RESURGE Malware Highlights the Growing Problem of Dormant Threats


There’s something unsettling about malware that can lie dormant on your network for months, waiting for the right moment to activate. This week’s security news brings us face-to-face with exactly that scenario, along with some interesting developments in AI security and a stark reminder about the fragility of internet freedom.

The RESURGE Wake-Up Call

CISA’s latest warning about RESURGE malware should make anyone running Ivanti Connect Secure devices take a hard look at their environment. What makes this particularly concerning isn’t just that attackers exploited CVE-2025-0282 in zero-day attacks—it’s that the malicious implant can remain completely silent on compromised devices.

Think about the implications here. You could have patched CVE-2025-0282, run your scans, and declared victory, all while RESURGE sits quietly in the background. Patching closes the door the attackers came through, but it does nothing to an implant that was installed before the patch landed. This isn’t theoretical; in real-world deployments the malware establishes persistence and then goes dark, potentially for months.

The challenge this creates for our detection strategies is significant. Network-based indicators of compromise only fire when an implant talks, and an implant designed to stay silent gives you nothing to match on. We need to shift our thinking from “what’s happening now?” to “what could be hiding in our environment that we haven’t seen yet?” In practice that means host-level checks on the appliance itself: comparing what is on disk against a known-good state rather than waiting for a beacon.
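One concrete way to look for “what could be hiding” is an integrity baseline: hash every file on the appliance while it is known-good, and later diff a fresh manifest against it. This is an added example, not code from CISA, Ivanti or the original post; the directory layout, file contents and the simulated tampering are constructed to show what a silent, non-beaconing implant still has to leave behind on disk.

```python
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path

# Added example (not from CISA, Ivanti or the original post): a minimal
# offline integrity baseline. Record a manifest of every regular file
# under a directory while the system is known-good, then diff a later
# manifest against it. An implant that never beacons still has to live
# somewhere on disk, so added, modified or removed files surface here
# regardless of network behaviour. All paths and content are constructed.


def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file path (relative to root) to its hash, size and mode bits."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        st = path.lstat()
        manifest[str(path.relative_to(root))] = {
            "sha256": _sha256(path),
            "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode),
        }
    return manifest


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Return added, removed and changed paths. A path counts as changed
    when its content hash or its mode bits differ from the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(
        p for p in set(baseline) & set(current)
        if baseline[p]["sha256"] != current[p]["sha256"]
        or baseline[p]["mode"] != current[p]["mode"]
    )
    return {"added": added, "removed": removed, "changed": changed}


def save_manifest(manifest: dict, path: Path) -> None:
    # Keep the baseline off-box, or at least outside the monitored tree:
    # a manifest the implant can edit is not a baseline.
    path.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path: Path) -> dict:
    return json.loads(path.read_text())


def demo() -> dict:
    """Constructed scenario: baseline a fake appliance tree, then simulate
    a dormant implant (new file, patched binary, setuid bit added) and
    diff. Returns the diff so callers can inspect or assert on it."""
    with tempfile.TemporaryDirectory() as d:
        tmp = Path(d)
        root = tmp / "appliance"
        (root / "bin").mkdir(parents=True)
        (root / "bin" / "web").write_bytes(b"original web daemon")
        (root / "bin" / "sshd").write_bytes(b"original sshd")
        (root / "etc.conf").write_text("mode=normal\n")
        save_manifest(build_manifest(root), tmp / "baseline.json")

        # Simulated dormant implant: no network activity, only disk changes.
        (root / "bin" / "web").write_bytes(b"original web daemon\x00patched")
        (root / "lib_helper.so").write_bytes(b"implant payload")
        os.chmod(root / "bin" / "sshd", 0o4755)  # setuid bit added

        return diff_manifests(load_manifest(tmp / "baseline.json"),
                              build_manifest(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The diff reports the dropped library as added and both the patched daemon and the mode change on sshd as changed, with no network traffic involved. On a real appliance the baseline must come from a trusted image rather than from a device that may already be compromised, and the manifest has to be stored where the implant cannot rewrite it.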

AI Security: Promising but Not Perfect

Meanwhile, the cybersecurity world is still digesting the implications of Claude Code’s introduction. Despite the stock market excitement, researchers are finding that the reality is more nuanced than the initial hype suggested.

This feels familiar, doesn’t it? Every time a new AI security tool launches, we see the same pattern: massive expectations followed by the sobering realization that there’s no silver bullet. Claude Code shows genuine promise for identifying security vulnerabilities in code, but it’s not going to replace human expertise or fundamentally change how we approach application security overnight.

What’s particularly interesting is how the market reacted before security professionals had time to properly evaluate the technology. It’s a reminder that we need to be the voice of reason when new security technologies emerge, helping our organizations separate genuine innovation from marketing noise.

FreePBX Infections Expose Common Vulnerabilities

The news about 900 Sangoma FreePBX instances being infected with web shells hits on a problem we see repeatedly: post-authentication vulnerabilities that organizations underestimate.

The attackers exploited a command injection vulnerability in the endpoint manager’s interface. On the surface, “post-authentication” might sound less severe, since an attacker needs valid credentials first. In practice that bar is low: credentials are obtained through default passwords, reuse and phishing every day, and once past the login a command injection bug turns a web session into code execution on the underlying host. That is devastating on systems that often run with elevated privileges or sit on sensitive network segments.

FreePBX systems are particularly attractive targets because they’re often deployed with default credentials or weak authentication, and they typically have network access that makes them perfect pivot points. The scale of this attack—900 instances—suggests that many organizations either weren’t aware of the vulnerability or hadn’t prioritized patching because of the post-authentication requirement.
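The vulnerability class behind the FreePBX infections is worth seeing side by side with its fix. The following is an added example, not FreePBX or Sangoma code: a hypothetical provisioning helper that takes a phone’s MAC address from an authenticated web form and hands it to a command-line tool. `echo` stands in for the real provisioning command so the example runs anywhere with a POSIX shell; the injected input is constructed.

```python
import re
import subprocess

# Added example, not FreePBX code. A hypothetical provisioning helper
# receives a device MAC address from an authenticated form. The
# vulnerable version builds a shell string; the no-shell version passes
# the value as a discrete argv element; the hardened version also
# allow-lists the value before it reaches any command. `echo` is a
# stand-in for the real tool so nothing on the host is touched.

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")


def provision_vulnerable(mac: str) -> list[str]:
    """String concatenation + shell=True: /bin/sh parses the input, so
    ';', '|', '$(...)' and friends become additional commands."""
    proc = subprocess.run(
        f"echo {mac}", shell=True, capture_output=True, text=True, check=True
    )
    return proc.stdout.splitlines()


def provision_no_shell(mac: str) -> list[str]:
    """Same call with an argv list and no shell: the input is one
    argument, metacharacters included, and nothing else executes.
    This alone stops shell injection but not argument injection
    (a value starting with '-' could still be read as an option)."""
    proc = subprocess.run(
        ["echo", mac], capture_output=True, text=True, check=True
    )
    return proc.stdout.splitlines()


def provision_hardened(mac: str) -> list[str]:
    """Allow-list the value against the only shape it may legitimately
    have, then pass it as its own argv element."""
    mac = mac.strip().lower()
    if not MAC_RE.match(mac):
        raise ValueError(f"rejected device id: {mac!r}")
    return provision_no_shell(mac)


def demo() -> dict:
    """Constructed input: a valid MAC followed by an injected command."""
    payload = "aa:bb:cc:dd:ee:ff; echo INJECTED"
    out = {
        "vulnerable": provision_vulnerable(payload),
        "no_shell": provision_no_shell(payload),
    }
    try:
        provision_hardened(payload)
        out["hardened"] = "executed"
    except ValueError as e:
        out["hardened"] = str(e)
    out["hardened_valid"] = provision_hardened("AA:BB:CC:DD:EE:FF")
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run it and the vulnerable path prints two lines, the second being the attacker’s command; the argv form prints the whole payload as one literal argument; the hardened form refuses the payload before any process starts and accepts only a well-formed MAC. Authentication did nothing to stop the first case, which is the point about “post-authentication” bugs.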

Air-Gapped Networks Aren’t Air-Gapped

Perhaps the most technically fascinating story this week involves ScarCruft’s new campaign using Zoho WorkDrive and USB malware to breach air-gapped networks. The North Korean threat actor has developed a sophisticated toolkit that includes a backdoor using Zoho WorkDrive for command-and-control communications and an implant that leverages removable media.

This Ruby Jumper campaign demonstrates something we’ve suspected for years: true air-gapping is nearly impossible to maintain in practice. Someone always needs to transfer files, update software, or move data between the “isolated” network and the outside world. ScarCruft has built their entire attack chain around exploiting these necessary connections.

The use of Zoho WorkDrive is particularly clever. It’s a legitimate cloud service that most organizations are unlikely to block, and the traffic pattern, HTTPS to a well-known SaaS domain, looks innocuous to network monitoring tools. Allowing a domain is not the same as trusting every account and every file that moves through it, and that gap is exactly what this technique exploits. Combined with USB-based malware that hops across the air gap, it forms a complete bridge between the isolated network and external command infrastructure.

Iran’s Internet Shutdown: A Security Perspective

Finally, Bruce Schneier’s analysis of Iran’s two-tiered internet shutdown offers a sobering look at how governments can weaponize internet infrastructure. This wasn’t just blocking social media—it was a total communications shutdown that lasted longer than almost any in history.

From a security perspective, this raises uncomfortable questions about the resilience of our own communication systems. If a government can effectively isolate an entire country’s population from global communications, what does that mean for incident response, threat intelligence sharing, and basic business continuity during a crisis?

The technical mechanisms Iran used to implement this shutdown also provide a roadmap that other authoritarian regimes will undoubtedly study and adapt. We need to think seriously about how to build more resilient communication channels that can survive not just technical failures, but deliberate government interference.

The Common Thread

Looking across all these stories, there’s a common theme: the security challenges we face are becoming more sophisticated and more patient. Whether it’s dormant malware, AI tools that require careful evaluation, attackers who bridge air gaps, or governments that can isolate entire populations, we’re dealing with threats that operate on longer timescales and with more strategic thinking than ever before.
