

Ethical Hacking News

Ivanti Flaws Exploited to Drop Malware and Launch In-Memory Cobalt Strike Attacks


Attackers exploiting two Ivanti Connect Secure vulnerabilities deployed the MDifyLoader malware, which decodes a Cobalt Strike Beacon and runs it directly in memory. The details of the intrusion, reported by JPCERT/CC, show what defenders should watch for once an edge appliance has been compromised.

  • Attackers exploited CVE-2025-0282 and CVE-2025-22457 in Ivanti Connect Secure (ICS) to drop MDifyLoader and run Cobalt Strike Beacon in memory.
  • MDifyLoader was launched through DLL side-loading; the attackers also deployed VShell, a Go-based remote access tool, and Fscan, a Go-based network scanner, both of which have been adopted by Chinese hacking groups.
  • The attackers brute-forced FTP, MS-SQL, and SSH servers to obtain credentials and move laterally across the network.
  • Persistence came from new domain accounts added to existing groups and from malware registered as a service or scheduled task.
  • Ivanti urges customers to stay on the latest version of its products, which contain the fixes for these vulnerabilities.
  • Organizations should patch promptly, monitor the network for the post-exploitation behaviour described here, and maintain detection capabilities that cover it.



    A recent incident highlights the exploitation of Ivanti Connect Secure (ICS) appliances by attackers who weaponized CVE-2025-0282 and CVE-2025-22457 to drop malware known as MDifyLoader and execute a Cobalt Strike Beacon in memory.

    According to a report published by JPCERT/CC, researchers observed MDifyLoader being delivered through these vulnerabilities, both of which Ivanti had already patched. CVE-2025-0282 is a critical stack-based buffer overflow in ICS that gives an unauthenticated attacker remote code execution; CVE-2025-22457 is likewise a stack-based buffer overflow that can be exploited to execute arbitrary code.

    The use of DLL side-loading is noteworthy. MDifyLoader is started by a legitimate executable that looks for a DLL by name in its own directory and instead loads the attacker's DLL placed there; once running, it decodes an embedded Cobalt Strike Beacon payload and executes it in memory, so the decoded Beacon exists only in memory and never as a file on disk. Alongside it the attackers deployed VShell, a Go-based remote access tool, and Fscan, a Go-based network scanner; both have been adopted by various Chinese hacking groups in recent months.

    Fscan was executed by a loader based on the open-source tool FilelessRemotePE. VShell, by contrast, repeatedly failed to run: the build the attackers deployed still had its system-language check enabled, a function most likely meant for the developers' own testing that the attackers did not notice or disable before use.

    The attackers also brute-forced FTP, MS-SQL, and SSH servers to obtain credentials and move laterally across the network. For persistence, they used new domain accounts created during the initial intrusion and added them to existing groups.

    They also registered their malware as a Windows service or a scheduled task so that it would run at system startup or on a specific trigger, giving them a foothold that survives reboots and keeps the payload running without manual intervention.
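    The three behaviours described in the two paragraphs above (credential brute-forcing against SSH, FTP and MS-SQL, new accounts added to existing groups, and persistence through a new service or scheduled task) are each visible in ordinary logs. The Python script below is an added example, not code from JPCERT/CC, Ivanti or the article: it runs a simple detection pass over constructed sshd log lines and flattened Windows events. The log content, the event field names, the hostnames and IP addresses, and the failure threshold are all assumptions; FTP server logs are omitted but would feed the same per-source counter.

```python
"""Detection pass for the post-exploitation activity described above.
Added example, not code from JPCERT/CC, Ivanti or the article. The log
lines, event field names, hosts, addresses and threshold are constructed."""
import re
from collections import Counter

# Constructed Linux auth.log excerpt: one source hammering sshd, one benign typo.
AUTH_LOG = """\
Jul 20 02:11:01 fs01 sshd[4412]: Failed password for invalid user admin from 10.20.30.40 port 51010 ssh2
Jul 20 02:11:02 fs01 sshd[4413]: Failed password for root from 10.20.30.40 port 51011 ssh2
Jul 20 02:11:03 fs01 sshd[4414]: Failed password for root from 10.20.30.40 port 51012 ssh2
Jul 20 02:11:04 fs01 sshd[4415]: Failed password for oracle from 10.20.30.40 port 51013 ssh2
Jul 20 02:11:05 fs01 sshd[4416]: Failed password for postgres from 10.20.30.40 port 51014 ssh2
Jul 20 02:11:09 fs01 sshd[4420]: Accepted password for svc_backup from 10.20.30.40 port 51020 ssh2
Jul 20 03:00:00 fs01 sshd[4500]: Failed password for alice from 10.20.30.77 port 60001 ssh2
"""

# Constructed Windows events, flattened the way a SIEM would store them.
# 18456 = MSSQL "Login failed", 4720 = user account created, 4728 = member
# added to a global group, 7045 = service installed, 4698 = scheduled task created.
WIN_EVENTS = [
    {"id": 18456, "host": "sql01", "src_ip": "10.20.30.40", "user": "sa"},
    {"id": 18456, "host": "sql01", "src_ip": "10.20.30.40", "user": "sa"},
    {"id": 18456, "host": "sql01", "src_ip": "10.20.30.40", "user": "admin"},
    {"id": 4720, "host": "dc01", "user": "svc_update", "subject": "helpdesk1"},
    {"id": 4728, "host": "dc01", "user": "svc_update", "group": "Domain Admins"},
    {"id": 4728, "host": "dc01", "user": "bob", "group": "VPN Users"},
    {"id": 7045, "host": "ws07", "name": "WinUpdateSvc", "path": "C:\\ProgramData\\upd\\update.exe"},
    {"id": 4698, "host": "ws07", "name": "\\Microsoft\\Windows\\UpdateCheck", "subject": "svc_update"},
]

SSH_FAIL = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")


def ssh_failures(log_text):
    """Yield (src_ip, user) for every failed sshd password attempt."""
    for line in log_text.splitlines():
        m = SSH_FAIL.search(line)
        if m:
            yield m.group(2), m.group(1)


def mssql_failures(events):
    """Yield (src_ip, user) for every MSSQL login failure (event 18456)."""
    for e in events:
        if e["id"] == 18456:
            yield e["src_ip"], e["user"]


def brute_force_sources(attempts, threshold=5):
    """Return {src_ip: failure_count} for sources at or above the threshold.
    Counting per source across services catches a host that spreads its
    guesses over SSH, MS-SQL and FTP; a per-service count would split it up."""
    counts = Counter(ip for ip, _ in attempts)
    return {ip: n for ip, n in counts.items() if n >= threshold}


def new_accounts_added_to_groups(events):
    """Return [(user, group)] where an account created in this event set
    (4720) is later added to a group (4728 / 4732 / 4756)."""
    created = {e["user"] for e in events if e["id"] == 4720}
    return [(e["user"], e["group"]) for e in events
            if e["id"] in (4728, 4732, 4756) and e["user"] in created]


def persistence_events(events):
    """Return one line per new service (7045) or scheduled task (4698)."""
    out = []
    for e in events:
        if e["id"] == 7045:
            out.append(f"{e['host']}: service {e['name']} -> {e['path']}")
        elif e["id"] == 4698:
            out.append(f"{e['host']}: task {e['name']} created by {e['subject']}")
    return out


def run():
    """Run all three detections over the constructed sample data."""
    attempts = list(ssh_failures(AUTH_LOG)) + list(mssql_failures(WIN_EVENTS))
    return {
        "brute_force": brute_force_sources(attempts),
        "new_accounts_in_groups": new_accounts_added_to_groups(WIN_EVENTS),
        "persistence": persistence_events(WIN_EVENTS),
    }


if __name__ == "__main__":
    for name, hits in run().items():
        print(name, hits)
```

    On the sample data the per-source counter flags 10.20.30.40 with eight failures across sshd and MS-SQL, the account check pairs svc_update with Domain Admins while ignoring bob (who already existed), and the persistence check lists the new service and the new task. In a real deployment the threshold should be tuned to the environment and the 4720 lookup widened to a time window rather than a single batch of events.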

    In response, Ivanti has stressed that customers should stay on the latest version of its solutions, which contain the security enhancements and the fixes for vulnerabilities such as CVE-2025-22457, and should apply patches as soon as they are released to minimize risk.

    The exploitation of Ivanti Connect Secure appliances shows why organizations need to patch internet-facing systems promptly and pair that with network monitoring and detection for the post-exploitation activity seen here: credential brute-forcing, new accounts added to existing groups, and unexpected services or scheduled tasks.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Ivanti-Flaws-Exploited-to-Drop-Malware-and-Launch-In-Memory-Cobalt-Strike-Attacks-ehn.shtml

  • https://thehackernews.com/2025/07/ivanti-zero-days-exploited-to-drop.html

  • https://nvd.nist.gov/vuln/detail/CVE-2025-0282

  • https://www.cvedetails.com/cve/CVE-2025-0282/

  • https://nvd.nist.gov/vuln/detail/CVE-2025-22457

  • https://www.cvedetails.com/cve/CVE-2025-22457/


  • Published: Tue Jul 22 06:15:17 2025 by llama3.2 3B Q4_K_M

    © Ethical Hacking News. All rights reserved.