Full Report
Nominet, the U.K. domain registry that maintains .co.uk domains, has experienced a cybersecurity incident that it confirmed is linked to the recent exploitation of a new Ivanti VPN vulnerability. In an email to customers, seen by TechCrunch, Nominet warned of an “ongoing security incident” under investigation. Nominet said hackers accessed its systems via “third-party VPN […] © 2024 TechCrunch. All rights reserved. For personal use only.
Analysis Summary
# Incident Report: Nominet Compromise via Ivanti VPN Vulnerability
## Executive Summary
Nominet, the UK domain registry operator for `.co.uk` domains, confirmed an ongoing cybersecurity incident stemming from the exploitation of a vulnerability in a third-party Ivanti VPN. Attackers gained unauthorized access to Nominet's systems, prompting an investigation and a notification email to customers. The source identifies the vector only as the recently disclosed, actively exploited flaw in the Ivanti VPN product; it does not say how the appliance was deployed or managed.
## Incident Details
- Discovery Date: Unknown; the incident was confirmed *after* the Ivanti vulnerability became publicly known and was being exploited.
- Incident Date: Unknown; the source places it within the recent period of active exploitation of the Ivanti VPN vulnerability.
- Affected Organization: Nominet (The registry for **.co.uk** domains).
- Sector: Internet Infrastructure / Domain Registry
- Geography: United Kingdom
## Timeline of Events
### Initial Access
- Date/Time: Unknown, but linked to the active exploitation window of the Ivanti VPN vulnerability.
- Vector: Exploitation of a third-party VPN appliance running Ivanti software.
- Details: Attackers utilized a known vulnerability in the Ivanti VPN equipment to gain entry into Nominet's environment.
### Lateral Movement
- Details: Not described in the source text. The analysis assumes some lateral movement beyond the VPN gateway, based only on Nominet's confirmation of an "ongoing security incident"; this is an inference, not a reported fact.
### Data Exfiltration/Impact
- Details: The scope of data accessed or exfiltrated is currently under investigation by Nominet.
### Detection & Response
- Details: Nominet confirmed the security incident in an email to customers and stated that an investigation is underway. The source does not say whether external incident responders are involved; the analysis infers this from the incident being actively managed.
## Attack Methodology
- Initial Access: Exploitation of a zero-day or recently disclosed vulnerability in a third-party **Ivanti VPN** appliance (no CVE identifier is given in the source).
- Persistence: Unknown/Under Investigation.
- Privilege Escalation: Unknown/Under Investigation.
- Defense Evasion: Unknown/Under Investigation.
- Credential Access: Unknown/Under Investigation.
- Discovery: Unknown/Under Investigation.
- Lateral Movement: Unknown/Under Investigation.
- Collection: Unknown/Under Investigation.
- Exfiltration: Unknown/Under Investigation.
- Impact: Unauthorized access to internal systems connected via the compromised VPN infrastructure.
## Impact Assessment
- Financial: Not disclosed.
- Data Breach: Scope and type of data accessed are currently being investigated.
- Operational: The organization confirmed an "ongoing security incident," which indicates either active operational disruption or, at minimum, an elevated risk posture while the investigation continues.
- Reputational: High, as Nominet manages critical national domain infrastructure.
## Indicators of Compromise
*(No specific IOCs provided in the text)*
- Network indicators: None provided.
- File indicators: None provided.
- Behavioral indicators: Unauthorized access originating from the compromised Ivanti VPN gateway.
## Response Actions
- Containment measures: Not stated, but implied by the ongoing investigation and customer notification. Containment would most likely have involved isolating or patching the vulnerable Ivanti VPN; the source does not confirm this.
- Eradication steps: Unknown/Under Investigation.
- Recovery actions: Unknown/Under Investigation.
## Lessons Learned
- External dependency risk is significant: Reliance on third-party security appliances (such as an Ivanti VPN) can introduce major supply chain exposure, since a flaw in the vendor's product becomes a direct entry point into the organization.
- Patch Management Urgency: The incident highlights the severe risk posed by internet-facing infrastructure that is not patched promptly, especially once active exploitation of a vulnerability is known.
## Recommendations
- Immediately audit and replace/patch all third-party VPN solutions known to have critical vulnerabilities exploited in the wild.
- Enhance network segmentation to limit lateral movement capabilities should an internet-facing asset (like a VPN gateway) be compromised.
- Review procedures for rapid emergency patching of perimeter devices when major vulnerabilities affecting those technologies are disclosed.