Between January 21st and 28th, GreyNoise sensors observed reconnaissance activity against Ivanti Connect Secure jump roughly 100x above historical baselines (nope! not a typo!! 100x!!!). What made this spike interesting wasn’t just the volume—it was the structure. We’re tracking two distinct campaigns running in parallel, each with different infrastructure, pacing, and apparent objectives.

During this time, GreyNoise tracked two distinct campaigns targeting Ivanti Connect Secure’s /dana-na/auth/url_default/welcome.cgi endpoint. The campaigns share a target—CVE-2025-0282 (EPSS: 93.05%)—but diverge in infrastructure, tactics, and likely operators. Let’s look at what the infrastructure tells us.

Campaign 1: The AS213790 Cluster

The higher-volume campaign concentrated in AS213790, operated by Limited Network LTD. This provider has appeared in previous reconnaissance campaigns—familiar territory for threat hunters. The geographic footprint is clustered in Romania and Moldova.

Over the observation window, this campaign generated:

- 34,172 total sessions
- Peak rate of 1,310 requests/hour
- Aggressive burst patterns

The infrastructure choice suggests operators are comfortable with “noisy” providers that tolerate scanning traffic. The burst pattern indicates automated tooling running hot—someone’s racing to enumerate targets before patches deploy.

(Side note: AS213790 showing up again is the network equivalent of that one neighbor’s car alarm. At some point, you stop being surprised.)

Campaign 2: The Distributed Approach

The second campaign took the opposite approach. Roughly 6,000 unique IPs participated, spread across multiple ASNs and geographies. No single provider dominated the traffic.

This distribution pattern is consistent with:

- Botnet infrastructure – compromised hosts providing scanning capacity
- Residential proxy networks – purchased access to legitimate-appearing IPs
- Multi-cloud deployment – spinning up instances across providers to avoid concentration

The pacing stayed lower and steadier than Campaign 1. This isn’t operators who want speed—it’s operators who want to avoid detection.

Comparing the Campaigns

| Attribute | Campaign 1 | Campaign 2 |
|---|---|---|
| Infrastructure | Concentrated (AS213790) | Distributed |
| Geography | Romania/Moldova | Global |
| Volume | 34,172 sessions | ~6,000 IPs |
| Peak Rate | 1,310/hour | Lower, sustained |
| Strategy | Aggressive enumeration | Methodical reconnaissance |
| Detection Risk | Higher | Lower |

Are these the same actor with different tooling, or competing groups targeting the same vulnerability? Both scenarios are plausible. The timing overlap—both campaigns active across the same week—could indicate coordination or simply shared awareness of a high-value target.

The Target: CVE-2025-0282

The campaigns converge on /dana-na/auth/url_default/welcome.cgi, the pre-exploitation version-check endpoint associated with CVE-2025-0282. With an EPSS score of 93.05%, this vulnerability ranks near the top of exploitability rankings. CVE-2025-0283 (EPSS: 0.18%) affects the same product but hasn’t generated the same level of interest.

The EPSS differential makes sense. Attackers prioritize vulnerabilities with proven exploitation paths. A 93% score signals that weaponization is either available or imminent.

Defender Takeaways

The infrastructure analysis reinforces what the volume already suggested: this is serious reconnaissance activity, not background noise.

- Patch status matters now. CVE-2025-0282 exploitation is a matter of when, not if.
- Log review should include the target path. External requests to /dana-na/auth/url_default/welcome.cgi deserve scrutiny.
- Network exposure deserves reassessment. Every internet-facing Ivanti instance is potentially on a target list.
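
For the log-review takeaway, here is an added example (not GreyNoise code) that counts requests to the target path per source and per hour, then separates burst-style sources from low-and-slow ones, mirroring the two pacing patterns described above. It assumes access logs in common/combined log format from a proxy in front of the appliance; the `summarize` function, the burst threshold, and the sample lines are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime
from urllib.parse import unquote

TARGET = "/dana-na/auth/url_default/welcome.cgi"  # endpoint named in the write-up
# Assumption: common/combined log format from a proxy in front of the appliance.
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*" \d{3}')

# Constructed sample lines using documentation IP ranges, not real telemetry.
SAMPLE = [
    '192.0.2.10 - - [10/Feb/2030:03:00:01 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 512',
    '192.0.2.10 - - [10/Feb/2030:03:00:02 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 512',
    '192.0.2.10 - - [10/Feb/2030:03:00:04 +0000] "GET /dana-na/auth/url_default/welcome.cgi?x=1 HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Feb/2030:03:15:00 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 512',
    '203.0.113.44 - - [10/Feb/2030:07:40:12 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Feb/2030:07:41:00 +0000] "GET /index.html HTTP/1.1" 200 1024',
    'malformed line that the parser must skip',
]

def summarize(lines, burst_per_hour=3):
    """Count hits on TARGET per source and per hour; split sources by pacing."""
    per_hour = Counter()      # hour bucket -> hits
    per_src_hour = Counter()  # (source, hour bucket) -> hits
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        src, ts, raw_path = m.groups()
        path = unquote(raw_path.split("?", 1)[0])  # drop query string, decode %xx
        if path != TARGET:
            continue
        hour = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z").strftime("%Y-%m-%d %H:00")
        per_hour[hour] += 1
        per_src_hour[(src, hour)] += 1
    sources = {src for src, _ in per_src_hour}
    # A source is "bursty" if it reaches the threshold within any single hour.
    bursty = {src for (src, _), n in per_src_hour.items() if n >= burst_per_hour}
    return {
        "hits": sum(per_hour.values()),
        "unique_sources": len(sources),
        "peak_hour": max(per_hour.items(), key=lambda kv: kv[1], default=None),
        "bursty_sources": sorted(bursty),
        "low_and_slow_sources": sorted(sources - bursty),
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

A high unique-source count with few bursty sources matches the distributed pattern; a small set of sources driving the peak hour matches the concentrated one. Tune `burst_per_hour` to your own baseline.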

Ongoing Monitoring

We’re continuing to track both campaigns. As infrastructure patterns stabilize, we’ll publish IOCs for defenders to operationalize.

If you’re seeing hits against this endpoint in your environment, drop us a line. Collective visibility makes everyone’s picture clearer.