GreyNoise Round-Up: Product Updates - June And July 2023

As we roll through the summer, GreyNoise is back from its July two-week shutdown with a bunch of fresh new improvements, including 63 new tags and a bunch of exciting new data insights for our customers to explore in our Labs API.  We’ve also updated our integrations to add support for our IP Similarity and Timeline for our Palo Alto customers.

New: Explore C2 Data, HTTP activity, and more with our Labs Beta API

We’re excited to announce the availability of our Labs API. The Labs Beta API is a data source derived from the GreyNoise sensors and platform specifically designed to uncover insights our users may find intriguing and to facilitate exciting data explorations related to emerging threats.  These APIs are in beta today; however we welcome feedback that will improve the quality of our data and suggestions on how we can add them to our product.  Here are some of the datasets you can explore today:

topC2s

Access the top 10% of possible Command and Control (C2) IP addresses, ranked by their pervasiveness, observed by GreyNoise over the previous 24 hours. Use this query to identify second-stage IP addresses that might be involved in malicious activities following the reconnaissance and initial access stages. 

topHTTPRequests

Access the top 1% of HTTP requests, ranked by their pervasiveness, observed by GreyNoise over the last seven days. Gain insights into the background radiation of the internet, exploring the patterns and trends of HTTP requests.   

topPopularIPs

Access the top 1% of IPs searched in GreyNoise, ordered by the number of users observed searching over the last 7 days. Understand commonalities in how users search within GreyNoise, gaining insights into popular IPs and their associated activities. This query uses a minimum number of IP submissions and users to build consensus before an IP can be considered available in this dataset.

noiseRank

Access the top 1% of IPs by their noise score for the last 7 days. This score is determined by comparing the pervasiveness of the number of sensors and countries that observed packets from the IP, the request rate, and the diversity of payloads and ports for which the packets were observed.  This query is intended to help rank the top noise makers compared to the quiet single-hit scanners. 

Enhancement: Create an Alert for a Tag From the Tags Action Panel

We’ve added a “Create Alert” button in the Action panel on the Tag details page to make it easy to create an alert. GreyNoise users can use this to monitor scanning activity directly from the Tags page, informing them of any new IPs scanning for tags they are interested in.

Enhancement: Copy/Search Fields On IP Details

There is now a Copy/Search button in fields on the IP details page. The previous behavior did not allow users to copy the values in the fields.

‍

You can access the Copy/Search buttons by hovering over fields such as Ports Scanned, Country, OS in the IP Details pages.

Enhancement: Analysis File Size Increased to 4MB

Previously, the Analysis Feature only accepted inputs up to 2MB.  We've increased this to 4MB, so that customers can submit larger files without getting an error. 

New and Updated Integrations

Palo Alto XSOAR (Demisto) Improvements: IP Similarity and IP Timeline Support

We updated our Palo Alto XSOAR support to include our IP Similarity and IP Timeline features, allowing users to easily find similar IP addresses, or review GreyNoise’s classification history on an IP.

To learn more about using the XSOAR Demisto enhancements for IP Similarity and Timeline, you can check out our documentation.

Tags Coverage Enhancements

In June & July, GreyNoise added 63 new tags:

56 malicious activity tags

• 2023-07-31: Metabase RCE Attempt
• 2023-07-27: Ivanti EPMM (MobileIron Core) Authentication Bypass Attempt
• 2023-07-26: D-Link DIR-859 Gena RCE Attempt
• 2023-07-26: Citrix ShareFile RCE Attempt
• 2023-07-24: Hongdian H8922 Path Traversal Attempt
• 2023-07-24: Microsemi SyncServer RCE Attempt
• 2023-07-24: SuperWebMailer RCE Attempt
• 2023-07-24: Drupal Avatar Uploader Path Traversal Attempt
• 2023-07-24: Hongdian H8922 Unauthenticated File Disclosure Attempt
• 2023-07-24: Hongdian Remote Command Injection Attempt
• 2023-07-22: TOTOLink RCE Attempt
• 2023-07-22: Yii 2 RCE Attempt
• 2023-07-21: D-Link DSL-2888A RCE Attempt
• 2023-07-21: Cisco SPA112 RCE Attempt
• 2023-07-21: GeoServer RCE Attempt
• 2023-07-21: Grafana SSRF Attempt
• 2023-07-20: Adobe ColdFusion CVE-2023-29298 Access Control Bypass Attempt
• 2023-07-20: Adobe ColdFusion CVE-2023-29300 RCE Attempt
• 2023-07-20: Artica Web Proxy Auth Bypass Attempt
• 2023-07-20: Atom CMS RCE Attempt
• 2023-07-20: Cobbler RCE Attempt
• 2023-07-20: Citrix ADC/Netscaler CVE-2023-3519 RCE Attempt
• 2023-07-18: MOVEit Transfer SQLi Attempt
• 2023-07-18: SolarView Compact 6 CVE-2022-40881 RCE Attempt
• 2023-07-17: Sunhillo SureLine RCE Attempt
• 2023-07-17: Mida eFramework RCE Attempt
• 2023-07-17: Monitorr RCE Attempt
• 2023-07-17: Nette Framework RCE Attempt
• 2023-07-17: Netsweeper RCE Attempt
• 2023-07-17: openSIS Student Information SQLi Attempt
• 2023-07-17: OpenTSDB RCE Attempt
• 2023-07-17: SpaceLogic C-Bus Home Controller RCE Attempt
• 2023-07-17: LinuxKI Toolset RCE Attempt
• 2023-06-29: Zimbra Collaboration Suite SSRF Attempt
• 2023-06-29: MOVEit Transfer DMZ SQL Injection Attempt
• 2023-06-29: Apache APISIX API Authentication Bypass Attempt
• 2023-06-29: FortiLogger Arbitrary File Upload Attempt
• 2023-06-29: HashiCorp Consul SSRF Attempt
• 2023-06-29: ZEROF SQL Injection Attempt
• 2023-06-29: Ruby Dragonfly RCE Atempt
• 2023-06-29: Roundcube Webmail RCE Attempt
• 2023-06-29: VMware Aria CVE-2023-20864 RCE Attempt
• 2023-06-29: Zimbra Collaboration Suite CVE-2020-7796 SSRF Attempt
• 2023-06-26: Zyxel NAS RCE CVE-2023-27992 Attempt  
• 2023-06-22: Hexin NGD File Upload Attempt  
• 2023-06-22: Adobe ColdFusion CVE-2021-21087 RCE Attempt  
• 2023-06-22: Advantech R-SeeNet RCE Attempt 
• 2023-06-22: Apache Struts2 CVE-2021-31805 RCE Attempt 
• 2023-06-20: FortiNAC RCE CVE-2023-33300 Attempt  
• 2023-06-20: FortiNAC RCE CVE-2023-33299 Attempt  
• 2023-06-13: FortiOS SSL-VPN RCE CVE-2023-27997 Attempt 
• 2023-06-13: VMWare Aria Operations for Networks RCE Attempt  
• 2023-06-12: MOVEit SQL Injection Attempt 
• 2023-06-08: ZTE ZXV10 H108L RCE Attempt  
• 2023-06-07: Telerik Reporting XSS Attempt  
• 2023-06-02: Oracle Glassfish Directory Traversal Attempt 

2 benign actor tags

• 2023-07-20: MJ12Bot (actor)
• 2023-06-21: 1and1 Crawler

5 unknown tags

• 2023-07-26: Ivanti EPMM (MobileIron Core) Scanner
• 2023-06-09: Odoo XSS Check 
• 2023-06-07: Geoserver SQL Injection Check  
• 2023-06-07: l9tcpid internet scanning
• 2023-06-02: MOVEit Transfer Scanner  

All GreyNoise users can monitor scanning activity we’ve seen for a tag by creating an alert informing them of any new IPs scanning for tags they are interested in.

Notable Security Research and Detection Engineering Blogs:

• Progress’ MOVEit Transfer Critical Vulnerability | GreyNoise Blog 
• Observed In The Wild: New Tag For CVE-2023-20887 — VMWare Aria Operations for Networks
• Three New Tags For ColdFusion (2 🏷️) and Citrix (1 🏷️)
• Will the real Citrix CVE-2023-3519 please stand up?
• Introducing CVE-2023-24489: A Critical Citrix ShareFile RCE Vulnerability   

Don't have a GreyNoise account? Sign-up for free.