One of the UK’s largest country code registries, Nominet, has confirmed that it suffered a data breach after unknown hackers exploited an Ivanti VPN zero-day vulnerability.
The affected entity is the official UK domain registry that administers and controls more than 11 million [.]uk, [.]co[.]uk, and [.]gov[.]uk domain names, as well as additional top-level domains such as [.]cymru and [.]wales.
Moreover, until September last year, it managed the UK’s Protective Domain Name Service (PDNS) on behalf of the NCSC, which covered at least 1,200 organisations and over 7 million end users. Nominet is still assessing the situation, but it has reported no evidence of any backdoors installed on its systems.
Since detecting unusual activity on its network, the company has notified the appropriate authorities about the attack and blocked access to its systems through VPN connections.
Additionally, the UK domain registry explained that the entry point of the attack was third-party VPN software provided by Ivanti, which its employees use to access systems remotely.
The entity also implemented firewalls and restricted access protocols to protect its registry systems, and stated that its domain registration and management services are operating normally.
Chinese hackers are suspected of being behind the Nominet breach.
Nominet did not provide details about the VPN zero-day exploited in the attack. However, Ivanti stated last week that hackers have been exploiting a severe Ivanti Connect Secure zero-day vulnerability to compromise a limited number of customers’ appliances.
Investigations showed that threat actors started exploiting this vulnerability in mid-December, using the custom Spawn malware toolkit. This malware has suspected links to the Chinese espionage group tracked as UNC5337.
These hackers have also installed the new Dryhook and Phasejam malware strains on compromised VPN appliances. According to researchers, approximately 3,600 Ivanti Connect Secure (ICS) appliances were exposed online at the time Ivanti released a patch for the zero-day bug.
In October last year, Ivanti also released additional security patches to address three other Cloud Services Appliance (CSA) zero-days that were being actively exploited in attacks.
Potentially affected parties should remain vigilant about their digital presence, as these attacks will likely continue given the motivation of cyberespionage groups.