GreyNoise has observed Grafana path traversal attempts preceding the coordinated SSRF surge on March 9, indicating attackers may be using Grafana as a foothold for deeper exploitation. While direct attribution is unclear, the timing suggests a multi-phase attack strategy, where attackers first map exposed infrastructure before escalating their attacks.
Grafana path traversal vulnerabilities have in the past been used to access configuration files and internal network details. The timing of this activity, followed closely by SSRF exploitation, suggests attackers may be using reconnaissance techniques to identify high-value targets before launching further attacks. While the direct relationship between these events remains unconfirmed, the pattern aligns with potentially more coordinated activity than initially reported.
GreyNoise will continue tracking this activity and providing updates if new patterns emerge.
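One way to surface the traversal-then-SSRF sequence described above in your own web access logs, as an added example (not GreyNoise's code): it flags decoded `..` path segments and URL-carrying query parameters that point at loopback, private or link-local addresses, then reports source IPs whose first traversal probe precedes their first SSRF probe. The log lines, the `/api/fetch` endpoint and the list of URL parameter names are constructed assumptions.

```python
"""Correlate path-traversal probes with later SSRF probes per source IP.
Sample log lines below are constructed, not captured traffic."""
import ipaddress
import re
from datetime import datetime
from urllib.parse import parse_qs, unquote, urlsplit

# Combined-log prefix: ip, ident, user, [timestamp], "METHOD target proto", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Query parameters that commonly carry an outbound URL (hypothetical list; tune per app).
URL_PARAMS = {"url", "uri", "target", "dest", "redirect", "callback", "src"}

# Constructed sample: 203.0.113.10 probes a Grafana plugin path, then hits a
# fetch endpoint with an internal target; 198.51.100.7 only does SSRF; 192.0.2.44 is benign.
SAMPLE_LOG = """\
203.0.113.10 - - [09/Mar/2025:02:11:07 +0000] "GET /public/plugins/welcome/..%2F..%2F..%2Fconf%2Fdefaults.ini HTTP/1.1" 404 153
192.0.2.44 - - [09/Mar/2025:02:15:30 +0000] "GET /login HTTP/1.1" 200 2048
203.0.113.10 - - [09/Mar/2025:06:40:21 +0000] "GET /api/fetch?url=http://127.0.0.1:3000/ HTTP/1.1" 200 512
198.51.100.7 - - [09/Mar/2025:07:02:55 +0000] "GET /api/fetch?url=http%3A%2F%2F169.254.169.254%2F HTTP/1.1" 403 0
192.0.2.44 - - [09/Mar/2025:07:05:01 +0000] "GET /api/fetch?url=https://example.com/feed HTTP/1.1" 200 900
"""


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded sequences (%252e) are caught."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(target: str) -> bool:
    """True if any path segment is '..' after decoding; backslashes count as separators."""
    path = urlsplit(target).path
    decoded = fully_decode(path).replace("\\", "/")
    return ".." in decoded.split("/")


def _internal_host(host: str) -> bool:
    """Loopback, RFC1918, link-local (cloud metadata) and reserved targets count as internal."""
    if host == "localhost" or host.endswith(".localhost"):
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # public hostname; DNS rebinding is out of scope for a log check
    return addr.is_private or addr.is_loopback or addr.is_link_local or addr.is_reserved


def is_ssrf_probe(target: str) -> bool:
    """True if a URL-carrying parameter points at an internal address."""
    query = parse_qs(urlsplit(target).query)
    for name, values in query.items():
        if name.lower() not in URL_PARAMS:
            continue
        for value in values:
            parts = urlsplit(fully_decode(value))
            if parts.scheme and parts.hostname and _internal_host(parts.hostname):
                return True
    return False


def classify(log_text: str):
    """Yield (ip, timestamp, stage) for every line matching a probe type."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], TS_FMT)
        if is_traversal(m["target"]):
            yield m["ip"], ts, "traversal"
        if is_ssrf_probe(m["target"]):
            yield m["ip"], ts, "ssrf"


def multi_phase_sources(log_text: str) -> list:
    """Source IPs whose first traversal probe precedes their first SSRF probe."""
    first_seen = {}  # (ip, stage) -> earliest timestamp
    for ip, ts, stage in classify(log_text):
        key = (ip, stage)
        if key not in first_seen or ts < first_seen[key]:
            first_seen[key] = ts
    ips = {ip for ip, _ in first_seen}
    return sorted(
        ip for ip in ips
        if (ip, "traversal") in first_seen and (ip, "ssrf") in first_seen
        and first_seen[(ip, "traversal")] < first_seen[(ip, "ssrf")]
    )


if __name__ == "__main__":
    for ip, ts, stage in classify(SAMPLE_LOG):
        print(f"{ts.isoformat()} {ip:15} {stage}")
    print("multi-phase sources:", multi_phase_sources(SAMPLE_LOG))
```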
GreyNoise Detects Unusual SSRF Exploitation Trends Across Multiple CVEs
Among other things, attackers leverage SSRF for:
GreyNoise is flagging a sharp increase in SSRF exploitation occurring on March 9 across multiple Server-Side Request Forgery (SSRF) vulnerabilities:
GreyNoise has identified active exploitation attempts against the following flaws. Click on the links to see real-time exploitation activity and block malicious IPs.
GreyNoise has identified the following ten countries as having the greatest exploitation activity in the past 6 months across all reported SSRF flaws:
Additional countries seeing early SSRF exploitation, with spikes dating back to December 2024, are: Hong Kong, South Korea, Australia, France, Taiwan, Qatar, and Slovakia.
Only two countries have been targeted in the past 24 hours:
Organizations should take immediate steps to ensure they are not exposed:
— — —
Stone is Head of Content at GreyNoise Intelligence, where he leads strategic content initiatives that illuminate the complexities of internet noise and threat intelligence. In past roles, he led partnered research initiatives with Google and the U.S. Department of Homeland Security. With a background in finance, technology, and engagement with the United Nations on global topics, Stone brings a multidimensional perspective to cybersecurity. He is also affiliated with the Council on Foreign Relations.
Cisco Talos recently uncovered a sophisticated attack campaign targeting Japanese organizations through CVE-2024-4577, a critical PHP-CGI remote code execution flaw with 79 exploits available. While Talos focused on victimology and attacker tradecraft, GreyNoise telemetry reveals a far wider exploitation pattern demanding immediate action from defenders globally.
According to Cisco Talos, the threat actor exploited PHP-CGI installations on Windows systems to deploy Cobalt Strike beacons and conduct post-exploitation activities using the TaoWu toolkit. Key indicators include:
GreyNoise data confirms that exploitation of CVE-2024-4577 extends far beyond initial reports. Attack attempts have been observed across multiple regions, with notable spikes in the United States, Singapore, Japan, and other countries throughout January 2025.
GreyNoise’s Global Observation Grid (GOG) — a worldwide network of honeypots — detected 1,089 unique IPs attempting to exploit CVE-2024-4577 in January 2025 alone. While initial reports focused on attacks in Japan, GreyNoise data confirms that exploitation is far more widespread, with significant activity observed in:
More than 43% of IPs targeting CVE-2024-4577 in the past 30 days are from Germany and China.
In February, GreyNoise detected a coordinated spike in exploitation attempts against networks in multiple countries, suggesting additional automated scanning for vulnerable targets.
Organizations with internet-facing Windows systems exposing PHP-CGI — especially those in these newly identified targeted regions — should follow the guidance provided by Cisco Talos and perform retro-hunts to identify similar exploitation patterns.
Identify and block malicious IPs actively targeting CVE-2024-4577.
Read the Cisco Talos report here.
GreyNoise analyzed CVEs linked to Silk Typhoon and found three actively exploited in the past 24 hours:
GreyNoise’s Global Observation Grid (GOG) confirms exploitation of these CVEs in the past 24 hours. The heatmap below shows activity over the past 45 days, and the following data reflects the last 30 days.
GreyNoise will continue to monitor the threat landscape and provide insights on evolving attacker tactics.
Explore the GreyNoise Visualizer.
— — —
On March 3, 2025, the Cybersecurity and Infrastructure Security Agency (CISA) added five vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, confirming their exploitation in the wild.
GreyNoise provided visibility into these vulnerabilities before their addition to KEV, giving defenders an early advantage.
Hitachi Vantara Pentaho BA Server Vulnerabilities
Observed activity is identical across both CVEs:
Progress WhatsUp Gold Path Traversal Vulnerability
GreyNoise tagged these vulnerabilities before KEV inclusion, reinforcing the importance of real-time attack intelligence.
— — —
Further analysis has refined the understanding of the scale and nature of Eleven11bot. Key clarifications:
GreyNoise analyzed a list of 1,400 IPs provided by Censys, identifying 1,042 of them engaging in scanning and exploitation attempts. These were primarily embedded systems that typically do not initiate outbound internet communication, reinforcing their likely compromise.
While initial infection estimates were high, the activity observed by GreyNoise suggests that a subset of these devices is actively participating in Mirai-related behavior. Because these IPs are unlikely to change dynamically (e.g., through DHCP), they may continue to be involved in future Mirai botnet activity.
A newly discovered global cyber threat is rapidly expanding, infecting tens of thousands of internet-connected devices to launch powerful cyberattacks. Nokia Deepfield’s Emergency Response Team (ERT) has identified a new botnet, tracked as Eleven11bot, which they estimated has compromised over 30,000 devices, primarily security cameras and network video recorders (NVRs).
According to Deepfield, Eleven11bot has been used in distributed denial of service (DDoS) attacks against telecom providers and gaming platforms, with some attacks lasting multiple days and causing widespread disruptions. Jérôme Meyer, a security researcher tracking the botnet, described it as “one of the largest known DDoS botnet campaigns observed since the invasion of Ukraine in February 2022.”
Following Deepfield’s findings, Censys provided GreyNoise with a list of 1,400 IPs that appear to be linked to Eleven11bot due to the configuration of the endpoint devices and the banners matching what Deepfield identified in their research. GreyNoise has observed 1,042 IPs actively hitting our sensors in the past 30 days.
Key findings from our data:
While GreyNoise does not speculate on attribution, this increase in botnet activity comes just two days after the U.S. administration reasserted its “maximum pressure” campaign on Iran, imposing new economic sanctions.
GreyNoise data indicates that the botnet is engaged in malicious activity, including actions presumably aimed at expanding its operations, such as:
GreyNoise has identified 305 IP addresses actively carrying out malicious attacks linked to the botnet.
SOC teams, vulnerability management professionals, and threat hunters can track the botnet’s live activity using GreyNoise:
A list of IPs associated with this botnet is available below:
GreyNoise recommends the following steps to protect against the botnet and similar cyber threats:
GreyNoise continues to track real-time scanning and attack activity from the botnet. We will provide further updates if new information arises.
Track the botnet in real time — see if your network is a target. Navigate to the GreyNoise Analysis feature, paste the IPs above into the search bar, and download the CSV of malicious IPs for immediate blocking actions.
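Once the CSV of malicious IPs is downloaded, the following added example (not a GreyNoise tool) turns it into collapsed CIDR blocks and an nftables set, refusing to emit loopback, RFC1918 or link-local addresses so a bad row can never block your own network. It assumes the export has an `ip` column; the sample rows are constructed.

```python
"""Build a perimeter blocklist from an exported CSV of malicious IPs.
Sample rows are constructed; the 'ip' column name is an assumption."""
import csv
import io
import ipaddress

# Ranges that must never reach a perimeter blocklist, whatever the export says.
# Extend this with your own public prefixes before deploying.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
)]

# Constructed sample: duplicates, a contiguous pair, an RFC1918 row and a malformed row.
SAMPLE_CSV = """\
ip,classification
198.51.100.4,malicious
198.51.100.5,malicious
198.51.100.4,malicious
203.0.113.77,malicious
10.0.0.9,malicious
not-an-ip,malicious
"""


def load_block_candidates(csv_text: str, column: str = "ip"):
    """Parse the export; return (kept IPv4 addresses, [(raw, reason)] for skipped rows)."""
    kept, skipped = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        raw = (row.get(column) or "").strip()
        try:
            addr = ipaddress.ip_address(raw)
        except ValueError:
            skipped.append((raw, "unparseable"))
            continue
        if addr.version != 4:
            skipped.append((raw, "ipv6 not handled here"))
            continue
        if any(addr in net for net in NEVER_BLOCK):
            skipped.append((raw, "non-routable"))
            continue
        kept.append(addr)
    return kept, skipped


def collapse(addrs):
    """Merge duplicates and adjacent hosts into the fewest exact CIDR blocks (no overblocking)."""
    nets = [ipaddress.ip_network(a) for a in set(addrs)]
    return sorted(ipaddress.collapse_addresses(nets))


def nft_set(nets, name: str = "greynoise_block") -> str:
    """Render an nftables set; 'flags interval' lets the set hold CIDR elements."""
    elements = ", ".join(str(n) for n in nets)
    return (
        "table inet filter {\n"
        f"    set {name} {{\n"
        "        type ipv4_addr\n"
        "        flags interval\n"
        f"        elements = {{ {elements} }}\n"
        "    }\n"
        "}\n"
    )


if __name__ == "__main__":
    addrs, skipped = load_block_candidates(SAMPLE_CSV)
    print(nft_set(collapse(addrs)))
    for raw, why in skipped:
        print(f"skipped {raw}: {why}")
```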
— — —
In 2024, attackers didn’t just exploit vulnerabilities — they automated them at scale, turning the internet into a playground for mass exploitation.
GreyNoise observed widespread internet scanning and exploitation attempts across thousands of IPs, showing how attackers are scaling operations faster than defenders can respond.
The GreyNoise 2025 Mass Internet Exploitation Report provides a detailed breakdown of how mass exploitation evolved in 2024, which vulnerabilities were most targeted, and how CISOs and security professionals can stay ahead in 2025.
This report confirms that mass exploitation is not just a zero-day problem — it’s a persistent issue across both new and old vulnerabilities.
“Mass exploitation isn’t just about zero-days — it’s about attackers industrializing vulnerability exploitation at scale,” said Andrew Morris, Founder and Chief Architect at GreyNoise. “They care less about CVSS scores or KEV lists. They scan the entire internet — it’s quick and cheap to do — they find what’s exposed, and go after it immediately. This report shows just how fast and unpredictable mass exploitation really is — and why security teams need real-time intelligence to keep up.”
Attackers aren’t just targeting newly disclosed vulnerabilities — many of the most exploited CVEs in 2024 are years old, proving that security teams must rethink patching priorities.
GreyNoise tracked the most frequently observed vulnerability exploitation attempts across the internet in 2024. Some of the most targeted vulnerabilities included:
These vulnerabilities were frequently targeted throughout 2024, often in large-scale scanning campaigns, botnet-building operations, or ransomware-driven attacks.
The 2025 Mass Internet Exploitation Report confirms that:
— — —
Noah Stone contributed to this writeup in collaboration with GreyNoise Research.
A major leak of internal chat logs from the Black Basta ransomware group has revealed 62 CVEs discussed by the group — offering a glimpse into the vulnerabilities considered for exploitation by one of the most active ransomware operators. The list, first compiled by VulnCheck, underscores how attackers continue to target publicly known vulnerabilities long after disclosure.
To assess real-world impact, GreyNoise analyzed internet-wide exploitation activity for these vulnerabilities. Our data confirms that 23 of these CVEs are actively being exploited, including in enterprise software, security appliances, and widely used applications.
Below we see that 23 of the 62 CVEs mentioned in Black Basta’s leaked chat logs have been targeted within the past 30 days.
The CVEs are:
A subset of the CVEs targeted within the past 30 days have been targeted within the past 24 hours. These include:
Organizations should immediately assess their exposure to the actively exploited CVEs from this blog and take the following steps:
The following 62 CVEs were identified in Black Basta’s leaked chat logs by VulnCheck. Organizations can use this list to assess their exposure.
GreyNoise will continue monitoring exploitation trends in real time. Stay updated by following GreyNoise’s threat intelligence reports, platform updates, and by visiting the GreyNoise visualizer.
— — —
Recent analyses have highlighted that Salt Typhoon, a Chinese state-sponsored cyber espionage group, has been actively targeting Cisco devices. The group employs various tactics, including the use of legitimate login credentials and, in some instances, exploiting known vulnerabilities such as CVE-2018-0171.
Between December 2024 and January 2025, Salt Typhoon reportedly leveraged CVE-2023-20198 and CVE-2023-20273 to compromise five additional telecom networks, including entities in the United States.
GreyNoise’s global observation grid (GOG) has detected malicious exploitation attempts against two Cisco vulnerabilities linked to these attacks:
GreyNoise will continue monitoring for changes in exploitation patterns and provide updates as new intelligence emerges. Stay ahead of exploitation attempts by leveraging GreyNoise’s real-time intelligence.
Important: These CVEs were referenced in recent Salt Typhoon reports, but we are NOT attributing this activity to Salt Typhoon — only confirming that exploitation is occurring.
CISA added CVE-2025-0108 to its Known Exploited Vulnerabilities (KEV) catalog.
GreyNoise has observed active exploitation attempts targeting a newly disclosed authentication bypass vulnerability, CVE-2025-0108, affecting Palo Alto Networks PAN-OS. This high-severity flaw allows unauthenticated attackers to execute specific PHP scripts, potentially leading to unauthorized access to vulnerable systems.
GreyNoise can confirm active exploitation of CVE-2025-0108.
Organizations relying on PAN-OS firewalls should assume that unpatched devices are being targeted and take immediate steps to secure them.
Defenders should take the following steps immediately:
GreyNoise will continue tracking this threat as it evolves. Stay ahead of exploitation attempts by leveraging GreyNoise’s real-time intelligence.
GreyNoise has identified a significant spike in exploitation activity targeting two vulnerabilities — one already flagged by government agencies as a top target, and another flying under the radar despite real-world attacks increasing.
Both vulnerabilities highlight a growing concern in how organizations prioritize patching:
GreyNoise has observed a rapid increase in exploit attempts for both vulnerabilities over the past 10 days.
Observed Exploitation Attempts for CVE-2022-47945 (ThinkPHP LFI)
Observed Exploitation Attempts for CVE-2023-49103 (ownCloud GraphAPI)
Attackers are actively scanning and targeting these vulnerabilities yet only one is included in KEV, raising questions about how security teams are prioritizing threats.
Block Known Malicious IPs Now: CVE-2023-49103, CVE-2022-47945
The difference in how these two CVEs are being treated highlights a broader challenge in vulnerability management.
Attackers are making their priorities clear. See live exploitation trends now for CVE-2023-49103 and CVE-2022-47945.
2025-01-29 Update
After identifying a significant overlap between IPs exploiting CVE-2024-40891 and those classified as Mirai, the team investigated a recent variant of Mirai and confirmed that the ability to exploit CVE-2024-40891 has been incorporated into some Mirai strains.
GreyNoise is observing active exploitation attempts targeting a zero-day critical command injection vulnerability in Zyxel CPE Series devices tracked as CVE-2024-40891. At this time, the vulnerability is not patched, nor has it been publicly disclosed. Attackers can leverage this vulnerability to execute arbitrary commands on affected devices, leading to complete system compromise, data exfiltration, or network infiltration. At publication, Censys is reporting over 1,500 vulnerable devices online.
CVE-2024-40891 is very similar to CVE-2024-40890 (observed authentication attempts, observed command injection attempts), with the main difference being that the former is telnet-based while the latter is HTTP-based. Both vulnerabilities allow unauthenticated attackers to execute arbitrary commands using service accounts (supervisor and/or zyuser).
VulnCheck disclosed CVE-2024-40891 to their partners as "Zyxel CPE Telnet Command Injection" on August 1, 2024, but as of this writing, the CVE has not yet been officially published by the vendor, nor have they published an advisory. Last week, researchers from GreyNoise collaborated with VulnCheck to verify the accuracy of the detection, ensuring that the traffic is linked to this CVE specifically. GreyNoise researchers created a tag for this issue on January 21, 2025, and worked with VulnCheck to coordinate this disclosure. Ordinarily, disclosure would be coordinated with the vendor, but due to the large number of attacks, we decided to publish this immediately.
GreyNoise users can track live exploitation patterns, including attacker IP addresses, for this CVE here.
Over 15,000 Fortinet FortiGate firewalls have been exposed in a breach, leaving thousands with exposed login interfaces vulnerable to exploitation. GreyNoise has identified hundreds of these devices actively being weaponized by attackers for malicious purposes, providing defenders with a real-time view into their behavior and intent.
This breach, tied to CVE-2022-40684 — an authentication bypass vulnerability disclosed in late 2022 — has created new opportunities for attackers to exploit these devices. While patches have been available since October 2022, thousands of firewalls remain exposed as of January 2025, continuing to pose a serious risk.
But this breach isn’t just about exposure — it's about the active exploitation happening right now. In this blog, GreyNoise reveals how attackers are leveraging these devices in real time and provides critical insights to help defenders respond effectively.
GreyNoise specializes in observing and classifying internet activity in real time. Our global observation grid tracks attacker behaviors by monitoring interactions with thousands of our sensors worldwide. Unlike sources that focus on theoretical risks or exposure, GreyNoise reveals the actual behaviors of these compromised devices as they interact with our sensors.
According to Censys, around 4,600 of the 15,000+ affected IPs are still exposing their FortiGate web login interfaces, down from over 5,000 at the time of the Censys blog post that detailed the figures. The chart below illustrates the steady decline.
1. In this Case, Interaction with GreyNoise’s Sensors = Harmful Intent
Firewalls hitting GreyNoise’s sensors are behaving abnormally.
2. Behavioral Breakdown and List of Compromised IPs
GreyNoise classifies observed activity into three categories. Here’s the breakdown for the 366 Fortinet IPs:
This activity is not new. GreyNoise has observed compromised Fortinet devices exhibiting harmful behaviors over several years, as shown below. The timeline highlights both the first and most recent sightings of these devices interacting with our sensor network.
To help defenders — particularly firewall administrators — take immediate action, we’re sharing a list of the 366 Fortinet IPs interacting with our sensor network, updated as of January 28:
Download the full list of observed IPs here. This information may change; to view a dynamic list of all IPs interacting with our network, navigate to the GreyNoise Analysis Tab:
Paste the 15,000+ affected IPs:
Click “ANALYZE,” and explore the results:
3. Threat Trends: What Attackers are Doing
Tags assigned to these devices reveal active reconnaissance or exploitation activity originating from compromised Fortinet systems:
4. Geographic Distribution
These compromised devices originate from multiple regions worldwide. The top 10 hotspots are:
This global spread underscores how widely Fortinet firewalls are deployed and how attackers are leveraging them for malicious purposes.
1. Audit Your IPs and CIDRs
2. Monitor Your Infrastructure for Compromise
1. Patch and Secure Your Devices
2. Block Compromised Fortinet IPs
With GreyNoise, organizations can monitor their external-facing IPs, reduce noise in their threat landscape, and focus their defenses on the most immediate and significant risks. In the case of Fortinet firewalls, if it’s hitting GreyNoise sensors, it’s already up to no good.
Take control of your external threat landscape today. Use GreyNoise to monitor malicious activity, track behaviors in real time, and protect your organization. Add your IPs or CIDRs to GreyNoise’s alerts now.
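The posts above twice describe the same workflow: paste a list of IPs into the GreyNoise Analysis feature, download the CSV of addresses classified as malicious, and feed it to a firewall. The example below, which is added here and is not GreyNoise's own code, shows the defender-side half of that workflow: reading such an export, keeping only rows classified as malicious, collapsing the addresses into CIDR blocks and rendering ipset lines. The column names (ip, classification, last_seen) are an assumption about the export format, and the addresses in the sample are constructed from documentation ranges.

```python
"""Build a deduplicated, CIDR-collapsed block list from an exported IP list.

Added example, not GreyNoise's own code. Assumption: the export is a CSV with
columns ip, classification and last_seen (ISO date). Sample data is constructed.
"""
import csv
import io
import ipaddress

# Constructed sample export using documentation address ranges, not real sightings.
SAMPLE_CSV = """ip,classification,last_seen
198.51.100.10,malicious,2025-01-28
198.51.100.11,malicious,2025-01-28
198.51.100.10,malicious,2025-01-27
203.0.113.5,benign,2025-01-28
192.0.2.77,unknown,2025-01-26
198.51.100.12,malicious,2025-01-28
not-an-ip,malicious,2025-01-28
198.51.100.13,malicious,2025-01-28
"""


def malicious_ips(csv_text, since=None):
    """Return the set of addresses classified 'malicious'.

    Rows with a malformed IP are skipped rather than aborting the whole list.
    If `since` (ISO date string) is given, only rows last seen on or after
    that date are kept; ISO dates compare correctly as strings.
    """
    result = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row.get("classification", "").strip().lower() != "malicious":
            continue
        if since and row.get("last_seen", "") < since:
            continue
        try:
            result.add(ipaddress.ip_address(row["ip"].strip()))
        except ValueError:
            continue  # malformed address: skip this row, keep the rest
    return result


def collapse_to_cidrs(ips):
    """Merge adjacent addresses into the smallest set of CIDR blocks.

    IPv4 and IPv6 are collapsed separately because ipaddress refuses to
    mix versions in one call.
    """
    v4 = [ipaddress.ip_network(str(ip)) for ip in ips if ip.version == 4]
    v6 = [ipaddress.ip_network(str(ip)) for ip in ips if ip.version == 6]
    return sorted(ipaddress.collapse_addresses(v4)) + sorted(ipaddress.collapse_addresses(v6))


def ipset_rules(cidrs, set_name="greynoise-block"):
    """Render 'add' lines in ipset restore format; the set itself must already
    exist (for example, created as hash:net)."""
    return [f"add {set_name} {net}" for net in cidrs]


if __name__ == "__main__":
    for line in ipset_rules(collapse_to_cidrs(malicious_ips(SAMPLE_CSV))):
        print(line)
```

The `since` filter matters because the posts stress that these lists change daily; re-running the script against a fresh export with yesterday's date keeps the block list from accumulating stale entries.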
Cybersecurity professionals face mounting pressure to stay ahead of attackers. From zero-days to targeted campaigns, the need for actionable intelligence is clear — but not every team requires a dedicated threat intelligence feed. That’s why GreyNoise created this unbiased, vendor-neutral white paper: to help security professionals navigate the complexity, assess their true needs, and make informed decisions about the type of threat intelligence feed that’s right for them.
Before investing, it’s essential to ask:
This vendor-neutral, practical white paper offers clear, unbiased guidance to help you:
Not every organization requires a dedicated threat intelligence feed. For some, embedded feeds integrated into firewalls or SIEMs are sufficient. For others, targeted adversaries, complex environments, or sector-specific threats demand a more tailored approach.
This guide cuts through the noise to help you make an informed decision, whether you’re enhancing an existing setup or exploring new options.
This isn’t a sales pitch. It’s a strategic resource to help you assess your needs, evaluate options, and build a proactive cyber defense strategy tailored to your organization.
Download the guide now to get clarity on whether a threat intelligence feed is the right move for your team
This is a follow-up to our October 2022 post, Sensors and Benign Scanner Activity.
Throughout the year, GreyNoise tends to focus quite a bit on the “naughty” connections coming our way. After all, that’s how we classify IP addresses as malicious so organizations can perform incident triage at light speed, avoid alert fatigue, and get a leg up on opportunistic attackers by using our IP-based block-lists.
At this time of year, we usually take some time to don our Santa hats and review the activities of the “nice” (a.k.a., “benign”) sources that make contact with our fleet.
Scanning the entire internet now drives both cybersecurity attack strategies and defense tactics. Every day, multiple legitimate organizations perform mass scanning of IPv4 space to gather data about exposed services, vulnerabilities, and general internet health. In November 2024, we deployed 24 new GreyNoise sensors across diverse network locations to study the behavior and patterns of these benign scanners.
When organizations deploy new internet-facing assets, they typically experience a flood of inbound connection attempts within minutes. While many security teams focus on malicious actors, understanding benign scanning activity is equally crucial for several reasons:
We positioned 24 freshly baked sensors across five separate autonomous systems and eight distinct geographies and began collecting data on connection attempts from known benign scanning services. We narrowed the focus down to the top ten actors with the most tags in November. The analyzed services included major players in the internet scanning space, such as Shodan, Censys, and BinaryEdge, along with newer entrants like CriminalIP and Alpha Strike Labs.
Today, we’ll examine these services' scanning patterns, protocols, and behaviors when they encounter new internet-facing assets. Understanding these patterns helps security teams better differentiate between routine internet background noise and potentially malicious reconnaissance activity. There’s a “Methodology” section at the tail end of this post if you want the gory details of how the sausage was made.
We’ll first take a look at the fleet size of the in-scope benign scanners.
The chart below plots the number of observed IP addresses from each organization for the entire month of November vs. the total tagged interactions from those sources (as explained in the Methodology section). Take note of the tiny presence of both Academy for Internet Research and BLEXBot, as you won’t see them again in any chart. While they made the cut for the month, they also made no effort to scan the sensors used in this study.
As we’ll see, scanner fleet size does not necessarily guarantee nimbleness or completeness when it comes to surveying services on the internet.
The internet scanner/attack surface management (ASM) space is pretty competitive. One area where speed makes a difference is how quickly new nodes are added to the various inventories. All benign scanners save for ONYPHE (~9 minutes) and CriminalIP (~17 minutes) hit at least one of the target sensors within five minutes of the sensor coming online.
BinaryEdge and ONYPHE display similar dense clustering patterns, with significant activity bursts occurring around the 1-week mark. Their sensor networks appear to capture a high volume of unique IP contacts, forming distinctive cone-shaped distributions that suggest systematic scanning behavior.
Censys and Bitsight exhibit comparable behavioral patterns, though Bitsight’s first contacts appear more concentrated in recent timeframes. This could indicate a more aggressive or efficient scanning methodology for discovering new hosts.
ShadowServer shows a more dispersed pattern of first contacts, with clusters forming across multiple time intervals rather than concentrated bursts. This suggests a different approach to host discovery, possibly employing more selective or targeted scanning strategies.
Alpha Strike Labs and Shodan.io demonstrate sparser contact patterns, indicating either more selective scanning criteria or potentially smaller sensor networks. Their distributions show periodic clusters rather than continuous streams of new contacts.
CriminalIP presents the most minimal contact pattern, with occasional first contacts spread across the timeline. This could reflect a highly selective approach to host identification or a more focused scanning methodology.
The above graph also shows just how extensive some of the scanner fleets are (each dot is a single IP address making contact with one of the sensors; dot colors distinguish one sensor node from another).
If we take all that distinct data and whittle it down to count which benign scanners hit the most sensors first, we see that ONYPHE is the clear winner, followed by Censys — demonstrating strong but more focused scanning capabilities — with BinaryEdge coming in third.
The chart below digs a bit deeper into the first contact scenarios. We identified the very first contacts to each of the 24 sensor nodes from each benign scanner. ONYPHE shows a concentrated burst of activity in the 6-12 hour window, while Bitsight’s contacts are more evenly distributed throughout the observation period. Censys demonstrates a mixed pattern, with clusters in the early hours followed by sporadic contacts. ShadowServer exhibits a notably consistent spread of first contacts across multiple time windows.
BinaryEdge’s pattern suggests coordinated scanning activity, with tight groupings of contacts that could indicate automated discovery processes. Alpha Strike Labs shows a selective, possibly more targeted approach to first contact, while CriminalIP has minimal but distinct touchpoints. Shodan rounds out the observation set with periodic contacts that suggest a methodical scanning approach.
While speed is a critical competitive edge, coverage may be an even more important one. It’s fine to be the first to discover, but if you’re not making a comprehensive inventory, are you even scanning?
We counted up all the ports these benign scanners probed over the course of a week. Censys leads the pack with an impressive 36,056 ports scanned, followed by ShadowServer scanning 19,166 ports, and Alpha Strike Labs covering 14,876 ports.
ONYPHE, Shodan, and even both BinaryEdge and Bitsight seem to take similar approaches when it comes to probing for services on midrange and higher ports. All of them, save for CriminalIP, definitely know when you’ve been naughty and tried to hide some service outside traditional port ranges.
Before moving on to our last section, it is important to remind readers that we are only showing a 7-day view of activity. Some scanners, notably Censys, have much broader port coverage than a mere 55% of port space. The internet is a very tough environment to perform measurements in. Routes break, cables are cut, and even one small connection hiccup could mean a missed port hit. Plus, it’s not very nice to rapidly clobber a remote node that one is not responsible for.
The vast majority of benign contacts have no real payloads. Some of them do make checks for specific services or for the presence of certain weaknesses. When they do, the GreyNoise Global Observation Grid records a tag for that event. We wanted to see just how many tags these benign scanners sling our way.
Given ShadowServer’s mission, it makes sense that they’d be looking for far more weaknesses than the other benign scanners. The benign scanner organizations that also have an attack surface management (ASM) practice will also usually perform targeted secondary scans for customers who have signed up for such inspections.
We hope folks enjoyed this second look at what benign scanners are up to and what their strategies seem to be when it comes to measuring the state of the internet.
If you have specific questions about the data or would like to see different views, please do not hesitate to contact us in our community Slack or via email at research@greynoise.io.
Sensors were deployed between 2024-11-19 and 2024-11-26 (UTC) across five autonomous systems and in the IP space of the following countries:
The in-scope benign actors (based on total tag hits across all of November):
Both Palo Alto’s Cortex Expanse and ByteSpider were in the original top ten, but were removed as candidates. Each of those services is prolific/noisy (one might even say “rude”), would have skewed the results, and made it impossible to compare the performance of these more traditional scanners. Furthermore, while ByteSpider may be (arguably) benign, it has more of a web crawling mission that differs from the intents of the services on the rest of the actor list.
We measured the inbound traffic from the in-scope benign actors for a 7-day period.
Unfortunately, neither Academy for Internet Research nor BLEXBot reached out and touched these 24 new sensor nodes, so they have no presence in the results.
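The three measurements this post reports (time from sensor go-live to each scanner's first contact, which scanner reached each sensor first, and how many distinct ports each scanner probed within the 7-day window) are straightforward to compute from sensor contact records. The following is an added example, not GreyNoise's own pipeline; the record layout (timestamp, sensor, organization, destination port), the per-sensor go-live times and all contacts are constructed, and the window is applied per sensor relative to its own go-live time as the Methodology section describes.

```python
"""Compute first-contact delay, first-to-reach counts and port coverage for
benign scanners from sensor contact records.

Added example, not GreyNoise's own code. Record layout, go-live times and
contacts below are constructed.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Constructed: when each new sensor came online (UTC).
SENSOR_ONLINE = {
    "sensor-a": "2024-11-20T00:00:00Z",
    "sensor-b": "2024-11-20T00:00:00Z",
    "sensor-c": "2024-11-21T12:00:00Z",
}

# Constructed contact records: (timestamp, sensor, organization, dst_port).
CONTACTS = [
    ("2024-11-20T00:04:10Z", "sensor-a", "ONYPHE", 80),
    ("2024-11-20T00:06:30Z", "sensor-a", "Censys", 443),
    ("2024-11-20T00:06:45Z", "sensor-a", "Censys", 22),
    ("2024-11-20T00:03:00Z", "sensor-b", "Censys", 8080),
    ("2024-11-20T00:09:00Z", "sensor-b", "ONYPHE", 443),
    ("2024-11-20T02:00:00Z", "sensor-b", "ShadowServer", 445),
    ("2024-11-21T12:02:00Z", "sensor-c", "ONYPHE", 21),
    ("2024-11-21T13:00:00Z", "sensor-c", "ShadowServer", 3389),
    ("2024-11-21T13:05:00Z", "sensor-c", "ShadowServer", 5900),
    ("2024-11-22T09:00:00Z", "sensor-a", "Censys", 8443),
    ("2024-11-30T10:00:00Z", "sensor-a", "Censys", 1433),  # outside the 7-day window
]


def parse_ts(text):
    """Parse the constructed 'YYYY-MM-DDTHH:MM:SSZ' timestamp as aware UTC."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def in_window(contacts, online, window_days=7):
    """Keep contacts that fall within `window_days` of their sensor's go-live time."""
    kept = []
    for ts, sensor, org, port in contacts:
        start = parse_ts(online[sensor])
        t = parse_ts(ts)
        if start <= t < start + timedelta(days=window_days):
            kept.append((t, sensor, org, port))
    return kept


def first_contact_seconds(contacts, online, window_days=7):
    """org -> {sensor -> seconds from go-live to that org's first contact}."""
    delays = defaultdict(dict)
    for t, sensor, org, _port in in_window(contacts, online, window_days):
        delay = (t - parse_ts(online[sensor])).total_seconds()
        if sensor not in delays[org] or delay < delays[org][sensor]:
            delays[org][sensor] = delay
    return {org: dict(per_sensor) for org, per_sensor in delays.items()}


def first_to_reach(contacts, online, window_days=7):
    """org -> number of sensors that org contacted before any other in-scope org."""
    earliest = {}  # sensor -> (timestamp, org)
    for t, sensor, org, _port in in_window(contacts, online, window_days):
        if sensor not in earliest or t < earliest[sensor][0]:
            earliest[sensor] = (t, org)
    return Counter(org for _t, org in earliest.values())


def distinct_ports(contacts, online, window_days=7):
    """org -> count of distinct destination ports probed inside the window."""
    ports = defaultdict(set)
    for _t, _sensor, org, port in in_window(contacts, online, window_days):
        ports[org].add(port)
    return {org: len(p) for org, p in ports.items()}


if __name__ == "__main__":
    print(first_contact_seconds(CONTACTS, SENSOR_ONLINE))
    print(first_to_reach(CONTACTS, SENSOR_ONLINE))
    print(distinct_ports(CONTACTS, SENSOR_ONLINE))
```

Anchoring the window to each sensor's own go-live time rather than a single calendar date is what makes the per-scanner numbers comparable when, as here, sensors were deployed over the course of a week.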
Attackers are increasingly capitalizing on newly disclosed vulnerabilities within hours of proof-of-concept (PoC) code becoming public. This shrinking timeline leaves defenders with little time to react. A recent example is the rapid response to two Mitel MiCollab vulnerabilities — CVE-2024-41713 (authentication bypass) and CVE-2024-35286 (SQL injection). On December 5, GreyNoise was ready. The same day the PoC went public, GreyNoise began observing attacker activity, demonstrating the speed at which threat actors exploit new information.
The following screenshots from GreyNoise’s Visualizer show unique IP addresses associated with attacker activity following the PoC release. These spikes coincide with the deployment of detection tags, providing a clear picture of how quickly attackers respond to new exploit information.
Leveraging our IP blocklists, GreyNoise customers can immediately block IPs targeting these vulnerabilities.
The chart below shows unique IP addresses probing for CVE-2024-41713 on December 5, immediately after the PoC release. This activity demonstrates attacker interest, highlighting how quickly attackers act on new exploit opportunities. For defenders, this means prioritizing visibility and mitigation immediately after public disclosures.
While the SQL injection vulnerability showed limited activity, it’s important to monitor for potential escalation. Even low activity levels can indicate attackers testing the waters, making proactive mitigation essential.
Both vulnerabilities have been addressed by Mitel:
By applying these patches, organizations can reduce their exposure to attacker activity.
The divergence between predicted exploit likelihood and real-world attacker behavior highlights the necessity for real-time threat intelligence. Predictive models like EPSS currently list both CVEs at 0% likelihood of exploitation, yet GreyNoise’s data provides concrete evidence of attacker activity. This underscores a critical reality: attackers act on opportunities as soon as they arise, often outpacing static predictions.
With GreyNoise, defenders can:
Organizations leveraging Mitel MiCollab should act quickly:
The Mitel MiCollab vulnerabilities demonstrate the importance of rapid response in cybersecurity. While defenders cannot always predict when attackers will act, real-time visibility ensures they can respond effectively to reconnaissance or exploitation efforts as they emerge. GreyNoise’s ability to deploy detection tags on the same day as the PoC release exemplifies its commitment to staying ahead of attackers. This readiness is crucial in a world where the window between disclosure and active attacker activity continues to shrink. By detecting reconnaissance or exploitation efforts within hours, GreyNoise gives defenders the critical lead time needed to respond effectively.
The insights in this blog were made possible by GreyNoise’s Global Observation Grid, a network of internet-facing, primary sensors that passively observe and analyze global attack traffic. GreyNoise recently announced significant enhancements to its sensor and data pipeline technology that deliver deeper insights and broader coverage into cyber threats, equipping security teams with actionable intelligence to better detect, prioritize, and respond to emerging and resurgent threats.
Stay ahead of emerging threats with GreyNoise’s real-time intelligence. Contact us today to learn how we can help protect your organization from evolving vulnerabilities.
Over 220 cybersecurity professionals recently shared what they believe to be the most undervalued skill in our industry: the ability to communicate effectively. This revelation came from a Storm⚡️Watch podcast poll and the ensuing discussion highlighted just how critical this "soft skill" truly is.
The crew shared stories that will resonate with anyone who's had to bridge the gap between technical complexity and business reality. Emily, coming from incident response, learned the hard way that executives care less about IOCs and more about how security issues translate to lost deals and damaged relationships. Himaja developed her communication approach by studying how reporters digested her technical reports, using their follow-up questions as a compass for future messaging.
The help desk trenches proved to be an excellent training ground for Kimber, who discovered that success often meant quickly determining whether someone needed visual aids or step-by-step instructions. This adaptability served her well in product management, where she learned that sometimes you need to let people vent before any productive conversation can occur.
Glenn's journey from academia to a customer-facing vendor role emphasized that becoming an effective communicator isn't accidental. It requires intentional effort and constant refinement, especially when dealing with audiences ranging from fresh-faced students to grant-wielding researchers.
The shift to remote work has only amplified the importance of clear communication. Text-heavy platforms like Slack have introduced new challenges in conveying nuance and managing generational differences in communication styles. The solution isn't just about choosing the right words — it's about knowing when to escalate from text to voice, how to distill complex reports into actionable insights, and finding the right balance between professional and personable.
In an industry stereotypically populated by technical "lone wolves", the reality is that cybersecurity's effectiveness hinges on collaboration and relationship building. Whether you're convincing executives to fund critical defenses or helping colleagues understand emerging threats, the ability to connect, explain, and persuade is as crucial as any technical skill.
The path to improved communication isn't about memorizing presentation techniques or mastering email templates. It's about developing emotional intelligence, learning to read your audience, and adapting your message while maintaining its essential truth. In the end, cybersecurity professionals may wield sophisticated tools, but our most powerful asset is the ability to make complex ideas accessible and actionable.
There are many more insights from the full discussion. It’s well-worth a listen.
Critical infrastructure powers the systems we rely on every day — electricity, clean water, transportation. But what happens when these systems are exposed to the internet, left vulnerable to remote attacks? As a new Censys report reveals, this is the growing reality, with 145,000 industrial control systems (ICS) exposed, including thousands of unsecured human-machine interfaces (HMIs).
These findings highlight a growing problem: internet-exposed HMIs, designed to make critical systems manageable, are becoming prime targets for attackers. Often unprotected, these interfaces give malicious actors direct access to operations, making the implications profound — not just for cybersecurity professionals, but for society at large.
The Censys report uncovers significant exposure:
Real-world examples in the report, such as attacks in Pennsylvania and Texas, illustrate how attackers used exposed HMIs to manipulate water systems. These cases didn’t require advanced ICS expertise — just access to an insecure HMI.
For years, ICS security has focused on protecting specialized protocols like Modbus and DNP3. But the Censys report highlights the growing risk posed by low-hanging fruit like HMIs and remote access points, which attackers can exploit to bypass more complex systems entirely.
During the Summer of 2024, GreyNoise set up sensors emulating internet-connected HMIs to understand the attack traffic they receive. The results reinforce the urgency of securing these systems:
These findings align with the Censys report, demonstrating that HMIs and remote access points are critical weak points that need immediate attention.
The Censys report and GreyNoise findings are clear: defending ICS environments requires a shift in focus. Here are key steps to take:
The exposures highlighted in the Censys report aren’t a technical problem — they’re societal. Critical infrastructure is the backbone of our modern world, and the risks posed by exposed systems are too great to ignore. The time to act is now: secure the basics, monitor for threats with real-time intelligence, and close the gaps attackers are exploiting.
GreyNoise is dedicated to expanding our visibility into ICS/OT environments by growing our fleet of sensors and profiles. As we enhance our coverage in 2025, we aim to provide even deeper insights to help defenders stay ahead of emerging threats. Contact us to learn more.
A newly released report by Sophos reveals a sophisticated multi-year APT (Advanced Persistent Threat) campaign that exploited network perimeter devices, using both new and older vulnerabilities to infiltrate high-value targets. Beginning in 2018, the campaign’s actors leveraged advanced tactics, techniques, and procedures to target internet-facing devices belonging to government and critical infrastructure entities, and other high-value targets. The campaign demonstrates that APT actors are increasingly focusing on network perimeters — especially unpatched, internet-facing devices like VPNs, routers, and other edge infrastructure — as prime entry points for further compromise.
“This campaign is a wake-up call about just how serious the threat to edge devices really is,” said Andrew Morris, Founder and Chief Architect at GreyNoise Intelligence. “Attackers are getting in through overlooked devices, deploying rootkits at the firmware level, and persisting on everything from routers to security cameras to HVAC systems and digital signage. And here’s the thing: detecting this kind of persistence today is incredibly tough. Major device platform vendors have entire teams dedicated to rooting out these threats on PCs, and it’s still a struggle. So, imagine trying to detect and defend against this level of sophistication on an embedded device like a router or a modem — almost no chance.”
At GreyNoise, we observe perimeter-focused attacker behavior across a range of vulnerabilities, both new and resurgent, providing us with a unique view of these threats as they unfold. This blog unpacks key strategic insights from the campaign, explains why network perimeter exploitation should be a top security focus, and provides actionable steps to help security teams stay one step ahead. We’ll explore some of the actively probed CVEs associated with this campaign, the ongoing risks of unpatched devices, and practical ways to mitigate exposure using real-time intelligence.
GreyNoise is proud to have contributed to Sophos’ research and we encourage you to read the full report. In an effort to aid in exposure mitigation efforts, GreyNoise is providing the following information to defenders:
The Sophos report details a sophisticated campaign beginning in 2018, where attackers initially targeted Cyberoam, an India-based Sophos subsidiary. Using intelligence gathered from Cyberoam, along with additional development, the attackers attempted mass exploitation to build a network of operational relay boxes (ORBs). After that effort largely failed because the activity was detected, they shifted tactics to remain under the radar, focusing exclusively on a small number of high-value targets. This more targeted approach enabled them to infiltrate select government agencies, critical infrastructure, and influential organizations such as embassies. This campaign underscores how APTs adapt and leverage both collected intelligence and advanced tradecraft to achieve their strategic goals.
The attackers exhibited patience and adaptability, evolving their approach from broad, indiscriminate scanning to targeted reconnaissance and exploitation. Their tactics included custom rootkits, firmware-based persistence, and sophisticated command-and-control channels, like ICMP tunneling and proxy chains, enabling long-term, stealthy access to compromised networks. This combination of large-scale scanning followed by focused exploitation demonstrates how attackers systematically identify and prioritize vulnerabilities on perimeter devices to achieve their objectives.
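ICMP tunneling is one of the command-and-control channels named above, and it is worth seeing what a detector for it actually has to look at. The script below is an added example written for this post, not code from Sophos or GreyNoise: it scores ICMP echo requests per src->dst flow on two simple heuristics (payload larger than any stock ping sends, and payload entropy near what encrypted or compressed data produces) after first excusing the exact payloads that Linux and Windows ping emit. The traffic records, the payload thresholds and the addresses are constructed for the example and should be tuned against your own baseline; real tunnels also vary packet timing and sequence numbers, which this example does not model.

```python
import hashlib
import math
from collections import defaultdict

ECHO_REQUEST = 8  # ICMP type for echo request

# Payloads sent by the two most common ping implementations (benign baselines).
# Linux ping: 16-byte timestamp followed by the bytes 0x10..0x37 (56 bytes total).
# Windows ping: a fixed 32-byte ASCII string.
LINUX_PING_TAIL = bytes(range(0x10, 0x38))
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"

# Thresholds are assumptions for this example; tune them against your own baseline traffic.
MAX_PING_PAYLOAD = 64    # bytes; normal echo payloads are 32 or 56 bytes
ENTROPY_THRESHOLD = 6.0  # bits per byte; encrypted or compressed data sits close to 8


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for an empty payload)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def is_known_ping_payload(payload: bytes) -> bool:
    """True if the payload matches a stock ping implementation exactly."""
    if payload == WINDOWS_PING_PAYLOAD:
        return True
    return len(payload) == 56 and payload[16:] == LINUX_PING_TAIL


def packet_reasons(icmp_type: int, payload: bytes) -> list:
    """Why one echo request looks like tunnel traffic; empty list if it looks like a normal ping."""
    if icmp_type != ECHO_REQUEST or is_known_ping_payload(payload):
        return []
    reasons = []
    if len(payload) > MAX_PING_PAYLOAD:
        reasons.append("oversized_payload")
    if shannon_entropy(payload) > ENTROPY_THRESHOLD:
        reasons.append("high_entropy")
    return reasons


def analyze(records):
    """Aggregate findings per src->dst flow. `records` are (src, dst, icmp_type, payload) tuples.
    Returns {flow: {"packets": n, "flagged": k, "reasons": {reason: count}}} for flows with a flagged packet."""
    flows = defaultdict(lambda: {"packets": 0, "flagged": 0, "reasons": defaultdict(int)})
    for src, dst, icmp_type, payload in records:
        if icmp_type != ECHO_REQUEST:
            continue  # echo replies are not scored in this example
        flow = flows[f"{src}->{dst}"]
        flow["packets"] += 1
        reasons = packet_reasons(icmp_type, payload)
        if reasons:
            flow["flagged"] += 1
            for r in reasons:
                flow["reasons"][r] += 1
    return {
        name: {"packets": f["packets"], "flagged": f["flagged"], "reasons": dict(f["reasons"])}
        for name, f in flows.items() if f["flagged"]
    }


def _pseudo_random(seed: str, length: int) -> bytes:
    """Deterministic high-entropy filler standing in for encrypted tunnel data (constructed, not captured)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(f"{seed}:{counter}".encode()).digest()
        counter += 1
    return out[:length]


# Constructed sample traffic (not a capture): two admin hosts pinging the gateway, one echo reply,
# and an edge device pushing 256-byte high-entropy chunks to an external address.
SAMPLE_RECORDS = (
    [("10.0.0.7", "10.0.0.1", ECHO_REQUEST, (1700000000 + i).to_bytes(16, "big") + LINUX_PING_TAIL) for i in range(4)]
    + [("10.0.0.8", "10.0.0.1", ECHO_REQUEST, WINDOWS_PING_PAYLOAD)]
    + [("10.0.0.1", "10.0.0.7", 0, LINUX_PING_TAIL)]
    + [("10.0.0.5", "203.0.113.9", ECHO_REQUEST, _pseudo_random(f"chunk{i}", 256)) for i in range(12)]
)

if __name__ == "__main__":
    for flow, finding in analyze(SAMPLE_RECORDS).items():
        print(flow, finding)
```

Only the constructed edge-device flow is reported; the Linux and Windows pings pass because their payloads are recognised before any scoring, which matters because a 56-byte Linux ping payload already has close to 5.8 bits of entropy per byte and would otherwise be a noisy false positive. Feeding this the output of a packet capture tool instead of the constructed records is a matter of mapping each packet to the same four-tuple.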
This campaign highlights how perimeter devices — including VPNs, routers, and other internet-facing systems — serve as critical points of entry for attackers. Although these devices are essential to network operations, ensuring timely patching can be challenging due to the business impact of taking these systems offline, making them attractive targets for attackers seeking to exploit this operational challenge.
GreyNoise’s data consistently shows that perimeter devices draw significant reconnaissance and scanning activity from malicious IPs probing weak points. Our real-time intelligence captures how attackers conduct broad scans across these devices, identifying which ones might be vulnerable to exploitation.
This heatmap highlights the volume of malicious IPs actively targeting high-profile systems leveraging CVEs related to the campaign, illustrating the intensity of reconnaissance and exploitation and offering critical insights for prioritizing defenses around these devices.
Security professionals should regularly audit and patch all high-profile systems that are internet-facing, especially those with widely known vulnerabilities. Leveraging IP blocklists allows security teams to intercept and block scanning activity on these endpoints, helping to prevent initial access and reduce perimeter risks.
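Applying an IP blocklist at the perimeter is easy to get wrong in ways that either lock you out or block nothing. The script below is an added example, not code from GreyNoise or from the Sophos report: it takes a blocklist feed, rejects entries that should never reach a firewall (unparseable lines, RFC 1918 and other non-routable space, anything overlapping your own allowlisted ranges, and prefixes so broad they indicate a feed error), collapses the remainder into the minimal set of CIDRs, and renders an nftables fragment that drops matching sources. The feed contents, the allowlist and the prefix bounds are constructed for the example; the nftables syntax is standard.

```python
import ipaddress

# Constructed blocklist feed (not a real GreyNoise export): one IP or CIDR per line, '#' starts a comment.
FEED = """# constructed sample feed
198.51.100.23
198.51.100.23          # duplicate
203.0.113.0/24
203.0.113.77           # already covered by the /24 above
192.0.2.0/25
192.0.2.128/25         # merges with the /25 above into 192.0.2.0/24
10.1.2.3               # private space: must never appear in an ingress blocklist
198.51.100.5           # inside our own range (see ALLOW), must not be blocked
not-an-ip
0.0.0.0/0              # a feed error that would block everything
2001:db8::/32
"""

# Ranges the blocklist must never match. Assumed for the example: our own public /28.
ALLOW = [ipaddress.ip_network("198.51.100.0/28")]

# Address space that is never a legitimate internet source; checked explicitly rather than via
# ipaddress.is_private so that documentation ranges used in this example are not swept up.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.168.0.0/16", "224.0.0.0/4", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]

# Reject prefixes broader than these; a blocklist entry this wide is a feed error (assumed bounds).
MIN_PREFIX = {4: 8, 6: 16}


def build_blocklist(text, allow=ALLOW):
    """Return (v4_networks, v6_networks, rejected) where rejected is a list of (entry, reason)."""
    accepted, rejected = [], []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            rejected.append((entry, "unparseable"))
            continue
        if net.prefixlen < MIN_PREFIX[net.version]:
            rejected.append((entry, "too broad"))
        elif any(net.version == b.version and net.subnet_of(b) for b in NON_ROUTABLE):
            rejected.append((entry, "non-routable"))
        elif any(net.version == a.version and net.overlaps(a) for a in allow):
            rejected.append((entry, "overlaps allowlist"))
        else:
            accepted.append(net)
    v4 = list(ipaddress.collapse_addresses([n for n in accepted if n.version == 4]))
    v6 = list(ipaddress.collapse_addresses([n for n in accepted if n.version == 6]))
    return v4, v6, rejected


def is_blocked(v4, v6, address):
    """True if `address` falls inside any accepted network (a check to run before deploying)."""
    ip = ipaddress.ip_address(address)
    return any(ip in n for n in (v4 if ip.version == 4 else v6))


def _elements(nets):
    return ", ".join(str(n.network_address) if n.prefixlen == n.max_prefixlen else n.with_prefixlen for n in nets)


def render_nft(v4, v6, table="inet filter"):
    """nftables fragment: interval sets plus drop rules on the input hook. Policy stays accept so a
    bad feed cannot lock administrators out; only listed sources are dropped."""
    lines = [f"table {table} {{"]
    for name, typ, nets in (("blocklist_v4", "ipv4_addr", v4), ("blocklist_v6", "ipv6_addr", v6)):
        elems = f" elements = {{ {_elements(nets)} }}" if nets else ""
        lines.append(f"    set {name} {{ type {typ}; flags interval;{elems} }}")
    lines += [
        "    chain input {",
        "        type filter hook input priority 0; policy accept;",
        "        ip saddr @blocklist_v4 counter drop",
        "        ip6 saddr @blocklist_v6 counter drop",
        "    }",
        "}",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    v4, v6, rejected = build_blocklist(FEED)
    for entry, reason in rejected:
        print(f"rejected {entry}: {reason}")
    print(render_nft(v4, v6))
```

The rendered fragment can be loaded with `nft -f`; the `counter` keyword on each rule gives you a cheap way to confirm the list is actually matching traffic after deployment. Refreshing the sets on a schedule (rather than reloading the whole table) keeps existing connections unaffected.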
While newer vulnerabilities often dominate security headlines, this campaign underscores that attackers frequently exploit older vulnerabilities as well. Over 35% of the CVEs in Sophos' Database of Network Device CVEs were released before 2020, with 95% of them included in CISA’s Known Exploited Vulnerabilities (KEV) catalog — a vital resource for tracking high-risk vulnerabilities. Despite available patches, these CVEs often remain unpatched on many perimeter devices, making them easy targets for attackers.
Re-evaluate patching priorities to include older vulnerabilities that impact perimeter devices. GreyNoise’s CVE tracking provides insights into which resurgent vulnerabilities see active targeting, allowing teams to focus on high-risk vulnerabilities that are exploited repeatedly. Older vulnerabilities continue to present significant risk if left unpatched, particularly on perimeter devices.
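The two figures quoted above (share of CVEs released before 2020, share present in CISA's KEV catalog) are easy to compute for your own perimeter inventory, and the same join against KEV gives a defensible patch order. The script below is an added example, not GreyNoise or Sophos code: it parses a CSV in the column layout CISA publishes for KEV, joins it to a device inventory, and ranks each (host, CVE) pair by exposure (internet-facing, in KEV, KEV due date already passed, pre-2020). The KEV rows, the inventory, the CVE identifiers (deliberate placeholders, not real vulnerabilities) and the scoring weights are all constructed for the example; swap in the real `known_exploited_vulnerabilities.csv` and your own inventory to use it.

```python
import csv
import io
from datetime import date

# Constructed excerpt in the column layout of CISA's KEV CSV. The CVE IDs are placeholders for
# this example and do not refer to real vulnerabilities.
KEV_CSV = """cveID,vendorProject,product,vulnerabilityName,dateAdded,shortDescription,requiredAction,dueDate,knownRansomwareCampaignUse,notes
CVE-2018-00001,ExampleVendor,Edge VPN,Placeholder path traversal,2021-11-03,Constructed entry,Apply updates per vendor instructions.,2022-05-03,Known,
CVE-2019-00002,ExampleVendor,Edge Firewall,Placeholder authentication bypass,2022-03-25,Constructed entry,Apply updates per vendor instructions.,2022-04-15,Unknown,
CVE-2023-00004,ExampleVendor,Edge Router,Placeholder command injection,2023-09-18,Constructed entry,Apply updates per vendor instructions.,2023-10-09,Unknown,
"""

# Constructed device inventory: which CVEs each perimeter device's current firmware is exposed to.
INVENTORY = [
    {"host": "vpn-edge-01", "internet_facing": True, "cves": ["CVE-2018-00001", "CVE-2022-00003"]},
    {"host": "fw-dmz-02", "internet_facing": True, "cves": ["CVE-2019-00002"]},
    {"host": "rtr-branch-07", "internet_facing": False, "cves": ["CVE-2023-00004"]},
    {"host": "lab-switch-03", "internet_facing": False, "cves": ["CVE-2022-00003"]},
]

# Scoring weights are assumptions for the example; adjust to your own risk model.
WEIGHTS = {"internet-facing": 4, "in KEV": 3, "KEV due date passed": 2, "legacy": 1}


def load_kev(text):
    """Map cveID -> KEV row (dict of column -> value) from a CSV in CISA's column layout."""
    return {row["cveID"]: row for row in csv.DictReader(io.StringIO(text))}


def cve_year(cve_id):
    return int(cve_id.split("-")[1])


def prioritize(inventory, kev, legacy_before=2020, today=date(2025, 1, 15)):
    """One entry per (host, CVE), highest score first; ties broken by CVE ID."""
    rows = []
    for dev in inventory:
        for cve in dev["cves"]:
            reasons = []
            if dev["internet_facing"]:
                reasons.append("internet-facing")
            entry = kev.get(cve)
            if entry is not None:
                reasons.append("in KEV")
                if date.fromisoformat(entry["dueDate"]) < today:
                    reasons.append("KEV due date passed")
            if cve_year(cve) < legacy_before:
                reasons.append("legacy")
            rows.append({
                "host": dev["host"],
                "cve": cve,
                "score": sum(WEIGHTS[r] for r in reasons),
                "reasons": reasons,
            })
    rows.sort(key=lambda r: (-r["score"], r["cve"]))
    return rows


def coverage_stats(inventory, kev, legacy_before=2020):
    """Share of distinct inventory CVEs that predate `legacy_before` and that appear in KEV."""
    cves = {c for d in inventory for c in d["cves"]}
    legacy = sum(1 for c in cves if cve_year(c) < legacy_before)
    in_kev = sum(1 for c in cves if c in kev)
    return {"total": len(cves), "legacy_share": legacy / len(cves), "kev_share": in_kev / len(cves)}


if __name__ == "__main__":
    kev = load_kev(KEV_CSV)
    print(coverage_stats(INVENTORY, kev))
    for row in prioritize(INVENTORY, kev):
        print(f"{row['score']:2d} {row['host']:14s} {row['cve']}  {', '.join(row['reasons'])}")
```

In the constructed data the two oldest CVEs come out on top, not because of their age alone but because they are internet-facing, in KEV and past their federal remediation due date; a newer CVE on an internal router ranks below them, and an unlisted CVE on a lab switch ranks last. That is the ordering the paragraph above argues for: age is one signal, but KEV membership on an exposed device is what should drive the queue.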
According to the Sophos report, the attackers initially began their campaign with broad, indiscriminate scanning to locate vulnerable devices before refining their focus to specific, high-value targets. This phased approach demonstrates how attackers leverage large-scale reconnaissance to identify weak entry points and then shift to targeted exploitation.
GreyNoise’s real-time data on reconnaissance trends offers visibility into this broader phase, capturing which high-profile CVEs attackers are actively probing across devices. This data reveals where attackers focus their scanning efforts on the network perimeter, providing early indicators of which vulnerabilities are most at risk.
The precision and patience of this APT campaign send a clear message: perimeter devices remain prime targets, and unpatched vulnerabilities continue to offer attackers a simple path to network entry. The campaign reinforces the need for security professionals to maintain real-time visibility into these threats — both legacy CVEs and active reconnaissance of network devices.
By monitoring attacker behavior and focusing on high-risk vulnerabilities, teams can take concrete steps to strengthen their defenses against persistent, sophisticated attacks.
We know that many organizations are working diligently to assess their exposure, analyze logs, and manage vulnerabilities following this APT campaign. To aid in this effort, GreyNoise is providing all users — both paying and free — 14 days of access to real-time exploitation data for the CVEs associated with this threat. Our goal is to help security teams stay informed and make it easier to track active exploitation.
----
Noah Stone contributed to this writeup in collaboration with GreyNoise Research. Stone is Head of Content at GreyNoise Intelligence, where he leads strategic content initiatives that illuminate the complexities of internet noise and threat intelligence. In past roles, he led partnered research initiatives with Google and the U.S. Department of Homeland Security. With a background in finance, technology, and engagement with the United Nations on global topics, Stone brings a multidimensional perspective to cybersecurity. He is also affiliated with the Council on Foreign Relations.