IT

Jan 14, 2025 nominet ivanti zeroday ukdomains cyberattack espionage

UK domain registry Nominet confirms breach via Ivanti zero-day

Nominet, the official .UK domain registry and one of the largest country code registries, has confirmed that its network was breached two weeks ago using an Ivanti VPN zero-day vulnerability.


The company manages and operates over 11 million .uk, .co.uk, and .gov.uk domain names, as well as other top-level domains, including .cymru and .wales.

It also ran the U.K.'s Protective Domain Name Service (PDNS) on behalf of the country's National Cyber Security Centre (NCSC) until September 2024, protecting over 1,200 organizations and over 7 million end users.

Nominet is still investigating the incident but has so far found no evidence of backdoors deployed on its systems, as first reported by ISPreview.

Since detecting suspicious activity on its network, the company has reported the attack to the relevant authorities, including the NCSC, and restricted VPN access to its systems.

"The entry point was through third-party VPN software supplied by Ivanti that enables our people to access systems remotely," Nominet says in a customer notice shared with BleepingComputer.


"However, we currently have no evidence of data breach or leakage. We already operate restricted access protocols and firewalls to protect our registry systems. Domain registration and management systems continue to operate as normal."


Attacks linked to suspected Chinese hackers

While the company didn't share further details on the VPN zero-day used in the attack, Ivanti said last week that attackers have been exploiting a critical Ivanti Connect Secure (ICS) zero-day vulnerability, tracked as CVE-2025-0282, to breach a limited number of customers' appliances.

According to cybersecurity company Mandiant (part of Google Cloud), the attackers began exploiting this vulnerability in mid-December, deploying the custom SPAWN malware toolkit, which is linked to a suspected China-nexus espionage group tracked as UNC5337.

They have also deployed the new DRYHOOK and PHASEJAM malware families (not currently attributed to a known threat group) on compromised VPN appliances.

Macnica researcher Yutaka Sejiyama told BleepingComputer that over 3,600 ICS appliances were exposed to the internet when Ivanti released a patch for the zero-day on Wednesday.

In October, Ivanti released further security updates to fix three other Cloud Services Appliance (CSA) zero-days that were also actively exploited in attacks.

Update January 13, 12:17 EST: Revised to say Nominet no longer runs UK's PDNS.

Update January 13, 13:50 EST: After publishing the article, Ivanti sent the following statement:

Upon identifying the vulnerabilities through our Integrity Checker Tool (ICT), Ivanti rapidly developed and released a patch within weeks for Ivanti Connect Secure, the only product where limited exploitation has been observed.

Consistent with our commitment to supporting customers, we are working closely with Nominet and the relevant authorities to provide all necessary support. We strongly urge all customers to follow the guidance outlined in our security advisory to ensure their systems are protected.

We appreciate the trust our customers place in us. We are committed to their security and to continuously improving our products and processes, in collaboration with the broader security ecosystem.
