< ciso
brief />
Tag Banner

All news with #ivanti tag

51 articles · page 3 of 3

Legacy Flaws in Network Edge Devices Threaten Orgs Today

🔒 Enterprises' network edge devices — firewalls, VPNs, routers, and email gateways — are increasingly being exploited due to longstanding 1990s‑era flaws such as buffer overflows, command and SQL injections. Researchers tracked dozens of zero‑day exploits in 2024 and continuing into 2025 that affected vendors including Fortinet, Palo Alto Networks, Cisco, Ivanti, and others. These appliances are attractive targets because they are remotely accessible, often lack endpoint protections and centralized logging, and hold privileged credentials, making them common initial access vectors for state‑affiliated actors and ransomware groups.
read more →

it-sa Highlights: Vendor Security and Access Solutions

🔒 At it-sa vendors unveiled a slate of security, privacy and access offerings aimed at strengthening enterprise controls. Salesforce expanded its AI Agentforce into the Security Center and Privacy Center to automate threat detection, incident remediation and compliance prioritization. Ivanti reengineered Connect Secure 25.x with a security‑by‑design architecture including SELinux, WAF, secure boot and disk encryption. Additional launches included Samsung Knox mobile credentials, KOBIL mPower and a Zurich/Deutsche Telekom cyber insurance plus MDR integration.
read more →

Chinese Hackers Exploit Enterprise Network Appliances

🔒 A Chinese state-sponsored group tracked as RedNovember carried out a global espionage campaign from June 2024 to July 2025, compromising defense contractors, government agencies, and major corporations by exploiting internet-facing network appliances. The attackers rapidly weaponized disclosed flaws in devices from SonicWall, Ivanti, Cisco, F5, Sophos, and Fortinet, often within 72 hours of public exploit code. They deployed Go-based tools including Pantegana, Cobalt Strike, and SparkRAT, and relied on open-source tooling and legitimate services to obfuscate attribution and maintain persistent access.
read more →

UNC5221 Deploys BRICKSTORM Backdoor Against US Targets

🛡️ Mandiant and Google’s Threat Intelligence Group report that the China‑nexus cluster UNC5221 has delivered the Go‑based backdoor BRICKSTORM to U.S. legal, SaaS, BPO, and technology organizations, frequently exploiting Ivanti Connect Secure zero‑days. BRICKSTORM uses a WebSocket C2, offers file and command execution, and provides a SOCKS proxy to reach targeted applications. The campaign prioritizes long, stealthy persistence on appliances that lack traditional EDR coverage, enabling lateral movement and access to downstream customer environments.
read more →

CISA Details Malware Kits Used in Ivanti EPMM Attacks

🔍 CISA released a technical analysis of malware used in attacks exploiting two Ivanti Endpoint Manager Mobile (EPMM) vulnerabilities, CVE-2025-4427 and CVE-2025-4428. The agency details two distinct malware sets that used a common web-install.jar loader and malicious listener classes to inject and execute code, exfiltrate data, and maintain persistence. Attackers targeted the /mifs/rs/api/v2/ endpoint via HTTP GET requests with a ?format= parameter, delivering segmented, Base64-encoded payloads. CISA published IOCs, YARA and SIGMA rules and advises immediate patching and treating MDM systems as high-value assets.
read more →

CISA Details Two Java Loaders Exploiting Ivanti EPMM Flaws

🔒 CISA released details of two malicious toolsets found on an organization's server after attackers chained zero-day vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM). Each set contains a Java loader that installs an HTTP listener to decode, decrypt and execute arbitrary payloads and maintain persistence. CISA urges updating EPMM, monitoring for suspicious activity, and restricting access to MDM systems.
read more →

CISA Malware Analysis: Malicious Listener for Ivanti EPMM

🛡️ CISA released a Malware Analysis Report analyzing two malware families recovered from an organization compromised via CVE-2025-4427 and CVE-2025-4428 in Ivanti Endpoint Manager Mobile. The report, titled Malicious Listener for Ivanti EPMM Systems, provides indicators of compromise and detection content including YARA and SIGMA rules to support hunting and response. Recommended mitigations stress upgrading Ivanti EPMM to the latest versions and treating mobile device management systems as high-value assets with enhanced monitoring, access controls, and restrictions.
read more →

Malware Analysis: Ivanti EPMM Exploitation and Loaders

🔍 CISA analyzed malicious artifacts deployed after threat actors exploited CVE-2025-4427 and CVE-2025-4428 in Ivanti Endpoint Manager Mobile (EPMM). The report details two distinct loader/listener sets written to /tmp that enable arbitrary code execution through crafted HTTP requests. CISA provides IOCs, YARA and SIGMA detection rules, and recommends immediate patching and treating MDM systems as high-value assets.
read more →

Salt Typhoon APT Expands to Netherlands, Targets Routers

🔒 Salt Typhoon, a persistent Chinese-aligned threat actor, has expanded operations into the Netherlands by compromising routers at smaller ISPs and hosting providers. Intelligence agencies report the group exploits known flaws in Ivanti, Palo Alto Networks, and Cisco devices to obtain long-term access and pivot through trusted provider links. Authorities urge organizations to audit configurations, disable management access, enforce public-key administrative authentication, remove default credentials, and keep vendor-recommended OS versions up to date to reduce exposure.
read more →

Joint Advisory Reveals Salt Typhoon APT Techniques Worldwide

🔍 Salt Typhoon, a Chinese state-aligned APT also tracked as Operator Panda/RedMike, is the subject of a joint advisory from intelligence and cybersecurity agencies across 13 countries. The report links the group to Chinese entities tied to the PLA and MSS and documents repeated exploitation of n-day flaws in network edge devices from vendors such as Ivanti, Palo Alto Networks and Cisco. It details persistence via ACL modifications, tunneled proxies, credential capture via RADIUS/TACACS+, and exfiltration over peering and BGP, and urges telecoms to hunt for intrusions, patch quickly and harden management interfaces.
read more →

Salt Typhoon Exploits Router Flaws to Breach 600 Orgs

🔒Salt Typhoon, a China-linked APT, exploited vulnerabilities in Cisco, Ivanti, and Palo Alto Networks edge devices to compromise and persistently control routers worldwide. The actors modified device configurations, created GRE tunnels, and used on-box Linux containers to stage tools and exfiltrate data. Agencies from 13 countries linked the campaign to three Chinese firms and warned of espionage impacting telecoms, government, transport, lodging, and military sectors.
read more →