

Ethical Hacking News

New Ivanti Zero-Days Exploited to Drop Malware and Launch Cobalt Strike Attacks


Threat actors exploited critical Ivanti Connect Secure (ICS) vulnerabilities to deploy malware, using DLL side-loading and running Cobalt Strike beacons in memory. The incident underscores the need for prompt patching, regular vulnerability assessments, and monitoring for the post-exploitation activity described below.

  • Ivanti Connect Secure (ICS) appliances were exploited through the zero-day vulnerabilities CVE-2025-0282 and CVE-2025-22457.
  • The attackers used DLL side-loading to launch MDifyLoader, which decrypts a Cobalt Strike beacon and runs it in memory.
  • Researchers identified MDifyLoader as a custom loader based on the open-source project libPeConv; it loads an encrypted data file and runs the Cobalt Strike beacon payload in memory.
  • The attackers also used VShell and Fscan, both written in Go and both recently used by various Chinese hacking groups.
  • Inside the network, the attackers brute-forced FTP, MS-SQL, and SSH servers to obtain credentials and move laterally.
  • They also used the EternalBlue SMB exploit (MS17-010) and maintained persistence through new domain accounts, services, and scheduled tasks.



Malicious actors have exploited zero-day vulnerabilities in Ivanti Connect Secure (ICS) appliances. The case is notable both for the severity of the vulnerabilities involved and for the way they were weaponized.



The attacks rely on two critical security flaws, CVE-2025-0282 and CVE-2025-22457, both of which are exploitable remotely without authentication. Ivanti addressed CVE-2025-0282 in early January 2025 and patched CVE-2025-22457 in April 2025.



Despite the short timeframe between the disclosure of these vulnerabilities and their exploitation in the wild, researchers have assembled a detailed picture of how they were used. According to a report published by JPCERT/CC today, the threat actors used DLL side-loading to launch MDifyLoader, which in turn loads a Cobalt Strike beacon and runs it in memory.



MDifyLoader appears to be a custom loader based on the open-source project libPeConv. It loads an encrypted data file, decodes the Cobalt Strike beacon payload, and runs it in memory. The attackers also deployed additional tooling: a Go-based remote access tool named VShell and a Go-based network scanning utility called Fscan.



Researchers note that both tools have been used extensively by various Chinese hacking groups in recent months. Fscan, for instance, was executed via a loader that is itself launched through DLL side-loading and is based on another open-source tool, FilelessRemotePE.



VShell includes a function that checks whether the system language is set to Chinese. The attackers repeatedly failed to execute VShell because this check was left enabled during deployment, which suggests the build was intended for internal testing; in practice it worked against them.



After gaining a foothold in the internal network, the attackers carried out brute-force attacks against FTP, MS-SQL, and SSH servers to obtain credentials and move laterally. They also used the EternalBlue SMB exploit (MS17-010) to further their objectives.



Beyond MDifyLoader, the attackers used other tools to create new domain accounts and add them to existing groups, so that access survived even if previously acquired credentials were revoked. They also registered their malware as a service or as a scheduled task so that it would run at system startup or on specific event triggers.
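The persistence chain above (a freshly created account, a group addition, then a new service or scheduled task registered by that account) is detectable from standard Windows Security and System events. The correlation below is an added example, not from the report or the page; the events are constructed and the one-hour window is an assumed tuning value.

```python
"""Correlate Windows event records for the persistence chain: account created
(4720) -> added to a global/local group (4728/4732) -> that account installs a
service (System 7045) or creates a scheduled task (4698) within a time window.
Sample events are constructed for illustration, not taken from the incident."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records: (ISO timestamp, event id, subject account, target)
# For 4720/4728/4732 the target is the created/added account; for 7045/4698 the
# subject is the account that registered the service/task, target its name.
SAMPLE_EVENTS = [
    ("2025-07-10T02:14:05", 4720, "admin", "svc_backup"),
    ("2025-07-10T02:14:40", 4728, "admin", "svc_backup"),
    ("2025-07-10T02:20:12", 7045, "svc_backup", "UpdateSvc"),
    ("2025-07-10T09:00:00", 4720, "helpdesk", "jdoe"),     # routine onboarding
    ("2025-07-11T10:00:00", 4698, "jdoe", "NightlyReport"),  # a day later, no group add
]

GROUP_ADD = {4728, 4732}
PERSISTENCE = {7045, 4698}


def find_persistence_chains(events, window=timedelta(hours=1)):
    """Return {account: sorted event ids} for accounts that were created,
    added to a group, and registered a service/task, all within `window`
    of the account's creation."""
    created = {}            # account -> creation time
    chain = defaultdict(set)
    for ts, eid, subject, target in sorted(events):  # ISO strings sort by time
        t = datetime.fromisoformat(ts)
        if eid == 4720:
            created[target] = t
            chain[target].add(eid)
        elif eid in GROUP_ADD and target in created and t - created[target] <= window:
            chain[target].add(eid)
        elif eid in PERSISTENCE and subject in created and t - created[subject] <= window:
            chain[subject].add(eid)
    # Only report accounts that completed the full create -> group -> persist chain
    return {acct: sorted(ids) for acct, ids in chain.items()
            if ids & GROUP_ADD and ids & PERSISTENCE}


if __name__ == "__main__":
    for acct, ids in find_persistence_chains(SAMPLE_EVENTS).items():
        print(f"suspicious persistence chain for {acct}: events {ids}")
```

The same window logic applies to a real SIEM feed once the subject/target fields are mapped from the event XML; the routine onboarding case shows why the group-add and time constraints matter for keeping false positives down.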



Researchers emphasize that these tactics are meant to secure long-term access to the internal network while evading detection, maintaining a persistent presence.



This incident highlights the evolving nature of cyber threats and the importance of vigilance in the face of emerging vulnerabilities. Organizations need to maintain robust security measures and keep up with developments in this field to mitigate such risks effectively.



IT teams should conduct thorough vulnerability assessments and implement proactive security strategies that address potential exploits before they become major issues.



In light of these findings, organizations should prioritize cybersecurity, monitor their networks closely, and maintain a strong defensive posture to guard against similar attacks in the future.





Related Information:
  • https://www.ethicalhackingnews.com/articles/New-Ivanti-Zero-Days-Exploited-to-Drop-Malware-and-Launch-Cobalt-Strike-Attacks-ehn.shtml
  • https://thehackernews.com/2025/07/ivanti-zero-days-exploited-to-drop.html
  • https://nvd.nist.gov/vuln/detail/CVE-2025-0282
  • https://www.cvedetails.com/cve/CVE-2025-0282/
  • https://nvd.nist.gov/vuln/detail/CVE-2025-22457
  • https://www.cvedetails.com/cve/CVE-2025-22457/

Published: Fri Jul 18 16:14:41 2025 by llama3.2 3B Q4_K_M












