GreyNoise Tag Roundup | August 16 - September 1

New Tags

Atlassian Confluence Server OGNL Injection Attempt [Intention: Malicious]

• CVE-2021-26084
• This IP address has been observed attempting to exploit CVE-2021-26084, an OGNL injection vulnerability in Confluence Server and Data Center.
• Sources: GitHub (1, 2), MITRE
• See it on GreyNoise Viz

Atlassian Confluence Server OGNL Injection Vuln Check [Intention: Unknown]

• CVE-2021-26084
• This IP address has been observed checking for the existence of CVE-2021-26084, an OGNL injection vulnerability in Confluence Server and Data Center.
• Sources: GitHub (1, 2), MITRE
• See it on GreyNoise Viz

Oracle WebLogic RCE CVE-2021-2109 [Intention: Malicious]

• CVE-2021-2109
• This IP address has been observed exploiting Oracle WebLogic CVE-2021-2109.
• Sources: Mitre, PacketStorm Security, GitHub
• See it on GreyNoise Viz

Seagate BlackArmor RCE Attempt [Intention: Malicious]

• CVE-2014-3206
• This IP address has been observed exploiting CVE-2014-3206, a remote code execution vulnerability in Seagate BlackArmor NAS.
• Sources: NIST, VulDB, ExploitDB
• See it on GreyNoise Viz

ASUS GT-AC2900 Auth Bypass Attempt [Intention: Malicious]

• CVE-2021-32030
• This IP address has been observed attempting to exploit CVE-2021-32030, an authentication bypass in ASUS GT-AC2900 routers.
• Sources: MITRE, Atredis
• See it on GreyNoise Viz

Apache SkyWalking GraphQL SQL Injection  [Intention: Malicious]

• CVE-2020-9483
• This IP address has been observed attempting to exploit CVE-2020-9483, a SQL injection vulnerability in Apache SkyWalking via GraphQL.
• Sources: GitHub, NVD
• See it on GreyNoise Viz

Carries HTTP Referer [Intention: Unknown]

• This IP address has been observed scanning the internet with an HTTP client that includes the Referer header in its requests.
• Sources: Firefox
• See it on GreyNoise Viz

Stores HTTP Cookies  [Intention: Unknown]

• This IP address has been observed scanning the internet with an HTTP client that supports storing Cookies.
• Sources: Firefox (1, 2)
• See it on GreyNoise Viz

Follows HTTP Redirects  [Intention: Unknown]

• This IP address has been observed scanning the internet with an HTTP client that follows redirects defined in a Location header.
• Sources: Firefox
• See it on GreyNoise Viz

RSYNC Crawler  [Intention: Unknown]

• This IP address has been observed scanning the internet and attempting to discover rsync server instances.
• Sources: Red Hat, Hacktricks.xyz
• See it on GreyNoise Viz

New Actor Tag

University of Michigan [Intention: Benign]

• Sources: Department of Electrical Engineering and Computer Science
• See it on GreyNoise Viz

Tag Improvements

As part of our process, our research team continues to clean up and improve on existing tags as new information or better processes are introduced.

ADB Check [Intention: Unknown]

• This IP address has been observed checking for the existence of the Android Debug Bridge protocol.
• See it on GreyNoise Viz

ADB Attempt [Intention: Malicious]

• This IP address has been observed checking for the existence of the Android Debug Bridge protocol and has requested interactivity.
• See it on GreyNoise Viz

EDITORS NOTE: This blog post has been updated as of Sep. 2 to reflect edits to the Atlassian Confluence Server OGNL Injection tags.