CISA has released new technical details on RESURGE, a persistent implant deployed through exploitation of the CVE-2025-0282 zero-day to compromise Ivanti Connect Secure devices. The implant remains latent until it receives a specific inbound TLS connection, identified by a CRC32 TLS fingerprint and a forged Ivanti certificate, and includes components such as libdsupgrade.so, a SpawnSloth variant (liblogblock.so), and dsmain, which provide persistence and log tampering. #RESURGE #IvantiConnectSecure
Key points
- CVE-2025-0282 was exploited as a zero-day to deploy RESURGE on Ivanti Connect Secure appliances.
- RESURGE is a 32-bit Linux shared object (libdsupgrade.so) functioning as a passive C2 implant with rootkit, bootkit, backdoor, dropper, proxy, and tunneling capabilities.
- The implant evades network detection by waiting for specific inbound TLS connections verified with CRC32 TLS fingerprints and a forged Ivanti certificate.
- A SpawnSloth variant (liblogblock.so) is used for log tampering while dsmain enables kernel extraction and boot-level persistence by modifying firmware and filesystem contents.
- CISA advises using updated indicators of compromise (IoCs) to discover and remove dormant RESURGE infections from affected Ivanti devices.
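Because a passive implant like RESURGE generates no network traffic until its trigger arrives, the practical hunt is host-side: look for the named components and for tampering of dsmain. The following is an added example (not CISA's or Ivanti's code) of such a check over a mounted appliance filesystem or forensic image; the file names come from the page, while the directory layout, file contents and baseline hash are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

# Component names taken from CISA's RESURGE analysis. Everything else
# (paths, contents, baseline digest) is constructed for this example.
RESURGE_ARTIFACTS = {"libdsupgrade.so", "liblogblock.so"}
MONITORED_BINARIES = {"dsmain"}

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def scan_image(root, baseline):
    """Walk the tree under `root`. Report any file whose name matches a
    RESURGE component, and any monitored binary whose SHA-256 differs
    from the trusted baseline (e.g. a hash taken from a clean firmware)."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if name in RESURGE_ARTIFACTS:
                findings.append(("resurge_component", rel, sha256_file(path)))
            elif name in MONITORED_BINARIES:
                digest = sha256_file(path)
                expected = baseline.get(name)
                if expected is not None and digest != expected:
                    findings.append(("modified_binary", rel, digest))
    return findings

def demo():
    """Constructed mini filesystem: clean dsmain first, then a tampered
    dsmain plus a dropped libdsupgrade.so. Returns the sorted finding kinds."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "home", "bin"))  # constructed layout
        os.makedirs(os.path.join(root, "lib"))
        clean = os.path.join(root, "home", "bin", "dsmain")
        with open(clean, "wb") as f:
            f.write(b"clean dsmain contents (constructed)")
        baseline = {"dsmain": sha256_file(clean)}
        assert scan_image(root, baseline) == []  # clean image: no findings
        with open(clean, "ab") as f:
            f.write(b"\n# injected bytes (constructed)")
        with open(os.path.join(root, "lib", "libdsupgrade.so"), "wb") as f:
            f.write(b"\x7fELF constructed")
        return sorted(kind for kind, _, _ in scan_image(root, baseline))

if __name__ == "__main__":
    print(demo())  # ['modified_binary', 'resurge_component']
```

A real baseline should be taken from a known-clean copy of the appliance firmware, since a modified dsmain on the running device is exactly what the check is meant to catch.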