Key Takeaways

  • GreyNoise has detected active exploitation by more than 90 unique threat IPs in the past 24 hours across CVEs linked to the Chinese cyber espionage group, Silk Typhoon (HAFNIUM). 
  • GreyNoise is not attributing this activity to Silk Typhoon. Rather, we have identified active exploitation of CVEs that have been linked to Silk Typhoon’s operations in prior campaigns. 
  • CVE-2021-26855, CVE-2021-44228 (Log4Shell), and CVE-2024-3400 are being actively targeted by threat actors. 
  • GreyNoise’s observations come just one day after Microsoft reported Silk Typhoon’s shift to IT supply chain targeting.
  • On Wednesday, U.S. authorities reportedly charged alleged Silk Typhoon operatives in a hacker-for-hire scheme, paying up to $75,000 per compromised inbox. 
  • The findings come as U.S. policymakers escalate scrutiny of Chinese cyber threats, with the House Select Committee on the Chinese Communist Party (CCP) holding a hearing on March 5, the same day Microsoft released its report, on the growing risks posed by Chinese state-sponsored hacking. 

GreyNoise Confirms Exploitation in the Wild

GreyNoise analyzed CVEs linked to Silk Typhoon and found three actively exploited in the past 24 hours:

  • CVE-2021-26855 – An Exchange ProxyLogon SSRF vulnerability.
  • CVE-2021-44228 – The Log4Shell vulnerability, a critical Apache Log4j RCE. 
  • CVE-2024-3400 – A PAN-OS GlobalProtect RCE. 

GreyNoise Observations: Active Exploitation in the Past 24 Hours

GreyNoise’s Global Observation Grid (GOG) confirms exploitation of these CVEs in the past 24 hours. The heatmap below shows activity over the past 45 days, and the following data reflects the last 30 days. 

CVE-2021-26855 (ProxyLogon SSRF)

BLOCK MALICIOUS IPS

Top 3 Source Countries
  • Singapore
  • France
  • United States
Top 3 Behaviors of Exploiting IPs
  • ProxyLogon SSRF Attempt
  • ADB Attempt
  • Web Crawler
IP Count
  • 52 (Past 24 Hours)
  • 2,199 (Past 30 Days)

CVE-2021-44228 (Log4Shell RCE)

BLOCK MALICIOUS IPS

Top 3 Source Countries
  • United States 
  • Iran 
  • India
Top 3 Behaviors of Exploiting IPs
  • Apache Log4j RCE Attempt
  • Web Crawler
  • TLS/SSL Crawler
IP Count
  • 31 (Past 24 Hours)
  • 453 (Past 30 Days)

CVE-2024-3400 (PAN-OS GlobalProtect RCE)

BLOCK MALICIOUS IPS

Top 3 Source Countries
  • United States 
  • Singapore 
  • Germany
Top 3 Behaviors of Exploiting IPs
  • Palo Alto PAN-OS CVE-2024-3400 RCE Attempt
  • Generic Path Traversal Attempt
  • Web Crawler
IP Count
  • 10 (Past 24 Hours)
  • 164 (Past 30 Days)

Recommended Actions

  • Apply Patches Promptly – Ensure that all affected systems are updated to remediate CVE-2021-26855, CVE-2021-44288, and CVE-2024-3400.
  • Monitor GreyNoise Intelligence – Use GreyNoise tags and filtering to detect and block IPs engaged in malicious activity related to these CVEs. 
  • Reduce Exposure – 
    • Disable unnecessary internet-facing services. 
    • Implement strong authentication (such as MFA) on all accessible systems.
    • Segment networks to restrict lateral movement in case of compromise. 

GreyNoise will continue to monitor the threat landscape and provide insights on evolving attacker tactics. 

Explore the GreyNoise Visualizer.

––– ––– ––– 

Stone is Head of Content at GreyNoise Intelligence, where he leads strategic content initiatives that illuminate the complexities of internet noise and threat intelligence. In past roles, he led partnered research initiatives with Google and the U.S. Department of Homeland Security. With a background in finance, technology, and engagement with the United Nations on global topics, Stone brings a multidimensional perspective to cybersecurity. He is also affiliated with the Council on Foreign Relations. 

This article is a summary of the full, in-depth version on the GreyNoise Labs blog.
Read the full report
GreyNoise Labs logo
Link to GreyNoise Twitter account
Link to GreyNoise Twitter account