On March 28, GreyNoise observed a significant spike in activity targeting multiple edge technologies, including SonicWall, Zoho, Zyxel, F5, Linksys, and Ivanti systems. While some of these technologies are edge systems, others are primarily internal management tools.
This uptick suggests increased reconnaissance or exploitation attempts, indicating that threat actors may be probing for vulnerabilities or unpatched systems. Security teams should be aware of this trend and assess potential risks.
Observed Activity
GreyNoise telemetry indicates a marked increase in in-the-wild activity targeting these systems.
View real-time activity and block malicious IPs by navigating to the GreyNoise Visualizer’s CVE Search feature and pasting CVEs of interest.
[Per-vendor activity charts: Ivanti, SonicWall, Zoho, Zyxel, F5, Linksys]

Recommended Actions
- Patch Management: Ensure that all systems are up to date with the latest security patches to mitigate known vulnerabilities.
- Network Monitoring: Closely monitor traffic — retroactively analyzing March 28 logs — for unusual patterns or activity targeting these systems.
- Threat Intelligence & Dynamic Blocking: Use GreyNoise to view real-time activity targeting these systems, and to block malicious IPs.
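One way to carry out the retroactive March 28 log review recommended above, as an added example that is not GreyNoise code: for each edge device it compares the number of distinct sources seen on March 28 with the median of the other days in the log window, and lists sources seen only on that day. The device inventory, the firewall log format and all addresses are constructed assumptions.

```python
import re
from collections import defaultdict
from statistics import median

# Constructed inventory (assumption): destination address -> device label.
EDGE_DEVICES = {"192.0.2.10": "vpn-gateway", "192.0.2.20": "load-balancer"}
# Constructed log format (assumption): "Mon DD HH:MM:SS host SRC=<ip> DST=<ip> ..."
LINE_RE = re.compile(r"^(\w{3})\s+(\d{1,2}) \S+ \S+ SRC=(\S+) DST=(\S+)")

# Constructed sample log; syslog-style timestamps carry no year.
SAMPLE_LOG = """\
Mar 25 09:10:01 fw SRC=198.51.100.7 DST=192.0.2.10 DPT=443
Mar 26 09:11:12 fw SRC=198.51.100.7 DST=192.0.2.10 DPT=443
Mar 26 10:02:40 fw SRC=198.51.100.8 DST=192.0.2.10 DPT=443
Mar 26 11:30:05 fw SRC=198.51.100.9 DST=192.0.2.20 DPT=443
Mar 27 09:09:59 fw SRC=198.51.100.7 DST=192.0.2.10 DPT=443
Mar 27 11:31:17 fw SRC=198.51.100.9 DST=192.0.2.20 DPT=443
Mar 28 03:14:07 fw SRC=203.0.113.1 DST=192.0.2.10 DPT=443
Mar 28 03:14:09 fw SRC=203.0.113.2 DST=192.0.2.10 DPT=443
Mar 28 03:15:30 fw SRC=203.0.113.3 DST=192.0.2.10 DPT=443
Mar 28 09:10:44 fw SRC=198.51.100.7 DST=192.0.2.10 DPT=443
Mar 28 11:29:51 fw SRC=198.51.100.9 DST=192.0.2.20 DPT=443
Mar 28 03:16:02 fw SRC=203.0.113.1 DST=192.0.2.99 DPT=443
"""

def review_day(log_text, target_day=("Mar", 28), spike_factor=3.0):
    """Per device: distinct sources on target_day vs. the median of other days."""
    per_day = defaultdict(lambda: defaultdict(set))  # dst -> (mon, day) -> {src}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(4) not in EDGE_DEVICES:
            continue  # skip malformed lines and destinations outside the inventory
        per_day[m.group(4)][(m.group(1), int(m.group(2)))].add(m.group(3))
    report = {}
    for dst, days in per_day.items():
        today = days.get(target_day, set())
        others = [srcs for day, srcs in days.items() if day != target_day]
        baseline = median(len(s) for s in others) if others else 0
        report[EDGE_DEVICES[dst]] = {
            "sources_on_day": len(today),
            "baseline_median": baseline,
            # max(..., 1) keeps a device with a zero baseline from flagging on one hit
            "spike": len(today) > spike_factor * max(baseline, 1),
            "new_sources": sorted(today - set().union(*others)),
        }
    return report

if __name__ == "__main__":
    for device, result in review_day(SAMPLE_LOG).items():
        print(device, result)
```
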
— — —
Stone is Head of Content at GreyNoise Intelligence, where he leads strategic content initiatives that illuminate the complexities of internet noise and threat intelligence. In past roles, he led partnered research initiatives with Google and the U.S. Department of Homeland Security. With a background in finance, technology, and engagement with the United Nations on global topics, Stone brings a multidimensional perspective to cybersecurity. He is also affiliated with the Council on Foreign Relations.
