CISA's updated analysis reveals RESURGE malware remains dormant on compromised Ivanti Connect Secure devices, enabling stealthy, persistent access that evades routine detection. The malware exploits CVE-2025-0282 and leverages advanced ECC encryption, forged TLS certificates, SSH tunnels, and traffic fingerprinting to maintain covert command-and-control, prompting CISA to urge patching and proactive threat hunting. #RESURGE #IvantiConnectSecure
Key points
- RESURGE can remain dormant on Ivanti Connect Secure devices and activate only when a remote actor connects.
- The malware exploits CVE-2025-0282 to gain access and establish long-term persistence.
- It uses ECC, forged TLS certificates, SSH tunnels, TLS fingerprinting, and CRC32 hashing to hide and authenticate C2 traffic.
- RESURGE modifies files, manipulates integrity checks, and deploys web shells to the Ivanti boot disk, complicating detection and removal.
- CISA advises applying CVE-2025-0282 mitigations, using updated indicators of compromise, and conducting proactive patching and threat hunting beyond automated scans.
Read More: https://thecyberexpress.com/resurge-malware-remains-active/