83% of Ivanti EPMM Exploits Linked to Single IP on Bulletproof Hosting Infrastructure

By NextTech | February 13, 2026
Ravie Lakshmanan | Feb 12, 2026 | Vulnerability / Network Security

A significant chunk of the exploitation attempts targeting a newly disclosed security flaw in Ivanti Endpoint Manager Mobile (EPMM) can be traced back to a single IP address on bulletproof hosting infrastructure offered by PROSPERO.

Threat intelligence firm GreyNoise said it recorded 417 exploitation sessions from 8 unique source IP addresses between February 1 and 9, 2026. An estimated 346 exploitation sessions originated from 193.24.123[.]42, accounting for 83% of all attempts.

The malicious activity is designed to exploit CVE-2026-1281 (CVSS score: 9.8), one of the two critical security vulnerabilities in EPMM, along with CVE-2026-1340, that could be exploited by an attacker to achieve unauthenticated remote code execution. Late last month, Ivanti acknowledged it is aware of a "very limited number of customers" who were impacted following the zero-day exploitation of the issues.

Since then, several European agencies, including the Netherlands' Dutch Data Protection Authority (AP), Council for the Judiciary, the European Commission, and Finland's Valtori, have disclosed that they were targeted by unknown threat actors using the vulnerabilities.

Further analysis has revealed that the same host has been simultaneously exploiting three other CVEs across unrelated software –

"The IP rotates through 300+ unique user agent strings spanning Chrome, Firefox, Safari, and a number of operating system variants," GreyNoise said. "This fingerprint variety, combined with concurrent exploitation of 4 unrelated software products, is in keeping with automated tooling."

It's worth noting that PROSPERO is assessed to be linked to another autonomous system called Proton66, which has a history of distributing desktop and Android malware like GootLoader, Matanbuchus, SpyNote, Coper (aka Octo), and SocGholish.

GreyNoise also pointed out that 85% of the exploitation sessions beaconed home via the domain name system (DNS) to confirm "this target is exploitable" without deploying any malware or exfiltrating data.

The disclosure comes days after Defused Cyber reported a "sleeper shell" campaign that deployed a dormant in-memory Java class loader to compromised EPMM instances at the path "/mifs/403.jsp." The cybersecurity company said the activity is indicative of initial access broker tradecraft, where threat actors establish a foothold to sell or hand off access later for financial gain.

"That pattern is important," it noted. "OAST [out-of-band application security testing] callbacks indicate the campaign is cataloging which targets are vulnerable rather than deploying payloads immediately. That is in keeping with initial access operations that verify exploitability first and deploy follow-on tooling later."

Ivanti EPMM users are recommended to apply the patches, audit internet-facing Mobile Device Management (MDM) infrastructure, review DNS logs for OAST-pattern callbacks, monitor for the /mifs/403.jsp path on EPMM instances, and block PROSPERO's autonomous system (AS200593) at the network perimeter level.
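One way to triage web access logs against the indicators in this article, as an added example that is not code from GreyNoise, Ivanti or the original report: it flags requests from the reported source IP, requests for the /mifs/403.jsp path, and any source that rotates through many user agent strings. The "combined" log layout, the `triage` function name and the rotation threshold are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Indicators quoted in the article; the rest of this script is assumption.
SCANNER_IP = "193.24.123.42"    # written defanged in the article
SLEEPER_PATH = "/mifs/403.jsp"  # path reported for the dormant class loader
UA_THRESHOLD = 3                # assumed cut-off, sized for the small sample

# Assumed "combined" access-log layout; adapt to the appliance's real format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def triage(lines, ua_threshold=UA_THRESHOLD):
    """Flag known-IP requests, sleeper-path requests and user-agent rotation."""
    known_ip, path_hits, agents = [], [], defaultdict(set)
    for n, line in enumerate(lines, 1):
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparsable line: skip instead of guessing fields
        ip = m["ip"]
        agents[ip].add(m["ua"])
        if ip == SCANNER_IP:
            known_ip.append(n)
        # Match on the path alone, ignoring query string, path params and case.
        path = re.split(r"[?;]", m["uri"], maxsplit=1)[0].lower()
        if path == SLEEPER_PATH:
            path_hits.append((n, ip, m["status"]))
    rotating = {ip: len(s) for ip, s in agents.items() if len(s) >= ua_threshold}
    return {"known_ip": known_ip, "sleeper_path": path_hits, "ua_rotation": rotating}

# Constructed sample lines, not real traffic.
SAMPLE = [
    '193.24.123.42 - - [05/Feb/2026:10:00:01 +0000] "GET /constructed/a HTTP/1.1" 404 0 "-" "Chrome/120 (constructed)"',
    '193.24.123.42 - - [05/Feb/2026:10:00:02 +0000] "GET /constructed/b HTTP/1.1" 404 0 "-" "Firefox/121 (constructed)"',
    '193.24.123.42 - - [05/Feb/2026:10:00:03 +0000] "GET /constructed/c HTTP/1.1" 404 0 "-" "Safari/17 (constructed)"',
    '198.51.100.7 - - [05/Feb/2026:10:05:00 +0000] "GET /mifs/403.jsp?k=v HTTP/1.1" 200 12 "-" "curl/8.0 (constructed)"',
    '203.0.113.9 - - [05/Feb/2026:10:06:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Chrome/120 (constructed)"',
    'truncated or malformed line',
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(key, value)
```
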

"EPMM compromise provides access to device management infrastructure for entire organizations, creating a lateral movement platform that bypasses traditional network segmentation," GreyNoise said. "Organizations with internet-facing MDM, VPN concentrators, or other remote access infrastructure should operate under the assumption that critical vulnerabilities face exploitation within hours of disclosure."

Update

Following the publication of the story, an Ivanti spokesperson shared the below statement with The Hacker News –

Ivanti's recommendation remains the same: customers who have not yet patched should do so immediately, and then review their appliance for any signs of exploitation that may have occurred prior to patching. Applying the patch is the most effective way to prevent exploitation, regardless of how IoCs change over time, especially once a POC is available. The patch requires no downtime and takes only seconds to apply.

Ivanti has provided customers with high-fidelity indicators of compromise, technical analysis at disclosure, and an Exploitation Detection script developed with NCSC-NL, and continues to support customers as we respond to this threat.
