Security company GreyNoise has observed a significant increase in the number of scans targeting Ivanti VPN systems. This could indicate that a new wave of attacks is imminent.
Companies using Ivanti Connect Secure and Pulse Secure should be extra vigilant in the coming period. Ivanti’s VPN solutions have been the target of attacks multiple times this year and last year, and according to security company GreyNoise, there are indications of new problems. The company is seeing notably more activity on Ivanti endpoints.
On April 18, the company detected more than nine times the normal activity. More than 230 unique IP addresses attempted to reach these systems at that time, while normally fewer than 30 IP addresses are counted per day. Over a ninety-day period, this amounts to 1,004 IP addresses. The targets of the scans are most often companies from the United States, United Kingdom, and Germany.
Reconnaissance
According to GreyNoise, this increased activity could indicate a coordinated reconnaissance in preparation for possible attacks. Ivanti Connect Secure systems have long been a popular target due to their role in remote access to corporate networks. Although there are currently no specific vulnerabilities (CVEs) linked to these scans, as was the case in early 2024, GreyNoise points out that similar patterns have previously preceded the discovery of new security flaws.
GreyNoise advises security teams to check log files for suspicious attempts, monitor logins from unknown IP addresses, block known suspicious IP addresses, and apply the latest updates to ICS/IPS systems as quickly as possible. Via The Register, Ivanti itself advises ensuring that all devices are upgraded to supported versions.
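The log review described above can be partly automated. The following is an added example, not code from GreyNoise or Ivanti: it counts unique source IPs per day, flags days at nine times the running baseline or more, and lists the sources that are not on an allow-list. The log layout, the sample lines and the allow-list are constructed assumptions; adapt the regular expression to whatever your gateway actually exports.

```python
import re
from collections import defaultdict
from statistics import median

# Assumed generic layout "date time src=IP action=...". This is NOT Ivanti's
# log format; the sample data below is constructed for the example.
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \S+ src=(\S+) action=(\S+)")
KNOWN_IPS = {"198.51.100.10"}  # assumption: addresses you expect logins from


def build_sample():
    """Return constructed log lines: three quiet days, then a scan burst."""
    lines = []
    for day in ("2025-04-15", "2025-04-16", "2025-04-17"):
        lines.append(f"{day} 09:00:01 src=198.51.100.10 action=login_ok")
        lines.append(f"{day} 11:30:12 src=203.0.113.5 action=login_fail")
    for i in range(1, 21):  # 20 distinct sources within one day
        lines.append(f"2025-04-18 02:{i:02d}:00 src=192.0.2.{i} action=login_fail")
    lines.append("2025-04-18 09:00:01 src=198.51.100.10 action=login_ok")
    lines.append("malformed line without fields")
    return lines


def unique_sources_per_day(lines):
    """Map each date to the set of source IPs seen; skip unparsable lines."""
    days = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            days[m.group(1)].add(m.group(2))
    return dict(days)


def flag_spikes(days, factor=9.0):
    """Flag days whose unique-source count is >= factor x the median of earlier normal days."""
    flagged, history = [], []
    for day in sorted(days):
        count = len(days[day])
        if history and count >= factor * median(history):
            flagged.append((day, count, sorted(days[day] - KNOWN_IPS)))
        else:
            history.append(count)  # only unflagged days feed the baseline
    return flagged


if __name__ == "__main__":
    for day, count, unknown in flag_spikes(unique_sources_per_day(build_sample())):
        print(f"{day}: {count} unique sources, {len(unknown)} not on allow-list")
```

Flagged days are kept out of the baseline so that a sustained scanning campaign does not raise the threshold and hide itself.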
Not So Secure
Ivanti Connect Secure has not always guaranteed a secure connection in the past. Multiple vulnerabilities caused worldwide attacks in early 2024. Ivanti received much criticism for how it handled the vulnerabilities. Patches came late.
The CEO had to issue a public mea culpa and promise that the company would do better in the future. Yet it could not prevent a new vulnerability from surfacing early this year. Another security debacle is the last thing Ivanti and its customers need.