In the dynamic landscape of cyber threats, the need for rapid and precise threat intelligence is paramount. GreyNoise is at the forefront, enhancing our sensor technology to deliver critical insights with unprecedented speed. Here's how our recent advancements are transforming threat detection and analysis:
GreyNoise’s new sensor framework uniquely allows us to rapidly respond and collect novel intelligence for emerging threats.
With our new capabilities, Low/Medium/High-Interaction Honeypots Personas “appear” real to internet inventory services, allowing us to bait attackers targeting specific technologies. They can also be easily deployed in key IP space used by real businesses, making them attractive targets. The use of a customized low-interaction persona for Cisco IOS XE allowed our team to rapidly (within hours or days) adjust honeypots to capture new techniques.
Using GreyNoise, the timeline for responding to actors and identifying novel exploitation techniques for emerging threats is faster, potentially reduced from weeks/months to hours and days, giving defenders a leg up against the adversaries.
CISA cites GreyNoise’s work in its post “Guidance for Addressing Cisco IOS XE Web UI Vulnerabilities”.
10/16/2023 - Privilege Escalation CVE-2023-20198 Published for Cisco IOS XE
We determine that the command injection vulnerability CVE-2021-1435 may be incorrectly attributed to exploitation activity in combination with CVE-2023-20198.
We begin working with partners to respond to this emerging threat.
10/17/2023 - GreyNoise Developed Low-Interaction Cisco IOS XE Personas
We create a Cisco IOS XE persona in about 30 minutes.
We strategically deploy the low-interaction persona to a single IP in AWS, knowing that we are correctly presenting as a Cisco IOS XE device.
10/19/2023 - GreyNoise confirms that an untracked command injection CVE is involved
In partnership with VulnCheck, GreyNoise bisects patches and produces a PoC for CVE-2019-xxxx command injection vulnerabilities.
Combining public and private information, we ascertain that CVE-2021-1435 is not involved in the active exploitation campaign.
10/23/2023 - GreyNoise collaborates with the community
GreyNoise advocates for the successful removal of CVE-2021-1435 from CISA’s KEV.
10/31/2023 - GreyNoise observes novel exploitation of CVE-2023-20198 with our new sensor
The observed payload utilizes the signature bypass mechanisms we predicted, as noted on 10/20.
November 2023
11/01/2023 - GreyNoise shares PCAP, intelligence, and analysis with partners
Noted that we have observed novel exploitation that uses varying capitalization, _http(s), and double URL-Encoding.
Noted that the number of possible payload variations that can result in successful exploitation is massive.
Noted that, rather than having network signatures try to match every variation (which is costly for signature performance), a “behavior-first” signature can be crafted from public documentation: an HTTP POST to the web UI lacking well-defined authentication methods.
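As an added illustration of the normalization and “behavior-first” ideas above (example code written for this page, not GreyNoise’s signature or tooling), the block below canonicalizes request paths by repeated URL-decoding and lowercasing, then flags POSTs to the web UI that carry no credential at all. The `/webui` prefix, the header-based notion of “authentication”, and the sample requests are assumptions and constructed inputs, not details from the post.

```python
from urllib.parse import unquote

# Assumption (not stated in the post): the IOS XE web UI is served under this prefix.
WEBUI_PREFIX = "/webui"


def normalize_path(path: str, max_rounds: int = 3) -> str:
    """Repeatedly URL-decode until the path stops changing, then lowercase it.

    This collapses varying capitalization and single/double URL-encoding into
    one canonical form so a single check sees through the variations."""
    current = path
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current.lower()


def parse_request(raw: str):
    """Parse a minimal HTTP/1.1 request head into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method.upper(), path, headers, body


def has_authentication(headers: dict) -> bool:
    """Behavior-first check: does the request present any credential at all?"""
    return "authorization" in headers or "cookie" in headers


def classify(raw: str):
    """Return ("suspicious" | "benign", normalized_path) for one raw request."""
    method, path, headers, _ = parse_request(raw)
    norm = normalize_path(path)
    if method == "POST" and norm.startswith(WEBUI_PREFIX) and not has_authentication(headers):
        return "suspicious", norm
    return "benign", norm


# Constructed sample requests: double-encoded + mixed-case path without credentials,
# the same path with a session cookie, and a plain GET.
SAMPLE_REQUESTS = [
    "POST /%2577ebUI/Config HTTP/1.1\r\nHost: 192.0.2.10\r\nContent-Length: 0\r\n\r\n",
    "POST /webui/config HTTP/1.1\r\nHost: 192.0.2.10\r\nCookie: session=constructed\r\n\r\n",
    "GET /WebUI/ HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n",
]
```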
11/07/2023 - GreyNoise pushes a Cisco IOS XE persona update to match additional Metasploit checks
Persona now shows as vulnerable to the Metasploit module.