GreyNoise says it is the kind of activity that typically precedes new vulnerability disclosures

Ivanti VPN users should stay alert as IP scanning for the vendor's Connect Secure and Pulse Secure systems surged by 800 percent last week, according to threat intel biz GreyNoise.

The team at the internet monitoring company said this is the kind of pattern that usually precedes exploitation and public disclosure of new vulnerabilities.

At any given time, the typical daily number of unique IP addresses scanning for Ivanti VPNs is under 30, and sometimes in the single digits, per GreyNoise's data, but on April 18 this number surged to 234 probing Ivanti endpoints.

For context, over the past 90 days, 1,004 unique IPs were scanning Connect Secure and Pulse Secure endpoints, which means almost a quarter of the activity for the previous three months occurred on a single day.

Of these 1,004 IPs, 634 were designated "suspicious," 244 were "malicious," and 126 were "benign," GreyNoise ...