
TeamT5 Warns of Global Risks Posed by Ivanti Vulnerability

by Digital Desk
12 months ago
in Business

PRNewswire

Taipei [Taiwan], April 24: TeamT5, a leading Asia Pacific threat intelligence brand, detected that a China-nexus APT group exploited a critical vulnerability in Ivanti Connect Secure VPN appliances to infiltrate multiple entities around the globe. The victims span nearly 20 different industries across 12 countries. TeamT5 believes that the actor still maintained control over the victims' networks at the time of analysis. We urge enterprises and organizations to conduct a comprehensive investigation.

Ivanti High-Risk Vulnerability Exposes Systems to Potential Takeover by Attackers

TeamT5’s analysis assessed with high confidence that the actor was exploiting the vulnerabilities of Ivanti Connect Secure VPN appliances to launch attacks around the globe. The actor possibly exploited CVE-2025-0282 or CVE-2025-22457 to conduct initial access.

Both CVE-2025-0282 and CVE-2025-22457 are stack buffer overflow vulnerabilities in Ivanti Connect Secure VPN with a CVSS score of 9.0. Successful exploitation allows the threat actor to achieve remote code execution, leading to intrusion of the internal network and malware implantation.

In the attack, the actor deployed SPAWNCHIMERA, a weapon shared among Chinese threat groups. SPAWNCHIMERA was developed specifically for Ivanti Connect Secure VPN and has all the functionalities of the notorious SPAWN family, including SPAWNANT (installer), SPAWNMOLE (SOCKS5 tunneler), SPAWNSNAIL (SSH backdoor), and SPAWNSLOTH (log wiper).

Moreover, TeamT5’s analysis suggests that other threat actors might also obtain the vulnerability information and start campaigns targeting Ivanti VPN appliances. We have observed massive exploitation attempts against Ivanti VPN appliances since April. Although most exploitation attempts failed, many Ivanti VPN appliances became paralyzed and unstable.

Widespread Impact Across Countries and Industries Calls for Urgent System Review

TeamT5 points out that the victim countries include Austria, Australia, France, Spain, Japan, South Korea, Netherlands, Singapore, Taiwan, the United Arab Emirates, the United Kingdom, and the United States. The targeted industries include Automotive, Chemical, Conglomerate, Construction, Information Security, Education, Electronics, Financial Institution, Gambling, Government, Intergovernmental Organizations (IGOs), Information Technology, Law Firm, Manufacturing, Materials, Media, Non-Governmental Organizations (NGOs), Research Institute, and Telecommunication.

TeamT5 strongly recommends that affected organizations conduct a thorough incident investigation. Given the actor's versatile TTPs, such as multi-layered C2 infrastructure, evasion of monitoring mechanisms, and the use of a log wiper, it would be a challenge to detect the actor's malicious traces inside the network without additional technical support.

About TeamT5

TeamT5 consists of top cyber threat analysts. Leveraging our geographic and cultural advantages, we have the best understanding of cyber attackers in Asia Pacific. TeamT5 is frequently invited to share insights at top cybersecurity conferences. Our threat intelligence research expertise and solutions were recognized with the 2023-2024 Company of the Year Award in Taiwanese Threat Intelligence by Frost & Sullivan.

Based on our research in malware and Advanced Persistent Threats (APT), we provide cyber threat intelligence reports and anti-ransomware solutions to clients in the USA and Asia Pacific region. Clients include government agencies, financial businesses, and high-tech enterprises.

Website: https://teamt5.org/en/

(ADVERTORIAL DISCLAIMER: The above press release has been provided by PRNewswire. ANI will not be responsible in any way for the content of the same)
