New Tags
CVE-2009-0545, CVE-2019-12725, CVE-2020-29390
Tag: Zeroshell RCE Attempt [Intention: Malicious]
- This IP address has been observed attempting to exploit a remote command execution vulnerability in Zeroshell.
- Sources: NIST [1, 2, 3]
- See it on GreyNoise Viz
Tag: Cisco Smart Install RCE Attempt [Intention: Malicious]
- This IP address has been observed attempting to exploit Cisco Smart Install Protocol.
- Sources: Rapid7, GitHub [1, 2, 3]
- See it on GreyNoise Viz
CVE-2021-35464
Tag: ForgeRock OpenAM Pre-Auth RCE Vuln Check [Intention: Unknown]
- This IP address has been observed checking for the existence of CVE-2021-35464, a path traversal vulnerability in ForgeRock OpenAM which can lead to RCE.
- Sources: PortSwigger, NIST
- See it on GreyNoise Viz
CVE-2021-35464
Tag: ForgeRock OpenAM Pre-Auth RCE Attempt [Intention: Malicious]
- This IP address has been observed attempting to exploit CVE-2021-35464, a path traversal vulnerability in ForgeRock OpenAM that can lead to RCE.
- Sources: PortSwigger, NIST
- See it on GreyNoise Viz
CVE-2021-33544 to CVE-2021-33544 (11 CVEs)
Tag: UDP Technology IP Camera Attempt [Intention: Malicious]
- This IP address has been observed attempting to exploit CVEs in UDP Technology camera firmware.
- Sources: PortSwigger, Randorisec
- See it on GreyNoise Viz
CVE-2021-33544, CVE-2021-33548, CVE-2021-33550 to CVE-2021-33554
Tag: UDP Technology IP Camera Check [Intention: Unknown]
- This IP address has been observed attempting to exploit CVEs in UDP Technology camera firmware.
- Sources: PortSwigger, Randorisec
- See it on GreyNoise Viz
CVE-2017-12149
Tag: JBoss Application Server RCE Attempt [Intention: Malicious]
- This IP address has been observed attempting to exploit CVE-2017-12149, a remote code execution vulnerability in JBoss Application Server.
- Sources: NIST, GitHub
- See it on GreyNoise Viz
CVE-2021-30497
Tag: Ivanti Avalanche Path Traversal [Intention: Malicious]
- This IP address has been observed attempting to exploit CVE-2021-30497, a path traversal vulnerability in Ivanti Avalanche that could lead to arbitrary file retrieval.
- Sources: Ivanti, SSD Disclosure
- See it on GreyNoise Viz
Tag: Double URL Encoding [Intention: Malicious]
- This IP address has been observed requesting double-encoded URLs, a technique commonly used to bypass defensive rules and perform directory traversal.
- Sources: OWASP, Imperva
- See it on GreyNoise Viz
Tag: Apache OFBiz Deserialization RCE [Intention: Malicious]
- This IP address has been observed attempting to exploit CVE-2021-29200, a deserialization vulnerability in Apache OFBiz 17.12.07 and earlier that can lead to unauthenticated RCE.
- Sources: NIST, xz.aliyun.com, GitHub
- See it on GreyNoise Viz
Removed Tags
These tags have been removed because the behavior they describe no longer exists, is no longer seen scanning, and/or can no longer be accurately identified.
- RDP Bruteforcer
- Windows RDP Cookie Hijacker
- RDP Scanner
Multiple RDP tags have been deprecated in favor of RDP Crawler, which more accurately accounts for much of the behavior we see. We are currently working to create more accurate and narrowly scoped tags for RDP scanning and exploitation.
The RDP Bruteforcer tag was created around the same time as BlueKeep and aggressively assigned `malicious` intent to basic RDP connection attempts. After re-evaluating this, we feel this was incorrect and have taken actions to improve our RDP tags in general.
Tag Improvements
As part of our process, our research team continues to clean up and improve on existing tags as new information or better processes are introduced.
Tag: Cisco Smart Install Endpoint Scanner [Intention: Unknown]
- This IP address has been seen scanning for exposed Cisco Smart Install Protocol ports.
- Sources: Rapid7, GitHub [1, 2]
- See it on GreyNoise Viz
Tag: Linksys E-Series TheMoon Worm [Intention: Malicious]
- This IP address has been observed attempting to leverage the Linksys E-Series TheMoon command injection exploit.
- Sources: Computerworld, SANS, GitHub
- See it on GreyNoise Viz
Integrations
Anomali: Now supports RIOT and the Community API.