Full Report
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an updated malware analysis report detailing new findings on...
Source: "New CISA guidance targets persistent RESURGE implant as Ivanti Connect Secure threat continues to deepen", Industrial Cyber.
Analysis Summary
# Threat Actor: Unnamed Actor Exploiting Ivanti Connect Secure (Associated with RESURGE Implant)
## Attribution & Identity
Attribution is not explicitly stated in the provided text; the focus is on the malware and CISA's response. The threat actors are implied to be sophisticated due to the nature of the implant and initial access vector.
**Associated Groups/Tools:** The implant is named **RESURGE**. It shares functionality similarities with **SPAWNCHIMERA** in creating SSH tunnels for C2.
## Activity Summary
The threat actor(s) are actively exploiting vulnerabilities in **Ivanti Connect Secure** appliances to establish persistent, covert access.
* **Initial Access:** Exploitation of Ivanti CVE-2025-0282 was observed to gain initial access.
* **Post-Exploitation:** Deployment of the RESURGE implant, designed for persistence and covert command and control.
* **Persistence:** RESURGE is engineered to remain dormant on compromised systems, evading routine scans until activated by a remote operator.
## Tactics, Techniques & Procedures
The TTPs focus heavily on network-level evasion and maintaining stealth:
* **Initial Access:** Exploiting Ivanti Connect Secure vulnerabilities (specifically mentioning **CVE-2025-0282**).
* **Implant Deployment:** Modifying files, manipulating integrity checks, and deploying a **web shell** to the Ivanti boot disk.
* **Command and Control (C2):** Establishing **Secure Shell (SSH) tunnels** for C2 communication (similar to SPAWNCHIMERA).
* **Network Evasion:** Employing sophisticated network-level evasion techniques.
* **Authentication/Encryption:** Utilizing **advanced cryptographic methods** and **forged Transport Layer Security (TLS) certificates** to facilitate covert communications.
* **Traffic Differentiation:** Distinguishing benign from malicious TLS traffic using **CRC32 fingerprint hashing**.
* **Session Control:** Implementing a **mutual TLS authentication process** to establish attacker-controlled sessions.
## Targeting
* **Sectors:** Enterprise and government networks; specifically mentioned targeting an organization within **critical infrastructure**.
* **Geography:** Not specified, but CISA guidance implies a threat to the **nation’s critical infrastructure** (US context).
* **Victims:** One file analyzed was obtained after compromising a **critical infrastructure entity's Ivanti Connect Secure device**.
## Tools & Infrastructure
* **Malware Families Used:** **RESURGE** (implant), **Web Shell**.
* **Infrastructure:** C2 relies on **SSH tunnels** and utilizes **forged TLS certificates** embedded within the malware itself for stealthy interactions.
## Implications
The RESURGE implant presents a significant, ongoing threat due to its stealth capabilities. Its ability to remain dormant and its sophisticated TLS evasion techniques mean it could be embedded and undetected on numerous compromised Ivanti Connect Secure appliances, posing risks to essential systems long after initial exploitation.
## Mitigations
* Follow the enhanced technical indicators and detection guidance provided in CISA’s updated Malware Analysis Report (MAR).
* Network defenders must be vigilant regarding potential dormant RESURGE activity on Ivanti Connect Secure devices.
* Focused detection efforts must address the malware's advanced TLS evasion and mutual authentication mechanisms.