The Register

More Ivanti attacks may be on horizon, say experts who are seeing 9x surge in endpoint scans

Ivanti VPN users should stay alert as IP scanning for the vendor’s Connect Secure and Pulse Secure systems surged by 800 percent last week, according to threat intel biz GreyNoise.

The team at the internet monitoring company said this is the kind of pattern that usually precedes exploitation and public disclosure of new vulnerabilities.

At any given time, the typical daily number of unique IP addresses scanning for Ivanti VPNs is under 30, and sometimes in the single digits, per GreyNoise’s data, but on April 18 the number of IPs probing Ivanti endpoints surged to 234.

For context, over the past 90 days, 1,004 unique IPs were scanning Connect Secure and Pulse Secure endpoints, which means almost a quarter of the activity for the previous three months occurred on a single day.

Of these 1,004 IPs, 634 were designated “suspicious,” 244 were “malicious,” and 126 were “benign,” GreyNoise said.

“This surge may indicate coordinated reconnaissance and possible preparation for future exploitation,” the infosec biz stated earlier this week.

“Ivanti Connect Secure has been targeted repeatedly in recent years due to its role in enterprise remote access. 

“While no specific CVEs have been tied to this scanning activity yet, spikes like this often precede active exploitation. GreyNoise has previously observed similar patterns in the lead-up to the public discovery of new vulnerabilities.”

As customers pored over their logs for signs of VPN endpoints being targeted, The Register asked Ivanti for its take on GreyNoise’s findings. In response, Ivanti said people should have migrated from Pulse Secure appliances and Connect Secure 9.1 Rx software as it’s now out of support.

“Threat actors often exploit known vulnerabilities in end-of-life (EOL) products, which no longer receive patches or support, making them highly susceptible to N-Day attacks,” the supplier argued.

“Ivanti consistently urges customers using EOL products to upgrade to supported versions immediately to ensure systems are protected. This is an industry-wide issue, and Ivanti has taken numerous proactive steps to compel customers to move to the latest versions.”

GreyNoise, meanwhile, recommends checking for any suspicious login activity and applying the latest relevant patches.
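GreyNoise’s metric is simply the count of distinct source IPs per day, compared against a normal baseline, and its advice to customers is to look at their own logs. The script below, an added example that is not GreyNoise’s or Ivanti’s code, shows how a defender can apply the same check to a VPN appliance’s access log: it aggregates distinct source IPs per day, flags any day whose count is at least 9x the median of the preceding days (the multiplier GreyNoise reported), and computes what share of the window’s distinct IPs landed on that day (the “almost a quarter” figure above). The log line shape is an assumed generic `<date> <source-ip> <path> <status>` format, not Ivanti’s real format, and the sample records are constructed from RFC 5737 documentation address ranges.

```python
"""Spot a surge in distinct source IPs hitting a VPN login endpoint.

Added example, not GreyNoise's or Ivanti's code. The log format is an assumed
generic "<date> <source-ip> <path> <status>" line; the sample records below are
constructed from RFC 5737 documentation ranges (203.0.113.0/24, 198.51.100.0/24).
"""
from collections import defaultdict
from statistics import median

SURGE_MULTIPLIER = 9   # GreyNoise's reported jump was roughly 9x the daily norm
MIN_HISTORY_DAYS = 3   # need a few quiet days before a baseline means anything


def build_sample_log():
    """Constructed sample: a quiet week, then one day with many more distinct scanners."""
    lines = []
    quiet = {
        "2025-04-11": 4, "2025-04-12": 3, "2025-04-13": 5, "2025-04-14": 2,
        "2025-04-15": 4, "2025-04-16": 3, "2025-04-17": 5,
    }
    for day, n in quiet.items():
        for i in range(n):
            lines.append(f"{day} 203.0.113.{10 + i} /vpn/login 401")
    # Spike day: 45 distinct sources; every third one also repeats, and repeats
    # must not inflate a *unique* IP count.
    for i in range(45):
        lines.append(f"2025-04-18 198.51.100.{i + 1} /vpn/login 401")
        if i % 3 == 0:
            lines.append(f"2025-04-18 198.51.100.{i + 1} /vpn/login 401")
    return lines


def parse_line(line):
    """Split one assumed-format log line into (ISO date string, source IP)."""
    day, ip, _path, _status = line.split()
    return day, ip


def unique_ips_per_day(lines):
    """Map each ISO date to the number of distinct source IPs seen that day."""
    per_day = defaultdict(set)
    for line in lines:
        day, ip = parse_line(line)
        per_day[day].add(ip)
    # ISO date strings sort chronologically, so a plain sort keeps day order.
    return {day: len(ips) for day, ips in sorted(per_day.items())}


def flag_surges(daily_counts, multiplier=SURGE_MULTIPLIER, min_history=MIN_HISTORY_DAYS):
    """Return (day, count, baseline) for each day whose distinct-IP count is
    at least `multiplier` times the median of all earlier days in the window."""
    flagged, history = [], []
    for day, count in sorted(daily_counts.items()):
        if len(history) >= min_history:
            baseline = median(history)
            if count >= multiplier * baseline:
                flagged.append((day, count, baseline))
        history.append(count)
    return flagged


def share_of_window(lines, day):
    """Fraction of all distinct IPs in the window that appeared on `day`."""
    all_ips, day_ips = set(), set()
    for line in lines:
        d, ip = parse_line(line)
        all_ips.add(ip)
        if d == day:
            day_ips.add(ip)
    return len(day_ips) / len(all_ips)


if __name__ == "__main__":
    log = build_sample_log()
    counts = unique_ips_per_day(log)
    for day, count in counts.items():
        print(f"{day}: {count} distinct source IPs")
    for day, count, baseline in flag_surges(counts):
        print(f"SURGE {day}: {count} vs median baseline {baseline} "
              f"({share_of_window(log, day):.0%} of the window's distinct IPs)")
```

The baseline is a median rather than a mean so that one earlier noisy day does not hide a later spike, and the check only starts once a few days of history exist; on a real appliance the same aggregation would be fed from the exported access log, and a flagged day is the cue to review that day’s login attempts and confirm the patch level.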

It’s Ivanti again

While nothing is confirmed from Ivanti’s side – actual in-the-wild attacks or vulnerabilities in the process of being patched – if something were to be announced soon it may not come as much of a surprise given the vendor’s recent history with security mishaps.

In January 2025, for the second year in a row, Connect Secure was targeted by zero-day attacks. Two vulnerabilities were disclosed within a few days of the world ringing in the new year, although exploits were confirmed as early as mid-December.

Successful attacks using the more serious of the two vulnerabilities (CVE-2025-0282, CVSS 9.0) were confirmed as recently as this week by Japan’s Computer Emergency Response Team (JPCERT).

The organization said on Thursday that DslogdRAT malware was being implanted on Connect Secure appliances, but couldn’t say for sure if it was part of the same campaign as the one from January, which was attributed to the China-nexus group UNC5221.

This all followed the first Connect Secure campaign from January 2024, which was also attributed to UNC5221. It was arguably more problematic for customers than the 2025 incident, as Ivanti’s staggered patch schedule at the time left many without fixes for weeks after the initial vulnerability disclosure.

Ivanti called the security palaver “humbling” and in April that year committed to overhauling its security practices with the principle of secure-by-design at the heart of it. ®
