Jan 9, 2025, 10:17 PM
Jan 6, 2025, 12:00 AM

Google's Mandiant exposes malware hidden on compromised Ivanti VPN appliances

Highlights
  • Ivanti disclosed a critical vulnerability tracked as CVE-2025-0283 on January 9, 2025, while it was already being exploited.
  • Well-resourced attackers are compromising Connect Secure devices, installing malware and tampering with the built-in integrity checker.
  • Organizations relying on Ivanti VPN products must urgently inspect affected systems for compromise and remediate them.
Story

On January 9, 2025, Ivanti, an IT management and security software vendor, announced a critical vulnerability tracked as CVE-2025-0283 affecting its VPN products, in particular Connect Secure appliances. The flaw lets well-resourced attackers take complete control of an affected device, and attacks against customers were already under way at the time of disclosure.

Following the announcement, Mandiant reported that the attackers had installed two previously unseen malware families, DRYHOOK and PHASEJAM, on compromised devices. The attackers also manipulate the Connect Secure upgrade mechanism so that infection warnings are suppressed and the administrator sees what looks like a legitimate upgrade. Other modifications on compromised devices are intended to hide signs of infection.

A further component, SPAWNANT, undermines the Integrity Checker Tool (ICT) that Ivanti builds into the VPN to detect unauthorized files. The attackers alter the ICT's output to create a false sense of security: a tampered run may show only three steps, whereas a genuine scan reports ten. Administrators therefore need to inspect ICT results carefully rather than accept a clean verdict at face value.

Mandiant attributed the activity to two threat groups that have not been publicly identified. Ivanti urged customers to prioritize checking their devices for signs of compromise using the indicators in its advisory, and to run the ICT alongside other security monitoring tools to detect post-exploitation activity. If a device shows signs of infection, the recommended remediation is a factory reset before it is returned to service.

Together with CVE-2025-0283 itself, these attacks pose a significant risk to users of Ivanti VPN products and call for immediate action to secure affected networks.
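The "three steps instead of ten" tell-tale above is easy to miss when an operator only reads the final verdict. The following script is an added example, not code from the article, from Ivanti or from Mandiant: it parses ICT output, counts the numbered steps actually reported, and flags a scan that prints a clean verdict without running to completion. The step-line format `[Step N/M]`, the ten-step total and the sample outputs are all assumptions constructed for the example; adjust the regular expression to the exact format your ICT version prints.

```python
"""Flag Ivanti ICT output that reports fewer steps than a genuine scan.

Added example; not part of the original article and not Ivanti's tooling.
Assumptions (see comments): a genuine run reports ten steps, and step lines
look like "[Step N/M] ...". Both are constructed for illustration.
"""
import re
import sys

EXPECTED_STEPS = 10  # assumed: a genuine ICT scan reports ten numbered steps

# Assumed line shape: "[Step N/M] description"; not Ivanti's documented format.
STEP_RE = re.compile(r"\[Step\s+(\d+)\s*/\s*(\d+)\]", re.IGNORECASE)

# Reassuring phrases a tampered tool might print; a clean verdict is only
# meaningful if every step actually ran.
CLEAN_VERDICT_RE = re.compile(
    r"no (?:unauthorized|suspicious) files|scan (?:completed|passed)", re.IGNORECASE
)


def parse_steps(output: str) -> list[tuple[int, int]]:
    """Return (step, declared_total) for each step marker, in order of appearance."""
    return [(int(n), int(total)) for n, total in STEP_RE.findall(output)]


def assess_ict_output(output: str, expected_steps: int = EXPECTED_STEPS) -> dict:
    """Return a verdict dict; 'suspicious' is True when the output should not be trusted."""
    steps = parse_steps(output)
    seen = sorted({n for n, _ in steps})
    declared = sorted({t for _, t in steps})
    missing = [i for i in range(1, expected_steps + 1) if i not in seen]
    findings = []

    if not steps:
        findings.append("no step markers found; not an ICT report or unexpected format")
    else:
        # A modified tool may also lie about the total ("3/3" instead of "3/10").
        if declared != [expected_steps]:
            findings.append(
                f"declared step total {declared} differs from expected {expected_steps}"
            )
        if missing:
            findings.append(
                f"scan reported {len(seen)} of {expected_steps} steps; missing {missing}"
            )
        if missing and CLEAN_VERDICT_RE.search(output):
            findings.append("clean verdict printed although the scan did not run to completion")

    return {
        "steps_seen": seen,
        "missing_steps": missing,
        "suspicious": bool(findings),
        "findings": findings,
    }


# Constructed sample outputs (not real ICT logs): a complete run and a
# truncated one that still claims the device is clean.
GENUINE_RUN = "\n".join(
    [f"[Step {i}/10] checking component {i}... ok" for i in range(1, 11)]
    + ["Scan completed: no unauthorized files found"]
)
TAMPERED_RUN = "\n".join(
    [f"[Step {i}/10] checking component {i}... ok" for i in range(1, 4)]
    + ["Scan completed: no unauthorized files found"]
)


if __name__ == "__main__":
    # Pass saved ICT output files as arguments, or run without arguments to
    # see the constructed samples assessed.
    if len(sys.argv) > 1:
        samples = [(p, open(p, encoding="utf-8", errors="replace").read()) for p in sys.argv[1:]]
    else:
        samples = [("genuine sample", GENUINE_RUN), ("tampered sample", TAMPERED_RUN)]
    for name, text in samples:
        result = assess_ict_output(text)
        print(f"{name}: suspicious={result['suspicious']}")
        for finding in result["findings"]:
            print("  -", finding)
```

Treat a "suspicious" result as a reason to escalate, not as proof of compromise, and combine it with Ivanti's published indicators and external monitoring; a tampered ICT can lie about more than the step count, which is why the advisory coverage above recommends not relying on the on-box tool alone.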
The attackers' evolving techniques underline the importance of keeping security measures current and of staying alert to new, sophisticated malware that can subvert the very controls meant to detect it. The episode is a stark reminder to every organization that relies on VPN appliances to monitor those devices continuously and to treat them as high-value targets.
