On April 18, 2025, GreyNoise observed a 9X spike in suspicious scanning activity targeting Ivanti Connect Secure (ICS) or Ivanti Pulse Secure (IPS) VPN systems. 

More than 230 unique IPs probed ICS/IPS endpoints — a sharp rise from the usual daily baseline of fewer than 30. This surge may indicate coordinated reconnaissance and possible preparation for future exploitation. 

BLOCK MALICIOUS IPS

What We’re Seeing

GreyNoise has a tag tracking suspicious scanning activity for Ivanti Connect Secure systems. This tag includes IPs observed attempting to identify internet-accessible ICS/IPS systems.

Observed Spike: 234 Unique IPs on April 18, 2025

Observed Activity in Past 90 Days: 1,004 Unique IPs 

Spoofable IPs: 0% (All IPs are not spoofable)

IP Classifications: 

  • 634 Suspicious
  • 244 Malicious
  • 126 Benign

Top 3 Source Countries:

  • U.S. 
  • Germany 
  • Netherlands

Top 3 Destination Countries:

  • U.S. 
  • Germany 
  • U.K.

Infrastructure Insights

A closer look at the source infrastructure reveals a notable split in behavior:

  • Malicious IPs (those observed in other known malicious activity) are primarily using: 
    • Tor exit nodes
    • Common cloud and VPS providers with familiar names. 
  • Suspicious IPs are linked to:
    • Lesser-known or niche hosting providers. 
    • Less mainstream cloud infrastructure. 

Why This Matters

Ivanti Connect Secure has been targeted repeatedly in recent years due to its role in enterprise remote access. 

While no specific CVEs have been tied to this scanning activity yet, spikes like this often precede active exploitation. GreyNoise has previously observed similar patterns in the lead-up to the public discovery of new vulnerabilities. 

Recommended Defensive Actions

Security teams should: 

  • Review logs for suspicious probes of ICS/IPS.
  • Monitor login activity from new or suspicious IPs. 
  • Block known malicious or suspicious IPs using GreyNoise. 
  • Patch all ICS/IPS systems with the latest updates. 

GreyNoise will continue tracking this activity and will publish updates as necessary. 

— — — 

Stone is Head of Content at GreyNoise Intelligence, where he leads strategic content initiatives that illuminate the complexities of internet noise and threat intelligence. In past roles, he led partnered research initiatives with Google and the U.S. Department of Homeland Security. With a background in finance, technology, and engagement with the United Nations on global topics, Stone brings a multidimensional perspective to cybersecurity. He is also affiliated with the Council on Foreign Relations.

This article is a summary of the full, in-depth version on the GreyNoise Labs blog.
Read the full report
GreyNoise Labs logo
Link to GreyNoise Twitter account
Link to GreyNoise Twitter account