

Ethical Hacking News

Ivanti VPN Scans Surge: Experts Warn of Potential Attacks


Experts have warned Ivanti VPN users about a surge in endpoint scans that may indicate coordinated reconnaissance and preparation for future attacks, following the vendor's Connect Secure system being targeted by zero-day attacks in January 2025.

  • GreyNoise alerted Ivanti VPN users to remain vigilant following a significant surge in endpoint scans on Connect Secure and Pulse Secure systems.
  • The surge in activity is reminiscent of patterns that typically precede new vulnerability disclosures, with 1,004 unique IPs scanning the systems over the past 90 days.
  • Ivanti has emphasized the importance of upgrading to supported versions immediately to ensure systems are protected from known vulnerabilities.
  • GreyNoise's findings come amidst concerns surrounding Ivanti's security practices and recent zero-day attacks on Connect Secure.
  • Ivanti's endpoint manager can become an endpoint ravager due to critical flaws, with DslogdRAT malware recently implanted on Connect Secure appliances.



    In a recent alert issued by threat intelligence firm GreyNoise, Ivanti VPN users have been warned to remain vigilant following a significant surge in endpoint scans on the vendor's Connect Secure and Pulse Secure systems. According to GreyNoise, this sudden increase in activity is reminiscent of patterns that typically precede new vulnerability disclosures.

    GreyNoise's data revealed that over the past 90 days, 1,004 unique IPs were scanning Connect Secure and Pulse Secure endpoints, with a spike of 234 unique IP addresses on April 18 alone. Of these 1,004 IPs, 634 were designated "suspicious," 244 were "malicious," and 126 were "benign." This surge in activity has led GreyNoise to conclude that the pattern may indicate coordinated reconnaissance and possible preparation for future exploitation.

    Ivanti Connect Secure has been a popular target among threat actors due to its role in enterprise remote access. While no specific CVEs have been tied to this scanning activity yet, spikes like this often precede active exploitation. Ivanti has emphasized the importance of upgrading to supported versions immediately to ensure systems are protected from known vulnerabilities in end-of-life products.

    GreyNoise's findings come amidst a backdrop of concerns surrounding Ivanti's security practices. In January 2025, Connect Secure was targeted by zero-day attacks for the second year in a row. Two vulnerabilities were disclosed within a few days of the world ringing in the new year, although exploits were confirmed as early as mid-December. Successful attacks using one of the more serious vulnerabilities (CVE-2025-0282, CVSS 9.0) were recently confirmed by Japan's Computer Emergency Response Team (JPCERT).

    Furthermore, Ivanti's endpoint manager can become an endpoint ravager, thanks to a quartet of critical flaws. The organization stated on Thursday that DslogdRAT malware was being implanted on Connect Secure appliances but couldn't confirm if it was part of the same campaign as the one from January 2024, which was attributed to the China-nexus group UNC5221.

    Ivanti's history with security mishaps has raised concerns among users. In April 2024, the company committed to overhauling its security practices with a focus on secure-by-design at its core. Despite these efforts, Ivanti is still facing scrutiny for its handling of vulnerabilities and updates.

    In light of GreyNoise's findings and the recent increase in attacks on Connect Secure, it is essential for users to take proactive steps to protect themselves. This includes reviewing logs for signs of targeted VPN endpoints, upgrading to supported versions as soon as possible, and ensuring that all systems are patched against known vulnerabilities.
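
    The log review recommended above can start with a count of distinct source IPs per day against the VPN portal, flagging days that stand out from the baseline. This is an added example, not code from GreyNoise or Ivanti; the combined-log format (as written by a reverse proxy in front of the gateway), the `/dana-na/` path prefix, the thresholds and the sample lines are assumptions or constructed.

```python
import re
from collections import defaultdict
from statistics import median

# Assumption: requests to the appliance's web portal carry this URL prefix;
# adjust to the paths your own gateway exposes.
PORTAL_PATH = re.compile(r'"(?:GET|POST|HEAD) /dana-na/')
# Combined-log-format prefix: client IP, then the [day/Mon/year:time zone] stamp.
LINE = re.compile(r'^(\S+) \S+ \S+ \[(\d{2}/\w{3}/\d{4}):')

def unique_sources_per_day(lines):
    """Map each day to the set of distinct client IPs that hit the portal path."""
    days = defaultdict(set)
    for line in lines:
        m = LINE.match(line)
        if m and PORTAL_PATH.search(line):
            days[m.group(2)].add(m.group(1))
    return days

def spike_days(days, factor=3, min_sources=5):
    """Return days whose unique-source count exceeds factor x the median of the other days."""
    flagged = []
    for day, ips in days.items():
        others = [len(v) for d, v in days.items() if d != day]
        baseline = median(others) if others else 0
        if len(ips) >= min_sources and len(ips) > factor * baseline:
            flagged.append((day, len(ips), baseline))
    return flagged

def make_sample():
    """Constructed log lines: 2 sources on quiet days, 8 sources on 18/Apr/2025."""
    fmt = '{ip} - - [{day}:10:00:00 +0000] "GET {path} HTTP/1.1" 200 512'
    portal = "/dana-na/auth/url_default/welcome.cgi"
    lines = []
    for day in ("16/Apr/2025", "17/Apr/2025", "19/Apr/2025"):
        for host in (1, 2):
            lines.append(fmt.format(ip=f"198.51.100.{host}", day=day, path=portal))
    for host in range(1, 9):
        lines.append(fmt.format(ip=f"203.0.113.{host}", day="18/Apr/2025", path=portal))
    # Unrelated request that must not be counted.
    lines.append(fmt.format(ip="192.0.2.9", day="18/Apr/2025", path="/index.html"))
    return lines

if __name__ == "__main__":
    for day, count, baseline in spike_days(unique_sources_per_day(make_sample())):
        print(f"{day}: {count} unique sources (baseline {baseline})")
```

    Comparing each day against the median of the other days keeps a single large spike from inflating its own baseline.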





  • Published: Fri Apr 25 14:10:41 2025 by llama3.2 3B Q4_K_M












