Sunday, May 4, 2025

Hackers Use 1000+ IP Addresses to Target Ivanti VPN Vulnerabilities


A sweeping wave of suspicious online activity is putting organizations on alert as hackers ramp up their efforts to probe vulnerabilities in Ivanti Connect Secure (ICS) and Ivanti Pulse Secure (IPS) VPN systems.

Cybersecurity firm GreyNoise has identified a dramatic nine-fold increase in suspicious scanning activity, suggesting coordinated reconnaissance that could foreshadow future exploitation.

According to GreyNoise, more than 230 unique IP addresses targeted ICS and IPS VPN endpoints on April 18 alone—a sharp escalation from the typical daily average of fewer than 30.


Even more concerning, over the past 90 days, the number of unique IPs involved in similar activity soared to 1,004.

“This isn’t just isolated noise,” a GreyNoise spokesperson explained. “Spikes like this are often the prelude to more serious threats, particularly as attackers look for new vulnerabilities before they’re publicly disclosed.”

Threat Landscape

The cybersecurity firm’s analysis paints a detailed picture of the infrastructure behind these probes:

  • Malicious IPs (244 total): Many are routed through Tor exit nodes and well-known cloud or virtual private server (VPS) providers, making them difficult to track and block.
  • Suspicious IPs (634 total): These tend to use lesser-known or niche hosting platforms and less mainstream cloud infrastructure, often to avoid detection.
  • Benign IPs (126 total): Activity from these addresses is not currently associated with malicious intent.

Importantly, all identified IPs are “not spoofable,” meaning attackers are not attempting to disguise their origin—a sign of confidence or automation in their approach.

The scans are not limited to a single region. The top source countries for these scanning activities are the U.S., Germany, and the Netherlands, while the top destinations are organizations based in the U.S., Germany, and the U.K. This global footprint underscores the broad appeal of Ivanti systems as a target for cybercriminals.

Ivanti Connect Secure and Pulse Secure VPNs are widely used for enterprise remote access. Their strategic role makes them an attractive target for hackers, particularly as organizations continue to rely on remote work.

While no specific vulnerabilities (CVEs) have been publicly linked to this latest scanning campaign, past incidents show that such reconnaissance is often a harbinger of forthcoming attacks.

History shows that spikes in scanning activity often lead to active exploitation, sometimes before a new vulnerability is even discovered.
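To run the same comparison against your own gateway, count distinct source IPs per day and flag any day far above the trailing baseline. The sketch below is an added example, not GreyNoise's method or code from the article; the `<timestamp> <source-ip>` log layout, the function names, the thresholds and the sample data are all assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict
from datetime import date, timedelta
from statistics import median

def daily_unique_sources(lines):
    """Count distinct valid source IPs per day from '<ISO timestamp> <ip>' lines."""
    seen = defaultdict(set)
    for line in lines:
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            day = date.fromisoformat(parts[0][:10])
            ip = ipaddress.ip_address(parts[1])
        except ValueError:
            continue  # skip malformed lines instead of aborting the run
        seen[day].add(ip)
    return {d: len(ips) for d, ips in seen.items()}

def flag_spikes(counts, window=7, factor=3.0, min_history=3):
    """Return (day, count, baseline) for days at >= factor x the trailing median."""
    if not counts:
        return []
    first, last = min(counts), max(counts)
    flagged, day = [], first
    while day <= last:
        # Days missing from the log count as zero so gaps cannot inflate the baseline.
        prior = [day - timedelta(days=k) for k in range(1, window + 1)]
        history = [counts.get(p, 0) for p in prior if p >= first]
        if len(history) >= min_history:
            baseline = max(median(history), 1)  # floor avoids alerting on 0 -> 1
            if counts.get(day, 0) >= factor * baseline:
                flagged.append((day, counts[day], baseline))
        day += timedelta(days=1)
    return flagged

def build_sample():
    """Constructed log: eight quiet days, then one day with 27 distinct sources."""
    lines = ["not-a-log-line", "2025-04-12T00:00:00Z 999.1.1.1",  # both malformed
             "2025-04-10T05:00:00Z 198.51.100.1"]                 # repeat source
    start = date(2025, 4, 10)
    for i in range(9):
        n = 27 if i == 8 else 2 + i % 3
        for h in range(n):
            lines.append(f"{start + timedelta(days=i)}T01:00:00Z 198.51.100.{h + 1}")
    return lines

if __name__ == "__main__":
    for day, count, baseline in flag_spikes(daily_unique_sources(build_sample())):
        print(f"{day}: {count} unique sources vs. baseline {baseline}")
```

Using the median rather than the mean keeps one earlier noisy day from raising the baseline and hiding the next spike.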


Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.
