The Register: Nominet probes network intrusion linked to Ivanti zero-day exploit

Source URL: https://www.theregister.com/2025/01/13/nominet_ivanti_zero_day/
Source: The Register
Title: Nominet probes network intrusion linked to Ivanti zero-day exploit

Feedly Summary: Unauthorized activity detected, but no backdoors found
UK domain registrar Nominet is investigating a potential intrusion into its network related to the latest Ivanti zero-day exploits.…

AI Summary and Description: Yes

Summary: Nominet, the UK domain registrar, is investigating a network intrusion linked to Ivanti’s zero-day vulnerabilities that have been actively exploited. The incident underscores the importance of swift vulnerability management and the risks posed by third-party software in remote access scenarios.

Detailed Description:
Nominet is addressing a significant security incident after discovering an unauthorized intrusion into its network through third-party VPN software provided by Ivanti. The intrusion resulted from exploitation of a zero-day vulnerability, CVE-2025-0282, which affects Ivanti Connect Secure, Policy Secure, and Neurons for ZTA gateways. The critical points of this incident are:

– **Incident Overview**:
  – Nominet became aware of suspicious activity late last week and told customers about the potential risk to protected systems reached via Ivanti’s VPN.
  – Despite the breach, Nominet states there is no evidence of data theft or unauthorized access to sensitive information.

– **Ongoing Investigation**:
  – Nominet has engaged external security experts to assist in its investigation and has tightened security measures, such as restricting VPN access to systems.
  – The company has kept customers and relevant authorities, including the UK’s National Cyber Security Centre (NCSC), informed about the status of the investigation.

– **Exploitation Details**:
  – The zero-day vulnerability was publicly disclosed by Ivanti and Mandiant, who reported that exploitation began in December 2024.
  – Nominet is potentially the first organization publicly identified as a victim of this specific attack.

– **Link to Threat Actors**:
  – Security firm Mandiant has linked the exploits to a threat actor cluster tracked as UNC5337, which has connections to previously identified groups involved in similar attacks.
  – Investigators report that these attacks have been associated with known malware families as well as new strains used to deploy backdoors or web shells for persistent access.

– **Response and Mitigation**:
  – Ivanti has released patches for Ivanti Connect Secure and plans to issue fixes for Policy Secure and Neurons for ZTA gateways later. Patching is urgent, as attackers are expected to exploit these weaknesses widely.
  – Nominet has confirmed that it is applying the patches provided by Ivanti and urges other users of Ivanti products to act quickly in addressing the vulnerabilities.

Overall, this incident is a stark reminder of the importance of third-party software security, the need for rapid vulnerability response, and the ongoing threats in the cybersecurity landscape. Security and compliance professionals must remain vigilant about vulnerabilities introduced through external services, and organizations must prioritize timely patch management and effective communication channels with their vendors.