CISA Releases Malware Analysis Report on RESURGE Malware Associated with Ivanti Connect Secure


CISA has published a Malware Analysis Report (MAR), with analysis and associated detection signatures, on a new malware variant CISA has identified as RESURGE. RESURGE contains capabilities of the SPAWNCHIMERA[1] malware variant, including surviving reboots; however, RESURGE contains distinctive commands that alter its behavior. These commands:

  • Create a web shell, manipulate integrity checks, and modify files.
  • Enable the use of web shells for credential harvesting, account creation, password resets, and privilege escalation.
  • Copy the web shell to the Ivanti running boot disk and manipulate the running coreboot image.

RESURGE is associated with the exploitation of CVE-2025-0282 in Ivanti Connect Secure appliances. CVE-2025-0282 is a stack-based buffer overflow vulnerability in Ivanti Connect Secure, Policy Secure, and ZTA Gateways. CISA added CVE-2025-0282 to its Known Exploited Vulnerabilities (KEV) Catalog on January 8, 2025.

CISA urges users and administrators to implement the following actions:

  • For the highest level of confidence, conduct a factory reset.
    • For cloud and virtual systems, conduct the factory reset using an external, known-clean image of the device.
  • Reset the credentials of privileged and non-privileged accounts.
  • Reset passwords for all domain users and all local accounts, such as Guest, HelpAssistant, DefaultAccount, System, Administrator, and krbtgt. The krbtgt account is responsible for handling Kerberos ticket requests as well as encrypting and signing them. The krbtgt account must be reset twice because the account keeps a two-password history. The first krbtgt reset must be allowed to replicate to all domain controllers before the second reset is performed, to avoid any issues. See CISA's Eviction Guidance for Networks Affected by the SolarWinds and Active Directory/M365 Compromise for more information. Although tailored to Federal Civilian Executive Branch (FCEB) agencies compromised in the 2020 SolarWinds Orion supply chain compromise, the steps apply to any organization with a Windows AD compromise.
  • Review access policies to temporarily revoke privileges/access for affected devices. If it is necessary not to alert the attacker (for example, for intelligence purposes), privileges can instead be reduced for the affected accounts/devices to contain them.
  • Reset the relevant account credentials or access keys if the investigation finds that the threat actor's access is limited to non-elevated permissions.
  • Monitor related accounts, especially administrative accounts, for any further signs of unauthorized access.
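The double krbtgt reset in the list above is the step most often done wrong, so here is an added PowerShell example of the procedure; it is not part of CISA's alert or of any Microsoft tooling. It assumes the ActiveDirectory RSAT module, a Domain Admin session on a domain-joined host, and LDAP reachability to every writable domain controller; the parameters $WaitSeconds and $PollSeconds and the helper names New-RandomPassword, Reset-KrbtgtOnce and Wait-KrbtgtReplicated are this example's own. Read-only DCs are excluded because they have their own krbtgt_NNNNN accounts, which are reset separately.

```powershell
# Added example (not CISA's or Microsoft's code): reset krbtgt twice, and refuse
# to perform the second reset until the first has replicated to every writable DC.
# Assumptions: ActiveDirectory module present, Domain Admin rights, all writable
# DCs reachable. $WaitSeconds is an arbitrary polling bound; tune it to your topology.
#Requires -Modules ActiveDirectory
param(
    [int]$WaitSeconds = 3600,
    [int]$PollSeconds = 60
)

Import-Module ActiveDirectory

function New-RandomPassword {
    # 32 random bytes, base64-encoded. Nobody ever types this value, so it only
    # needs to satisfy the domain password policy; it is discarded after use.
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
}

function Reset-KrbtgtOnce {
    param([string]$PdcHost)
    # Write the change on the PDC emulator so there is one origin for replication,
    # then return the PasswordLastSet stamp the other DCs must catch up to.
    Set-ADAccountPassword -Identity 'krbtgt' -Server $PdcHost -Reset -NewPassword (New-RandomPassword)
    return (Get-ADUser -Identity 'krbtgt' -Server $PdcHost -Properties PasswordLastSet).PasswordLastSet
}

function Wait-KrbtgtReplicated {
    param([datetime]$ExpectedPwdLastSet, [string[]]$DcHosts)
    # Poll each writable DC's own copy of krbtgt until it carries the new stamp.
    # Resetting again before convergence is the problem CISA warns about: a DC
    # still holding the pre-reset key would keep validating tickets under a key
    # that the second reset has already pushed out of the two-password history.
    $deadline = (Get-Date).AddSeconds($WaitSeconds)
    do {
        $lagging = @()
        foreach ($dc in $DcHosts) {
            $seen = (Get-ADUser -Identity 'krbtgt' -Server $dc -Properties PasswordLastSet).PasswordLastSet
            if ($seen -lt $ExpectedPwdLastSet) { $lagging += $dc }
        }
        if ($lagging.Count -eq 0) { return $true }
        Write-Host ("Waiting for replication on: " + ($lagging -join ', '))
        Start-Sleep -Seconds $PollSeconds
    } while ((Get-Date) -lt $deadline)
    return $false
}

$domain = Get-ADDomain
$pdc    = $domain.PDCEmulator
# Writable DCs only; RODCs hold per-site krbtgt_NNNNN accounts instead.
$dcs    = (Get-ADDomainController -Filter { IsReadOnly -eq $false }).HostName

$first = Reset-KrbtgtOnce -PdcHost $pdc
Write-Host "First krbtgt reset written at $first; waiting for replication to $($dcs.Count) DCs..."
if (-not (Wait-KrbtgtReplicated -ExpectedPwdLastSet $first -DcHosts $dcs)) {
    throw "First reset has not replicated to all DCs within $WaitSeconds s; do NOT perform the second reset yet."
}
$second = Reset-KrbtgtOnce -PdcHost $pdc
Write-Host "Second krbtgt reset written at $second. Once this replicates, tickets forged with the pre-compromise key are no longer accepted."
```

Two practical caveats. Replication convergence is the minimum gap CISA requires; Microsoft's own guidance is to also wait at least the maximum TGT lifetime (10 hours by default) between the two resets so that legitimately issued tickets expire rather than fail abruptly, so in production set a longer delay than the replication check alone. And the second reset only removes the attacker's ability to forge tickets with the stolen key; it does nothing for persistence established through other means, which is why the factory reset and the account resets above are listed alongside it.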

Organizations should report incidents and anomalous activity related to information found in the Malware Analysis Report to CISA's 24/7 Operations Center at Report@cisa.gov or (888) 282-0870. Malware submissions can be made directly to Malware Nextgen at https://malware.cisa.gov.

See the following resources for more guidance:
