While you will be able to find a comprehensive list of all the tags created since our last round up below, the GreyNoise Research team wanted to highlight some interesting tags.
Apache Log4j RCE Attempt [Intention: Malicious]
Self-explanatory.
Backdoor Connection Attempt via WinDivert [Intention: Malicious]
This tag was created this week as a result of the research done by the Avast team.
DNS Over HTTPS Scanner [Intention: Unknown]
Relatively new technology. It's interesting because “why would you scan the internet for that?” and there's no clear motive that we can tell.
Microsoft HTTP.sys RCE Attempt [Intention: Malicious]
Critical vulnerability in MS Windows’ http.sys kernel module.
VMware vCenter SSRF Attempt [Intention: Malicious]
Widely popular server management software.
Zoho ManageEngine ServiceDesk Plus msiexec RCE Attempt [Intention: Malicious]
A critical vulnerability in a popular help desk platform.
It has been a while since we last published a Tag Round Up! If these are helpful to you, or you have suggestions on what you would like to see, please reach out to community@greynoise.io.
Antiwork Port 9100 Print Request [Intention: Unknown]
This IP address has been observed sending distinct RAW TCP/IP requests to network printers. References:
- https://en.wikipedia.org/wiki/JetDirect#Protocols
- https://web.archive.org/web/20211130181319/https://i.redd.it/d6v5i21cmr281.jpg
Backdoor Connection Attempt via WinDivert [Intention: Malicious]
This IP address has been observed attempting to send a known activation secret "CB5766F7436E22509381CA605B98685C8966F16B" for a malicious backdoor utilizing WinDivert. References:
- https://decoded.avast.io/threatintel/avast-finds-backdoor-on-us-government-commission-network/
- https://github.com/avast/ioc/blob/master/usgov-backdoor/rce_example/run_calculator_on_infected.py
DNS Over HTTPS Scanner [Intention: Unknown]
This IP address has been observed attempting to scan for responses to DNS over HTTPS (DoH) requests. References:
Generic Unix Reverse Shell Attempt [Intention: Malicious]
This IP address has been observed attempting to spawn a generic Unix reverse shell via the web request. References:
iKettle Crawler [Intention: Unknown]
This IP address has been observed crawling the Internet and attempting to discover iKettle devices. References:
InfluxDB Crawler [Intention: Unknown]
This IP address has been observed crawling the Internet and attempting to discover InfluxDB instances. References:
IRC Crawler [Intention: Unknown]
This IP address has been observed sending NICK and USER commands used to register a connection with an IRC server. References:
iSCSI Crawler [Intention: Unknown]
This IP address has been observed crawling the Internet and attempting to discover hosts that respond to iSCSI login requests. References:
- https://www.rfc-editor.org/rfc/rfc7143.html#section-11.2
- https://book.hacktricks.xyz/pentesting/3260-pentesting-iscsi
Jira REST API Crawler [Intention: Unknown]
This IP address has been observed attempting to enumerate Jira instances. References:
Apache Druid RCE Attempt [Intention: Malicious]
CVE-2021-25646
This IP address has been observed attempting to exploit CVE-2021-25646, a remote command execution vulnerability in Apache Druid v0.20.0 and earlier. References:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25646
- https://www.zerodayinitiative.com/blog/2021/3/25/cve-2021-25646-getting-code-execution-on-apache-druid
- https://blogs.juniper.net/en-us/threat-research/cve-2021-25646-apache-druid-embedded-javascript-remote-code-execution
Apache Log4j RCE Attempt [Intention: Malicious]
CVE-2021-44228 | CVE-2021-45046
This IP address has been observed attempting to exploit CVE-2021-44228 and CVE-2021-45046, remote code execution vulnerabilities in the popular Java logging library Apache Log4j. CVE-2021-44228 affects versions 2.14.1 and earlier; CVE-2021-45046 affects versions 2.15.0 and earlier. References:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046
- https://www.lunasec.io/docs/blog/log4j-zero-day/
- https://github.com/apache/logging-log4j2/pull/608
- https://www.lunasec.io/docs/blog/log4j-zero-day-severity-of-cve-2021-45046-increased/
CentOS Web Panel RCE Attempt [Intention: Malicious]
This IP address has been observed attempting to exploit a vulnerability in CentOS Web Panel, which can lead to elevated privileges and remote code execution. References:
- https://octagon.net/blog/2022/01/22/cve-2021-45467-cwp-centos-web-panel-preauth-rce/
- https://portswigger.net/daily-swig/rce-bug-chain-patched-in-centos-web-panel
FHEM LFI [Intention: Malicious]
CVE-2020-19360
This IP address has been observed attempting to exploit CVE-2020-19360, a local file inclusion vulnerability in the FHEM Perl server. References:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-19360
- https://github.com/EmreOvunc/FHEM-6.0-Local-File-Inclusion-LFI-Vulnerability/blob/master/README.md
GLPI SQL Injection Attempt [Intention: Malicious]
CVE-2019-10232
This IP address has been observed attempting to exploit CVE-2019-10232, an SQL injection vulnerability in GLPI service management software. References:
- https://nvd.nist.gov/vuln/detail/CVE-2019-10232
- https://www.synacktiv.com/ressources/advisories/GLPI_9.3.3_SQL_Injection.pdf
- https://github.com/glpi-project/glpi/commit/684d4fc423652ec7dde21cac4d41c2df53f56b3c
Grafana Path Traversal Attempt [Intention: Malicious]
CVE-2021-43798
This IP address has been observed attempting to exploit CVE-2021-43798, a path traversal and arbitrary file read in Grafana. References:
- https://nvd.nist.gov/vuln/detail/CVE-2021-43798
- https://github.com/grafana/grafana/security/advisories/GHSA-8pjx-jj86-j47p
- https://therecord.media/grafana-releases-security-patch-after-exploit-for-severe-bug-goes-public/
Grafana Path Traversal Check [Intention: Unknown]
CVE-2021-43798
This IP address has been observed attempting to check for the presence of CVE-2021-43798, a path traversal and arbitrary file read in Grafana. References:
- https://nvd.nist.gov/vuln/detail/CVE-2021-43798
- https://github.com/grafana/grafana/security/advisories/GHSA-8pjx-jj86-j47p
- https://therecord.media/grafana-releases-security-patch-after-exploit-for-severe-bug-goes-public/
HRsale LFI [Intention: Malicious]
CVE-2020-27993
This IP address has been observed attempting to exploit CVE-2020-27993, a local file inclusion vulnerability in HRsale. References:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27993
- https://www.exploit-db.com/exploits/48920
Metabase LFI Attempt [Intention: Malicious]
CVE-2021-41277
This IP address has been observed attempting to exploit CVE-2021-41277, a local file inclusion vulnerability in Metabase. References:
- https://github.com/metabase/metabase/security/advisories/GHSA-w73v-6p7p-fpfr
- https://nvd.nist.gov/vuln/detail/CVE-2021-41277
- https://twitter.com/90security/status/1461923313819832324
Microsoft HTTP.sys RCE Attempt [Intention: Malicious]
CVE-2021-31166
This IP address has been observed attempting to exploit CVE-2021-31166, a remote code execution vulnerability in the Windows HTTP protocol stack. References:
- https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2021-31166
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/cve-2021-31166-rce-in-microsoft-httpsys/
- https://www.zerodayinitiative.com/blog/2021/5/17/cve-2021-31166-a-wormable-code-execution-bug-in-httpsys
Motorola Baby Monitor RCE Attempt [Intention: Malicious]
CVE-2021-3577
This IP address has been observed attempting to exploit CVE-2021-3577, a remote command execution vulnerability in Motorola Halo+ baby monitors. References:
- https://randywestergren.com/unauthenticated-remote-code-execution-in-motorola-baby-monitors/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3577
NodeBB API Token Bypass Attempt [Intention: Malicious]
CVE-2021-43786
This IP address has been observed attempting to exploit CVE-2021-43786, an API token bypass in NodeBB that unintentionally allows master token access and can lead to remote code execution. References:
- https://nvd.nist.gov/vuln/detail/CVE-2021-43786
- https://blog.sonarsource.com/nodebb-remote-code-execution-with-one-shot
- https://portswigger.net/daily-swig/critical-vulnerabilities-in-open-source-forum-software-nodebb-could-lead-to-rce
October CMS Password Reset Scanner [Intention: Malicious]
CVE-2021-32648
This IP address has been observed attempting to exploit CVE-2021-32648, a password reset vulnerability in October CMS. References:
- https://nvd.nist.gov/vuln/detail/CVE-2021-32648
- https://github.com/Immersive-Labs-Sec/CVE-2021-32648/blob/main/cve-2021-32648.py
TP-Link TL-WR840N RCE Attempt [Intention: Malicious]
CVE-2021-41653
This IP address has been observed attempting to exploit CVE-2021-41653, a remote command execution vulnerability in TP-Link TL-WR840N EU v5. References:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41653
- https://securityforeveryone.com/tools/tp-link-os-command-injection-cve-2021-41653
- https://github.com/ohnonoyesyes/CVE-2021-41653
VMware vCenter Arbitrary File Read Attempt [Intention: Malicious]
CVE-2021-21980
This IP address has been observed attempting to exploit CVE-2021-21980, an unauthorized arbitrary file read vulnerability in vSphere Web Client. References:
- https://www.vmware.com/security/advisories/VMSA-2021-0027.html
- https://nvd.nist.gov/vuln/detail/CVE-2021-21980
- https://github.com/l0ggg/VMware_vCenter
VMware vCenter SSRF Attempt [Intention: Malicious]
CVE-2021-22049
This IP address has been observed attempting to exploit CVE-2021-22049, a server-side request forgery vulnerability in vSphere Web Client. References:
- https://www.vmware.com/security/advisories/VMSA-2021-0027.html
- https://nvd.nist.gov/vuln/detail/CVE-2021-22049
- https://github.com/l0ggg/VMware_vCenter
WebSVN 2.6.0 RCE CVE-2021-32305 [Intention: Malicious]
CVE-2021-32305
This IP address has been observed scanning the Internet for devices vulnerable to CVE-2021-32305, a remote code execution vulnerability in WebSVN triggered by shell metacharacters in the search parameter. References:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32305
- https://packetstormsecurity.com/files/163225/Websvn-2.6.0-Remote-Code-Execution.html
Zimbra Collaboration Suite XXE Attempt [Intention: Malicious]
CVE-2019-9670
This IP address has been observed attempting to exploit CVE-2019-9670, an XXE vulnerability in Synacor Zimbra Collaboration Suite 8.7.x before 8.7.11p10. References:
- https://www.exploit-db.com/exploits/46693/
- https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories
- https://bugzilla.zimbra.com/show_bug.cgi?id=109129
- http://www.rapid7.com/db/modules/exploit/linux/http/zimbra_xxe_rce
- http://packetstormsecurity.com/files/152487/Zimbra-Collaboration-Autodiscover-Servlet-XXE-ProxyServlet-SSRF.html
- https://isc.sans.edu/forums/diary/CVE20199670+Zimbra+Collaboration+Suite+XXE+vulnerability/27570/
Zoho ManageEngine ServiceDesk Plus msiexec RCE Attempt [Intention: Malicious]
CVE-2021-44077
This IP address has been observed attempting to exploit CVE-2021-44077, a remote command execution vulnerability in Zoho ManageEngine ServiceDesk Plus before 11306, ServiceDesk Plus MSP before 10530, and SupportCenter Plus before 11014. References: