Chinese Hackers Actively Exploiting Ivanti VPN Vulnerability to Deploy Malware
\n \t
\n
<\/BR>
\n
\n \t
\n
<\/BR><\/p>\n
Security researchers have identified a critical vulnerability in Ivanti Connect Secure (ICS) VPN appliances that is being actively exploited by suspected Chinese threat actors.<\/p>\n
The vulnerability, tracked as CVE-2025-22457, is a buffer overflow flaw affecting ICS version 22.7R2.5 and earlier that can lead to remote code execution.<\/p>\n
Evidence suggests exploitation began in mid-March 2025, with attackers leveraging the vulnerability to deploy sophisticated malware strains designed for espionage operations.<\/p>\n
The attacks have been attributed to UNC5221, a suspected China-nexus espionage actor with a history of targeting edge devices through zero-day exploitations dating back to 2023.<\/p>\n
This group has demonstrated sophisticated capabilities, including the ability to reverse-engineer security patches to develop working exploits.<\/p>\n
In this campaign, they likely studied the February 2025 patch for ICS 22.7R2.6 to develop their attack methodology.<\/p>\n
Google Threat Intelligence analysts identified<\/a> that following successful exploitation, the threat actors deploy multiple malware families, including two newly discovered tools \u2013 TRAILBLAZE and BRUSHFIRE \u2013 alongside their previously documented SPAWN ecosystem of malware.<\/p>\n These tools work in concert to establish persistent access while evading detection mechanisms.<\/p>\n The vulnerability\u2019s exploitation represents a concerning evolution in UNC5221\u2019s tactics, as they transition from exclusively using zero-day vulnerabilities<\/a> to also leveraging n-day flaws in their arsenal. <\/p>\n According to security researchers, the group targets a wide range of countries and vertical sectors, demonstrating an aggressive operational tempo and extensive toolset.<\/p>\n After successfully exploiting the vulnerability, attackers deploy a sophisticated attack chain starting with a shell script dropper.<\/p>\n This initial script executes TRAILBLAZE, an in-memory dropper written in bare C using raw syscalls, designed to be minimal and stealthy.<\/p>\n TRAILBLAZE then injects the BRUSHFIRE passive backdoor<\/a> into a running The infection process creates several temporary files that store information about the target process, including:-<\/p>\n BRUSHFIRE operates by hooking the SSL_read function, allowing it to intercept encrypted communications.<\/p>\n When specific trigger strings are detected, it decrypts and executes shellcode contained in the intercepted data, sending results back through SSL_write.<\/p>\n This sophisticated technique enables attackers to maintain a persistent presence while minimizing detection risk, as they operate entirely in memory without writing malicious files to disk.<\/p>\n Security experts recommend organizations immediately upgrade affected Ivanti<\/a> Connect Secure appliances to version 22.7R2.6 or later and utilize the Integrity Checker Tool to identify any suspicious activity.<\/p>\n The post Chinese Hackers Actively Exploiting Ivanti VPN Vulnerability to Deploy Malware<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nPost-Exploitation Tactics<\/strong><\/h2>\n
\/home\/bin\/web<\/code> process.<\/p>\n\/tmp\/.p: contains the PID of the \/home\/bin\/web process\n\/tmp\/.m: contains a memory map of that process\n\/tmp\/.w: contains the base address of the web binary\n\/tmp\/.s: contains the base address of libssl.so\n\/tmp\/.r: contains the BRUSHFIRE passive backdoor\n\/tmp\/.i: contains the TRAILBLAZE dropper<\/code><\/pre>\nInvestigate Real-World Malicious Links & Phishing Attacks With\u00a0Threat Intelligence Lookup<\/strong>\u00a0-\u00a0Try 50 Request for Free<\/a><\/code><\/strong><\/code><\/strong><\/p>\n