, password resets, and escalating permissions”.
Moreover, RESURGE malware can “copy the web shell to the Ivanti running boot disk and manipulate the running coreboot image”. CISA’s report indicates a strong association between RESURGE and the exploitation of CVE-2025-0282 in Ivanti Connect Secure appliances.
CVE-2025-0282 is identified as a stack-based buffer overflow vulnerability affecting Ivanti Connect Secure, Policy Secure, and ZTA Gateways. Recognizing the severity of this threat, CISA added CVE-2025-0282 to its Known Exploited Vulnerabilities Catalog on January 8, 2025.
In addition to the specific mitigation instructions for CVE-2025-0282, CISA strongly advises users and administrators to take the following actions:
- “For the highest level of confidence, conduct a factory reset”.
- For cloud and virtual systems, perform a factory reset using an external known clean image.
- Refer to Ivanti’s Recommended Recovery Steps for detailed guidance on conducting a factory reset.
- “Reset credentials of privileged and non-privileged accounts”.
- Reset passwords for all domain users and local accounts, including Guest, HelpAssistant, DefaultAccount, System, Administrator, and krbtgt.
- The krbtgt account, whose key encrypts and signs Kerberos ticket-granting tickets, should be reset twice: the KDC accepts tickets issued under the previous krbtgt key as well as the current one, so tickets forged or issued under the compromised key stay valid until the second reset. The first reset must be allowed to replicate to every domain controller before the second reset is performed.
- CISA also recommends reviewing its Eviction Guidance for Networks Affected by the SolarWinds and Active Directory/M365 Compromise, as the steps are applicable to organizations with Windows AD compromise.
- Organizations should “review access policies to temporarily revoke privileges/access for affected devices”. Where the investigation needs to avoid tipping off the attacker, privileges can be reduced rather than fully revoked, so that affected accounts/devices are contained while intelligence is still being collected.
- If the threat actor’s access is limited to non-elevated permissions, “reset the relevant account credentials or access keys.”
- Continuous monitoring of related accounts, especially administrative accounts, is crucial for detecting any further signs of unauthorized access.
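The double krbtgt reset above is the step most often done wrong, usually by running the second reset before the first has replicated. The following PowerShell is an added example written for this page; it is not code from the CISA report, Ivanti's recovery guidance, or Microsoft. It assumes the RSAT ActiveDirectory module, Domain Admin rights, and network reach to every domain controller; the function names and the 10-hour wait are this example's own choices.

```powershell
# Added example (not from the CISA MAR or Ivanti guidance): reset krbtgt twice,
# confirming replication to every DC between the two resets.
# Assumptions: RSAT ActiveDirectory module installed, Domain Admin rights,
# every DC reachable over LDAP from the host running this script.
Import-Module ActiveDirectory

function New-RandomPassword {
    param([int]$Bytes = 48)
    # Nobody logs on as krbtgt; the KDC derives its keys from this value,
    # so a long random string is the right choice and it need not be recorded.
    $buf = [byte[]]::new($Bytes)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($buf)
    return [Convert]::ToBase64String($buf)
}

function Reset-KrbtgtOnce {
    param([Parameter(Mandatory)][string]$Domain)
    # Write to the PDC emulator so the change has one authoritative origin.
    $pdc    = (Get-ADDomain -Identity $Domain).PDCEmulator
    $before = (Get-ADUser -Identity krbtgt -Server $pdc -Properties PasswordLastSet).PasswordLastSet
    $new    = ConvertTo-SecureString -String (New-RandomPassword) -AsPlainText -Force
    Set-ADAccountPassword -Identity krbtgt -Server $pdc -Reset -NewPassword $new
    $after  = (Get-ADUser -Identity krbtgt -Server $pdc -Properties PasswordLastSet).PasswordLastSet
    if ($after -le $before) { throw "krbtgt reset on $pdc did not update PasswordLastSet" }
    Write-Host "krbtgt reset on $pdc at $after"
    return $after
}

function Wait-KrbtgtReplicated {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][datetime]$PasswordLastSet,
        [int]$TimeoutMinutes = 30
    )
    # pwdLastSet is a replicated attribute: a DC that has received the change reports
    # the same PasswordLastSet as the PDC. One still reporting an older value (or one
    # that cannot be queried) has not converged and blocks the second reset.
    $dcs      = Get-ADDomainController -Filter * -Server $Domain
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $lagging = @(foreach ($dc in $dcs) {
            try {
                $pls = (Get-ADUser -Identity krbtgt -Server $dc.HostName -Properties PasswordLastSet).PasswordLastSet
                if ($pls -lt $PasswordLastSet) { $dc.HostName }
            } catch {
                Write-Warning "Cannot query $($dc.HostName): $_"
                $dc.HostName
            }
        })
        if ($lagging.Count -eq 0) { return $true }
        Write-Host "Waiting on $($lagging.Count) DC(s): $($lagging -join ', ')"
        Start-Sleep -Seconds 60
    } while ((Get-Date) -lt $deadline)
    throw "krbtgt password not on all DCs after $TimeoutMinutes min: $($lagging -join ', ')"
}

# Procedure: first reset, confirm convergence, wait out the ticket lifetime, second reset.
$domain = (Get-ADDomain).DNSRoot
$first  = Reset-KrbtgtOnce -Domain $domain
Wait-KrbtgtReplicated -Domain $domain -PasswordLastSet $first

# Tickets issued under the key that existed before the first reset stay valid until the
# second reset. Waiting the maximum Kerberos ticket lifetime (10 hours by default) lets
# legitimate tickets expire and renew quietly; resetting again sooner is the choice when
# the attacker is known to hold forged tickets, at the cost of re-authentication everywhere.
$MaxTicketHours = 10   # example value; match your domain's Kerberos policy
Start-Sleep -Seconds ($MaxTicketHours * 3600)

$second = Reset-KrbtgtOnce -Domain $domain
Wait-KrbtgtReplicated -Domain $domain -PasswordLastSet $second
```

Read-only domain controllers are listed by Get-ADDomainController but use their own krbtgt_NNNNN accounts, which this script does not touch; if an RODC is suspected of compromise its own krbtgt account needs separate handling. The Set-ADAccountPassword call honours -WhatIf, which is worth using on the first pass through a production domain.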