In today’s interconnected world, understanding the landscape of malicious internet cyber activity is crucial for organisations and nation states to protect their digital assets and maintain a strong security posture. To that end, researchers from GreyNoise Labs analysed the volume and type of malicious traffic observed by GreyNoise Intelligence’s planetary scale sensor network — with a hyperfocus on France — to help organisations and agencies make more informed decisions about their cybersecurity strategies.
The GreyNoise operated sensor fleet primarily sees opportunistic, mass exploitation. This view provides an up-to-the-minute view of the regular drumbeat of botnet activity, but also sheds light on when new patterns or activity surfaces, especially when there are new, emergent threats.
The term “malicious” is reserved for activity that is associated with an attempt to execute an exploit against a target system.
The data for this report looked at malicious traffic coming from or directed at France for a period of 30 days between mid-September (2023) and mid-October
During that time, GreyNoise observed 111,073 malicious exploitation attempts against French IP address space and 3,292 attacks from France being directed at other country-assigned networks.
The sections in this brief will look at the source and destination traffic in more detail and conclude with recommendations for how this information can be used to make organisations, agencies, and citizens safer.
The “Research Notes And References” section provides information on the nuances of source-country attribution.
Generally speaking, organisations and agencies can expect to see their malicious source traffic to come from either (a) countries with higher allocated and in-use IP address space, or (b) countries with internet-facing device profiles that lend themselves to be more prone to exploitation.
To see how that mix plays out, Brazil and Vietnam are in fifth and ninth place, below, during the sample period but tenth and twenty-third when it comes to available IP address space. This is due to an inordinately high number of compromised internet of things (IoT) devices, such as IP-accessible cameras, and both white-box and popular-but-regularly-vulnerable networking equipment, such as MicroTik.
This inbound country view will be dynamic if you use the GreyNoise Visualizer or API to perform future assessments. Meaning, members of the list will trade places depending on what adversary controlled infrastructure is in use within any given time period.
You can use geographic source information as one means of risk-assessing connections you see in logs or network flows to help inform blocking or incident response decisions.
The source networks these IP addresses are hosted in can be classified in many ways. For this report, we will focus our attention on the assigned category — ISP, Hosting, Mobile, Business, or Education — for these malicious connection attempts:
Of initial note is that “Mobile” is fourth on the list. Researchers in GreyNoise Labs have observed a steady up tick in mobile networks — whether it be from tethered systems or compromised Android devices — becoming the source of attack traffic. This increases the burden on defenders, since it is difficult to convince application owners to block any connections from what is around 40-50% of all incoming benign traffic to most websites and web applications. The timely nature of GreyNoise block lists may make such conversations less problematic.
Routers, exposed storage and IoT devices, and compromised laptops/desktops are a large part of why residential and small business ISPs regularly top the list. To understand why, all we need to do is look at the top “tags” (“detections” in intrusion detection and prevention nomenclature) GreyNoise sees in this French inbound traffic:
The Mirai botnet is almost always in the number one spot when it comes to malicious, opportunistic activity engaged by our adversaries. This traffic is the “heartbeat” of the internet. Not a single minute passes without members of the Mirai botnet searching for new and existing hosts to assimilate into its collective. This activity, combined with other “Worm”s, help ensure a healthy inventory that can be used in targeted attacks against your agency or organization.
The “Bruteforcer”s can also be used to build up botnet inventories, but they have a secondary nefarious purpose of working to gain Initial Access, which can be sold to bidders on attacker forums. All it takes is for an organization or individual to leave a default or misconfigured system on the internet for less than an hour to have it become part of this adversarial inventory. It is rare for targeted attack infrastructure to be used for this, quite noisy, activity. Therefore, it is strongly advised to consider blocking these attempts at the network level and checking for outbound requests to IP addresses exhibiting this behaviour.
Before we look at what systems and devices in France are targeting, we should note that of the 111,073 inbound malicious exploitation attempts, 667 (0.6%) were directed only at France during the observation period. This may indicate that organizations, such as France’s National Cybersecurity Agency of France (ANSSI) are helping to make country networks sufficiently resilient against attacks to force attackers to direct country-centric efforts elsewhere.
During the study period, GreyNoise researchers observes a mere 3,292 malicious exploitation attempts coming from French-attributed network sources.
The outbound tag distribution is nearly identical to the inbound, so we’ll avoid repetition and focus on two points of interest.
First, “Business” networks are third on the list:
This is somewhat disconcerting given the discussion in the previous section. Both ANSSI and organizations that help provide cybersecurity services to small-to-medium-sized business in France may want to consider implementing more rigorous malicious activity checks to reduce the likelihood of these networks being increasingly used in adversarial campaigns.
The next observation is that nodes under adversarial control in France seem to be aiming at ally networks, though the malicious traffic is also spread around:
This is unsurprising, as French IP address space tends to have a higher positive reputation than many other countries, so initial risk-based “trust” decisions that are part of many perimeter defence systems are more likely to let connections from France sources through.
A further, and final, positive finding for France is that they, themselves, are not in the top 20 list of country networks being assaulted by French-allocated country internet addresses. This may be a further indication of significant internal focus on tracking down and isolating malicious sources within country.
Organisations can use GreyNoise to see if they’re “part of the problem”, and agencies in France should work closely with ISPs, hosting providers, mobile carriers, and businesses to ensure France’s IP space reputation continues to trend positive.
Every GreyNoise user can use the same data provided in this report to gain hourly insights into malicious activity coming from or to organisations and agency networks in France. Those same queries can be tailored to provide timely alerts for emergent threats being targeted at, or coming from French networks. By working together, we can help reduce the number of active botnet nodes on the internet, and make the internet that much safer for the humans we’re aiming to protect.
A GreyNoise “Tag” is a signature-based detection method used to capture patterns and create subsets in our planetary-scale internet sensor data. Tags cover five primary categories: Activity, Tool, Actor, Worm, and Search Engine. These tags are not limited to CVE-based activity but also include behaviours, attribution, and unique traffic characteristics.
Activity tags cover crawlers, vulnerability checks & exploitation, authentication attempts, and other behaviours observed from interactions with GreyNoise sensors. Tool tags can include open-source scanning tools and programming language libraries, such as NMap, Nuclei, Metasploit, Paramiko, and Go HTTP. Actor tags describe the actor behind the activity, including commercial/enterprise entities, researchers, and universities. Please note that all current Actor tags denote Benign actors. This may change in the future, but GreyNoise does not presently engage in malicious actor attribution.
GreyNoise tags provide insight into IP addresses that are scanning the internet or attempting to opportunistically exploit hosts across the internet. Tag data associated with a specific IP address offers an overview of the activity that GreyNoise has observed from that IP, as well as insight into the intention of the activity originating from it.
The following GreyNoise Queries (GNQL) were used in this analysis:
These can be viewed on the GreyNoise Visualizer, or accessed via the GreyNoise API/CLI.
IANA (the Internet Assigned Numbers Authority) is charged with allocating internet address space to regional registries; and, RIPE is responsible for French address space allocations. Traffic coming from IP address space allocated to a given country does not mean that country has malicious intent. It generally means systems and devices in that country were either vulnerable to some exploit that coopted them into the service of adversaries. However, there are numerous “bulletproof hosting” companies — think of them as a “malicious Amazon AWS” or “evil Google Cloud Platform” — that regularly emerge in any given IP address space as well.
GreyNoise uses IPInfo.io for IP geolocation, autonomous system (ASN), and hosting classification metadata information. Spur is used for identifying VPN, Tor and other network classifications.
In today’s interconnected world, understanding the landscape of malicious internet cyber activity is crucial for organisations and nation states to protect their digital assets and maintain a strong security posture. To that end, researchers from GreyNoise Labs analysed the volume and type of malicious traffic observed by GreyNoise Intelligence’s planetary scale sensor network — with a hyperfocus on France — to help organisations and agencies make more informed decisions about their cybersecurity strategies.
The GreyNoise operated sensor fleet primarily sees opportunistic, mass exploitation. This view provides an up-to-the-minute view of the regular drumbeat of botnet activity, but also sheds light on when new patterns or activity surfaces, especially when there are new, emergent threats.
The term “malicious” is reserved for activity that is associated with an attempt to execute an exploit against a target system.
The data for this report looked at malicious traffic coming from or directed at France for a period of 30 days between mid-September (2023) and mid-October
During that time, GreyNoise observed 111,073 malicious exploitation attempts against French IP address space and 3,292 attacks from France being directed at other country-assigned networks.
The sections in this brief will look at the source and destination traffic in more detail and conclude with recommendations for how this information can be used to make organisations, agencies, and citizens safer.
The “Research Notes And References” section provides information on the nuances of source-country attribution.
Generally speaking, organisations and agencies can expect to see their malicious source traffic to come from either (a) countries with higher allocated and in-use IP address space, or (b) countries with internet-facing device profiles that lend themselves to be more prone to exploitation.
To see how that mix plays out, Brazil and Vietnam are in fifth and ninth place, below, during the sample period but tenth and twenty-third when it comes to available IP address space. This is due to an inordinately high number of compromised internet of things (IoT) devices, such as IP-accessible cameras, and both white-box and popular-but-regularly-vulnerable networking equipment, such as MicroTik.
This inbound country view will be dynamic if you use the GreyNoise Visualizer or API to perform future assessments. Meaning, members of the list will trade places depending on what adversary controlled infrastructure is in use within any given time period.
You can use geographic source information as one means of risk-assessing connections you see in logs or network flows to help inform blocking or incident response decisions.
The source networks these IP addresses are hosted in can be classified in many ways. For this report, we will focus our attention on the assigned category — ISP, Hosting, Mobile, Business, or Education — for these malicious connection attempts:
Of initial note is that “Mobile” is fourth on the list. Researchers in GreyNoise Labs have observed a steady up tick in mobile networks — whether it be from tethered systems or compromised Android devices — becoming the source of attack traffic. This increases the burden on defenders, since it is difficult to convince application owners to block any connections from what is around 40-50% of all incoming benign traffic to most websites and web applications. The timely nature of GreyNoise block lists may make such conversations less problematic.
Routers, exposed storage and IoT devices, and compromised laptops/desktops are a large part of why residential and small business ISPs regularly top the list. To understand why, all we need to do is look at the top “tags” (“detections” in intrusion detection and prevention nomenclature) GreyNoise sees in this French inbound traffic:
The Mirai botnet is almost always in the number one spot when it comes to malicious, opportunistic activity engaged by our adversaries. This traffic is the “heartbeat” of the internet. Not a single minute passes without members of the Mirai botnet searching for new and existing hosts to assimilate into its collective. This activity, combined with other “Worm”s, help ensure a healthy inventory that can be used in targeted attacks against your agency or organization.
The “Bruteforcer”s can also be used to build up botnet inventories, but they have a secondary nefarious purpose of working to gain Initial Access, which can be sold to bidders on attacker forums. All it takes is for an organization or individual to leave a default or misconfigured system on the internet for less than an hour to have it become part of this adversarial inventory. It is rare for targeted attack infrastructure to be used for this, quite noisy, activity. Therefore, it is strongly advised to consider blocking these attempts at the network level and checking for outbound requests to IP addresses exhibiting this behaviour.
Before we look at what systems and devices in France are targeting, we should note that of the 111,073 inbound malicious exploitation attempts, 667 (0.6%) were directed only at France during the observation period. This may indicate that organizations, such as France’s National Cybersecurity Agency of France (ANSSI) are helping to make country networks sufficiently resilient against attacks to force attackers to direct country-centric efforts elsewhere.
During the study period, GreyNoise researchers observes a mere 3,292 malicious exploitation attempts coming from French-attributed network sources.
The outbound tag distribution is nearly identical to the inbound, so we’ll avoid repetition and focus on two points of interest.
First, “Business” networks are third on the list:
This is somewhat disconcerting given the discussion in the previous section. Both ANSSI and organizations that help provide cybersecurity services to small-to-medium-sized business in France may want to consider implementing more rigorous malicious activity checks to reduce the likelihood of these networks being increasingly used in adversarial campaigns.
The next observation is that nodes under adversarial control in France seem to be aiming at ally networks, though the malicious traffic is also spread around:
This is unsurprising, as French IP address space tends to have a higher positive reputation than many other countries, so initial risk-based “trust” decisions that are part of many perimeter defence systems are more likely to let connections from France sources through.
A further, and final, positive finding for France is that they, themselves, are not in the top 20 list of country networks being assaulted by French-allocated country internet addresses. This may be a further indication of significant internal focus on tracking down and isolating malicious sources within country.
Organisations can use GreyNoise to see if they’re “part of the problem”, and agencies in France should work closely with ISPs, hosting providers, mobile carriers, and businesses to ensure France’s IP space reputation continues to trend positive.
Every GreyNoise user can use the same data provided in this report to gain hourly insights into malicious activity coming from or to organisations and agency networks in France. Those same queries can be tailored to provide timely alerts for emergent threats being targeted at, or coming from French networks. By working together, we can help reduce the number of active botnet nodes on the internet, and make the internet that much safer for the humans we’re aiming to protect.
A GreyNoise “Tag” is a signature-based detection method used to capture patterns and create subsets in our planetary-scale internet sensor data. Tags cover five primary categories: Activity, Tool, Actor, Worm, and Search Engine. These tags are not limited to CVE-based activity but also include behaviours, attribution, and unique traffic characteristics.
Activity tags cover crawlers, vulnerability checks & exploitation, authentication attempts, and other behaviours observed from interactions with GreyNoise sensors. Tool tags can include open-source scanning tools and programming language libraries, such as NMap, Nuclei, Metasploit, Paramiko, and Go HTTP. Actor tags describe the actor behind the activity, including commercial/enterprise entities, researchers, and universities. Please note that all current Actor tags denote Benign actors. This may change in the future, but GreyNoise does not presently engage in malicious actor attribution.
GreyNoise tags provide insight into IP addresses that are scanning the internet or attempting to opportunistically exploit hosts across the internet. Tag data associated with a specific IP address offers an overview of the activity that GreyNoise has observed from that IP, as well as insight into the intention of the activity originating from it.
The following GreyNoise Queries (GNQL) were used in this analysis:
These can be viewed on the GreyNoise Visualizer, or accessed via the GreyNoise API/CLI.
IANA (the Internet Assigned Numbers Authority) is charged with allocating internet address space to regional registries; and, RIPE is responsible for French address space allocations. Traffic coming from IP address space allocated to a given country does not mean that country has malicious intent. It generally means systems and devices in that country were either vulnerable to some exploit that coopted them into the service of adversaries. However, there are numerous “bulletproof hosting” companies — think of them as a “malicious Amazon AWS” or “evil Google Cloud Platform” — that regularly emerge in any given IP address space as well.
GreyNoise uses IPInfo.io for IP geolocation, autonomous system (ASN), and hosting classification metadata information. Spur is used for identifying VPN, Tor and other network classifications.