CISA Releases Malware Analysis Report on RESURGE Malware Associated with Ivanti Connect Secure – Cisa.gov


Published on: 2025-03-28

Intelligence Report: CISA Releases Malware Analysis Report on RESURGE Malware Associated with Ivanti Connect Secure – Cisa.gov

1. BLUF (Bottom Line Up Front)

The Cybersecurity and Infrastructure Security Agency (CISA) has released a comprehensive malware analysis report on the RESURGE malware, which is associated with Ivanti Connect Secure. The report identifies RESURGE as a new malware variant with capabilities to alter system behavior, manipulate integrity checks, and escalate privileges. CISA provides detection signatures and mitigation strategies to address the exploitation of vulnerabilities in Ivanti Connect Secure appliances. Immediate action is recommended to mitigate risks associated with this malware.

2. Detailed Analysis

The following structured analytic techniques have been applied for this analysis:

General Analysis

The RESURGE malware variant has been identified with capabilities such as spawning the SpawnChimera malware, surviving reboots, and creating web shells for unauthorized access. The malware exploits a stack-based buffer overflow vulnerability (CVE) in Ivanti Connect Secure appliances, allowing attackers to manipulate system files and credentials. CISA’s analysis includes YARA and Sigma rules for detection and urges users to implement factory resets and credential resets as mitigation measures.

3. Implications and Strategic Risks

The exploitation of Ivanti Connect Secure appliances poses significant risks to national security and organizational integrity. The malware’s ability to escalate privileges and manipulate system files could lead to unauthorized access and data breaches. This could impact regional stability and economic interests by compromising critical infrastructure and sensitive information. Organizations using Ivanti products are at heightened risk and should prioritize implementing CISA’s recommended mitigation steps.

4. Recommendations and Outlook

Recommendations:

  • Conduct factory resets on affected devices using known clean images to eliminate malware presence.
  • Reset credentials for privileged and non-privileged accounts to prevent unauthorized access.
  • Implement CISA’s YARA and Sigma rules for enhanced detection and monitoring of RESURGE malware.
  • Review and temporarily revoke privileged access to affected devices to limit potential damage.
  • Enhance network monitoring to detect anomalous activities and unauthorized access attempts.

Outlook:

Best-case scenario: Organizations swiftly implement CISA’s recommendations, effectively mitigating the malware’s impact and preventing further exploitation.

Worst-case scenario: Delayed response leads to widespread exploitation, resulting in significant data breaches and operational disruptions.

Most likely scenario: A mixed response with some organizations successfully mitigating risks while others experience limited breaches due to incomplete implementation of recommendations.

5. Key Individuals and Entities

The report focuses on the following entities:

  • CISA
  • Ivanti

No specific individuals are mentioned in the context of this report.
