Full Report
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released new details about RESURGE, a malicious implant used in zero-day attacks exploiting CVE-2025-0282 to breach Ivanti Connect Secure devices. [...]
Analysis Summary
# Incident Report: RESURGE Implant Exploiting Ivanti Connect Secure
## Executive Summary
Threat actors exploited a zero-day vulnerability (CVE-2025-0282) in Ivanti Connect Secure devices, installing the sophisticated RESURGE malicious implant. This implant features network-level evasion techniques, allowing it to remain dormant until actively contacted by the attacker, leading to covert, authenticated remote access. CISA has released updated analysis to help defenders identify these latent and active compromises.
## Incident Details
- Discovery Date: Initial documentation by CISA on March 28, 2025. Further analysis detailing dormancy and evasion published February 27, 2026.
- Incident Date: Exploitation as a zero-day began in mid-December 2024.
- Affected Organization: Users of Ivanti Connect Secure devices (Scope not fully disclosed but implies widespread potential exposure).
- Sector: Broadly impacts organizations utilizing Ivanti VPN appliances (likely IT, Government, Critical Infrastructure).
- Geography: Global (Attributed to threat actors linked to China).
## Timeline of Events
### Initial Access
- Date/Time: Starting mid-December 2024.
- Vector: Exploitation of zero-day vulnerability CVE-2025-0282.
- Details: Attackers breached Ivanti Connect Secure devices using the unpatched vulnerability.
### Lateral Movement
- Details: The RESURGE implant provided capabilities for post-compromise actions including creating webshells, creating new user accounts, resetting passwords, and escalating privileges. The implant contained a variant of SpawnSloth malware (`liblogblock.so`) used for log tampering to hide activity.
### Data Exfiltration/Impact
- Details: While specific exfiltrated data is not detailed, the implant's capabilities suggest credential theft and unauthorized access to internal network resources. The implant includes dropper, proxying, and tunneling capabilities.
### Detection & Response
- Detection: Initial detection led to CISA documentation in March 2025. Updated detection methodology focuses on identifying latent implants via specific network traffic characteristics (CRC32 TLS fingerprint hashing scheme and unencrypted certificate checks).
- Response Actions: CISA released updated analysis and Indicators of Compromise (IoCs) to assist system administrators in discovering and removing dormant RESURGE infections.
## Attack Methodology
- Initial Access: Exploitation of CVE-2025-0282 (Zero-day).
- Persistence: Malicious 32-bit Linux Shared Object file (`libdsupgrade.so`) surviving reboots; kernel manipulation script (`dsmain`) for boot-level persistence via firmware modification.
- Privilege Escalation: Capabilities built into the implant allow for privilege escalation.
- Defense Evasion: Passive C2 mechanism (waits for a specific inbound TLS connection); network-level evasion via TLS fingerprint hashing (CRC32); log tampering via `liblogblock.so`.
- Credential Access: Capability to create webshells for stealing credentials.
- Discovery: Not explicitly detailed, but assumed based on privilege escalation and persistence mechanisms.
- Lateral Movement: Proxying and tunneling capabilities enabled covert access.
- Collection: Implied data gathering tools accessible via the backdoor.
- Exfiltration: Tunneling capabilities suspected for data transfer.
- Impact: Establishment of covert backdoor access, modification of system firmware/filesystem.
## Impact Assessment
- Financial: Not specified.
- Data Breach: Potential compromise of device credentials and internal network data due to webshells and access mechanisms.
- Operational: Compromise of critical security appliance (Ivanti Connect Secure).
- Reputational: Damage related to the use of a zero-day vulnerability and persistent threat exposure.
## Indicators of Compromise
- Network Indicators: Attackers use a **fake Ivanti certificate** sent unencrypted during initial connection attempts, which can be used as a detection signature. The implant looks for specific inbound TLS connections identified by a **CRC32 TLS fingerprint hash**.
- File Indicators:
- `libdsupgrade.so` (Malicious implant)
- `liblogblock.so` (SpawnSloth variant for log tampering)
- `dsmain` (Kernel extraction/firmware manipulation script)
- Behavioral Indicators: The implant hooks the `accept()` function in the ICS 'web' process so that it can inspect inbound TLS packets before they reach the web server, and then establishes a **mutual TLS session using elliptic-curve cryptography**, authenticated against an EC CA key hard-coded in the implant.
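A host-side hunt for the file and behavioral indicators above, written as an added example for this report rather than taken from CISA's tooling. It assumes a mounted forensic image of the appliance filesystem and a `/proc` snapshot taken from it (ICS appliances do not normally give shell access); the report lists file names but no install paths, so matching is by basename, and the `/tmp` paths, PIDs and map addresses in the sample data are constructed. It checks both whether any IoC file exists under a root and whether an IoC shared object is mapped into a process whose `comm` is `web`, which is where a library that hooks `accept()` in that process would have to be loaded.

```python
"""Host-side hunt for the RESURGE file indicators listed above.

Added example (not CISA's tooling). It assumes either a mounted forensic
image of the appliance filesystem or a /proc snapshot taken from it; the
report gives file names but no install paths, so matching is by basename.
Two checks a responder would want:
  1. find_ioc_files(): any file anywhere under a root with an IoC name;
  2. hunt_proc_tree(): any IoC shared object mapped into a process whose
     comm is 'web' (the report says the implant hooks accept() in that
     process, so it has to be loaded there).
"""
import os
import tempfile
from pathlib import Path

# File names exactly as listed in the report's IoC section.
RESURGE_FILE_IOCS = {"libdsupgrade.so", "liblogblock.so", "dsmain"}

# Constructed /proc/<pid>/maps text for a 32-bit 'web' process; the /tmp
# paths are placeholders, not locations from the report.
SAMPLE_MAPS = """\
08048000-08120000 r-xp 00000000 08:01 4321  /home/bin/web
f7e00000-f7f80000 r-xp 00000000 08:01 4400  /lib/libc.so.6
f7fa0000-f7fb2000 r-xp 00000000 08:01 9001  /tmp/libdsupgrade.so
f7fb2000-f7fc0000 r-xp 00000000 08:01 9002  /tmp/liblogblock.so
f7fe0000-f7fe1000 rw-p 00000000 00:00 0
"""


def find_ioc_files(root):
    """Walk `root` and return sorted full paths whose basename is an IoC name."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name in RESURGE_FILE_IOCS:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def mapped_ioc_objects(maps_text):
    """Return sorted IoC object paths mapped in one process (from its maps text)."""
    found = set()
    for line in maps_text.splitlines():
        # fields: address perms offset dev inode [pathname]
        parts = line.split(None, 5)
        if len(parts) < 6:
            continue  # anonymous mapping, no backing file
        path = parts[5].strip()
        if os.path.basename(path) in RESURGE_FILE_IOCS:
            found.add(path)
    return sorted(found)


def hunt_proc_tree(proc_root="/proc", comm_filter="web"):
    """Map pid -> IoC objects for processes under proc_root whose comm matches."""
    results = {}
    for entry in Path(proc_root).iterdir():
        if not entry.name.isdigit():
            continue
        try:
            comm = (entry / "comm").read_text().strip()
            if comm_filter and comm != comm_filter:
                continue
            hits = mapped_ioc_objects((entry / "maps").read_text())
        except OSError:
            continue  # process went away or is not readable
        if hits:
            results[int(entry.name)] = hits
    return results


def demo():
    """Build a throwaway image root and /proc snapshot from constructed data,
    run both checks, and return what they found."""
    with tempfile.TemporaryDirectory() as tmp:
        fsroot = Path(tmp, "root")
        (fsroot / "tmp").mkdir(parents=True)
        (fsroot / "tmp" / "libdsupgrade.so").write_bytes(b"\x7fELF")
        (fsroot / "home" / "bin").mkdir(parents=True)
        (fsroot / "home" / "bin" / "dsmain").write_text("#!/bin/sh\n")
        (fsroot / "home" / "bin" / "web").write_bytes(b"\x7fELF")
        proc = Path(tmp, "proc")
        (proc / "1234").mkdir(parents=True)
        (proc / "1234" / "comm").write_text("web\n")
        (proc / "1234" / "maps").write_text(SAMPLE_MAPS)
        (proc / "1").mkdir()
        (proc / "1" / "comm").write_text("init\n")   # filtered out: not 'web'
        (proc / "1" / "maps").write_text(SAMPLE_MAPS)
        files = [os.path.relpath(p, fsroot) for p in find_ioc_files(fsroot)]
        procs = hunt_proc_tree(proc, comm_filter="web")
    return {"files": files, "processes": procs}


if __name__ == "__main__":
    print(demo())
```

Against a real image, point `find_ioc_files` at the mount point and `hunt_proc_tree` at a copied `/proc` tree; a hit in the process map check matters more than a hit on disk alone, because it shows the object is live in the process that terminates inbound TLS.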
## Response Actions
- Containment: Identifying and isolating compromised Ivanti Connect Secure devices based on CISA-provided IoCs.
- Eradication: Removing the dormant RESURGE implant (`libdsupgrade.so`, associated files) and related persistence mechanisms (log tampering components, boot-level modifications).
- Recovery: Reverting system firmware/filesystem changes where possible after ensuring the implant is fully removed.
## Lessons Learned
- Zero-day exploitation (CVE-2025-0282) represents a critical initial access vector that bypasses immediate patching cycles.
- Sophisticated implants like RESURGE are designed for long-term, dormant persistence (latency), evading detection until deliberately activated by the adversary.
- Network-level evasion techniques (TLS fingerprinting, custom authentication) significantly increase the difficulty of detection via standard network monitoring tools.
## Recommendations
- Immediately hunt for known RESURGE IoCs, in particular the TLS handshake fingerprints and the unencrypted certificate sent during connection attempts, since the implant may be latent and otherwise silent.
- Apply all security patches for Ivanti Connect Secure immediately upon release.
- Enhance network monitoring to inspect TLS handshake characteristics beyond encryption validation, focusing on anomalies in certificate exchange and connection initiation protocols.
- Review system firmware integrity on critical appliances following major compromises, given the implant's capability to modify boot-level persistence mechanisms.
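The network-side recommendations above can be turned into a first-packet triage check. The following is an added example, not CISA's detection logic and not code from the implant: it classifies the opening bytes a client sends to the appliance's TLS listener as a normal ClientHello, some other TLS record, a bare DER-encoded object (a certificate sent in the clear before any handshake), or unknown, and it computes a CRC32 over the ClientHello body for comparison with an analyst-supplied watchlist. The report says only that the implant keys on a CRC32 TLS fingerprint and does not state which bytes it hashes, so hashing the ClientHello body is an assumption made here; every sample byte string is constructed, and the watchlist value is a placeholder standing in for values taken from CISA's published IoCs.

```python
"""Triage of the first bytes a client sends to an ICS TLS listener.

Added example (not CISA's detection logic and not RESURGE code). It follows
the report's advice to look at connection initiation and certificate
exchange rather than only at the finished TLS session:
  * classify_client_start(): is the client's opening data a normal TLS
    ClientHello record, some other TLS record, a bare DER-encoded object
    (a certificate sent in the clear before any handshake), or none of those?
  * client_hello_crc32(): CRC32 over the ClientHello body, to be compared
    against analyst-supplied fingerprint values. The report says only that
    the implant keys on a CRC32 TLS fingerprint; which bytes it hashes is not
    stated, so hashing the ClientHello body is an assumption made here.
All sample bytes below are constructed for the example.
"""
import struct
import zlib

TLS_CONTENT_TYPES = {0x14, 0x15, 0x16, 0x17}   # CCS, alert, handshake, appdata
TLS_HANDSHAKE = 0x16
HS_CLIENT_HELLO = 0x01


def parse_tls_record(data):
    """Return (content_type, version, payload) for the first TLS record, else None."""
    if len(data) < 5:
        return None
    ctype, version, length = struct.unpack("!BHH", data[:5])
    if ctype not in TLS_CONTENT_TYPES or (version >> 8) != 0x03:
        return None
    payload = data[5:5 + length]
    if len(payload) < length:
        return None  # truncated capture; do not guess
    return ctype, version, payload


def looks_like_der_certificate(data):
    """Heuristic: an X.509 certificate is a DER SEQUENCE (0x30) whose first
    element is another SEQUENCE (tbsCertificate). No TLS record starts with 0x30."""
    if len(data) < 4 or data[0] != 0x30:
        return False
    first = data[1]
    if first == 0x82:      # long form, two length bytes
        inner = 4
    elif first == 0x81:    # long form, one length byte
        inner = 3
    elif first < 0x80:     # short form
        inner = 2
    else:
        return False
    return len(data) > inner and data[inner] == 0x30


def classify_client_start(data):
    """Label the opening bytes of a client connection."""
    rec = parse_tls_record(data)
    if rec is not None:
        ctype, _version, payload = rec
        if ctype == TLS_HANDSHAKE and payload[:1] == bytes([HS_CLIENT_HELLO]):
            return "tls-client-hello"
        return "tls-other"
    if looks_like_der_certificate(data):
        return "raw-der-certificate"
    return "unknown"


def client_hello_crc32(data):
    """CRC32 of the ClientHello body (after the 4-byte handshake header), or None."""
    rec = parse_tls_record(data)
    if rec is None or rec[0] != TLS_HANDSHAKE or rec[2][:1] != b"\x01":
        return None
    hs = rec[2]
    body_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + body_len]
    if len(body) < body_len:
        return None
    return zlib.crc32(body) & 0xFFFFFFFF


def matches_watchlist(data, watchlist):
    """True when the connection's ClientHello CRC32 is on the analyst's list."""
    fp = client_hello_crc32(data)
    return fp is not None and fp in watchlist


def _build_client_hello(random_bytes):
    """Assemble a minimal TLS 1.2 ClientHello record (constructed sample)."""
    body = b"\x03\x03" + random_bytes            # client_version, random
    body += b"\x00"                              # session_id: empty
    body += b"\x00\x04\xc0\x2f\xc0\x30"          # two cipher suites
    body += b"\x01\x00"                          # compression: null only
    body += b"\x00\x00"                          # extensions: none
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs


SAMPLE_CLIENT_HELLO = _build_client_hello(bytes(range(32)))
# Constructed blob shaped like the start of a DER certificate:
# SEQUENCE (len 0x0100) { SEQUENCE (tbsCertificate) { [0] version ... } }
SAMPLE_RAW_CERT = b"\x30\x82\x01\x00\x30\x81\xfd\xa0\x03\x02\x01\x02" + b"\x00" * 20
# Handshake record whose ClientHello body is the CRC-32 check string "123456789".
SAMPLE_CHECK_RECORD = b"\x16\x03\x01\x00\x0d\x01\x00\x00\x09" + b"123456789"
# Placeholder watchlist: real values would come from CISA's published IoCs.
WATCHLIST = {0xCBF43926}
```

Fed with the first client-to-server bytes of each flow (from a packet capture or a TLS-terminating sensor), a `raw-der-certificate` label or a watchlist match on the ClientHello fingerprint is the kind of connection-initiation anomaly the report says standard session-level monitoring misses.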