{"id":22399,"date":"2025-04-04T16:49:45","date_gmt":"2025-04-04T19:49:45","guid":{"rendered":"https:\/\/www.ethicalhacker.com.br\/site\/?p=22399"},"modified":"2025-04-04T16:49:46","modified_gmt":"2025-04-04T19:49:46","slug":"falha-critica-do-ivanti-utilizada-para-implantar-malware","status":"publish","type":"post","link":"https:\/\/www.ethicalhacker.com.br\/site\/2025\/04\/exploits\/falha-critica-do-ivanti-utilizada-para-implantar-malware\/","title":{"rendered":"Falha cr\u00edtica do Ivanti utilizada para implantar malware"},"content":{"rendered":"\n

Falha cr\u00edtica do Ivanti \u00e9 explorada ativamente para implantar malware TRAILBLAZE e BRUSHFIRE<\/strong><\/p>\n

A\u00a0falha cr\u00edtica no Ivanti Connect Secure (CVE-2025-22457), um\u00a0stack-based buffer overflow<\/em>\u00a0que permite\u00a0execu\u00e7\u00e3o remota de c\u00f3digo (RCE), est\u00e1 sendo ativamente explorada para distribuir os malwares\u00a0TRAILBLAZE\u00a0e\u00a0BRUSHFIRE. Segundo a Mandiant, o grupo\u00a0UNC5221\u00a0(ligado \u00e0 China) est\u00e1 por tr\u00e1s dos ataques, utilizando t\u00e9cnicas sofisticadas para evadir detec\u00e7\u00e3o e manter persist\u00eancia em sistemas comprometidos.<\/p>\n

Neste artigo, apresentaremos\u00a0dois exemplos pr\u00e1ticos de mitiga\u00e7\u00e3o usando Python, ajudando equipes de seguran\u00e7a a\u00a0detectar explora\u00e7\u00f5es\u00a0e\u00a0proteger sistemas vulner\u00e1veis.<\/p>\n

\u00a0<\/p>\n

1. Detec\u00e7\u00e3o de explora\u00e7\u00e3o ativa (an\u00e1lise de logs em tempo real)<\/strong><\/p>\n

Os invasores exploram o\u00a0CVE-2025-22457<\/strong>\u00a0para injetar comandos maliciosos. Uma forma de mitigar riscos \u00e9\u00a0monitorar logs do Ivanti Connect Secure em busca de padr\u00f5es suspeitos, como tentativas de buffer overflow ou execu\u00e7\u00e3o de comandos shell.<\/p>\n

\u00a0<\/p>\n

1. Exemplo em Python: Monitoramento de logs<\/strong><\/p>\n

\u00a0<\/p>\n

def<\/span> monitor_logs<\/span>(<\/span>log_file)<\/span>:<\/span>\n    suspicious_patterns =<\/span> [<\/span>\n        r\"buffer overflow\"<\/span>,<\/span>  \n        r\"\\.\/\\.\\.\/\\.\\.\/\"<\/span>,<\/span>  # Tentativa de path traversal  <\/span>\n        r\"wget|curl|bash -c\"<\/span>,<\/span>  # Comandos suspeitos  <\/span>\n        r\"TRAILBLAZE|BRUSHFIRE|SPAWN\"<\/span>  # IOCs conhecidos  <\/span>\n    ]<\/span>\n    \n    try<\/span>:<\/span>\n        with<\/span> open<\/span>(<\/span>log_file,<\/span> 'r'<\/span>)<\/span> as<\/span> f:<\/span>\n            f.<\/span>seek(<\/span>0<\/span>,<\/span> 2<\/span>)<\/span>  # Vai para o final do arquivo (log em tempo real)<\/span>\n            while<\/span> True<\/span>:<\/span>\n                line =<\/span> f.<\/span>readline(<\/span>)<\/span>\n                if<\/span> line:<\/span>\n                    for<\/span> pattern in<\/span> suspicious_patterns:<\/span>\n                        if<\/span> re.<\/span>search(<\/span>pattern,<\/span> line,<\/span> re.<\/span>IGNORECASE)<\/span>:<\/span>\n                            print<\/span>(<\/span>f\"[ALERTA] Atividade suspeita detectada: 
<\/span>{<\/span>line.<\/span>strip(<\/span>)<\/span>}<\/span><\/span>\"<\/span><\/span>)<\/span>\n                            # Opcional: Enviar alerta via e-mail ou SIEM<\/span>\n                time.<\/span>sleep(<\/span>0.1<\/span>)<\/span>\n    except<\/span> FileNotFoundError:<\/span>\n        print<\/span>(<\/span>f\"Arquivo de log n\u00e3o encontrado: <\/span>{<\/span>log_file}<\/span><\/span>\"<\/span><\/span>)<\/span>\n\n# Uso: monitorar logs do Ivanti (ajuste o caminho conforme necess\u00e1rio)<\/span>\nmonitor_logs(<\/span>\"\/var\/log\/ivanti\/connect_secure.log\"<\/span>)


<\/span><\/pre>\n
Como funciona?<\/strong><\/p>\n