On March 28, 2025, the Cybersecurity and Infrastructure Security Agency (CISA) released a Malware Analysis Report (MAR) on RESURGE malware, which is associated with the product Ivanti Connect Secure.
According to the MAR, “RESURGE contains capabilities of the SPAWNCHIMERA malware variant, including surviving reboots; however, RESURGE contains distinctive commands that alter its behavior. These commands:
- Create a web shell, manipulate integrity checks, and modify files.
- Enable the use of web shells for credential harvesting, account creation, password resets, and escalating permissions.
- Copy the web shell to the Ivanti running boot disk and manipulate the running coreboot image.”
To address the vulnerability, CISA recommends that users and administrators:
- Consider a factory reset.
- Follow Ivanti’s recommended recovery steps.
- Reset credentials of all accounts.
- Reset passwords for all domain users and local accounts.
- Review access policies to temporarily revoke access for affected devices.
- Reset account credentials or access keys.
- Monitor related accounts, especially administrative accounts.
- Report incidents and anomalous activity to CISA.
The MAR is an important read for any businesses using Ivanti Connect Secure, Policy Secure, and ZTA Gateways.