Nominet, the official .UK area registry and one of many largest nation code registries, has confirmed that its community was breached two weeks in the past utilizing an Ivanti VPN zero-day vulnerability.
The corporate manages and operates over 11 million .uk, .co.uk, and .gov .uk domains and different top-level domains, together with .cymru and .wales.
It additionally runs the UK’s Protecting Area Title Service (PDNS) on behalf of the nation’s Nationwide Cyber Safety Centre (NCSC), defending greater than 1,200 organizations and over 7 million finish customers.
Nominet continues to be investigating the incident however has not discovered proof of any backdoors deployed on its techniques, as first report by ISPreview.
Because it detected suspicious exercise on its community, the corporate has reported the assault to related authorities, together with the NCSC, and restricted entry to its techniques by way of VPN connections.
“The entry level was by third-party VPN software program equipped by Ivanti that permits our folks to entry techniques remotely,” Nominet says in a buyer discover shared with BleepingComputer.
“Nonetheless, we presently haven’t any proof of information breach or leakage. We already function restricted entry protocols and firewalls to guard our registry techniques. Area registration and administration techniques proceed to function as regular.”
Assaults linked to suspected Chinese language hackers
Whereas the corporate did not share extra data on the VPN zero-day used within the assault, Ivanti mentioned final week that hackers have been exploiting a crucial Ivanti Join Safe zero-day vulnerability (tracked as CVE-2025-0282) to breach a restricted variety of prospects’ home equipment.
In response to cybersecurity firm Mandiant (a part of Google Cloud), the attackers began leveraging this vulnerability in mid-December, utilizing the customized Spawn malware toolkit (linked to a suspected China-linked espionage group tracked as UNC5337).
They’ve additionally deployed new Dryhook and Phasejam malware (not presently related to a risk group) on compromised VPN home equipment.
Macnica researcher Yutaka Sejiyama informed BleepingComputer that over 3,600 ICS home equipment have been uncovered on-line when Ivanti launched a patch for the zero-day on Wednesday.
In October, Ivanti launched extra safety updates to repair three different Cloud Providers Equipment (CSA) zero-days that have been additionally actively exploited in assaults.