
【Japan Security Analyst Conference 2026】TeamT5 Will Give Speech on the Massive Exploitation of Ivanti

2026.01.07 TeamT5 Media Center
This year, the Japan Security Analyst Conference 2026 (JSAC2026) will be held on Jan. 21-23. This annual cyber security conference, hosted by JPCERT/CC, aims to bring together security analysts and give them opportunities to share technical knowledge related to incident response and analysis.
Our Vulnerability Researcher, Greg Chen, and Incident Response Engineer, Sharon Liu, will deliver a talk titled “Incident Response at the Edge: Unmasking the Massive Exploitation of Ivanti” from 16:10 to 16:50 on January 22.

About the Speech

Since April 2025, TeamT5 has been warning of large-scale exploitation campaigns against Ivanti Connect Secure VPN, in which hundreds of devices belonging to governments and enterprises across more than 20 countries were compromised by the notorious SPAWN malware family (reference). In particular, over 40 companies’ Ivanti appliances were compromised in Japan, affecting high-value industries such as telecommunications, semiconductors, and electronics.
These attacks demonstrate the growing risks at the edge of enterprise networks. Despite being the backbone of remote access, VPN appliances often operate as "black boxes": proprietary devices that give IT only web-based maintenance access. The lack of low-level shell control makes them opaque, creating blind spots in enterprise security. This limited visibility allows attackers to maintain long-term persistence and makes these devices exceptionally hard to investigate.
This leads to the core focus of our presentation, which centers on the Ivanti VPN appliance and covers three main areas: (1) how we identify VPN devices compromised by the SPAWN malware family, (2) our methodology for investigating such black-box systems, and (3) the use of heuristic approaches beyond traditional pattern-based detection.
Ultimately, we demonstrate practical detection solutions capable of identifying the SPAWN malware families in Ivanti appliances, along with detection strategies that organizations can adopt to strengthen defenses against ongoing and future VPN-targeted attacks.

About JSAC 2026

Cyber attacks occur on a daily basis, and their techniques are constantly changing. Engineers who analyze and respond to them are required to improve their skills to keep up with these ever-changing techniques. However, there are few occasions in Japan where techniques and knowledge of incident analysis and response are shared among engineers. Security analysts are expected to get together and exchange their technical expertise on incident handling to develop their strength against cyber attacks both individually and as a whole.
To achieve this goal, JPCERT/CC hosts the Japan Security Analyst Conference (JSAC), the annual conference for exchanging technical information on cyber security incident analysis and response. In this conference, security analysts who handle security incidents on a daily basis are encouraged to share information with each other to deal with ever-evolving cyber attacks today and in the future.