A sharp rise in suspicious online activity is raising concerns among organizations as hackers intensify their efforts to probe Ivanti Connect Secure (ICS) and Ivanti Pulse Secure (IPS) VPN systems for vulnerabilities. Cybersecurity firm GreyNoise has reported a nine-fold increase in scanning activity, indicating a possible coordinated effort to identify weaknesses that could be exploited in future attacks.
On April 18, GreyNoise tracked more than 230 unique IP addresses targeting ICS and IPS VPN endpoints—a drastic jump from the usual daily average of fewer than 30. In the past 90 days, over 1,000 unique IPs have been involved in similar scanning activities.
“This surge isn’t just random noise,” said a GreyNoise spokesperson. “Spikes like this often signal a buildup to more severe threats, as attackers scout for vulnerabilities before they are made public.”
Analysis of the Threat Landscape
The scanning activity is being carried out by a mix of malicious, suspicious, and benign IP addresses. Among the 244 malicious IPs, many are routed through Tor exit nodes and well-known cloud or VPS providers, which makes them harder to track. The 634 suspicious IPs generally use lesser-known hosting platforms and cloud services, further complicating detection. Meanwhile, 126 benign IP addresses do not currently show any malicious intent.
One key observation is that all identified IP addresses are “not spoofable,” meaning the scans originated from the observed addresses rather than forged ones. This suggests that the attackers are confident in their methods and may be using automated tools.
The scanning activity is not confined to any particular region. The U.S., Germany, and the Netherlands are the leading source countries, while the main targets are organizations based in the U.S., Germany, and the U.K. This global spread highlights the widespread appeal of Ivanti VPN systems among cybercriminals.
Potential Threats to Ivanti VPN Systems
Ivanti Connect Secure and Pulse Secure VPNs play a crucial role in providing remote access for enterprises. As businesses continue to rely on remote work, these VPN systems are becoming increasingly attractive targets for hackers.
Although no specific vulnerabilities (CVEs) have been linked to this scanning campaign, past incidents indicate that such reconnaissance often precedes active exploitation. History shows that increases in scanning activity frequently lead to the discovery and exploitation of new vulnerabilities, sometimes before they are even publicly disclosed.