Summary: On April 18, 2025, a significant 9X increase in suspicious scanning activity was recorded targeting Ivanti Connect Secure (ICS) and Ivanti Pulse Secure (IPS) VPN systems, involving over 230 unique IPs. This surge raises concerns about coordinated reconnaissance efforts potentially leading to future exploitation. Security teams are advised to take immediate defensive actions, including reviewing logs and patching their systems.
Affected: Ivanti Connect Secure (ICS) and Ivanti Pulse Secure (IPS) systems
Keypoints :
- 234 unique IPs observed probing ICS/IPS endpoints on April 18, 2025.
- Past 90 days activity recorded 1,004 unique IPs associated with probing.
- Malicious IPs primarily used Tor exit nodes and familiar cloud services.
- Security teams should monitor logs and block suspicious IPs based on GreyNoise findings.
- Historical patterns suggest this activity may precede public vulnerability discoveries.
Source: https://www.greynoise.io/blog/surge-ivanti-connect-secure-scanning-activity