GreyNoise says most observed exploitation activity targeting two critical Ivanti Endpoint Manager Mobile (EPMM) vulnerabilities is being driven by a single threat actor.

## What happened

BleepingComputer reports that GreyNoise observed **417 exploitation sessions** (Feb 1–9) aimed at **two critical Ivanti EPMM vulnerabilities**: unauthenticated code injection flaws that allow remote code execution.

GreyNoise attributes **83% of the exploitation volume** to one IP address (**193.24.123.42**) hosted in a network described as *bulletproof* hosting infrastructure.

## Why it matters

- **Concentrated exploitation** often indicates an organized scanning/exploitation operation that can rapidly pivot to new targets.

- If defenders only block indicators that are already widely published, they may miss the *dominant* source of exploitation activity.

- GreyNoise also observed **OAST-style DNS callbacks** in a large share of sessions. In this pattern the injected payload makes the target resolve an attacker-controlled hostname, so the attacker learns that code executed without needing any output in the HTTP response; such automated "check-for-RCE" probing is commonly used by initial access brokers.

## Key technical details (as reported)

- GreyNoise saw 8 unique source IPs, with one responsible for the bulk of sessions.

- A spike was recorded on Feb 8 with 269 sessions in one day.

- The same infrastructure was observed targeting multiple vulnerabilities beyond Ivanti, indicating broad opportunistic scanning.

## What organizations should do

1. **Apply vendor hotfixes/mitigations immediately** and plan for the full patch release when available.

2. **Hunt beyond public IoC lists**: include anomaly-based detections (unexpected requests to EPMM administrative endpoints, unusual user agents for those endpoints, and DNS lookups from the EPMM host to callback domains).

3. **Review exposed EPMM instances** and consider segmented rebuild/migration if recommended by the vendor.
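As an added example (not code from the article, GreyNoise, or BleepingComputer), the following Python script runs the three anomaly checks listed above over constructed log lines: it measures how much of the traffic to an administrative path comes from a single source IP (the concentration pattern described in the report), lists sources hitting that path with a user agent outside an expected allowlist, and flags DNS queries that look like OAST callbacks. The IPs, request paths, user agents, domains, the `/admin/api` prefix and the `EXPECTED_UA_PREFIXES` allowlist are assumptions for illustration; the `OAST_SUFFIXES` list names a few public callback services and is likewise an assumption to be tuned for your own environment.

```python
import re
from collections import Counter

# Constructed sample access-log lines (combined log format). The IPs, paths
# and user agents are invented for this example, not indicators from the report.
ACCESS_LOG = """\
203.0.113.7 - - [08/Feb/2026:10:01:02 +0000] "POST /admin/api/example HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [08/Feb/2026:10:01:03 +0000] "POST /admin/api/example HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [08/Feb/2026:10:01:04 +0000] "POST /admin/api/example HTTP/1.1" 500 128 "-" "python-requests/2.31"
203.0.113.7 - - [08/Feb/2026:10:01:05 +0000] "POST /admin/api/example HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [08/Feb/2026:10:01:06 +0000] "POST /admin/api/example HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.23 - - [08/Feb/2026:10:05:00 +0000] "GET /admin/api/example HTTP/1.1" 200 512 "-" "Go-http-client/1.1"
192.0.2.44 - - [08/Feb/2026:10:06:00 +0000] "GET /login HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
"""

# Constructed DNS resolver log from the EPMM host (client=) and another host.
DNS_LOG = """\
2026-02-08T10:01:02Z client=10.0.0.5 query=a1b2c3d4e5f6a7b8c9d0e1f2.oast.example A
2026-02-08T10:01:03Z client=10.0.0.5 query=c9d0e1f2a1b2c3d4e5f6a7b8.interact.sh A
2026-02-08T10:01:10Z client=10.0.0.5 query=updates.vendor.example A
2026-02-08T10:01:11Z client=10.0.0.9 query=www.example.com A
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Assumed allowlist: user agents expected on the admin path (admins' browsers).
EXPECTED_UA_PREFIXES = ("Mozilla/",)

# Assumed: a few public OAST callback services plus a pattern for the long
# random leftmost label that callback hostnames typically carry.
OAST_SUFFIXES = ("interact.sh", "oast.fun", "oast.live", "burpcollaborator.net",
                 "oastify.com", "oast.example")
RANDOM_LABEL_RE = re.compile(r"^[a-z0-9]{20,}\.")


def parse_access(log: str):
    """Return a dict per combined-format line that parses; skip malformed lines."""
    records = []
    for line in log.splitlines():
        m = LOG_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def source_concentration(records, path_prefix: str):
    """Share of requests under path_prefix sent by the single busiest IP.

    Returns (top_ip, top_count, total, share). A high share from one IP is the
    'one source drives most exploitation' pattern worth a dedicated block/alert.
    """
    counts = Counter(r["ip"] for r in records if r["path"].startswith(path_prefix))
    total = sum(counts.values())
    if total == 0:
        return None, 0, 0, 0.0
    top_ip, top_count = counts.most_common(1)[0]
    return top_ip, top_count, total, top_count / total


def unexpected_user_agents(records, path_prefix: str):
    """Sorted IPs that reached path_prefix with a user agent outside the allowlist."""
    return sorted({r["ip"] for r in records
                   if r["path"].startswith(path_prefix)
                   and not r["ua"].startswith(EXPECTED_UA_PREFIXES)})


def oast_callbacks(dns_log: str):
    """(client, qname) pairs whose qname ends in an OAST suffix or starts with a
    long random-looking label; either is a strong hint of a callback payload."""
    hits = []
    for line in dns_log.splitlines():
        m = re.search(r"client=(\S+) query=(\S+)", line)
        if not m:
            continue
        client, qname = m.groups()
        if qname.endswith(OAST_SUFFIXES) or RANDOM_LABEL_RE.match(qname):
            hits.append((client, qname))
    return hits


if __name__ == "__main__":
    recs = parse_access(ACCESS_LOG)
    ip, n, total, share = source_concentration(recs, "/admin/api")
    print(f"top source {ip}: {n}/{total} admin-path requests ({share:.0%})")
    print("unexpected user agents from:", unexpected_user_agents(recs, "/admin/api"))
    for client, qname in oast_callbacks(DNS_LOG):
        print(f"possible OAST callback from {client}: {qname}")
```

In the constructed data one IP accounts for five of six admin-path requests, which is the kind of ratio the report describes; in production, feed the same functions a day's worth of logs and alert when the top-source share and request count both exceed thresholds you have baselined, rather than on the ratio alone (a single legitimate admin can dominate a quiet day).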

Source: BleepingComputer (see link below).