This is a follow-up from our October, 2022 post — Sensors and Benign Scanner Activity
Throughout the year, GreyNoise tends to focus quite a bit on the “naughty” connections coming our way. After all, that’s how we classify IP addresses as malicious so organizations can perform incident triage at light speed, avoid alert fatigue, and get a leg up on opportunistic attackers by using our IP-based block-lists.
At this time of year, we usually take some time to don our Santa hats and review the activities of the “nice” (a.k.a., “benign”) sources that make contact with our fleet.
Scanning the entire internet now drives both cybersecurity attack strategies and defense tactics. Every day, multiple legitimate organizations perform mass scanning of IPv4 space to gather data about exposed services, vulnerabilities, and general internet health. In November 2024, we deployed 24 new GreyNoise sensors across diverse network locations to study the behavior and patterns of these benign scanners.
When organizations deploy new internet-facing assets, they typically experience a flood of inbound connection attempts within minutes. While many security teams focus on malicious actors, understanding benign scanning activity is equally crucial for several reasons:
We positioned 24 freshly baked sensors across five separate autonomous systems and eight distinct geographies and began collecting data on connection attempts from known benign scanning services. We narrowed the focus down to the top ten actors with the most tags in November. The analyzed services included major players in the internet scanning space, such as Shodan, Censys, and BinaryEdge, along with newer entrants like CriminalIP and Alpha Strike Labs.
Today, we’ll examine these services' scanning patterns, protocols, and behaviors when they encounter new internet-facing assets. Understanding these patterns helps security teams better differentiate between routine internet background noise and potentially malicious reconnaissance activity. There’s a “Methodology” section at the tail end of this post if you want the gory details of how the sausage was made.
We’ll first take a look at the fleet size of the in-scope benign scanners.
The chart below plots the number of observed IP addresses from each organization for the entire month of November vs. the total tagged interactions from those sources (as explained in the Methodology section). Take note of the tiny presence of both Academy for Internet Research and BLEXBot, as you won’t see them again in any chart. While they made the cut for the month, they also made no effort to scan the sensors used in this study.
As we’ll see, scanner fleet size does not necessarily guarantee nimbleness or completeness when it comes to surveying services on the internet.
The internet scanner/attack surface management (ASM) space is pretty competitive. One area where speed makes a difference is how quickly new nodes are added to the various inventories. All benign scanners save for ONYPHE (~9 minutes) and CriminalIP (~17 minutes) hit at least one of the target sensors within five minutes of the sensor coming online.
BinaryEdge and ONYPHE display similar dense clustering patterns, with significant activity bursts occurring around the 1-week mark. Their sensor networks appear to capture a high volume of unique IP contacts, forming distinctive cone-shaped distributions that suggest systematic scanning behavior.
Censys and Bitsight exhibit comparable behavioral patterns, though Bitsight’s first contacts appear more concentrated in recent timeframes. This could indicate a more aggressive or efficient scanning methodology for discovering new hosts.
ShadowServer shows a more dispersed pattern of first contacts, with clusters forming across multiple time intervals rather than concentrated bursts. This suggests a different approach to host discovery, possibly employing more selective or targeted scanning strategies.
Alpha Strike Labs and Shodan.io demonstrate sparser contact patterns, indicating either more selective scanning criteria or potentially smaller sensor networks. Their distributions show periodic clusters rather than continuous streams of new contacts.
CriminalIP presents the most minimal contact pattern, with occasional first contacts spread across the timeline. This could reflect a highly selective approach to host identification or a more focused scanning methodology.
The above graph also shows just how extensive some of the scanner fleets are (each dot is a single IP address making contact with one of the sensors; dot colors distinguish one sensor node from another).
If we take all that distinct data and whittle it down to count which benign scanners hit the most sensors first, we see that ONYPHE is the clear winner, followed by Censys — demonstrating strong but more focused scanning capabilities — with BinaryEdge coming in third.
The chart below digs a bit deeper into the first contact scenarios. We identified the very first contacts to each of the 24 sensor nodes from each benign scanner. ONYPHE shows a concentrated burst of activity in the 6-12 hour window, while Bitsight’s contacts are more evenly distributed throughout the observation period. Censys demonstrates a mixed pattern, with clusters in the early hours followed by sporadic contacts. ShadowServer exhibits a notably consistent spread of first contacts across multiple time windows.
BinaryEdge’s pattern suggests coordinated scanning activity, with tight groupings of contacts that could indicate automated discovery processes. Alpha Strike Labs shows a selective, possibly more targeted approach to first contact, while CriminalIP has minimal but distinct touchpoints. Shodan rounds out the observation set with periodic contacts that suggest a methodical scanning approach.
While speed is a critical competitive edge, coverage may be an even more important one. It’s fine to be the first to discover, but if you’re not making a comprehensive inventory, are you even scanning?
We counted up all the ports these benign scanners probed over the course of a week. Censys leads the pack with an impressive 36,056 ports scanned, followed by ShadowServer scanning 19,166 ports, and Alpha Strike Labs covering 14,876 ports.
ONYPHE, Shodan, and even both BinaryEdge and Bitsight seem to take similar approaches when it comes to probing for services on midrange and higher ports. All of them, save for CriminalIP, definitely know when you’ve been naughty and tried to hide some service outside traditional port ranges.
Before moving on to our last section, it is important to remind readers that we are only showing a 7-day view of activity. Some scanners, notably Censys, have much broader port coverage than a mere 55% of port space. The internet is a very tough environment to perform measurements in. Routes break, cables are cut, and even one small connection hiccup could mean a missed port hit. Plus, it’s not very nice to rapidly clobber a remote node that one is not responsible for.
The vast majority of benign contacts have no real payloads. Some of them do make checks for specific services or for the presence of certain weaknesses. When they do, the GreyNoise Global Observation Grid records a tag for that event. We wanted to see just how many tags these benign scanners sling our way.
Given ShadowServer’s mission, it makes sense that they’d be looking for far more weaknesses than the other benign scanners. The benign scanner organizations that also have an attack surface management (ASM) practice will also usually perform targeted secondary scans for customers who have signed up for such inspections.
We hope folks enjoyed this second look at what benign scanners are up to and what their strategies seem to be when it comes to measuring the state of the internet.
If you have specific questions about the data or would like to see different views, please do not hesitate to contact us in our community Slack or via email at research@greynoise.io.
Sensors were deployed between 2024-11-19 and 2024-11-26 (UTC) across five autonomous systems and in the IP space of the following countries:
The in-scope benign actors (based on total tag hits across all of November):
Both Palo Alto’s Cortex Expanse and ByteSpider were in the original top ten, but were removed as candidates. Each of those services are prolific/noisy (one might even say “rude”), would have skewed the results, and made it impossible to compare the performance of these more traditional scanners. Furthermore, while ByteSpider may be (arguably) benign, it has more of a web crawling mission that differs from the intents of the services on the rest of the actor list.
We measured the inbound traffic from the in-scope benign actors for a 7-day period.
Unfortunately, neither Academy for Internet Research and BLEXBot reached out and touched these 24 new sensor nodes, therefore have no presence in the results.
Attackers are increasingly capitalizing on newly disclosed vulnerabilities within hours of proof-of-concept (PoC) code becoming public. This shrinking timeline leaves defenders with little time to react. A recent example is the rapid response to two Mitel MiCollab vulnerabilities — CVE-2024-41713 (authentication bypass) and CVE-2024-35286 (SQL injection). On December 5, GreyNoise was ready. The same day the PoC went public, GreyNoise began observing attacker activity, demonstrating the speed at which threat actors exploit new information.
The following screenshots from GreyNoise’s Visualizer show unique IP addresses associated with attacker activity following the PoC release. These spikes coincide with the deployment of detection tags, providing a clear picture of how quickly attackers respond to new exploit information.
Leveraging our IP blocklists, GreyNoise customers can immediately block IPs targeting these vulnerabilities.
The chart below shows unique IP addresses probing for CVE-2024-41713 on December 5, immediately after the PoC release. This activity demonstrates attacker interest, highlighting how quickly attackers act on new exploit opportunities. For defenders, this means prioritizing visibility and mitigation immediately after public disclosures.
While the SQL injection vulnerability showed limited activity, it’s important to monitor for potential escalation. Even low activity levels can indicate attackers testing the waters, making proactive mitigation essential.
Both vulnerabilities have been addressed by Mitel:
By applying these patches, organizations can reduce their exposure to attacker activity.
The divergence between predicted exploit likelihood and real-world attacker behavior highlights the necessity for real-time threat intelligence. Predictive models like EPSS currently list both CVEs at 0% likelihood of exploitation, yet GreyNoise’s data provides concrete evidence of attacker activity. This underscores a critical reality: attackers act on opportunities as soon as they arise, often outpacing static predictions.
With GreyNoise, defenders can:
Organizations leveraging Mitel MiCollab should act quickly:
The Mitel MiCollab vulnerabilities demonstrate the importance of rapid response in cybersecurity. While defenders cannot always predict when attackers will act, real-time visibility ensures they can respond effectively to reconnaissance or exploitation efforts as they emerge. GreyNoise’s ability to deploy detection tags on the same day as the PoC release exemplifies its commitment to staying ahead of attackers. This readiness is crucial in a world where the window between disclosure and active attacker activity continues to shrink. By detecting reconnaissance or exploitation efforts within hours, GreyNoise gives defenders the critical lead time needed to respond effectively.
The insights in this blog were made possible by GreyNoise’s Global Observation Grid, a network of internet-facing, primary sensors that passively observe and analyze global attack traffic. GreyNoise recently announced significant enhancements to its sensor and data pipeline technology that deliver deeper insights and broader coverage into cyber threats, equipping security teams with actionable intelligence to better detect, prioritize, and respond to emerging and resurgent threats.
Stay ahead of emerging threats with GreyNoise’s real-time intelligence. Contact us today to learn how we can help protect your organization from evolving vulnerabilities.
Over 220 cybersecurity professionals recently shared what they believe to be the most undervalued skill in our industry: the ability to communicate effectively. This revelation came from a Storm⚡️Watch podcast poll and the ensuing discussion highlighted just how critical this "soft skill" truly is.
The crew shared stories that will resonate with anyone who's had to bridge the gap between technical complexity and business reality. Emily, coming from incident response, learned the hard way that executives care less about IOCs and more about how security issues translate to lost deals and damaged relationships. Himaja developed her communication approach by studying how reporters digested her technical reports, using their follow-up questions as a compass for future messaging.
The help desk trenches proved to be an excellent training ground for Kimber, who discovered that success often meant quickly determining whether someone needed visual aids or step-by-step instructions. This adaptability served her well in product management, where she learned that sometimes you need to let people vent before any productive conversation can occur.
Glenn's journey from academia to a customer-facing vendor role emphasized that becoming an effective communicator isn't accidental. It requires intentional effort and constant refinement, especially when dealing with audiences ranging from fresh-faced students to grant-wielding researchers.
The shift to remote work has only amplified the importance of clear communication. Text-heavy platforms like Slack have introduced new challenges in conveying nuance and managing generational differences in communication styles. The solution isn't just about choosing the right words — it's about knowing when to escalate from text to voice, how to distill complex reports into actionable insights, and finding the right balance between professional and personable.
In an industry stereotypically populated by technical "lone wolves", the reality is that cybersecurity's effectiveness hinges on collaboration and relationship building. Whether you're convincing executives to fund critical defenses or helping colleagues understand emerging threats, the ability to connect, explain, and persuade is as crucial as any technical skill.
The path to improved communication isn't about memorizing presentation techniques or mastering email templates. It's about developing emotional intelligence, learning to read your audience, and adapting your message while maintaining its essential truth. In the end, cybersecurity professionals may wield sophisticated tools, but our most powerful asset is the ability to make complex ideas accessible and actionable.
There are many more insights from the full discussion. It’s well-worth a listen.
Critical infrastructure powers the systems we rely on every day — electricity, clean water, transportation. But what happens when these systems are exposed to the internet, left vulnerable to remote attacks? As a new Censys report reveals, this is the growing reality, with 145,000 industrial control systems (ICS) exposed, including thousands of unsecured human-machine interfaces (HMIs).
These findings highlight a growing problem: internet-exposed HMIs, designed to make critical systems manageable, are becoming prime targets for attackers. Often unprotected, these interfaces give malicious actors direct access to operations making the implications profound — not just for cybersecurity professionals, but for society at large.
The Censys report uncovers significant exposure:
Real-world examples in the report, such as attacks in Pennsylvania and Texas, illustrate how attackers used exposed HMIs to manipulate water systems. These cases didn’t require advanced ICS expertise — just access to an insecure HMI.
For years, ICS security has focused on protecting specialized protocols like Modbus and DNP3. But the Censys report highlights the growing risk posed by low-hanging fruit like HMIs and remote access points, which attackers can exploit to bypass more complex systems entirely.
During the Summer of 2024, GreyNoise set up sensors emulating internet-connected HMIs to understand the attack traffic they receive. The results reinforce the urgency of securing these systems:
These findings align with the Censys report, demonstrating that HMIs and remote access points are critical insecurities that need immediate attention.
The Censys report and GreyNoise findings are clear: defending ICS environments requires a shift in focus. Here are key steps to take:
The exposures highlighted in the Censys report aren’t a technical problem — they’re societal. Critical infrastructure is the backbone of our modern world, and the risks posed by exposed systems are too great to ignore. The time to act is now: secure the basics, monitor for threats with real-time intelligence, and close the gaps attackers are exploiting.
GreyNoise is dedicated to expanding our visibility into ICS/OT environments by growing our fleet of sensors and profiles. As we enhance our coverage in 2025, we aim to provide even deeper insights to help defenders stay ahead of emerging threats. Contact us to learn more.
GreyNoise has discovered previously undisclosed zero-day vulnerabilities in IoT-connected live streaming cameras, leveraging AI to catch an attack before it could escalate. These cameras are reportedly used in sectors such as industrial operations, healthcare, and other sensitive environments like houses of worship, highlighting the urgent need for stronger cybersecurity defenses as the threat landscape continues to evolve.
This discovery was made possible after a GreyNoise honeypot detected an attempt to execute an exploit against it. An attacker had developed and automated a zero-day vulnerability exploit, using a broad-spectrum reconnaissance and targeting strategy to run it across the internet. However, the exploit hit GreyNoise’s global sensor network, where GreyNoise’s proprietary internal AI technology flagged the unusual activity. Upon further investigation, GreyNoise researchers discovered the zero-day vulnerabilities. Once exploited, attackers could potentially seize complete control of the cameras, view and/or manipulate video feeds, disable camera operations, and enlist the devices into a botnet to launch denial-of-service attacks.
This marks one of the first instances where threat detection has been augmented by AI to discover zero-day vulnerabilities. By surfacing malicious traffic that traditional tools would have missed, GreyNoise successfully intercepted the attack, identified the vulnerabilities, and reported them before they could be widely exploited. The company’s proactive approach, combining AI-powered detection with expert human analysis, proves that AI can dramatically accelerate the discovery of vulnerabilities — making the internet safer, one discovery at a time.
GreyNoise partnered with VulnCheck to responsibly disclose the flaws, tracked as CVE-2024-8956 and CVE-2024-8957.
View the full technical analysis and register now for GreyNoise’s expert panel webinar to learn more about the broader implications of these findings for security professionals.
The vulnerabilities impact NDI-enabled pan-tilt-zoom (PTZ) cameras from multiple manufacturers. Affected devices use VHD PTZ camera firmware < 6.3.40 used in PTZOptics, Multicam Systems SAS, and SMTAV Corporation devices based on Hisilicon Hi3516A V600 SoC V60, V61, and V63. These cameras, which feature an embedded web server allowing for direct access by web browser, are reportedly deployed in environments where reliability and privacy are crucial, including:
Affected devices are typically high-cost live streaming cameras, sometimes exceeding several thousand dollars.
GreyNoise found the affected cameras to be vulnerable to a range of potentially dangerous attacks. These vulnerabilities, if exploited, could potentially expose sensitive business meetings, compromise telehealth sessions, and disrupt cameras deployed in industrial settings, leaving organizations potentially exposed to data and privacy breaches.
Attacks like this are not new — in 2021, live feeds of 150,000 cameras inside schools, hospitals, and more were exposed. Vulnerable IoT devices are prime targets for attackers looking to add compromised devices to a botnet, like the infamous Mirai botnet.
Security teams today face an overwhelming number of alerts, many of which result from harmless internet activity like routine scans and benign traffic. With countless alerts pouring in daily, identifying threats becomes incredibly difficult, and many serious vulnerabilities can go unnoticed amid the noise.
This is where AI steps in. GreyNoise’s Sift, powered by large language models (LLMs) trained on vast amounts of internet traffic — including traffic targeting IoT devices — identifies anomalies that traditional systems may miss. Instead of just reacting to known threats, Sift excels at spotting new anomalies, threats that haven't been identified yet or don’t fit any known signatures.
Sift analyzes real-time internet traffic and enriches that data with GreyNoise’s proprietary datasets. It then runs the data through advanced AI systems, which help separate routine activity from potential threats. This process allows researchers to focus on truly meaningful threats without getting lost in the noise.
In this case, Sift flagged unrecognized traffic that had not been tagged as a known threat. This caught the attention of GreyNoise researchers, who further investigated the unusual traffic. Their investigation led to the discovery of two previously unknown zero-day vulnerabilities in live streaming cameras — highlighting how AI can transform the speed and accuracy of cybersecurity research.
“This isn’t about the specific software or how many people use it — it’s about how AI helped us catch a zero-day exploit we might have missed otherwise,” said Andrew Morris, Founder and Chief Architect at GreyNoise Intelligence. “We caught it before it could be widely exploited, reported it, and got it patched. The attacker put a lot of effort into developing and automating this exploit, and they hit our sensors. Today it’s a camera, but tomorrow it could be a zero-day in critical enterprise software. This discovery proves that AI is becoming essential for detecting and stopping sophisticated threats at scale.”
By rapidly filtering out irrelevant traffic, Sift gives human researchers a clear head start. Capable of sifting through millions of data points, it enables researchers to focus on critical threats in real-time. This combination of AI-driven anomaly detection and human-led investigation is essential in today’s fast-paced cybersecurity landscape, where attackers are constantly evolving their tactics. Without Sift’s machine learning capabilities, these vulnerabilities might have remained hidden.
GreyNoise’s discoveries shed light on a larger issue facing the rapidly growing IoT landscape. With nearly 19 billion IoT devices in operation globally, industrial and critical infrastructure sectors rely on these devices for operational efficiency and real-time monitoring. However, the sheer volume of data generated makes it challenging for traditional tools to discern genuine threats from routine network traffic, leaving systems vulnerable to sophisticated attacks. Last month, U.S. authorities dismantled a botnet that leveraged a variety of IoT devices, including IP cameras. IoT devices remain a prime target for attackers looking to exploit insecure design and functionality.
Organizations using VHD PTZ camera firmware < 6.3.40 used in PTZOptics, Multicam Systems SAS, and SMTAV Corporation devices based on Hisilicon Hi3516A V600 SoC V60, V61, and V63 should take immediate action to patch the discovered vulnerabilities and secure their systems.
VulnCheck alerted affected manufacturers to the flaws, only receiving a response from PTZOptics. The manufacturer released firmware updates addressing these flaws.
Read the GreyNoise Labs blog for technical analysis and deeper insight into how Sift helped discover these zero-day vulnerabilities.
Watch our expert panel take a deep dive into the technical details and strategic implications of this discovery to provide the context you need to better protect your organization.
Register now and learn how AI-driven cybersecurity is changing the status quo and how it can transform your security strategy.
A newly released report by Sophos reveals a sophisticated multi-year APT (Advanced Persistent Threat) campaign that exploited network perimeter devices, using both new and older vulnerabilities to infiltrate high-value targets. Beginning in 2018, the campaign’s actors leveraged advanced tactics, techniques, and procedures to target internet-facing devices belonging to government and critical infrastructure entities, and other high-value targets. The campaign demonstrates that APT actors are increasingly focusing on network perimeters — especially unpatched, internet-facing devices like VPNs, routers, and other edge infrastructure — as prime entry points for further compromise.
“This campaign is a wake-up call about just how serious the threat to edge devices really is,” said Andrew Morris, Founder and Chief Architect at GreyNoise Intelligence. “Attackers are getting in through overlooked devices, deploying rootkits at the firmware level, and persisting on everything from routers to security cameras to HVAC systems and digital signage. And here’s the thing: detecting this kind of persistence today is incredibly tough. Major device platform vendors have entire teams dedicated to rooting out these threats on PCs, and it’s still a struggle. So, imagine trying to detect and defend against this level of sophistication on an embedded device like a router or a modem — almost no chance.”
At GreyNoise, we observe perimeter-focused attacker behavior across a range of vulnerabilities, both new and resurgent, providing us with a unique view of these threats as they unfold. This blog unpacks key strategic insights from the campaign, explains why network perimeter exploitation should be a top security focus, and provides actionable steps to help security teams stay one step ahead. We’ll explore some of the actively probed CVEs associated with this campaign, the ongoing risks of unpatched devices, and practical ways to mitigate exposure using real-time intelligence.
GreyNoise is proud to have contributed to Sophos’ research and we encourage you to read the full report. In an effort to aid in exposure mitigation efforts, GreyNoise is providing the following information to defenders:
The Sophos report details a sophisticated campaign beginning in 2018, where attackers initially targeted Cyberoam, an India-based Sophos subsidiary. Using intelligence gathered from Cyberoam, along with additional development, the attackers attempted mass exploitation to build a network of operational relay boxes (ORBs). However, after largely failing in this due to detection, they shifted tactics to remain under the radar, focusing exclusively on a small number of high-value targets. This more targeted approach enabled them to infiltrate select government agencies, critical infrastructure, and influential organizations such as embassies. This campaign underscores how APTs adapt and leverage both collected intelligence and advanced tradecraft to achieve their strategic goals.
The attackers exhibited patience and adaptability, evolving their approach from broad, indiscriminate scanning to targeted reconnaissance and exploitation. Their tactics included custom rootkits, firmware-based persistence, and sophisticated command-and-control channels, like ICMP tunneling and proxy chains, enabling long-term, stealthy access to compromised networks. This combination of large-scale scanning followed by focused exploitation demonstrates how attackers systematically identify and prioritize vulnerabilities on perimeter devices to achieve their objectives.
This campaign highlights how perimeter devices — including VPNs, routers, and other internet-facing systems — serve as critical points of entry for attackers. Although these devices are essential to network operations, ensuring timely patching can be challenging due to the business impact of taking these systems offline, making them attractive targets for attackers seeking to exploit this operational challenge.
GreyNoise’s data consistently shows that perimeter devices draw significant reconnaissance and scanning activity from malicious IPs probing weak points. Our real-time intelligence captures how attackers conduct broad scans across these devices, identifying which ones might be vulnerable to exploitation.
This heatmap highlights the volume of malicious IPs actively targeting high-profile systems leveraging CVEs related to the campaign, illustrating the intensity of reconnaissance and exploitation and offering critical insights for prioritizing defenses around these devices.
Security professionals should regularly audit and patch all high-profile systems that are internet-facing, especially those with widely known vulnerabilities. Leveraging IP blocklists allows security teams to intercept and block scanning activity on these endpoints, helping to prevent initial access and reduce perimeter risks.
While newer vulnerabilities often dominate security headlines, this campaign underscores that attackers frequently exploit older vulnerabilities as well. Over 35% of the CVEs in Sophos' Database of Network Device CVEs were released before 2020, with 95% of them included in CISA’s Known Exploited Vulnerabilities (KEV) catalog — a vital resource for tracking high-risk vulnerabilities. Despite available patches, these CVEs often remain unpatched on many perimeter devices, making them easy targets for attackers.
Re-evaluate patching priorities to include older vulnerabilities that impact perimeter devices. GreyNoise’s CVE tracking provides insights into which resurgent vulnerabilities see active targeting, allowing teams to focus on high-risk vulnerabilities that are exploited repeatedly. Older vulnerabilities continue to present significant risk if left unpatched, particularly on perimeter devices.
According to the Sophos report, the attackers initially began their campaign with broad, indiscriminate scanning to locate vulnerable devices before refining their focus to specific, high-value targets. This phased approach demonstrates how attackers leverage large-scale reconnaissance to identify weak entry points and then shift to targeted exploitation.
GreyNoise’s real-time data on reconnaissance trends offers visibility into this broader phase, capturing which high-profile CVEs attackers are actively probing across devices. This data reveals where attackers focus their scanning efforts on the network perimeter, providing early indicators of which vulnerabilities are most at risk.
The precision and patience of this APT campaign send a clear message: perimeter devices remain prime targets, and unpatched vulnerabilities continue to offer attackers a simple path to network entry. The campaign reinforces the need for security professionals to maintain real-time visibility into these threats — both legacy CVEs and active reconnaissance of network devices.
By monitoring attacker behavior and focusing on high-risk vulnerabilities, teams can take concrete steps to strengthen their defenses against persistent, sophisticated attacks.
We know that many organizations are working diligently to assess their exposure, analyze logs, and manage vulnerabilities following this APT campaign. To aid in this effort, GreyNoise is providing all users — both paying and free — 14 days of access to real-time exploitation data for the CVEs associated with this threat. Our goal is to help security teams stay informed and make it easier to track active exploitation.
----
Noah Stone contributed to this writeup in collaboration with GreyNoise Research. Stone is Head of Content at GreyNoise Intelligence, where he leads strategic content initiatives that illuminate the complexities of internet noise and threat intelligence. In past roles, he led partnered research initiatives with Google and the U.S. Department of Homeland Security. With a background in finance, technology, and engagement with the United Nations on global topics, Stone brings a multidimensional perspective to cybersecurity. He is also affiliated with the Council on Foreign Relations.
A joint U.S. and UK advisory has identified 25 vulnerabilities tied to an exploitation campaign by Russia state-sponsored threat actors, specifically APT 29 — the group behind the infamous SolarWinds hack. GreyNoise actively tracks 12 of the 25 vulnerabilities mentioned in the advisory. To provide real-time, actionable context, GreyNoise has detected that nine of these vulnerabilities are being actively probed by attackers, offering critical insights for organizations to prioritize their defenses.
Given the real-time nature of GreyNoise’s observations, the set of actively targeted vulnerabilities is likely to change over time. Please check the GreyNoise Visualizer for the latest information.
GreyNoise observes internet traffic via its global network of sensors and honeypots, allowing it to track and classify behavior as malicious or benign.
While the advisory outlines 25 vulnerabilities, GreyNoise is uniquely positioned to provide real-time insights, identifying the nine CVEs currently being probed. These active scans are part of mass, opportunistic efforts, a tactic commonly used by threats actors like APT 29 (Cozy Bear), although GreyNoise does not attribute malicious activity directly.
Of the 12 GreyNoise-tracked CVEs mentioned in the joint advisory, GreyNoise observes exploitation or reconnaissance activity across the following:
These vulnerabilities cover a wide range of products critical to business operations and infrastructure, making this real-time data invaluable for defenders to prioritize patching.
In the joint advisory, the agencies highlighted the threat of mass opportunistic scans and the focus thereof by Russian intelligence:
“This mass scanning and opportunistic exploitation of vulnerable systems, as opposed to more targeted operations, increase the threat surface to include virtually any organization with vulnerable systems.
The SVR [Russian Foreign Intelligence] takes advantage of opportunistic victims to host malicious infrastructure, conduct follow-on operations from compromised accounts, or to attempt to pivot to other networks.”
The advisory comes at a time when attackers are increasingly relying on mass opportunistic scanning to compromise organizations, making it critical that organizations leverage real-time intelligence showing when and where attackers are engaged in reconnaissance and exploitation activity.
For more details, read the full U.S. and UK report here.
(This is the conclusion of our four-part series on "Understanding the Election Cybersecurity Landscape".)
Thanks to the emergence of powerful new AI-infused tools, a new battleground for democracy has emerged — one that does not rely on physical conflict but on the manipulation of information. Deepfakes and disinformation campaigns have become potent weapons, threatening the integrity of democratic processes. These sophisticated techniques not only mislead the public but also sow discord, making it increasingly difficult to distinguish truth from falsehood.
Deepfakes — a.k.a., hyper-realistic, artificially generated or manipulated videos or audio recordings — have advanced to a level where even seasoned experts struggle to differentiate them from authentic media. Combined with disinformation campaigns, these tools can spread false narratives at alarming speed and scale.
The January 2024 New Hampshire primary was a wake-up call. Voters received robocalls featuring an AI-generated voice impersonating President Joe Biden, urging them to abstain from voting in the primary. Instead, the message encouraged them to save their vote for the general election. This incident is a single, yet stark, example of how domestic actors are utilizing advanced technologies to manipulate voters and disrupt electoral processes.
Disinformation campaigns thrive in online platforms, from social media to fake news websites. Both domestic and foreign actors — including Russia, China, and Iran — are involved in these efforts, as highlighted by the Intelligence Community's 2024 Annual Threat Assessment. Their goal is simple but destructive: to exacerbate societal divisions and influence voter perceptions.
In a recent case, the Department of Justice foiled a Russian-sponsored operation that aimed to sway voters by creating fake news sites that closely mimicked legitimate media outlets. Such tactics demonstrate the lengths to which bad actors will go to infiltrate and corrupt the information ecosystem.
Disinformation and deepfake technologies threaten to destabilize democratic institutions in several ways:
In response to these escalating threats, Senator Mark R. Warner has called for decisive action. In a letter to the Cybersecurity and Infrastructure Security Agency (CISA), Warner outlined the critical need for state and local election officials to be equipped with the tools to counter disinformation and deepfakes. These officials are often voters' most trusted sources of election information, but they operate with limited resources and staff.
Warner urged CISA to strengthen its support for local election administrators and advocated for collaboration across government agencies, technology companies, academic institutions, and international allies to combat the spread of disinformation. Only through coordinated efforts can we build the resilience necessary to defend democratic processes.
As technology continues to evolve, so too does the potential for its misuse. Deepfakes and disinformation campaigns are not just technological novelties; they are deliberate attempts to distort reality and undermine the public’s trust in elections. To safeguard democracy, proactive measures must be taken:
The threat posed by deepfakes and disinformation campaigns is real and growing. As technology advances, so does the potential for misuse by those seeking to disrupt democratic processes. By raising awareness, promoting media literacy, and fostering collaboration between government, private sectors, and international allies, we can protect the integrity of our elections and ensure that democracy endures in the digital age.
Now is the time to act. The future of democracy depends on our collective ability to respond to these new challenges. Let's safeguard the truth and uphold the trust that is the foundation of democratic society.
GreyNoise’s honeypots have been actively monitoring exploit attempts targeting the SolarWinds Serv-U vulnerability (CVE-2024-28995), revealing exactly what files attackers are after. From key system files to credential-containing configuration files, our data shows how attackers are scanning for vulnerable systems in real time.
GreyNoise interacts directly with attackers through its honeypots, providing verifiable, firsthand data. This gives security teams a clearer, more accurate picture of real-time threats, allowing them to cut through the noise and focus on what's truly malicious.
(This is part three in our "Understanding the Election Cybersecurity Landscape" series.)
As we rapidly approach the 2024 U.S. elections, the human element remains one of the most vulnerable aspects of our electoral system. While technological defenses continue to evolve, state actors and cybercriminals in general are increasingly turning to phishing and social engineering tactics to exploit human psychology and gain unauthorized access to sensitive information or systems. These attacks pose a significant threat to election integrity by targeting election officials, campaign staff, and voters alike.
Phishing attacks during election seasons often exploit the heightened emotions and time pressures associated with political campaigns. Attackers craft convincing emails, text messages, or social media posts that appear to come from trusted sources such as election boards, political parties, or candidates themselves. These messages typically create a sense of urgency or importance to prompt quick, unthinking responses from targets.
For example, an election official might receive an email that appears to be from a voting machine vendor, claiming there's a critical security update that needs immediate attention. The email could contain a malicious link or attachment that, when clicked, installs malware or captures login credentials. Similarly, voters might receive text messages with false information about polling place changes or registration requirements, containing links to fraudulent websites designed to steal personal information.
Social engineering attacks go beyond simple phishing by leveraging more complex psychological manipulation. These attacks often involve multiple touchpoints and can unfold over extended periods, making them particularly insidious.
In the context of elections, a social engineering attack might involve an attacker posing as an IT support technician, contacting county election workers with offers of assistance. Over time, the attacker builds trust and may eventually request remote access to systems or sensitive information under the guise of providing support. This type of attack exploits the often-overworked and under-resourced nature of many local election offices.
Another common tactic is impersonating authority figures. An attacker might pose as a high-ranking election official or party leader, using this perceived authority to pressure lower-level staff into bypassing security protocols or divulging confidential information.
The consequences of successful phishing and social engineering attacks can be far-reaching. A single compromised account or system can serve as an entry point for broader network infiltration, potentially leading to:
Moreover, even unsuccessful attacks can erode public confidence in the electoral process. The mere perception that election systems or officials might be compromised can fuel doubts about election integrity, which could be especially problematic this year.
Mitigating the risks posed by phishing and social engineering requires a multi-faceted approach that combines technological solutions with robust human training and awareness programs.
As we move ever closer to the 2024 elections, the sophistication of phishing and social engineering attacks is likely to increase. The rise of AI-generated content, including deepfakes, will make it even more challenging to distinguish legitimate communications from fraudulent ones (something we will cover in the final installment).
However, by focusing on the human element – both in terms of vulnerabilities and strengths – we can build a more resilient election security ecosystem. Empowering election officials and voters with knowledge and critical thinking skills is our best defense against these evolving threats.
The integrity of our elections depends not just on secure technology, but on a vigilant and informed populace. By recognizing the central role of human factors in election security, we can work towards elections that are not only technologically sound but also trusted and resilient in the face of increasingly sophisticated attacks.
Censys and GreyNoise teamed up for the last three months to shed new light on the real-world threats facing internet-exposed industrial control systems (ICS). At LABSCon 2024, they shared their findings, challenging some long-held assumptions about ICS security.
Earlier this year, Censys researchers identified over 40,000 internet-connected ICS devices in the U.S., including over 400 human-machine interfaces (HMIs). Many of these interfaces required no authentication at the time of observation. HMIs provide easy-to-understand and easy-to-manipulate interfaces, which make them low-hanging targets for threat actors seeking to disrupt operations. Given the relative ease of manipulation, we were curious about the actual attack traffic such interfaces receive.
To conduct preliminary research, GreyNoise set up hyper-realistic emulations of internet-connected HMIs for critical control systems, camouflaging them by geography and ASNs. Glenn Thorpe, Sr. Director, Security Research & Detection Engineering at GreyNoise analyzed forty-five days of data for these surprising and concerning findings:
This research highlights a potential disconnect between perceived risks and actual threat actor behavior toward internet-exposed ICS. While the industry has long focused on securing ICS-specific communication protocols, the more pressing threat may lie in more common, easily exploitable entry points like remote access services. The swift targeting suggests a prioritization for probing such devices online.
This research underscores the critical importance of securing remote access services as a frontline defense for ICS environments. The relative ease of targeting these generic entry points may often render the exploitation of specialized ICS protocols unnecessary.
GreyNoise and Censys intend to continue this research to learn more based on these experimental findings.
(This is part two in our "Understanding the Election Cybersecurity Landscape" series.)
State-sponsored actors play a critical role in election interference, employing a range of tactics to undermine the integrity of the electoral process. These actors, often backed by powerful nations like Russia, China, and Iran, have the resources and motivation to conduct sophisticated attacks that can erode public trust in elections.
State-sponsored actors engage in various activities interfering with elections, including cyberespionage, disinformation campaigns, and direct attacks on election infrastructure. Cyberespionage involves the theft of sensitive information, such as voter data or campaign communications, which can be used to influence public opinion or blackmail candidates. Disinformation campaigns, often conducted through social media, aim to spread false or misleading information to manipulate voter perceptions and sow discord. For example, Russia has been known to use fake personas and highly networked accounts to spread hyper-partisan themes effectively and quickly.
Direct attacks on election infrastructure are also a concern, as they can disrupt the voting process and undermine the integrity of election results. This includes attempts to gain physical or digital access to election systems, which can compromise their confidentiality, availability, or integrity. For instance, the Justice Department recently indicted two Russian propagandists associated with the state-funded media outlet RT for allegedly engaging in money laundering and channeling nearly $10 million to a right-leaning media organization.
We've also seen evidence of a recent suspected Iranian attack against the campaign of Republican presidential nominee Donald Trump, potentially resulting in the theft of internal campaign documents. The FBI is investigating the matter, as well as attempts to infiltrate President Joe Biden's reelection campaign, which became Vice President Kamala Harris' campaign after Biden dropped out of the race.
The activities of state-sponsored actors in election interference have significant implications for democratic societies. By undermining public trust in the electoral process, these actors can erode the legitimacy of governments and create social divisions. For example, research suggests that election interference campaigns can intensify internal divisions within a target state, making it harder for the political establishment to agree on priorities, implement policy, and respond to challenges from foreign actors.
To counter the threats posed by state-sponsored actors, it is essential to understand their methods and recognize the signs of such interference. This includes investing in cybersecurity efforts for political campaigns, encouraging social media companies to remove deceptive or hateful posts, and passing legislation requiring online political ads to adhere to certain standards of truthfulness. Additionally, election officials should take steps to harden infrastructure against common attacks, utilize account security tools, and rehearse incident response plans.
Understanding the methods of state-sponsored actors and recognizing the signs of such interference is crucial in developing robust defenses. By investing in cybersecurity, promoting transparency in political advertising, and enhancing election infrastructure security, we can mitigate the risks posed by these actors and protect the integrity of democratic elections.
We've put together the following list of resources to help folks further understand and defend against this very real and present threat:
Recent Influence Operations: Recent foreign influence operations have been identified, including those perpetrated by Russia, China, and Iran, which have been accused of conducting complex campaigns to manipulate U.S. politics.
We're excited to share a groundbreaking new blog post from our Labs team that dives deep into the world of Bluetooth Low Energy (BTLE) device identification and vulnerability research. In "BLUUID: Firewallas, Diabetics, And... Bluetooth," our very own Remy explores the fascinating and often overlooked realm of BTLE security.
This comprehensive analysis covers everything from building a BTLE Generic Attribute (GATT) Universally Unique Identifiers (UUIDs) database to remotely identifying Bluetooth devices for vulnerability research. Remy doesn't just stop at theory – he demonstrates real-world implications by uncovering and responsibly disclosing vulnerabilities in Firewalla firewall products.
But why should you care about BTLE security? As Remy points out, the impact extends far beyond just privacy concerns. Recent incidents involving BTLE-enabled insulin pumps highlight the potential for physical harm when these systems are compromised or malfunction.
In this blog, you'll learn:
Whether you're a cybersecurity professional, IoT enthusiast, or simply curious about the hidden world of Bluetooth, this blog post offers valuable insights and practical techniques you won't want to miss.
Ready to dive in? Head over to the GreyNoise Labs blog to read the full article and expand your understanding of BTLE security and its far-reaching implications.
Last week at BSidesLV, I had the privilege to explore the complexities of the CISA's Known Exploited Vulnerabilities (KEV) Catalog. This vital resource aids organizations in understanding which vulnerabilities are actively exploited and how to prioritize remediation efforts effectively.
Here, I’ll share three key insights from my analysis that can enhance vulnerability management strategies.
The full talk (it's only 20 minutes, but I clearly could have used 30!) can be found here, and the slides and dataset used can be found here.
The average age of CVEs added to the KEV decreases over time. In 2023, which we consider the first full baseline year, most vulnerabilities were added within the first week of their assignment. This trend suggests not only are vulns being exploited faster (we know this) but also improved information sharing and partnerships between CISA and other organizations.
Additionally, the shift towards younger CVEs being added to KEV is encouraging as it indicates that the security community is becoming more proactive in identifying exploitation. For organizations, this means staying vigilant and ready to respond quickly to newly disclosed vulnerabilities, as they're more likely to be added to the KEV shortly after discovery.
A lesser-known aspect of the KEV data is that it's not static.
In October 2023, CISA added a field called "known ransomware campaign use" to the catalog. We found that this field is updated silently and can change from "unknown" to "known" without fanfare. From October 2023 → July 2024, this field was updated 41 times.
Research suggests that vulnerabilities flagged for known ransomware use are patched 2.5 times faster; this makes sense given the significant financial and operational impacts of ransomware attacks. Organizations should pay close attention to this field and regularly check for updates. It goes without saying that if a vulnerability in your environment is flagged for known ransomware use, it should be prioritized for patching immediately.
Another interesting finding is that by considering two data points from within the KEV, you can discern a “level of concern” that organizations can use to make more informed decisions about which vulnerabilities to address first when resources are limited.
1. The time that is given to fix the vulnerability.
Early on, the time to fix a vulnerability was either 14 or 180 days. Shortly after the Russia/Ukraine war, CISA seemed to adjust to a 21-day fixed period. However, if you look at the bottom right of the plot, you'll notice that there have been a handful of vulnerabilities with even shorter fix timelines in the last year.
2. The day of the week the vulnerability was added to the KEV.
Interestingly, the day of the week a vulnerability is added can be telling. In the past year+, there have only been two drops on a Friday, and both had a time to fix of 7 days (a time to fix of 7 days has only happened six more times). Overall, the time to fix has standardized to 21 days for most entries, but shorter timeframes indicate higher-priority vulnerabilities.
To summarize, although the KEV catalog is mainly intended for government use, it provides valuable insights for prioritizing vulnerabilities. Cybersecurity professionals can enhance their remediation efforts by analyzing patterns such as vendor dominance, time given to fix, the day of the week an issue was added, and any changes to the ransomware field.
Again, the full talk can be found here, and the slides and dataset can be found here.
All of my friends (and my bathroom scale, honestly) will tell you that I love tortillas. Not just any tortillas, however…they have to be homemade. I make sure we have homemade tortillas every week and keep them in the fridge. They are better than anything you can buy in a store, and they are simply amazing when they are hot off the comal. My kids know this; when they see the comal on the stove, they make a point of hanging around the kitchen to snag one (often a few!) while they are fresh because they understand that freshness is everything for tortillas.
In just the first 6 months of 2024, we’ve seen over 2,000 remotely exploitable, no-authentication-necessary CVEs be published. These are the kinds of vulnerabilities that are exploited on the Internet - via APTs and criminals or botnets driving mass exploitation - every minute of every day. This is a huge amount to deal with, and what we’ve seen this year is that they are occurring more frequently on edge devices that don’t have many mitigating controls to protect them. When these things happen, it forces security teams to drop what they are doing and scramble for a fix.
There are many existing vulnerability prioritization solutions that can help by including information like “Known Exploits Available” or “In the Wild”. The issue is that these attributes quickly become stale. Technically, a snippet of proof-of-concept code is an available exploit, but it isn’t the same as a mass exploitation attack by a criminal organization. A hard-to-exploit race condition that requires a lot of time and effort might be “In the Wild”, but that doesn’t require the same urgency to fix as something an actor is actively exploiting today. In many ways, these attributes (in addition to CVSS Base Scores, Vendor bulletins, etc) are like stale tortillas - edible but ultimately unsatisfying.
At GreyNoise we believe that security teams deserve actionable information that is fresh enough to know what attackers are doing right now, so that they can respond with the speed and urgency required. Consequently, today we’re launching GreyNoise for Vulnerability Prioritization to give our customers exactly that.
We run a global network of thousands of sensors that emulate the types of assets enterprises have exposed to the Internet: web servers, network gear, etc. We see when attackers and bots start probing them, and we collect the data as they are attacked in real-time. We compare this against known bad behaviors and known IPs; our ML models are even capable of alerting us to unknown but suspicious or malicious activities that are the hallmarks of novel exploits. This is all unique, primary data that we collect rather than simply aggregating from third-party sources. In other words, we make fresh tortillas from scratch rather than just reselling ones we bought from a supermarket.
As we collect this information, we make it immediately available via our Visualizer for ad-hoc usage and through our API for inclusion in your existing automation. We ensure that information is always fresh, so that you can get the most up-to-date intel for as long as you need until you fix the problem.
There are many good vulnerability prioritization tools out there, but we believe that only we can tell vulnerability teams which CVEs need attention now based on what attacks are actually happening today. Because Vuln Intel is based on all the same data that powers GreyNoise, you’ll also be able to share what you know seamlessly with your SOC analysts and threat hunters.
We think you’ll enjoy having fresh and actionable information with Greynoise Vulnerability Prioritization. You can visit our website to learn more or schedule time to talk with us directly.
I know you’ll also love having fresh and delicious tortillas, so please enjoy this recipe. I look forward to hearing from you about both!
Ingredients:
For example, I find 300gm (4 x 75gm) flour + 75gm lard (1 x 75gm) + 8gm salt (.1 x 75gm) mixed with 150gm (2 x 75gm) hot water makes 8 burrito-sized or 12 fajita-sized tortillas.
Instructions:
Eat them soon — they will be unbelievably good for 60 minutes, very good the rest of the day, and better than anything you can buy in the store for at least a week if you keep them in the fridge.
As we edge closer to the 2024 U.S. elections, the cybersecurity landscape surrounding this crucial event is more complex and dynamic than ever. The sheer variety of targets, tactics, and threats highlights the immense challenge of securing our democratic process. From state-sponsored entities to cybercriminals and hacktivists, a multitude of actors are ready to exploit any vulnerabilities they can find. Understanding this broad landscape is essential for grasping the challenges we face and appreciating the efforts required to safeguard our elections.
To help reduce any confusion, and provide some solid guidance, we’ve put together a multipart series that we’ll be releasing over the coming weeks. The goal is to help folks understand what’s truly at-risk, along with helpful things you can do to join in the efforts to maintain and increase the cyber safety and resilience of America’s elections. We’re starting, today, with an overview of who and what is truly at risk, along with a high-level review of the adversaries and tactics in play. Over the remaining series, we’ll tackle:
Let’s dive in!
When we think about election security, our minds often jump to voting machines and voter registries. While these are certainly critical, the attack surface extends far beyond them. Political campaigns, for instance, rely heavily on digital infrastructure, including websites, email systems, and databases. These elements are prime targets for cyber intrusions and disinformation campaigns designed to disrupt operations and erode public trust. Political parties, too, are vulnerable, with adversaries seeking to steal sensitive information or create chaos within their ranks.
News and social media platforms also play a crucial role in the election process. Unfortunately, they are frequently exploited to spread disinformation and sow discord among voters. Manipulating these platforms can have far-reaching consequences, influencing public opinion and undermining the democratic process. Election management systems, responsible for counting, auditing, and reporting results, are also critical targets. Ensuring the integrity of these systems is paramount to maintaining the credibility of the electoral outcome.
The tactics employed by threat actors are as diverse as the targets they pursue. Traditional cyber intrusions, such as phishing and spear phishing, remain prevalent, allowing adversaries to gain unauthorized access to sensitive systems and data. Distributed denial of service (DDoS) attacks aim to disrupt the availability of critical election-related websites and services, potentially causing widespread confusion and delays. Ransomware, which involves encrypting critical data and demanding payment for its release, poses a significant threat to election infrastructure, with the potential to cripple essential operations.
While most voting machines are not directly connected to the internet, they are still vulnerable to internet-based attacks through indirect means. For example, voting machines must accept electronic input files from other computers, such as ballot definition files prepared on Election Management System (EMS) computers. If these EMS computers are compromised, they can introduce fraudulent data or malicious code into the voting machines. This indirect connection to the internet creates a potential attack vector that sophisticated adversaries could exploit.
Recently, the rise of deepfakes and disinformation has added a new layer of complexity to the cybersecurity landscape. The use of AI-generated content to mislead voters and manipulate public opinion has become increasingly sophisticated, making it harder to discern truth from falsehood. These tactics are not only disruptive, but also corrosive, eroding trust in the electoral process and the institutions that support it.
The actors behind these threats are varied, each with distinct motivations and capabilities. State-sponsored actors, including nations such as Russia, China, Iran, and North Korea, have been identified as significant threats. These entities aim to undermine U.S. elections to destabilize the country and influence its policies. Their sophisticated operations often involve a combination of cyber intrusions, disinformation campaigns, and other tactics designed to achieve strategic objectives.
Cybercriminals, on the other hand, are typically motivated by financial gain. They may deploy ransomware or sell stolen data on the “dark web”, exploiting vulnerabilities for profit. Hacktivists, driven by ideological beliefs, seek to promote their political agendas by disrupting election processes or exposing perceived injustices. While their methods may differ, the impact of their actions can be equally damaging.
Understanding the broad landscape of election cybersecurity threats plays a significant role in helping us grasp the complexity and scope of the challenges faced. This knowledge helps the public appreciate the efforts required to secure elections and underscores the importance of vigilance and proactive measures.
As we approach the 2024 elections, enhanced security measures, such as implementing multifactor authentication and conducting regular vulnerability assessments, are vital. Public awareness and education about common disinformation tactics can help mitigate the impact of false information. At the same time, collaboration and information sharing between federal, state, and local agencies, as well as private sector partners, are essential for a coordinated response to emerging threats.
By comprehending and addressing the diverse array of threats, tactics, and actors in the election cybersecurity landscape, we can better protect the integrity of our democratic processes and ensure that every vote counts.
Discover the latest findings from GreyNoise Labs as we delve into a perma-vuln plaguing the D-Link DIR-859 router. In our newest blog post, "Perma-Vuln: D-Link DIR-859, CVE-2024-0769," we uncover the intricacies of CVE-2024-0769, a path traversal vulnerability affecting D-Link DIR-859 WiFi routers, leading to information disclosure.
The exploit's variations, including one observed in the wild by GreyNoise, enable the extraction of account details from the device. The product is End-of-Life, so it won't be patched, posing long-term exploitation risks. Multiple XML files can be invoked using the vulnerability.
Click here to see the details and interesting payload that Sift has identified.
On June 5, 2024, SolarWinds published an advisory detailing CVE-2024-28995 - a path-traversal vulnerability in Serv-U, discovered by Hussein Daher. Our Labs team - with our brand new deception engineer - seized this opportunity to deploy a new honeypot they've been working on. It's supposed to look more real - and vulnerable! - than past honeypots.
They show off all kinds of information gleaned from their honeypot - who's attacking it, what files they're trying to steal, how often they come back, and more.
They actually managed to capture a live attacker making several copy/paste mistakes, and attempting to correct the exploit only to foul it up again! They track the attacker's progress over the course of 4 hours, including one instance where they sent the completely wrong exploit (which happens to be for an unpatched vulnerability!).
Check out the full blog on GreyNoise Labs to learn more about this vulnerability and our observations.
Please update your search term or select a different category and try again.