0Day Attack On Nominet: UK Domains Under Attack.
VPN became a tool for hacking a British domain registrar.
British domain registrar Nominet is investigating a possible hack of its network in which hackers exploited a zero-day vulnerability in Ivanti software. The suspicious activity, which came through a bug in third-party VPN software from Ivanti, was discovered late last week. Nominet employees use the software to access systems remotely. The attack vector was related to a zero-day vulnerability.
At this time, the company says there is no evidence of data leakage or theft. There were also no traces of backdoors or other forms of unauthorized access to the network. To enhance security, access to systems via VPN was limited. Domain registration and management systems continue to operate as normal.
Nominet, which manages more than 11 million .uk domains, as well as .wales, .pharmacy and .career domains, said the investigation was being carried out with external experts and that notifications had been issued to customers, members and relevant authorities, including the UK National Cyber Security Centre (NCSC).
All signs point to Nominet being the first organization publicly identified as a victim of the ongoing exploitation of CVE-2025-0282 (CVSS Score: 9.0), a zero-day vulnerability affecting Ivanti Connect Secure, Policy Secure and Neurons for ZTA gateways. Ivanti and Mandiant confirmed that the attacks began in December, but the victims were not disclosed.
Mandiant discovered that this vulnerability was exploited by hackers associated with the Chinese group UNC5337. The attacks used the SPAWN malware ecosystem, including the previously unknown programs DRYHOOK and PHASEJAM. The attackers' main goals are to steal credentials and install web shells to gain persistent access.
Ivanti has released patches for Connect Secure, but patches for Policy Secure and Neurons for ZTA will not be available until January 21st. The company came under fire last year for delaying updates, leaving thousands of organizations without protection. Nominet says it has already begun rolling out the fixes. Users of Ivanti products are encouraged to update their software as soon as possible.