The Cybersecurity and Infrastructure Security Agency (CISA) has released a Malware Analysis Report (MAR) detailing a newly identified malware variant named RESURGE. This new malware exhibits capabilities similar to the SPAWNCHIMERA variant, notably its ability to survive system reboots. However, RESURGE distinguishes itself through unique commands that enable it to alter its behavior.
The analysis reveals that RESURGE is equipped with commands that can "create a web shell, manipulate integrity checks, and modify files". These capabilities further allow the malware to "enable the use of web shells for credential harvesting, account creation, password resets, and escalating permissions".
Moreover, RESURGE malware can "copy the web shell to the Ivanti running boot disk and manipulate the running coreboot image". CISA's report indicates a strong association between RESURGE and the exploitation of CVE-2025-0282 in Ivanti Connect Secure appliances.
CVE-2025-0282 is identified as a stack-based buffer overflow vulnerability affecting Ivanti Connect Secure, Policy Secure, and ZTA Gateways. Recognizing the severity of this threat, CISA added CVE-2025-0282 to its Known Exploited Vulnerabilities Catalog on January 8, 2025.
In addition to the specific mitigation instructions for CVE-2025-0282, CISA strongly advises users and administrators to take the following actions:
- "For the highest level of confidence, conduct a factory reset." For cloud and virtual systems, perform a factory reset using an external known clean image. Refer to Ivanti's Recommended Recovery Steps for detailed guidance on conducting a factory reset.
- "Reset credentials of privileged and non-privileged accounts." Reset passwords for all domain users and local accounts, including Guest, HelpAssistant, DefaultAccount, System, Administrator, and krbtgt. The krbtgt account, critical for handling Kerberos ticket requests, should be reset twice due to its two-password history. The first reset must be allowed to replicate before the second reset. CISA also recommends reviewing its Eviction Guidance for Networks Affected by the SolarWinds and Active Directory/M365 Compromise, as the steps are applicable to organizations with Windows AD compromise.
- Organizations should "review access policies to temporarily revoke privileges/access for affected devices." If necessary for intelligence purposes and to avoid alerting the attacker, privileges can be reduced to contain affected accounts/devices.
- If the threat actor's access is limited to non-elevated permissions, "reset the relevant account credentials or access keys." Continuous monitoring of related accounts, especially administrative accounts, is crucial for detecting any further signs of unauthorized access.
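The krbtgt double reset above is the step most often done wrong, usually by running the second reset before the first has replicated. The following PowerShell is an added example, not code from the CISA report or from Ivanti; it assumes the ActiveDirectory module, Domain Admin rights, and uses the replication metadata version of pwdLastSet as the "has it replicated" check.

```powershell
# Added example, not part of the CISA report: the two-step krbtgt reset the
# guidance above describes, with a replication check before the second reset.
# Assumes the ActiveDirectory PowerShell module and Domain Admin rights.
Import-Module ActiveDirectory

function New-RandomSecurePassword {
    # 64 random printable ASCII characters; the krbtgt value is never typed by anyone.
    $bytes = New-Object byte[] 64
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $text = -join ($bytes | ForEach-Object { [char](33 + ($_ % 94)) })
    return ConvertTo-SecureString $text -AsPlainText -Force
}

function Get-KrbtgtPwdVersion {
    # Replication metadata version of pwdLastSet on krbtgt as seen by one DC.
    # Every reset increments it, so it tells us whether that DC has the new key.
    param([string]$Dc, [string]$KrbtgtDn)
    $meta = Get-ADReplicationAttributeMetadata -Object $KrbtgtDn -Server $Dc -Properties pwdLastSet
    return [int]$meta.Version
}

function Wait-KrbtgtReplicated {
    # Block until every DC reports at least the expected attribute version.
    param([string[]]$Dcs, [string]$KrbtgtDn, [int]$Expected, [int]$TimeoutMinutes = 60)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $lagging = $Dcs | Where-Object { (Get-KrbtgtPwdVersion -Dc $_ -KrbtgtDn $KrbtgtDn) -lt $Expected }
        if (-not $lagging) { return $true }
        Write-Host ("Waiting for replication to: " + ($lagging -join ', '))
        Start-Sleep -Seconds 60
    } while ((Get-Date) -lt $deadline)
    throw "krbtgt reset did not replicate to all DCs within $TimeoutMinutes minutes"
}

$pdc      = (Get-ADDomain).PDCEmulator
$krbtgtDn = (Get-ADUser -Identity krbtgt -Server $pdc).DistinguishedName
$dcs      = (Get-ADDomainController -Filter * -Server $pdc).HostName
$start    = Get-KrbtgtPwdVersion -Dc $pdc -KrbtgtDn $krbtgtDn

# First reset: the KDC still honours tickets issued under the previous key.
Set-ADAccountPassword -Identity krbtgt -Server $pdc -Reset -NewPassword (New-RandomSecurePassword)
Wait-KrbtgtReplicated -Dcs $dcs -KrbtgtDn $krbtgtDn -Expected ($start + 1) | Out-Null

# Second reset, only after the first has reached every DC, so that both
# entries of krbtgt's two-password history are now values the attacker never saw.
Set-ADAccountPassword -Identity krbtgt -Server $pdc -Reset -NewPassword (New-RandomSecurePassword)
Wait-KrbtgtReplicated -Dcs $dcs -KrbtgtDn $krbtgtDn -Expected ($start + 2) | Out-Null
Write-Host "krbtgt reset twice and replicated to $($dcs.Count) domain controllers"
```

Run it from a domain controller or a workstation with RSAT; the replication wait is what keeps Kerberos working for clients while the new key propagates.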