
Hackers use Ivanti Connect Secure 0-Day to install DslogdRAT and Web Shell


Cyber attackers have recently exploited a zero-day vulnerability in Ivanti Connect Secure, known as CVE-2025-0282, to infiltrate systems and deploy malicious tools like a web shell and a sophisticated remote access trojan (RAT) dubbed DslogdRAT, as reported by JPCERT/CC.

This breach highlights the ongoing and evolving risks associated with Ivanti products, which have increasingly attracted the attention of cybercriminals seeking to exploit vulnerabilities for malicious purposes. The delivery of such malware through unpatched security flaws underscores the critical importance for organizations of prioritizing regular updates and robust monitoring to prevent potential data breaches and cyber attacks.

The attackers initially utilized a web shell coded in Perl to act as a CGI script, processing incoming HTTP requests. This web shell specifically looked for a hardcoded token in the Cookie header for validation, enabling the execution of arbitrary commands passed through a request parameter.

The deployment of DslogdRAT, a modular RAT with advanced capabilities, likely followed the establishment of the web shell. DslogdRAT starts as a primary process that spawns a child process and then terminates; the child decodes the malware's configuration data using a simple XOR operation with the single-byte key 0x63. The malware restricts its activity to the hours between 8:00 AM and 8:00 PM, which suggests an attempt to evade detection by operating only during regular business hours.
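As an added illustration of the decoding step described above (this is example code written for this page, not code from the article, JPCERT/CC or the malware itself), the following Python decodes a configuration blob XOR-encoded with the key 0x63 and locates such a blob inside a larger buffer by looking for runs of bytes that decode to printable ASCII. The key=value config format, the filler bytes and the address are constructed for the demonstration; the page does not describe DslogdRAT's real configuration layout.

```python
import string

XOR_KEY = 0x63                       # single-byte key reported in the JPCERT/CC analysis
PRINTABLE = set(string.printable.encode("ascii"))


def xor_decode(data: bytes, key: int = XOR_KEY) -> bytes:
    """XOR every byte with the key; XOR is its own inverse, so this also encodes."""
    return bytes(b ^ key for b in data)


def find_encoded_config(buf: bytes, key: int = XOR_KEY, min_len: int = 16) -> list[tuple[int, int]]:
    """Return (start, end) byte ranges of buf that decode under `key` to runs of
    printable ASCII at least `min_len` bytes long. This lets an analyst carve a
    candidate configuration out of a sample or memory dump without knowing its offset."""
    hits, start = [], None
    for i, b in enumerate(buf):
        if (b ^ key) in PRINTABLE:
            if start is None:
                start = i
            continue
        if start is not None and i - start >= min_len:
            hits.append((start, i))
        start = None
    if start is not None and len(buf) - start >= min_len:
        hits.append((start, len(buf)))
    return hits


def carve_configs(buf: bytes, key: int = XOR_KEY) -> list[bytes]:
    """Decode every candidate range found by find_encoded_config."""
    return [xor_decode(buf[s:e], key) for s, e in find_encoded_config(buf, key)]


# Constructed sample: an invented key=value config (the real DslogdRAT format is
# not described in the article), XOR-encoded and wrapped in filler bytes chosen so
# that they never decode to printable ASCII. 203.0.113.10 is a documentation
# (TEST-NET-3) address, not a real C2.
SAMPLE_CONFIG = b"c2=203.0.113.10:443;start=08:00;stop=20:00;sleep=60;"
FILLER = bytes([0xFF, 0xFE, 0xFD, 0xFC]) * 4
ENCODED_BLOB = FILLER + xor_decode(SAMPLE_CONFIG) + FILLER

if __name__ == "__main__":
    for (s, e), cfg in zip(find_encoded_config(ENCODED_BLOB), carve_configs(ENCODED_BLOB)):
        print(f"candidate config at bytes {s}-{e}: {cfg.decode('ascii')}")
```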

Further analysis revealed that the compromised systems also harbored SPAWNSNARE, malware previously documented by CISA and Google, further indicating the complexity and severity of the attacks targeting Ivanti products.

While the specific ties between these attacks and the UNC5221 group linked to the SPAWN family remain unclear, the overlap suggests a potentially broader campaign exploiting Ivanti vulnerabilities. JPCERT/CC issued an additional alert for CVE-2025-22457, emphasizing the continued threat posed to Ivanti Connect Secure by cyber attackers.

The deliberate design of DslogdRAT, including its encoded configuration, communication methods, and multi-threaded architecture, showcases a strategic effort to maintain stealth and resilience on infected systems. Organizations are advised to examine indicators of compromise provided by JPCERT/CC to detect and respond effectively to these threats.

As the frequency of attacks on Ivanti infrastructure is expected to persist, proactive measures like patch management, network monitoring, and incident response planning are crucial to protect critical systems from sophisticated exploitation methods.

In conclusion, the recent exploitation of a zero-day vulnerability in Ivanti products serves as a stark reminder of the evolving threat landscape facing organizations worldwide. By staying vigilant, implementing security best practices, and prioritizing timely updates, businesses can mitigate the risks associated with cyber attacks and safeguard their sensitive data effectively.
