
Nominet probes network intrusion linked to Ivanti zero-day exploit

Unauthorized activity detected, but no backdoors found


UK domain registry Nominet is investigating a potential intrusion into its network related to the latest Ivanti zero-day exploits.

Nominet told customers via an email sent on January 8, which was seen by The Register: "We became aware of suspicious activity on our network late last week. The entry point was through third-party VPN software supplied by Ivanti that enables our people to access systems remotely."


"The unauthorized intrusion into our network exploited a zero-day vulnerability," the email added.

At present, Nominet said there is no evidence to suggest that its data has been stolen or leaked, nor have any backdoors or other forms of unauthorized access into its network been identified.

"Aided by external experts, our investigation continues, and we have put additional safeguards in place, including restricted access to our systems from VPN," it said.

"Domain registration and management systems continue to operate as normal."

The top-level domain registry looks after more than 11 million .uk domains and others such as .wales, .pharmacy, and .career. It previously delivered the UK National Cyber Security Centre's Protective Domain Name Service (PDNS) before that contract was awarded to Cloudflare in April last year.

Nominet said its ongoing investigations have now been communicated to customers, members, and the relevant authorities, including the NCSC.

"We will update you when our investigation concludes, or as necessary," it told customers via the email.

All signs point to Nominet being the first organization to be publicly identified as a victim of the ongoing exploitation of CVE-2025-0282, the zero-day vulnerability affecting Ivanti Connect Secure, Policy Secure, and Neurons for ZTA gateways.

Ivanti and Mandiant, the threat intel giant drafted in to help manage the analysis of the issues, jointly disclosed the vulnerability on Wednesday. The pair noted that attacks using the vulnerability had been observed as far back as December but neither specified any victims nor the sectors they were in.

The revelation comes almost exactly a year after a similar zero-day hit the same Ivanti products in January 2024.

Mandiant's investigators linked the latest exploits to the activity cluster they track as UNC5337, a group with known ties to UNC5221, the culprits behind last year's attacks. Security outfit Volexity previously said that UNC5221 appears to have a China nexus, but Mandiant said there was not enough data to confirm attribution.

Mandiant's investigation found that successful exploitation led to the deployment of the previously known Spawn malware family, as well as two strains not seen before, now tracked as Dryhook and Phasejam.

Mandiant warned: "Defenders should be prepared for widespread, opportunistic exploitation, likely targeting credentials and the deployment of web shells to provide future access."

Ivanti released patches for vulnerable Connect Secure versions at the time of the zero-day disclosure, but Policy Secure and Neurons for ZTA Gateways, both of which are also affected by the two newly disclosed vulnerabilities, will have to wait until January 21 for their fixes.

The vendor came under fire last year for stalling on patch development, leaving customers without a fix for weeks and supplying only a mitigation that was not effective in all cases.

That 2024 zero-day exploitation was thought to have affected thousands of organizations, including Fortune 500 companies.

"Ivanti has made available patches to address this vulnerability which we are implementing," said Nominet. "Those also using Ivanti's VPN services are encouraged to patch their software immediately."
