GreyNoise Tag Round Up | June 7 - 18

New Tags

CVE-2020-25494

Tag: SCO OpenServer RCE Attempt [Intention: Malicious]

• This IP address has been observed attempting to exploit CVE-2020-25494, a remote command execution vulnerability in SCO OpenServer.
• Sources: NIST, Packet Storm Security
• See it on GreyNoise Viz

CVE-2021-22911

Tag: Rocket.Chat server RCE Attempt [Intention: Malicious]

• This IP address has been observed attempting to exploit CVE-2021-22911, a remote command execution vulnerability in Rocket.Chat server.
• Sources: NIST, @CsEnox (GitHub )
• See it on GreyNoise Viz

Tag: Vesta Control Panel RCE Attempt [Intention: Malicious]

• This IP address has been observed attempting to exploit a remote command execution vulnerability in Vesta Control Panel.
• Sources: ExploitDB, Cisco Talos
• See it on GreyNoise Viz

CVE-2021-27144/46 | CVE-2021-27148/55 | CVE-2021-27158/59 | CVE-2021-27162/66 | CVE-2021-27168/69 | CVE-2021-27172

Tag: FiberHome Telnet Backdoor [Intention: Malicious]

• This IP address has been observed attempting to authenticate via telnet using one of several known backdoor accounts in FiberHome routers.
• Sources: Pierre Kim
• See it on GreyNoise Viz

Tag: LokiBot C2 Crawler [Intention: Unknown]

• This IP address has been observed crawling the Internet and attempting to discover LokiBot C2 nodes.
• Sources: CISA
• See it on GreyNoise Viz

Tag: Aerospike Crawler [Intention: Unknown]

• This IP address has been observed crawling for insecure Aerospike databases.
• Sources: GitHub [1, 2]
• See it on GreyNoise Viz

Recent Actor Tag

• ESET  [Intention: Benign]

• Sources: ESET [1, 2]
• See it on GreyNoise Viz

Tag Improvements

As part of our process, our research team continues to clean up and improve on existing tags as new information or better processes are introduced.

Tag: Tomcat Manager Scanner [Intention: Unknown]

• This IP address has been observed scanning the Internet for exposed Tomcat Manager instances.
• Source: Ethicaltechsupport
• See it on GreyNoise Viz