UK domain registry Nominet confirms breach via Ivanti zero-day

Nominet, the official .UK domain registry and one of the largest country code registries, has confirmed that its network was breached two weeks ago using an Ivanti VPN zero-day vulnerability.

The company manages and operates over 11 million .uk, .co.uk, and .gov.uk domain names, as well as other top-level domains, including .cymru and .wales.


It also ran the U.K.’s Protective Domain Name Service (PDNS) on behalf of the country’s National Cyber Security Centre (NCSC) until September 2024, protecting over 1,200 organizations and over 7 million end users.

Nominet is still investigating the incident but has so far found no evidence of backdoors deployed on its systems, as first reported by ISPreview.

Since detecting the suspicious activity on its network, the company has reported the attack to the relevant authorities, including the NCSC, and has restricted VPN access to its systems.

“The entry point was through third-party VPN software supplied by Ivanti that enables our people to access systems remotely,” Nominet says in a customer notice shared with GeekFeed.

“However, we currently have no evidence of data breach or leakage. We already operate restricted access protocols and firewalls to protect our registry systems. Domain registration and management systems continue to operate as normal.”


Attacks linked to suspected Chinese hackers

While the company did not share further details on the VPN zero-day used in the attack, Ivanti said last week that attackers have been exploiting a critical Ivanti Connect Secure zero-day (tracked as CVE-2025-0282, a stack-based buffer overflow that allows unauthenticated remote code execution on the appliance) to breach a limited number of customers' appliances.

According to cybersecurity company Mandiant (part of Google Cloud), attackers began exploiting the vulnerability in mid-December, deploying the custom Spawn malware toolkit, which Mandiant attributes to UNC5337, a suspected China-nexus espionage group.

They have also deployed the new Dryhook and Phasejam malware families (not currently attributed to any threat group) on compromised VPN appliances.

Macnica researcher Yutaka Sejiyama told GeekFeed that over 3,600 Ivanti Connect Secure (ICS) appliances were exposed online when Ivanti released a patch for the zero-day on Wednesday.

In October, Ivanti released security updates to fix three other zero-days in its Cloud Services Appliance (CSA) that were also being actively exploited in attacks.

Update January 13, 12:17 EST: Revised to say Nominet no longer runs the UK's PDNS.

Update January 13, 13:50 EST: After publishing the article, Ivanti sent the following statement:

Upon identifying the vulnerabilities through our Integrity Checker Tool (ICT), Ivanti rapidly developed and released a patch within weeks for Ivanti Connect Secure, the only product where limited exploitation has been observed. Consistent with our commitment to supporting customers, we are working closely with Nominet and the relevant authorities to provide all necessary support. We strongly urge all customers to follow the guidance outlined in our security advisory to ensure their systems are protected.

We appreciate the trust our customers place in us. We are committed to their security and to continuously improving our products and processes, in collaboration with the broader security ecosystem.
