The bottom line: Two critical Ivanti zero-days (CVE-2025-4427 and CVE-2025-4428) are now being actively exploited after a surge in scanning activity last month. Immediate patching is required.

‍

Why It Matters

When chained together, these vulnerabilities enable unauthenticated remote code execution on Ivanti Endpoint Manager Mobile (EPMM) systems. In April, we warned about a 9x surge in scanning against Ivanti products — that reconnaissance has now transitioned to exploitation.

‍

The Vulnerabilities

• CVE-2025-4427 (CVSS: 5.3): Authentication bypass via improper validation sequence
• CVE-2025-4428 (CVSS: 7.2): Remote code execution through Expression Language injection

How they work: The flaws target the /api/v2/featureusage and /api/v2/featureusage_history endpoints. Input validation occurs before authentication checks, allowing attackers to inject malicious code without credentials.

‍

What We're Seeing

• Small number of attempts to exploit CVE-2025-4427 from one IP address — 212.102.51.249 — on 2025-05-16 (~02:30 GMT), but only attacking our Ivanti sensors, so the attacks are unlikely to be random/opportunistic in nature
• Pattern follows predicted reconnaissance → exploitation lifecycle
• Activity tracked via our CVE-2025-4427 🏷️ 

‍

Who Discovered It

Credit to Project Discovery and WatchTowr for their excellent technical analysis:

• Project Discovery revealed validation precedes authorization in Spring MVC's workflow
• WatchTowr provided detailed proof-of-concept exploits showing the order-of-operations issue

Affected Versions & Patches

Vulnerable:

• 11.12.0.4 and earlier
• 12.3.0.1, 12.4.0.1, 12.5.0.0

‍

Patched:

• 11.12.0.5, 12.3.0.2, 12.4.0.2, 12.5.0.1

‍

Take Action Now

1. Patch immediately to fixed versions
2. Review logs for suspicious API activity
3. Implement WAF rules if patching is delayed
4. Hunt for IOCs focusing on unusual API access patterns

‍

The Big Picture

This case demonstrates why monitoring scanning trends provides early warning of attacks. The exploitation activity is currently limited, but will likely accelerate as more threat actors incorporate these vulnerabilities into their toolkits.

Organizations with Portal ACLs or WAF restrictions have reduced exposure, but patching remains the only complete solution.

‍

GreyNoise is developing an enhanced dynamic IP blocklist to help defenders take faster action on emerging threats. Click here to learn more or get on the waitlist.

‍

‍

Key Insight: Why This Matters

The 2025 DBIR highlights a critical area of importance for vulnerability management teams: edge vulnerabilities. 

Exploitation of edge vulnerabilities in breaches has surged eightfold. Yet, nearly one in three edge KEVs remain fully unpatched — despite being widely recognized as critical risks.

This isn’t a matter of awareness (they’re on CISA’s KEV). It’s about action and prioritization. Real-time intelligence is a must in this situation, giving insight into what attackers are targeting now — ensuring the most pressing threats are identified and resolved quickly. 

This year’s DBIR findings necessitate swift action on the part of defenders, particularly as it relates to edge exploitation. 

‍

Executive Summary 

New findings from the 2025 Verizon Data Breach Investigations Report (DBIR) reveal a critical shift in how attackers breach organizations — and how defenders are simultaneously making strides and falling short:  

‍

Speed and Awareness:

• Exploitation of edge KEVs begins immediately — the median time from disclosure to mass exploitation for edge KEVs is zero days, compared to five days for all KEVs. 
• Defenders are prioritizing edge vulnerabilities more than others:
  
  • 54% of edge KEVs were remediated, compared to 38% of all KEVs.
  • Median time to remediate edge KEVs was 32 days, faster than the 38-day median for all KEVs. 
• ‍This presents a concerning duality — on one hand, time-to-exploit for edge vulnerabilities is zero days; meanwhile, it takes defenders an average of 32 days to remediate these flaws. This significant window of exposure represents a critical risk for most organizations on their edge.

‍

Scale: 

• Vulnerability exploitation is second only to credential theft as a means of breaching organizations.  
• Edge vulnerabilities were used in 22% of breaches involving vulnerability exploitation — an eightfold increase from 3% last year. 

‍

Action Gap: 

• Despite this prioritization, nearly one in three edge KEVs remain fully unremediated — the highest rate of full non-remediation among CVEs and KEVs tracked in the DBIR. 

‍

GreyNoise research reveals a deeper complication: Old edge vulnerabilities are resurging, magnifying the risks defenders face. 

‍

Vulnerability Exploitation Is a Growing Breach Method — and Edge Vulnerabilities Are Central

Vulnerability exploitation is rising as a breach method — and edge vulnerabilities, in particular, are being exploited far more often to break into organizations. 

The Verizon DBIR shows: 

• One in five breaches involved vulnerability exploitation, a 34% rise from last year — second only to credential theft. 
• Among those breaches, exploitation of edge vulnerabilities surged eightfold. 

Despite heightened attention, edge KEVs remain the most likely vulnerabilities to be left unpatched — even though they are already recognized as critical risks. 

This points to a widening gap between risk awareness and defensive action. 

‍

GreyNoise Research Reveals the Growing Risk of Vulnerability Resurgence

The DBIR highlights how quickly attackers exploit vulnerabilities — especially those in edge technologies. 

GreyNoise research reveals a deeper problem: attackers also return to older edge vulnerabilities defenders may have deprioritized. 

• Edge vulnerabilities are already slipping through defenders’ patching efforts. 
• GreyNoise observes attackers opportunistically reviving overlooked vulnerabilities — creating unexpected exposure long after the initial disclosure fades from focus. 

Our research uncovered that resurgent vulnerabilities follow three main attack patterns, visualized as follows (read the full report here): 

‍

Static patching models, focused on CISA KEV, CVSS, and EPSS alone, can miss these shifts. 

Dynamic, exploitation-driven intelligence can reveal when old vulnerabilities become active risks again — cutting through the complex attack patterns above by relying on near real-time alerts of heightened activity. 

‍

Resurgence Disproportionately Affects the Edge 

Our analysis revealed that half of the top exploited resurgent vulnerabilities affect edge assets — with 70% of Black Swans, the most unpredictable class of resurgent flaws, affecting the edge. 

‍

The DBIR and GreyNoise research indicate that edge assets are becoming one of the most attractive targets for attackers. 

‍

What Defenders Must Do

Today’s edge threat environment demands a new approach: 

• Prioritize vulnerabilities based on observed, active exploitation, not just severity ratings. 
• Continuously monitor for resurgence — because old threats can quietly reemerge.
• Adopt dynamic, real-time intelligence models that evolve with attacker behavior. 
• Dynamically block threats with real-time intelligence. Attackers are pivoting infrastructure, utilizing trusted IPs to engage in reconnaissance and launch attacks at scale — limiting the effectiveness of static defenses. 

‍

Read the full report: A Blindspot in Cyber Defense: How Resurgent Vulnerabilities Jeopardize Organizational Security.

‍

— — — 

‍

^{Stone is Head of Content at GreyNoise Intelligence, where he leads strategic content initiatives that illuminate the complexities of internet noise and threat intelligence. In past roles, he led partnered research initiatives with Google and the U.S. Department of Homeland Security. With a background in finance, technology, and engagement with the United Nations on global topics, Stone brings a multidimensional perspective to cybersecurity. He is also affiliated with the Council on Foreign Relations.}

‍

‍GreyNoise observed a significant increase in crawling activity targeting Git configuration files on April 20-21, 2025. While the crawling itself is reconnaissance, successful discovery of exposed Git configuration files can lead to exposure of internal codebases, developer workflows, and potentially sensitive credentials. This activity is tracked under the GreyNoise Git Config Crawler tag, which identifies IPs crawling the internet for sensitive Git configuration files. 

‍

‍

GreyNoise is developing an enhanced dynamic IP blocklist to help defenders take faster action on emerging threats. Click here to learn more or get on the waitlist.

‍

‍

Majority of IPs are Malicious — Potential Regional Targeting

GreyNoise observed nearly 4,800 unique IP addresses daily from April 20-21, marking a substantial increase compared to typical levels. Although activity was globally distributed, Singapore ranked as both the top source and destination for sessions during this period, followed by the U.S. and Germany as the next most common destinations. 

Likewise, in the past 90 days by unique IP count, Singapore remains the top source and destination country for this activity. None of the IPs are spoofed, indicating the traffic originated from the IPs observed. GreyNoise can confirm that 95% of all IPs engaged in this behavior in the past 90 days are malicious.  

‍

Top Source Countries:

• Singapore (4,933 unique IPs)
• U.S. (3,807 unique IPs)
• Germany (473 unique IPs)
• U.K. (395 unique IPs)
• Netherlands (321 unique IPs)

‍

Top Destination Countries: 

• Singapore (8,265 unique IPs)
• U.S. (5,143 unique IPs)
• Germany (4,138 unique IPs)
• U.K. (3,417 unique IPs)
• India (3,373 unique IPs)

The IPs are linked to cloud infrastructure providers such as Cloudflare, Amazon, and DigitalOcean.

‍

Four Spikes Since September — April the Largest Yet

Since September 2024, GreyNoise has observed four distinct spikes in Git configuration crawling activity, each involving approximately 3,000 unique IPs — with the April 20-21, 2025 spike marking the largest to date. 

‍

‍

The late February spike tells somewhat of a different story in terms of source and destination session traffic:

‍

Top Source Countries:

• Netherlands 
• U.S. 
• Germany

‍

Top Destination Countries:

• U.S.
• U.K. 
• Spain

‍

Why It Matters

Git configuration files can reveal: 

• Remote repository URLs (GitHub, GitLab)
• Branch structures and naming conventions 
• Metadata that provides insight into internal development processes

In some cases, if the full .git directory is also exposed, attackers may be able to reconstruct the entire codebase — including commit history, which may contain confidential information, credentials, or sensitive logic. 

In 2024, a Git configuration breach exposed 15,000 credentials and resulted in 10,000 cloned private repositories. 

‍

Recommendations

To prevent this type of exposure: 

• Ensure .git/ directories are not accessible via public web servers
• Block access to hidden files and folders in web server configurations
• Monitor logs for repeated requests to .git/config and similar paths
• Rotate any credentials exposed in version control history

‍

Related CVE:

CVE-2021-23263

‍

GreyNoise will continue to monitor the situation and provide updates as necessary. To stay abreast of the latest developments, please navigate to the top of this page and subscribe to our blog. 

‍

GreyNoise is developing an enhanced dynamic IP blocklist to help defenders take faster action on emerging threats. Click here to learn more or get on the waitlist.

‍

— — — 

‍

^{Stone is Head of Content at GreyNoise Intelligence, where he leads strategic content initiatives that illuminate the complexities of internet noise and threat intelligence. In past roles, he led partnered research initiatives with Google and the U.S. Department of Homeland Security. With a background in finance, technology, and engagement with the United Nations on global topics, Stone brings a multidimensional perspective to cybersecurity. He is also affiliated with the Council on Foreign Relations.}

‍

On April 18, 2025, GreyNoise observed a 9X spike in suspicious scanning activity targeting Ivanti Connect Secure (ICS) or Ivanti Pulse Secure (IPS) VPN systems. 

More than 230 unique IPs probed ICS/IPS endpoints — a sharp rise from the usual daily baseline of fewer than 30. This surge may indicate coordinated reconnaissance and possible preparation for future exploitation. 

‍

‍

What We’re Seeing

GreyNoise has a tag tracking suspicious scanning activity for Ivanti Connect Secure systems. This tag includes IPs observed attempting to identify internet-accessible ICS/IPS systems.

‍

‍

Observed Spike: 234 Unique IPs on April 18, 2025

Observed Activity in Past 90 Days: 1,004 Unique IPs 

Spoofable IPs: 0% (All IPs are not spoofable)

IP Classifications: 

• 634 Suspicious
• 244 Malicious
• 126 Benign

‍

Top 3 Source Countries:

• U.S. 
• Germany 
• Netherlands

‍

Top 3 Destination Countries:

• U.S. 
• Germany 
• U.K.

‍

Infrastructure Insights

A closer look at the source infrastructure reveals a notable split in behavior:

• Malicious IPs (those observed in other known malicious activity) are primarily using: 
  
  • Tor exit nodes
  • Common cloud and VPS providers with familiar names. 
• Suspicious IPs are linked to:
  
  • Lesser-known or niche hosting providers. 
  • Less mainstream cloud infrastructure. 

‍

Why This Matters

Ivanti Connect Secure has been targeted repeatedly in recent years due to its role in enterprise remote access. 

While no specific CVEs have been tied to this scanning activity yet, spikes like this often precede active exploitation. GreyNoise has previously observed similar patterns in the lead-up to the public discovery of new vulnerabilities. 

‍

Recommended Defensive Actions

Security teams should: 

• Review logs for suspicious probes of ICS/IPS.
• Monitor login activity from new or suspicious IPs. 
• Block known malicious or suspicious IPs using GreyNoise. 
• Patch all ICS/IPS systems with the latest updates. 

‍

GreyNoise will continue tracking this activity and will publish updates as necessary. 

‍

GreyNoise is developing an enhanced dynamic IP blocklist to help defenders take faster action on emerging threats. Click here to learn more or get on the waitlist.

‍

— — — 

‍

^{Stone is Head of Content at GreyNoise Intelligence, where he leads strategic content initiatives that illuminate the complexities of internet noise and threat intelligence. In past roles, he led partnered research initiatives with Google and the U.S. Department of Homeland Security. With a background in finance, technology, and engagement with the United Nations on global topics, Stone brings a multidimensional perspective to cybersecurity. He is also affiliated with the Council on Foreign Relations.}

‍

Attackers from every corner of the internet are exploiting a uniquely dangerous class of cyber flaws: resurgent vulnerabilities. 

These aren’t being exploited as zero-days — and spikes in activity rarely make headlines. They’re older flaws that quietly return to relevance as attacker interest reignites. Some were deprioritized years ago. Others were never seen as serious. But today, they’re being opportunistically exploited at scale, often in edge technologies like firewalls, routers, and VPNs — the very internet-facing assets attackers use for initial access and persistence. 

GreyNoise’s latest research breaks down these vulnerabilities — how they behave, why they’re dangerous, and what defenders and policymakers need to know to stay ahead. 

‍

‍

Key Takeaways:  

• Resurgent vulnerabilities fall into three distinct behavioral categories: Utility, Periodic, and Black Swan. Each category has unique exploitation patterns, with Black Swan being the most unpredictable. 
• Over half of the top exploited resurgent CVEs and nearly 70% of Black Swan vulnerabilities affect edge technologies, such as routers and VPNs — the very technologies attackers use for initial access and persistence. 
• Some CVEs are first exploited years after disclosure, creating long-standing blind spots in many patching programs. 
• Resurgent exploitation often arrives without warning, underscoring the need for adaptive patch management and dynamic blocking strategies that account for dormant but dangerous vulnerabilities. 
• Government and private threat intelligence providers have reported state-sponsored exploitation of old vulnerabilities. GreyNoise Intelligence continues to observe widespread opportunistic activity against many of the same flaws. 

‍

Inside the report: 

• A new framework for understanding how vulnerabilities resurface.
• Behavioral patterns of resurgence — and what they mean for defenders. 
• Visuals and examples of resurgent CVEs exploited at scale. 
• Tactical insights for security professionals and policymakers to improve patch prioritization, dynamic blocking, and risk mitigation.

‍

Download the full report and prepare before the next wave hits. 

‍

‍

— — —

‍

^{Noah Stone contributed to this writeup in collaboration with GreyNoise Research. Stone is Head of Content at GreyNoise Intelligence, where he leads strategic content initiatives that illuminate the complexities of internet noise and threat intelligence. In past roles, he led partnered research initiatives with Google and the U.S. Department of Homeland Security. With a background in finance, technology, and engagement with the United Nations on global topics, Stone brings a multidimensional perspective to cybersecurity. He is also affiliated with the Council on Foreign Relations.}

‍

GreyNoise has observed a significant spike — 3 times that of typical activity — in exploitation attempts against TVT NVMS9000 DVRs, peaking on April 3 at over 2,500 unique IPs. This information disclosure vulnerability can be used to gain administrative control over affected systems. 

GreyNoise has identified sufficient overlap with Mirai, indicating this activity is associated with the botnet. Countless reports in the past have named the TVT NVMS9000 DVR as a target for botnet enlistment, including a GreyNoise update reporting Mirai targeting in early March. 

Manufactured by TVT Digital Technology Co., Ltd., a Shenzhen-based company, NVMS9000 DVRs are reportedly used in security and surveillance systems. The DVRs are used for recording, storing, and managing video footage from security cameras. A company report mentions TVT has “served customers in more than 120 countries.” 

Most malicious IP addresses are targeting systems based in the United States, United Kingdom, and Germany. 

‍

GreyNoise Observations 

On March 31, 2025, GreyNoise observed the beginning of a surge in unique IP addresses attempting to exploit the NVMS9000 DVR. The number of IPs peaked at over 2,500 on April 3, with over 6,600 IPs attempting to exploit the flaw in the past 30 days. 

GreyNoise can confirm that all IPs targeting the flaw in the past 30 days are malicious, and none of them are spoofable. 

‍

‍

Attackers could potentially use this flaw to gain full control of the DVR. 

‍

Source and Destination Countries

The majority of IPs in the past 30 days have originated from the Asia-Pacific (APAC) region, while the U.S., U.K., and Germany are the top target countries.  

‍

Top Source Countries

• Taiwan (3,637 IPs)
• Japan (809 IPs)
• South Korea (542 IPs). 

‍

Top Destination Countries

• United States (6,471 IPs)
• United Kingdom (5,738 IPs)
• Germany (5,713 IPs). 

‍

Mitigations 

Organizations using the NVMS9000 DVR or similar systems should ensure that they are properly secured. Recommended actions include: 

• Use GreyNoise to block known malicious IP addresses attempting to exploit this vulnerability. 
• Apply all available patches.
• Restrict public internet access to DVR interfaces. 
• Monitor network traffic for signs of unusual scanning or exploitation attempts. 

Monitor attacker activity targeting this flaw and block malicious IPs. 

‍

Stay updated by visiting the GreyNoise tag for this activity. 

‍

GreyNoise is developing an enhanced dynamic IP blocklist to help defenders take faster action on emerging threats. Click here to learn more or get on the waitlist.

‍

— — —

‍

^{Stone is Head of Content at GreyNoise Intelligence, where he leads strategic content initiatives that illuminate the complexities of internet noise and threat intelligence. In past roles, he led partnered research initiatives with Google and the U.S. Department of Homeland Security. With a background in finance, technology, and engagement with the United Nations on global topics, Stone brings a multidimensional perspective to cybersecurity. He is also affiliated with the Council on Foreign Relations.}

April 7, 2025 Update

After GreyNoise’s reporting of heightened activity targeting key technologies on March 28, we now observe on April 7 a significant rise in exploitation attempts against Linksys E-Series routers. 

GreyNoise assesses the activity is linked to Mirai. 

The associated GreyNoise tag is:

• Linksys E-Series TheMoon Remote Command Injection Attempt

‍

‍

These updates come at a time when routers and other edge technologies are reportedly attracting significant interest from advanced, well-resourced attackers.

‍

On March 28, GreyNoise observed a significant spike in activity targeting multiple edge technologies, including SonicWall, Zoho, Zyxel, F5, Linksys, and Ivanti systems. While some of these technologies are edge systems, others are primarily internal management tools. 

This uptick suggests increased reconnaissance or exploitation attempts, indicating that threat actors may be probing for vulnerabilities or unpatched systems. Security teams should be aware of this trend and assess potential risks. 

‍

Observed Activity 

GreyNoise telemetry indicates a marked increase in in-the-wild activity targeting these systems.

View real-time activity and block malicious IPs by navigating to the GreyNoise Visualizer’s CVE Search feature and pasting CVEs of interest. 

‍

Ivanti

‍

SonicWall

‍

Zoho

‍

Zyxel

‍

F5

‍

Linksys 

‍

Recommended Actions

1. Patch Management: Ensure that all systems are up to date with the latest security patches to mitigate known vulnerabilities. 
2. Network Monitoring: Closely monitor traffic — retroactively analyzing March 28 logs — for unusual patterns or activity targeting these systems. 
3. Threat Intelligence & Dynamic Blocking: Use GreyNoise to view real-time activity targeting these systems, and to block malicious IPs. 

View real-time activity and block malicious IPs by navigating to the GreyNoise Visualizer’s CVE Search feature and pasting CVEs of interest. 

‍

GreyNoise is developing an enhanced dynamic IP blocklist to help defenders take faster action on emerging threats. Click here to learn more or get on the waitlist.

‍

— — —

‍

^{Stone is Head of Content at GreyNoise Intelligence, where he leads strategic content initiatives that illuminate the complexities of internet noise and threat intelligence. In past roles, he led partnered research initiatives with Google and the U.S. Department of Homeland Security. With a background in finance, technology, and engagement with the United Nations on global topics, Stone brings a multidimensional perspective to cybersecurity. He is also affiliated with the Council on Foreign Relations.}

‍

May 2, 2025 Update:  

GreyNoise has observed a sharp and sustained decline in suspicious opportunistic scanning activity targeting Palo Alto Networks PAN-OS GlobalProtect portals — dropping by more than 99 percent within 48 hours of our March 31 report. 

Opportunistic scanning activity fell from a peak of 20,000 unique IPs per day to just over 100 per day, and remained low through April until now.

‍

3xK Tech GmbH IP Infrastructure Abused

The majority of IPs involved in this activity are associated with the provider, 3xK Tech GmbH — accounting for nearly 20,000 of the 25,000+ IPs observed in the past 90 days. Of the physical subnets in which these IPs exist, 80 to 90 percent were involved in this activity. 

Similar to recent GreyNoise reporting on Git Config scanning, where actors abused Cloudflare infrastructure, actors are now relying heavily on infrastructure provided by 3xK Tech GmbH.

Threat actors are increasingly rotating between infrastructure providers, making provider-based blocking both ineffective and unsustainable. Dynamic IP blocking is essential to defend against these threats and future ones alike.

‍

GreyNoise is developing an enhanced dynamic IP blocklist to help defenders take faster action on emerging threats. Click here to learn more or get on the waitlist.

‍

‍

GreyNoise has observed a significant surge in login scanning activity targeting Palo Alto Networks PAN-OS GlobalProtect portals. Over the last 30 days, nearly 24,000 unique IP addresses have attempted to access these portals. The pattern suggests a coordinated effort to probe network defenses and identify exposed or vulnerable systems, potentially as a precursor to targeted exploitation. 

Recent patterns observed by GreyNoise suggest that this activity may signal the emergence of new vulnerabilities in the near future: 

“Over the past 18 to 24 months, we’ve observed a consistent pattern of deliberate targeting of older vulnerabilities or well-worn attack and reconnaissance attempts against specific technologies,” said Bob Rudis, VP of Data Science at GreyNoise. “These patterns often coincide with new vulnerabilities emerging 2 to 4 weeks later.” 

‍

Key Observations 

• The spike began on March 17, 2025, with activity peaking at nearly 20,000 unique IPs per day and remaining steady until March 26 before tapering off. 
• Most of the observed activity is classified as suspicious (23,800 IPs), with a smaller subset flagged as malicious (154 IPs). 

The consistency of this activity suggests a planned approach to testing network defenses, potentially paving the way for exploitation. Organizations using Palo Alto Networks products should take steps to secure their login portals. 

‍

‍

A significant portion of the traffic is associated with 3xK Tech GmbH (20,010 IPs) under ASN200373. Other notable contributors include PureVoltage Hosting Inc., Fast Servers Pty Ltd., and Oy Crea Nova Hosting Solution Ltd.

Additionally, GreyNoise has identified three JA4h hashes linked to the login scanner tool: 

• po11nn11enus_967778c7bec7_000000000000_000000000000
• po11nn09enus_fb8b2e7e6287_000000000000_000000000000
• po11nn060000_c4f66731b00d_000000000000_000000000000

These hashes indicate the use of specific connection patterns typical of the login scanner tool used by the attackers in question, allowing GreyNoise to identify and correlate separate login attempts as originating from the same toolkit.

Source and Destination Analysis 

• Source Countries: Predominantly originating from the United States (16,249) and Canada (5,823), followed by Finland, Netherlands, and Russia.  
• Destination Countries: The overwhelming majority of traffic targeted systems in the United States (23,768), with smaller volumes directed toward the United Kingdom, Ireland, Russia, and Singapore. 

These patterns reflect the global nature of the activity, indicating that multiple regions are being targeted.

‍

Concurrent Crawler Activity Detected

The activity appears to be linked to other PAN-OS reconnaissance-related tags such as PAN-OS Crawler, where a single spike was observed on March 26, 2025 involving 2,580 unique source IPs. 

‍

‍

Reminiscent of 2024 Espionage Campaign

This surge in activity is reminiscent of a 2024 espionage campaign targeting perimeter network devices, reported by Cisco Talos. While the specific methods differ, both incidents highlight the importance of monitoring and securing critical edge devices against unauthorized access. 

‍

Recommendations

Given the unusual nature of this activity, organizations with exposed Palo Alto Networks systems should review their March logs and consider performing a detailed threat hunt on running systems to identify any signs of compromise.

View Attacker Activity & Block Malicious IPs

GreyNoise will continue to monitor the situation and provide updates if material developments arise. 

Navigate now to the GreyNoise Visualizer to:

‍

‍

— — —

‍

^{Stone is Head of Content at GreyNoise Intelligence, where he leads strategic content initiatives that illuminate the complexities of internet noise and threat intelligence. In past roles, he led partnered research initiatives with Google and the U.S. Department of Homeland Security. With a background in finance, technology, and engagement with the United Nations on global topics, Stone brings a multidimensional perspective to cybersecurity. He is also affiliated with the Council on Foreign Relations.}

‍

Following reports of widespread reboots affecting DrayTek routers globally, GreyNoise is bringing awareness to in-the-wild activity against several known vulnerabilities in DrayTek devices. While we cannot confirm a direct connection between this activity and the reported reboots, we are surfacing this data to help defenders monitor and respond accordingly.

Observed In-The-Wild Activity 

GreyNoise has observed in-the-wild activity against the following CVEs:

• CVE-2020-8515 — a remote code execution vulnerability in multiple DrayTek router models. 
• CVE-2021-20123 — a directory traversal vulnerability in DrayTek VigorConnect. 
• CVE-2021-20124 — a second directory traversal vulnerability in DrayTek VigorConnect. 

Below is a breakdown of recent in-the-wild activity observed by the GreyNoise Global Observation Grid (GOG).

Across all CVEs, GreyNoise has observed the following activity in the past 45 days:

‍

By CVE, we’ve seen the following: 

‍

CVE-2020-8515: Remote Code Execution 

• No activity in the past 24 hours. 
• 82 IPs observed in the past 30 days.
• Top destination countries by sessions in the past week: Indonesia, Hong Kong, United States. 

‍

‍

CVE-2021-20123: Directory Traversal

• Activity in the past 24 hours. 
• 23 IPs observed in the past 30 days.
• Top destination countries by sessions in the past week: Lithuania, United States, Singapore. 

‍

‍

CVE-2021-20124: Directory Traversal

• Activity in the past 24 hours. 
• 22 IPs observed in the past 30 days.
• Top destination countries by sessions in the past week: Lithuania, United States, Singapore.

‍

‍

GreyNoise will continue to monitor in-the-wild activity related to DrayTek devices. Explore the GreyNoise Visualizer for the latest activity. 

‍

Read the SecurityWeek report detailing the reboots. 

‍

‍

GreyNoise is developing an enhanced dynamic IP blocklist to help defenders take faster action on emerging threats. Click here to learn more or get on the waitlist.

‍

— — —

‍

^{Stone is Head of Content at GreyNoise Intelligence, where he leads strategic content initiatives that illuminate the complexities of internet noise and threat intelligence. In past roles, he led partnered research initiatives with Google and the U.S. Department of Homeland Security. With a background in finance, technology, and engagement with the United Nations on global topics, Stone brings a multidimensional perspective to cybersecurity. He is also affiliated with the Council on Foreign Relations.}‍

Attackers are actively exploiting Apache Tomcat servers by leveraging CVE-2025-24813, a newly disclosed vulnerability that, if successfully exploited, could enable remote code execution (RCE). GreyNoise has identified multiple IPs engaging in this activity across multiple regions. 

Fortunately, GreyNoise can confirm exploit traffic is currently limited to naive attackers utilizing PoC code.

We created a new CVE-2025-24813 tag to help defenders track this activity. 

‍

GreyNoise is developing an enhanced dynamic IP blocklist to help defenders take faster action on emerging threats. Click here to learn more or get on the waitlist.

‍

Active Exploitation Detected

‍GreyNoise has observed four unique IPs attempting to exploit this vulnerability since March 17, 2025. Attackers are leveraging a partial PUT method to inject malicious payloads, potentially leading to arbitrary code execution on vulnerable systems. 

‍

Exploitation is already underway, with attack attempts spanning multiple countries. Given Apache Tomcat’s widespread deployment, these early signs of activity suggest more exploitation is likely to follow. 

Geographic Distribution 

Targeted Regions

The majority of exploit attempts targeted systems in the United States, Japan, India, South Korea, and Mexico, with over 70% of sessions directed at U.S.-based systems.

Attack Origin

GreyNoise observed exploitation attempts as early as March 11, though this activity is not reflected in the GreyNoise Visualizer. 

Within the visualizer, we first observed exploit attempts from a Latvia-based IP on March 18, followed by separate attempts on March 19 from IPs traced to Italy, the United States, and China. Notably, the Latvia-based IP showed no further activity after March 18, and the two IPs traced to Latvia and Italy are linked to a known VPN service. 

‍Today, GreyNoise observed another exploit attempt from the U.S.-based IP. Both IPs from China and the United States are not spoofable. 

‍

Mitigations & Recommendations 

To protect against CVE-2025-24813, organizations running affected versions of Apache Tomcat should:

• Apply the latest security patches immediately.
• Monitor for unexpected PUT requests in web server logs. 
• Deploy WAF rules to block malicious payloads. 
• Use GreyNoise to track real-time exploitation activity and block malicious IPs. 

‍Organizations should immediately assess their Apache Tomcat deployments and apply patches to mitigate potential RCE risks. 

GreyNoise is actively tracking this activity in real time — defenders can access our latest intelligence to block malicious IPs.

‍

‍

‍

— — —

‍

^{Stone is Head of Content at GreyNoise Intelligence, where he leads strategic content initiatives that illuminate the complexities of internet noise and threat intelligence. In past roles, he led partnered research initiatives with Google and the U.S. Department of Homeland Security. With a background in finance, technology, and engagement with the United Nations on global topics, Stone brings a multidimensional perspective to cybersecurity. He is also affiliated with the Council on Foreign Relations.}

‍

GreyNoise has identified a notable resurgence of in-the-wild activity targeting three ServiceNow vulnerabilities: 

• CVE-2024-4879 (Critical)
• CVE-2024-5217 (Critical)
• CVE-2024-5178 (Medium)

All three vulnerabilities have seen attacker interest in the past 24 hours. 

Over 70% of sessions in the past week were directed at systems in Israel. Over the past week, targeted systems have been detected in Israel, Lithuania, Japan, and Germany, though only Israel and Lithuania saw activity in the past 24 hours. 

These vulnerabilities reportedly may be chained together for full database access.

‍

Notable Increase in Attacker Interest

GreyNoise has recorded the highest number of unique IPs targeting these vulnerabilities in the past month. The number of threat IPs observed in the past 24 hours — with unique IPs in the past 30 days — is as follows: 

‍

CVE-2024-5178 (ServiceNow Input Validation)

• 36 threat IPs in Past 24hrs 

‍

This vulnerability is not in CISA’s Known Exploited Vulnerabilities (KEV) catalog. 

‍

‍

CVE-2024-4879 (ServiceNow Template Injection)

• 48 threat IPs in Past 24hrs

‍

‍

CVE-2024-5217 (ServiceNow Input Validation)

• 48 threat IPs in Past 24hrs 

‍

‍

‍

Recommended Defensive Actions

Organizations using ServiceNow should take the following steps immediately: 

• Apply Security Patches: Ensure all affected ServiceNow instances are updated with the latest security fixes.
• Restrict Access: Limit exposure of management interfaces to prevent unauthorized access.
• Monitor Trends: Use GreyNoise to track activity related to these vulnerabilities. 

GreyNoise will continue monitoring this evolving situation and provide real-time intelligence on observed activity. Leverage the GreyNoise Visualizer to stay updated with the latest. 

‍

‍

GreyNoise is developing an enhanced dynamic IP blocklist to help defenders take faster action on emerging threats. Click here to learn more or get on the waitlist.

‍

— — —

^{Stone is Head of Content at GreyNoise Intelligence, where he leads strategic content initiatives that illuminate the complexities of internet noise and threat intelligence. In past roles, he led partnered research initiatives with Google and the U.S. Department of Homeland Security. With a background in finance, technology, and engagement with the United Nations on global topics, Stone brings a multidimensional perspective to cybersecurity. He is also affiliated with the Council on Foreign Relations.}

‍

Update (March 12, 2025): New Evidence Suggests Attackers Are Mapping Infrastructure Before Exploitation

‍GreyNoise has observed Grafana path traversal attempts preceding the coordinated SSRF surge on March 9, indicating attackers may be using Grafana as a foothold for deeper exploitation. While direct attribution is unclear, the timing suggests a multi-phase attack strategy, where attackers first map exposed infrastructure before escalating their attacks.

‍

Grafana path traversal vulnerabilities have in the past been used to access configuration files and internal network details. The timing of this activity, followed closely by SSRF exploitation, suggests attackers may be using reconnaissance techniques to identify high-value targets before launching further attacks. While the direct relationship between these events remains unconfirmed, the pattern aligns with potentially more coordinated activity than initially reported.

‍

What This Means for Defenders

• If attackers are systematically mapping infrastructure before exploitation, defenders should identify and disrupt this early-stage activity. 
• Monitoring for reconnaissance behaviors, such as path traversal attempts, may provide early warning signs before full-scale exploitation occurs. 
• Organizations should act now to patch vulnerable systems, restrict access where possible, and monitor for unexpected outbound requests that could indicate SSRF exploitation. 

GreyNoise will continue tracking this activity and providing updates if new patterns emerge.

‍

GreyNoise is developing an enhanced dynamic IP blocklist to help defenders take faster action on emerging threats. Click here to learn more or get on the waitlist.

‍

‍

GreyNoise Detects Unusual SSRF Exploitation Trends Across Multiple CVEs

Key Takeaways

• On March 9, GreyNoise observed a coordinated surge in SSRF exploitation, affecting multiple widely used platforms. 
• At least 400 IPs have been seen actively exploiting multiple SSRF CVEs simultaneously, with notable overlap between attack attempts. 
• The top countries receiving SSRF exploitation attempts during the surge were the United States, Germany, Singapore, India, and Japan. 
• Israel saw SSRF exploitation activity as early as January, with renewed activity observed in this latest surge. 
• Historical parallels: SSRF vulnerabilities played a key role in the Capital One breach (2019), which exposed 100M+ records. 

‍

SSRF is a Major Target for Attackers For Good Reason

Among other things, attackers leverage SSRF for: 

• Cloud Exploitation: Many modern cloud services rely on internal metadata APIs, which SSRF can access if exploited. 
• Pivoting and Reconnaissance: SSRF can be used to map internal networks, locate vulnerable services, and steal cloud credentials. 

‍

Recent SSRF Exploitation Trends

GreyNoise is flagging a sharp increase in SSRF exploitation occurring on March 9 across multiple Server-Side Request Forgery (SSRF) vulnerabilities: 

• ~ 400 unique IPs have been observed actively exploiting 10 SSRF-related CVEs.
• Many of the same IPs are targeting multiple SSRF vulnerabilities at once, rather than focusing on a single known vulnerability. 
• Unlike routine botnet noise, this pattern suggests structured exploitation, automation, or pre-compromise intelligence gathering. 

‍

Which CVEs Are Being Exploited? 

GreyNoise has identified active exploitation attempts against the following flaws. Click on the links to see real-time exploitation activity and block malicious IPs.

‍

Historical SSRF Exploitation by Destination Country

GreyNoise has identified the following ten countries as having the greatest exploitation activity in the past 6 months across all reported SSRF flaws: 

‍

‍

Additional countries seeing early SSRF exploitation, with spikes dating back to December 2024, are: Hong Kong, South Korea, Australia, France, Taiwan, Qatar, and Slovakia.

‍

SSRF Exploitation in Past 24 Hours Limited to Israel and The Netherlands

Only two countries have been targeted in the past 24 hours:

‍

Recommendations for Defenders 

Organizations should take immediate steps to ensure they are not exposed: 

• Patch and Harden Affected Systems 
  
  • Review patches for the targeted CVEs and apply mitigations where available. 
• Restrict Outbound Access Where Possible
  
  • Limit outbound connections from internal apps to only necessary endpoints. 
• Monitor for Suspicious Outbound Requests
  
  • Set up alerts for unexpected outbound requests.
• Block Malicious IPs Using GreyNoise

‍

‍

‍

‍

‍

‍

‍

— — —

‍

^{Stone is Head of Content at GreyNoise Intelligence, where he leads strategic content initiatives that illuminate the complexities of internet noise and threat intelligence. In past roles, he led partnered research initiatives with Google and the U.S. Department of Homeland Security. With a background in finance, technology, and engagement with the United Nations on global topics, Stone brings a multidimensional perspective to cybersecurity. He is also affiliated with the Council on Foreign Relations.} 

‍

Cisco Talos recently uncovered a sophisticated attack campaign targeting Japanese organizations through CVE-2024-4577, a critical PHP-CGI remote code execution flaw with 79 exploits available. While Talos focused on victimology and attacker tradecraft, GreyNoise telemetry reveals a far wider exploitation pattern demanding immediate action from defenders globally.

‍

‍

GreyNoise is developing an enhanced dynamic IP blocklist to help defenders take faster action on emerging threats. Click here to learn more or get on the waitlist.

‍

Attack Overview

According to Cisco Talos, the threat actor exploited PHP-CGI installations on Windows systems to deploy Cobalt Strike beacons and conduct post-exploitation activities using the TaoWu toolkit. Key indicators include:

• Initial Access: Exploitation via PHP-CGI vulnerability using HTTP POST requests with MD5 hash e10adc3949ba59abbe56e057f20f883e as a success marker.
• Payloads: PowerShell scripts fetching Cobalt Strike reverse HTTP shellcode (e.g., http://38[.]14[.]255[.]23:8000/payload.ps1).
• C2 Infrastructure: Servers 38[.]14[.]255[.]23 and 118[.]31[.]18[.]77 hosted on Alibaba Cloud, with HTTP User-Agent strings mimicking legacy Internet Explorer versions.

‍

GreyNoise Observations

‍GreyNoise data confirms that exploitation of CVE-2024-4577 extends far beyond initial reports. Attack attempts have been observed across multiple regions, with notable spikes in the United States, Singapore, Japan, and other countries throughout January 2025. 

‍

‍

GreyNoise’s Global Observation Grid (GOG) — a worldwide network of honeypots — detected 1,089 unique IPs attempting to exploit CVE-2024-4577 in January 2025 alone. While initial reports focused on attacks in Japan, GreyNoise data confirms that exploitation is far more widespread, with significant activity observed in:

‍

‍

More than 43% of IPs targeting CVE-2024-4577 in the past 30 days are from Germany and China. 

‍

In February, GreyNoise detected a coordinated spike in exploitation attempts against networks in multiple countries, suggesting additional automated scanning for vulnerable targets.

‍

‍

Guidance for Defenders

Organizations with internet-facing Windows systems exposing PHP-CGI — especially those in these newly identified targeted regions — should follow the guidance provided by Cisco Talos and perform retro-hunts to identify similar exploitation patterns.

Identify and block malicious IPs actively targeting CVE-2024-4577. 

Read the Cisco Talos report here.

Key Takeaways

• GreyNoise has detected active exploitation by more than 90 unique threat IPs in the past 24 hours across CVEs linked to the Chinese cyber espionage group, Silk Typhoon (HAFNIUM). 
• GreyNoise is not attributing this activity to Silk Typhoon. Rather, we have identified active exploitation of CVEs that have been linked to Silk Typhoon’s operations in prior campaigns. 
• CVE-2021-26855, CVE-2021-44228 (Log4Shell), and CVE-2024-3400 are being actively targeted by threat actors. 
• GreyNoise’s observations come just one day after Microsoft reported Silk Typhoon’s shift to IT supply chain targeting.
• On Wednesday, U.S. authorities reportedly charged alleged Silk Typhoon operatives in a hacker-for-hire scheme, paying up to $75,000 per compromised inbox. 
• The findings come as U.S. policymakers escalate scrutiny of Chinese cyber threats, with the House Select Committee on the Chinese Communist Party (CCP) holding a hearing on March 5, the same day Microsoft released its report, on the growing risks posed by Chinese state-sponsored hacking. 

‍

GreyNoise Confirms Exploitation in the Wild

‍GreyNoise analyzed CVEs linked to Silk Typhoon and found three actively exploited in the past 24 hours:

• CVE-2021-26855 – An Exchange ProxyLogon SSRF vulnerability.
• CVE-2021-44228 – The Log4Shell vulnerability, a critical Apache Log4j RCE. 
• CVE-2024-3400 – A PAN-OS GlobalProtect RCE. 

‍

GreyNoise Observations: Active Exploitation in the Past 24 Hours

‍GreyNoise’s Global Observation Grid (GOG) confirms exploitation of these CVEs in the past 24 hours. The heatmap below shows activity over the past 45 days, and the following data reflects the last 30 days. 

‍

‍

CVE-2021-26855 (ProxyLogon SSRF)

‍

Top 3 Source Countries

• Singapore
• France
• United States

Top 3 Behaviors of Exploiting IPs

• ProxyLogon SSRF Attempt
• ADB Attempt
• Web Crawler

IP Count

• 52 (Past 24 Hours)
• 2,199 (Past 30 Days)

‍

‍

CVE-2021-44228 (Log4Shell RCE)

‍

Top 3 Source Countries

• United States 
• Iran 
• India

Top 3 Behaviors of Exploiting IPs

• Apache Log4j RCE Attempt
• Web Crawler
• TLS/SSL Crawler

IP Count

• 31 (Past 24 Hours)
• 453 (Past 30 Days)

‍

‍

CVE-2024-3400 (PAN-OS GlobalProtect RCE)

‍

Top 3 Source Countries

• United States 
• Singapore 
• Germany

Top 3 Behaviors of Exploiting IPs

• Palo Alto PAN-OS CVE-2024-3400 RCE Attempt
• Generic Path Traversal Attempt
• Web Crawler

IP Count

• 10 (Past 24 Hours)
• 164 (Past 30 Days)

‍

‍

Recommended Actions

• ‍Apply Patches Promptly – Ensure that all affected systems are updated to remediate CVE-2021-26855, CVE-2021-44288, and CVE-2024-3400.
• ‍Monitor GreyNoise Intelligence – Use GreyNoise tags and filtering to detect and block IPs engaged in malicious activity related to these CVEs. 
• ‍Reduce Exposure – 
  • Disable unnecessary internet-facing services. 
  • Implement strong authentication (such as MFA) on all accessible systems.
  • Segment networks to restrict lateral movement in case of compromise. 

‍

GreyNoise will continue to monitor the threat landscape and provide insights on evolving attacker tactics. Explore the GreyNoise Visualizer.

‍

GreyNoise is developing an enhanced dynamic IP blocklist to help defenders take faster action on emerging threats. Click here to learn more or get on the waitlist.

‍

––– ––– ––– 

‍

‍^{Stone is Head of Content at GreyNoise Intelligence, where he leads strategic content initiatives that illuminate the complexities of internet noise and threat intelligence. In past roles, he led partnered research initiatives with Google and the U.S. Department of Homeland Security. With a background in finance, technology, and engagement with the United Nations on global topics, Stone brings a multidimensional perspective to cybersecurity. He is also affiliated with the Council on Foreign Relations.} 

‍

On March 3, 2025, the Cybersecurity and Infrastructure Security Agency (CISA) added five vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, confirming their exploitation in the wild.

GreyNoise provided visibility into these vulnerabilities before their addition to KEV, giving defenders an early advantage. 

‍

‍

‍

Observed Exploitation

CVE-2022-43939 (Authorization Bypass) & CVE-2022-43769 (Special Element Injection)

Hitachi Vantara Pentaho BA Server Vulnerabilities 

Observed activity is identical across both CVEs: 

• First Observed Exploitation: December 6, 2024
• Most Recent Exploitation: February 28, 2025
• IP Count & Classification: 15 (100% malicious)
• Top 3 Source Countries: Singapore, Hong Kong, United States
• Top Tags:
  
  • Apache Airflow Example DAG RCE Attempt 
  • Apache Airflow Experimental API Access Check
  • Apache Airflow Remote Command Injection Attempt
  • 3CX Management Console LFI Attempt
  • 74CMS SQL Injection Attempt

‍

‍

‍

CVE-2024-4885

Progress WhatsUp Gold Path Traversal Vulnerability

• First Observed Exploitation: December 6, 2024 (Same date as CVE-2022-43939 & CVE-2022-43769)
• Most Recent Exploitation: March 2, 2025
• IP Count & Classification: 8 (100% malicious) 
• Top 3 Source Countries: Hong Kong, Russia, Brazil
• Top Tags:
  
  • Progress WhatsUp Gold RCE Attempt
  • GeoServer Scanner
  • TLS/SSL Crawler

‍

‍

Recommendations for Defenders

• Patch immediately – Apply vendor patches as soon as possible. If patching isn’t feasible, implement available mitigations. 
• Monitor for exploitation – Review logs for signs of scanning, reconnaissance, or unauthorized access related to these CVEs.
• Block known malicious IPs – GreyNoise tracks attacker IPs involved in exploitation. Organizations should use this intelligence to proactively block threats. 
• Reduce attack surface – Restrict internet exposure for vulnerable services and enforce strict access controls.

‍

GreyNoise Continues to Track These Threats

GreyNoise tagged these vulnerabilities before KEV inclusion, reinforcing the importance of real-time attack intelligence. 

‍

GreyNoise is developing an enhanced dynamic IP blocklist to help defenders take faster action on emerging threats. Click here to learn more or get on the waitlist.

‍

— — — 

^{Stone is Head of Content at GreyNoise Intelligence, where he leads strategic content initiatives that illuminate the complexities of internet noise and threat intelligence. In past roles, he led partnered research initiatives with Google and the U.S. Department of Homeland Security. With a background in finance, technology, and engagement with the United Nations on global topics, Stone brings a multidimensional perspective to cybersecurity. He is also affiliated with the Council on Foreign Relations.}

Update (5 March 2025): Key Clarifications on Eleven11bot

Further analysis has refined the understanding of the scale and nature of Eleven11bot. Key clarifications:

Likely a Mirai Variant

• Eleven11bot is likely not a distinct botnet, but rather a Mirai variant using a single new exploit targeting HiSilicon-based devices, particularly those running TVT-NVMS9000 software.

Overestimated Infection Numbers

• While reports estimated 86,400 infections globally, the actual number of compromised devices is likely fewer than 5,000.

Misidentified Tracking Signature

• The "head[...]1111" signature, initially associated with Eleven11bot, is not malware-related but rather part of the HiSilicon SDK protocol used for remote management across white-labeled devices.

Faulty Detection Method Inflated Infection Estimates

• The reported 86K+ infections appear to be based on a misidentification of normal HiSilicon device protocol traffic as botnet activity.

‍

How GreyNoise Identified This Activity

GreyNoise analyzed a list of 1,400 IPs provided by Censys, identifying 1,042 of them engaging in scanning and exploitation attempts. These were primarily embedded systems that typically do not initiate outbound internet communication, reinforcing their likely compromise.

While initial infection estimates were high, the activity observed in GreyNoise suggests that a subset of these devices are actively participating in Mirai-related behavior. Because these IPs are unlikely to change dynamically (e.g., through DHCP), they may continue to be involved in future Mirai botnet activity.

‍

GreyNoise is developing an enhanced dynamic IP blocklist to help defenders take faster action on emerging threats. Click here to learn more or get on the waitlist.

‍

‍

A newly discovered global cyber threat is rapidly expanding, infecting tens of thousands of internet-connected devices to launch powerful cyberattacks. Nokia Deepfield’s Emergency Response Team (ERT) has identified a new botnet, tracked as Eleven11bot, which they estimated has compromised over 30,000 devices, primarily security cameras and network video recorders (NVRs). 

According to DeepField, Eleven11bot has been used in distributed denial of service (DDoS) attacks against telecom providers and gaming platforms, with some attacks lasting multiple days and causing widespread disruptions. Jérôme Meyer, a security researcher tracking the botnet, described it as “one of the largest known DDoS botnet campaigns observed since the invasion of Ukraine in February 2022.” 

‍

GreyNoise Observations on Eleven11bot

Following Deepfield’s findings, Censys provided GreyNoise with a list of 1,400 IPs that appear to be linked to Eleven11bot due to the configuration of the endpoint devices and the banners matching what Deepfield identified in their research. GreyNoise has observed 1,042 IPs actively hitting our sensors in the past 30 days. 

‍

‍

Key findings from our data:

• 96% of these IPs are non-spoofable, meaning they originate from genuine, accessible devices. 
• 61% of the 1,042 observed IPs (636) are traced to Iran. 
• 305 IPs are currently classified as malicious by GreyNoise.

While GreyNoise does not speculate on attribution, this increase in botnet activity comes just two days after the U.S. administration reasserted its “maximum pressure” campaign on Iran, imposing new economic sanctions. 

‍

How the Botnet is Expanding

GreyNoise data indicates that the botnet is involved in malicious activities. Observations from GreyNoise show that the botnet is engaging in actions presumably aimed at expanding its operations, including:

• Brute-force attacks against login systems.
• Exploitation of weak and default passwords on IoT devices.
• Targeting specific security camera brands, such as VStarcam, using hardcoded credentials. 
• Network scanning for exposed Telnet and SSH ports is often left unprotected on IoT hardware.

GreyNoise has identified 305 IP addresses actively carrying out malicious attacks linked to the botnet. 

‍

How to See the Botnet in Action

SOC teams, vulnerability management professionals, and threat hunters can track the botnet’s live activity using GreyNoise:

1. Navigate to the Analysis feature.
2. Paste the list of botnet IPs (source: Censys) into the search bar. 
3. Download the CSV of malicious IPs to take immediate blocking actions.

‍

Censys-Provided IP List

A list of IPs associated with this botnet is available below: 

189.146.95.172, 109.177.122.31, 89.138.147.184, 151.235.34.214, 5.236.26.32, 219.68.208.58, 188.136.145.85, 188.0.252.252, 85.185.86.123, 85.64.144.30, 37.209.250.184, 46.100.167.242, 187.222.16.246, 93.117.22.12, 201.103.21.250, 49.49.196.236, 85.204.92.18, 5.235.246.3, 188.208.56.221, 85.65.233.119, 92.246.144.41, 89.44.129.106, 121.121.120.83, 187.140.192.47, 2.177.119.45, 85.204.208.71, 212.33.220.19, 94.248.157.238, 118.100.14.226, 1.34.208.234, 185.143.205.205, 187.145.119.33, 94.236.212.196, 2.183.103.157, 184.82.165.29, 140.228.114.78, 151.235.209.217, 181.91.50.105, 5.232.132.134, 94.69.204.29, 151.235.218.159, 89.44.178.47, 5.239.203.128, 96.56.153.66, 5.236.31.85, 201.124.214.125, 223.197.242.106, 129.122.190.112, 5.237.218.185, 47.40.192.65, 31.46.51.89, 31.25.135.70, 92.16.149.88, 93.117.25.45, 2.181.122.131, 5.236.4.240, 188.136.145.211, 212.230.233.242, 79.129.204.249, 186.179.190.223, 2.177.94.45, 151.232.164.183, 2.180.168.37, 109.125.132.22, 37.255.231.24, 5.239.201.165, 178.238.205.215, 93.117.4.125, 5.237.211.203, 85.204.91.53, 185.161.39.100, 37.255.202.86, 91.215.63.71, 2.185.147.45, 80.44.4.218, 188.208.62.96, 103.16.202.12, 201.110.173.252, 46.167.130.169, 94.236.208.50, 89.144.164.205, 5.236.5.8, 5.239.201.208, 2.181.125.1, 151.235.251.145, 66.79.103.47, 111.70.42.18, 175.182.30.205, 195.181.92.230, 2.181.122.167, 2.187.30.159, 151.235.225.234, 185.179.170.128, 45.64.9.50, 2.183.92.21, 5.239.194.245, 5.235.255.11, 114.79.139.86, 103.213.2.195, 51.148.68.216, 2.183.85.111, 103.168.95.100, 37.148.26.127, 123.252.30.158, 189.111.108.196, 189.130.110.67, 195.181.89.153, 213.170.113.103, 85.105.224.110, 85.75.90.215, 121.123.48.140, 95.76.175.162, 91.92.238.206, 151.235.246.135, 178.238.205.7, 2.189.32.234, 5.232.208.113, 78.38.50.13, 151.235.165.4, 2.183.103.167, 94.183.34.57, 151.235.222.49, 89.34.176.50, 37.255.229.225, 75.176.59.51, 151.247.255.155, 5.237.245.216, 151.235.171.145, 185.99.213.108, 93.117.24.248, 2.183.84.97, 121.122.76.121, 85.204.81.30, 212.33.216.93, 119.63.252.244, 177.82.53.144, 5.235.229.227, 89.144.181.119, 151.235.190.139, 151.247.176.26, 2.180.66.200, 151.247.255.247, 187.131.55.220, 93.118.132.89, 93.117.21.63, 201.17.188.158, 185.155.15.213, 94.183.167.204, 201.138.15.112, 37.6.224.129, 188.136.147.176, 195.181.88.185, 85.204.209.154, 89.44.134.251, 94.183.49.104, 46.167.147.56, 5.235.245.163, 2.189.220.6, 2.181.117.54, 151.235.251.24, 212.33.214.217, 151.235.199.20, 80.178.101.235, 189.147.165.51, 220.134.49.77, 5.239.194.91, 195.181.95.232, 89.132.5.70, 92.26.231.102, 121.121.217.80, 121.121.138.216, 151.235.203.13, 89.144.185.223, 151.235.237.239, 106.1.144.120, 63.143.94.171, 159.192.253.252, 68.237.32.174, 151.235.215.52, 142.189.195.120, 151.247.177.116, 121.121.185.142, 217.24.158.182, 2.180.61.219, 89.44.134.113, 89.144.177.1, 5.235.241.26, 77.127.1.199, 2.182.205.80, 2.183.86.125, 93.117.9.179, 93.173.99.106, 201.138.108.135, 151.235.185.112, 82.137.225.93, 5.232.25.254, 5.239.211.129, 89.151.143.129, 94.183.71.123, 66.79.101.150, 2.180.200.177, 2.183.117.7, 41.75.110.81, 5.237.209.186, 31.215.79.124, 89.44.132.159, 178.238.205.171, 217.24.144.115, 45.80.100.91, 141.149.50.170, 2.180.153.175, 195.181.88.149, 185.145.9.81, 46.100.165.9, 85.204.82.198, 5.235.201.75, 109.125.137.19, 85.185.223.52, 118.67.38.71, 46.100.63.67, 151.235.195.235, 89.44.177.151, 220.132.212.32, 189.133.6.176, 5.239.214.253, 2.85.193.200, 2.183.99.153, 5.235.244.117, 47.18.219.178, 2.188.249.61, 85.204.212.250, 79.131.53.200, 46.100.71.145, 222.154.255.94, 93.117.19.101, 187.131.11.211, 2.187.21.254, 151.235.235.44, 85.204.216.11, 201.124.11.143, 85.204.212.173, 5.236.4.37, 5.236.26.159, 2.181.165.22, 86.122.111.157, 78.38.49.93, 80.210.22.1, 218.210.35.204, 151.235.183.146, 151.235.249.130, 37.156.8.153, 121.121.194.43, 5.235.254.98, 5.236.26.135, 188.0.248.66, 211.51.2.142, 49.205.214.42, 93.117.1.16, 151.235.248.13, 5.235.253.190, 94.183.66.171, 187.236.0.124, 2.181.174.246, 185.145.9.91, 2.183.89.62, 189.146.49.218, 212.33.215.219, 2.179.178.61, 45.227.182.70, 187.202.253.3, 212.33.221.178, 88.227.24.153, 93.173.82.201, 124.120.109.25, 5.232.215.149, 91.81.250.29, 91.140.9.194, 2.180.128.35, 185.153.19.82, 81.213.125.57, 85.204.216.82, 96.246.97.171, 207.68.254.110, 5.239.205.61, 217.172.112.173, 5.239.211.57, 2.84.151.60, 86.101.165.44, 110.78.152.13, 179.233.2.126, 223.205.106.141, 5.235.254.226, 94.183.223.246, 2.183.82.177, 151.235.224.111, 185.214.38.245, 177.32.50.202, 93.117.30.74, 91.138.231.182, 80.41.187.85, 195.181.92.73, 42.200.101.249, 94.183.39.190, 46.167.139.58, 151.235.215.166, 213.14.135.196, 2.180.227.174, 213.255.192.133, 62.38.192.91, 5.235.252.173, 5.26.198.252, 162.247.30.77, 78.186.137.34, 37.255.240.146, 85.204.222.227, 5.236.3.21, 93.117.18.132, 93.117.21.38, 195.181.88.44, 89.44.178.187, 49.158.178.14, 180.75.76.186, 188.136.146.183, 2.187.28.140, 5.236.27.49, 85.204.92.157, 201.111.57.181, 5.235.200.231, 188.136.145.156, 68.114.79.238, 190.70.203.65, 2.181.181.162, 89.44.177.52, 187.189.119.70, 14.192.239.183, 89.44.180.82, 93.117.5.58, 1.34.190.33, 46.167.142.60, 110.78.143.218, 119.203.80.160, 187.153.251.86, 151.235.237.248, 151.235.193.90, 123.205.137.2, 67.248.45.251, 195.181.84.56, 46.117.201.231, 109.122.236.65, 5.235.224.94, 95.9.243.32, 5.237.200.221, 94.52.221.36, 142.190.101.154, 5.237.218.129, 46.167.128.78, 5.235.247.46, 2.183.81.97, 2.180.115.134, 2.180.48.78, 189.226.255.168, 58.136.192.226, 189.144.217.55, 5.235.200.240, 93.69.92.102, 93.117.24.86, 120.151.233.95, 86.16.32.174, 217.219.132.8, 69.114.91.81, 5.235.205.108, 5.232.6.185, 217.24.149.149, 79.12.134.200, 155.93.138.70, 189.164.69.177, 73.155.56.206, 93.117.15.45, 186.22.8.134, 2.180.120.161, 85.130.151.235, 175.139.19.110, 151.235.250.51, 187.228.70.80, 201.137.43.131, 177.130.45.117, 89.44.135.156, 217.24.151.249, 151.235.191.176, 151.235.173.15, 175.136.64.28, 5.238.149.232, 5.235.224.121, 2.180.209.135, 122.118.49.210, 217.172.113.244, 85.185.21.106, 1.34.19.189, 85.204.221.45, 177.243.176.6, 151.235.196.18, 31.25.130.35, 188.136.145.134, 66.79.101.50, 217.24.154.7, 1.34.103.28, 201.103.44.104, 39.52.9.123, 5.235.192.12, 151.235.209.39, 103.21.223.123, 5.239.195.94, 85.130.174.180, 188.0.251.172, 31.120.75.59, 58.136.145.71, 5.239.199.51, 195.181.81.190, 175.145.228.109, 121.123.81.221, 2.183.104.53, 110.78.141.81, 24.47.40.46, 31.171.223.253, 2.177.57.197, 93.67.124.116, 189.190.82.24, 71.71.129.146, 121.121.184.196, 2.183.86.140, 85.130.237.70, 151.235.251.125, 5.237.224.16, 68.132.85.87, 2.183.102.202, 2.183.84.147, 76.30.30.53, 216.158.152.171, 2.180.167.109, 2.179.74.143, 189.130.182.115, 93.117.7.9, 37.255.200.202, 2.177.160.228, 217.24.149.39, 46.167.149.243, 187.170.118.148, 85.204.220.227, 2.187.8.244, 93.117.20.253, 151.239.92.236, 46.100.61.124, 66.79.98.48, 151.235.199.42, 85.204.92.166, 80.191.189.91, 72.80.79.252, 89.243.14.23, 109.122.228.133, 5.237.245.37, 184.178.59.222, 2.183.119.159, 85.204.83.117, 201.123.134.124, 187.234.229.230, 2.180.56.252, 131.100.136.93, 2.179.167.151, 151.235.182.64, 5.239.206.19, 5.237.243.159, 203.73.166.3, 189.223.218.108, 37.255.197.113, 2.183.103.77, 195.181.90.120, 95.5.11.129, 151.235.183.69, 95.80.169.14, 189.251.16.220, 187.235.152.211, 79.130.180.251, 78.188.109.187, 109.110.130.251, 177.94.244.81, 77.49.205.38, 5.237.225.225, 103.217.134.123, 2.189.17.59, 80.252.51.71, 2.177.58.228, 93.117.30.209, 151.235.187.184, 189.131.146.104, 84.42.41.2, 5.237.211.166, 79.129.48.124, 189.146.209.177, 151.235.240.75, 2.180.113.51, 5.235.220.196, 2.183.103.180, 114.33.109.103, 110.77.170.51, 85.204.214.71, 94.183.108.176, 94.183.152.218, 85.15.44.159, 189.164.38.239, 2.182.209.245, 67.242.148.242, 171.6.97.135, 195.181.39.41, 98.0.212.169, 94.66.106.97, 5.236.27.28, 188.208.57.217, 5.239.204.228, 2.187.8.64, 59.120.97.125, 23.243.134.140, 151.247.208.75, 93.117.24.75, 109.186.33.241, 93.118.97.114, 195.181.93.58, 195.181.83.209, 79.129.169.250, 86.105.196.226, 189.223.229.214, 187.147.245.234, 217.24.151.88, 2.187.9.162, 5.239.202.12, 84.241.0.19, 93.117.15.208, 219.92.33.224, 2.181.164.16, 93.119.95.2, 2.189.32.169, 95.38.24.35, 168.210.206.226, 93.117.11.255, 5.235.224.145, 189.222.221.227, 2.182.204.206, 203.106.189.215, 218.35.170.14, 51.194.49.200, 85.204.91.192, 5.235.239.145, 178.238.205.244, 109.122.231.77, 5.235.195.149, 189.238.78.99, 5.232.147.159, 5.236.27.100, 78.188.91.209, 94.183.165.81, 49.205.178.192, 2.178.108.180, 188.0.250.116, 5.235.251.230, 91.138.228.157, 188.211.204.134, 188.208.58.177, 5.232.123.11, 2.183.86.177, 87.203.214.185, 70.119.153.165, 217.24.158.32, 185.143.205.198, 151.235.206.231, 212.50.187.72, 219.95.75.69, 85.204.90.28, 181.164.73.16, 217.24.149.253, 189.234.249.162, 60.248.49.68, 5.235.246.82, 5.237.242.162, 187.104.138.93, 85.96.205.145, 89.44.135.176, 5.235.237.14, 37.255.210.207, 216.232.6.27, 93.117.18.15, 189.149.95.6, 89.44.129.32, 188.208.63.235, 1.10.255.254, 2.180.112.180, 94.183.187.127, 178.238.205.188, 219.95.76.180, 175.139.73.202, 76.171.86.84, 41.38.151.102, 121.121.114.108, 187.250.45.91, 151.235.183.211, 78.182.13.6, 5.235.112.248, 85.204.93.87, 46.117.134.28, 217.24.152.228, 2.182.204.88, 5.238.239.127, 5.236.93.20, 93.117.28.92, 123.252.63.8, 2.181.123.33, 31.130.186.229, 94.183.121.207, 177.128.21.82, 212.33.214.210, 5.232.149.229, 151.235.249.162, 5.232.148.106, 93.117.1.99, 37.26.33.239, 85.185.23.81, 14.43.138.61, 111.95.173.139, 46.100.60.41, 5.235.231.230, 89.144.181.125, 2.183.83.95, 151.235.38.33, 5.235.193.27, 37.255.228.49, 46.65.212.7, 183.82.114.10, 159.250.32.219, 94.21.67.157, 5.237.227.252, 178.238.204.238, 35.129.112.115, 188.0.255.34, 159.192.112.133, 2.180.112.125, 151.235.247.197, 212.56.152.72, 5.80.48.238, 2.180.130.55, 185.129.239.186, 5.29.135.63, 46.167.158.137, 74.141.247.68, 72.252.155.77, 151.235.199.189, 189.165.255.1, 151.235.201.10, 93.117.29.181, 79.130.195.166, 151.235.32.249, 188.208.60.42, 189.129.154.117, 195.181.84.72, 5.239.9.236, 159.20.101.73, 85.204.223.66, 2.183.116.135, 195.181.80.60, 122.117.232.247, 5.235.188.153, 88.214.8.82, 93.69.95.145, 93.117.18.204, 5.237.245.34, 93.117.17.94, 93.117.23.199, 2.184.54.148, 189.133.90.196, 2.183.84.226, 2.187.9.19, 217.119.134.247, 5.237.198.211, 2.183.108.192, 94.183.22.231, 195.181.85.175, 72.89.228.221, 76.91.240.41, 115.133.40.94, 2.182.204.203, 151.235.184.46, 2.187.26.4, 94.183.34.86, 151.235.222.195, 2.189.16.32, 89.139.22.16, 187.194.13.216, 89.44.177.203, 72.226.55.118, 182.53.50.7, 109.122.228.83, 5.237.196.153, 2.181.171.176, 2.182.210.187, 2.180.233.57, 5.160.164.157, 85.204.94.54, 93.117.27.212, 189.136.228.166, 89.139.50.53, 93.117.6.114, 181.188.89.136, 39.61.142.37, 195.181.91.79, 188.152.71.244, 151.235.205.206, 73.166.225.156, 88.247.58.129, 5.239.195.231, 5.239.204.48, 188.208.61.152, 2.180.182.232, 2.183.83.58, 182.18.254.74, 188.136.134.40, 93.117.28.135, 189.144.150.208, 2.181.180.194, 5.235.188.131, 217.24.148.254, 85.204.89.202, 151.235.205.254, 2.183.88.135, 187.154.193.97, 93.117.9.189, 2.183.101.128, 85.185.222.126, 151.235.182.175, 188.125.133.68, 105.184.84.151, 93.117.11.231, 85.204.211.4, 217.24.144.179, 85.204.87.184, 2.183.103.205, 177.11.198.142, 5.235.213.64, 151.235.251.107, 5.202.130.176, 2.187.11.222, 61.221.204.130, 87.70.72.26, 66.79.102.2, 141.237.201.205, 2.183.92.19, 114.34.70.104, 151.235.170.230, 5.235.236.126, 5.239.201.116, 195.181.82.66, 85.204.211.240, 2.187.23.176, 5.235.255.99, 91.92.239.53, 74.62.19.2, 5.237.221.66, 151.235.242.250, 151.235.193.214, 217.24.152.220, 187.250.51.93, 89.144.181.147, 71.87.234.14, 189.60.254.220, 121.122.103.7, 2.179.166.242, 68.193.40.235, 94.183.137.181, 195.181.85.67, 151.235.4.177, 120.158.143.49, 2.179.65.208, 2.180.125.74, 82.81.33.192, 151.247.253.126, 2.183.82.51, 95.212.144.172, 189.151.199.249, 59.126.81.229, 24.189.118.45, 99.217.21.63, 217.24.152.64, 89.41.42.145, 88.247.3.244, 94.192.45.51, 2.191.22.175, 78.38.124.97, 2.189.158.98, 2.179.65.167, 80.191.13.230, 217.180.231.219, 151.235.247.155, 212.33.219.110, 5.175.151.103, 85.204.213.152, 73.19.30.201, 187.226.51.72, 171.4.1.158, 5.237.196.108, 94.183.169.64, 92.249.235.62, 2.189.16.98, 58.136.221.25, 5.235.190.102, 103.239.251.223, 2.180.198.137, 85.204.216.61, 5.235.197.52, 85.204.88.42, 84.241.11.121, 60.49.64.12, 184.82.211.44, 95.38.144.106, 93.118.104.232, 5.236.29.201, 151.235.190.49, 175.145.96.123, 149.106.153.111, 93.117.19.218, 187.199.123.56, 178.164.145.153, 183.89.196.233, 24.193.72.244, 210.186.19.215, 188.0.253.216, 5.232.208.195, 5.160.160.237, 121.122.89.29, 118.163.126.240, 2.176.110.80, 2.187.9.147, 39.38.140.158, 93.117.26.79, 93.117.2.114, 95.6.66.197, 46.100.170.220, 165.255.49.16, 149.100.174.16, 185.170.236.138, 2.183.120.150, 172.114.252.162, 5.235.218.39, 2.180.90.95, 2.183.105.236, 95.77.150.198, 189.131.172.161, 201.103.87.55, 185.143.205.169, 5.160.164.190, 5.202.243.183, 5.239.205.155, 217.24.159.181, 5.198.232.224, 188.208.60.80, 180.75.9.47, 5.235.241.96, 201.106.100.165, 5.239.214.5, 67.81.227.18, 5.239.195.191, 5.235.247.184, 5.237.198.49, 93.117.21.125, 89.44.182.23, 177.193.59.18, 188.0.255.13, 151.235.180.152, 151.235.245.195, 88.248.19.4, 150.129.144.141, 91.92.238.223, 188.0.249.188, 59.126.116.185, 85.75.64.133, 185.11.69.162, 178.252.142.190, 85.185.23.45, 85.204.222.76, 187.195.64.11, 93.118.96.117, 2.183.85.115, 212.33.217.6, 188.0.252.15, 151.205.164.197, 2.180.132.190, 2.180.93.85, 212.33.222.199, 2.181.175.157, 5.235.245.125, 151.235.240.13, 85.204.223.125, 182.235.184.57, 151.235.231.223, 89.144.177.4, 182.53.238.86, 185.147.40.132, 151.235.32.60, 85.204.219.152, 2.189.17.148, 200.74.91.155, 2.183.105.184, 5.232.129.134, 221.166.171.189, 176.12.64.65, 195.181.90.168, 2.183.87.222, 93.117.21.139, 2.181.247.128, 5.236.13.168, 2.181.120.208, 5.190.253.247, 85.204.90.242, 2.187.8.145, 2.180.106.81, 2.183.82.141, 5.239.192.50, 187.250.70.157, 2.183.118.51, 85.204.87.208, 187.211.77.132, 2.180.252.8, 217.24.158.130, 89.138.140.44, 212.33.221.97, 5.239.177.164, 78.187.37.146, 188.0.252.49, 151.235.240.41, 46.6.15.156, 119.42.71.249, 5.160.164.177, 171.5.117.144, 2.176.12.95, 151.235.181.0, 178.248.203.165, 121.121.122.140, 94.183.151.242, 5.239.192.112, 2.183.110.56, 2.183.119.252, 220.133.105.205, 2.183.121.254, 14.192.239.250, 35.141.220.32, 151.235.215.103, 5.232.8.156, 5.232.140.10, 2.183.95.77, 189.102.4.119, 2.180.180.49, 151.235.161.213, 2.183.89.173, 187.235.101.174, 93.117.11.116, 94.183.235.37, 150.129.144.144, 110.77.170.232, 5.236.26.193, 96.246.230.97, 185.82.167.140, 93.117.30.230, 5.237.227.23, 217.24.155.60, 188.208.60.114, 2.180.91.177, 217.24.156.21, 187.195.104.61, 189.226.172.99, 93.117.8.229, 2.183.103.48, 93.117.26.123, 5.237.238.167, 14.137.65.139, 176.66.117.117, 2.187.29.119, 189.225.58.80, 37.156.24.141, 189.222.54.234, 217.24.154.169, 212.33.217.203, 2.180.233.54, 175.142.46.139, 201.137.105.24, 187.195.66.122, 2.183.95.126, 151.235.197.243, 2.191.20.163, 5.235.192.85, 88.228.151.17, 94.183.37.23, 212.33.220.113, 2.180.205.91, 89.144.171.3, 188.136.146.28, 84.241.43.45, 2.180.17.65, 85.204.212.174, 111.248.15.189, 213.191.186.66, 58.136.106.47, 5.235.249.92, 2.187.29.157, 201.123.230.175, 37.148.74.5, 31.14.209.135, 151.235.171.255, 217.24.144.246, 208.80.139.41, 2.187.29.105, 201.124.125.87, 2.177.147.234, 5.235.226.137, 2.176.138.214, 60.48.51.21, 5.232.26.41, 88.250.67.183, 2.179.189.80, 2.183.111.129, 5.237.208.231, 68.192.201.223, 2.185.209.42, 109.186.73.105, 187.145.163.235, 178.238.204.98, 89.144.178.54, 189.241.206.39, 85.204.222.133, 201.110.155.87, 2.185.150.143, 2.181.78.175, 187.145.174.214, 2.181.34.17, 189.146.101.63, 94.183.223.172, 2.183.112.141, 114.34.229.150, 121.123.189.11, 72.12.173.190, 2.177.91.98, 5.160.164.169, 151.235.202.107, 175.144.158.57, 115.135.43.140, 210.186.17.196, 185.75.204.0, 2.186.115.59, 91.92.121.171, 108.185.72.100, 94.183.158.220, 195.181.81.154, 5.235.230.127, 151.235.241.21, 31.204.239.127, 94.183.195.49, 181.91.50.241, 195.228.99.217, 121.122.90.43, 118.170.40.214, 85.64.142.148, 93.117.17.102, 2.182.206.251, 151.235.230.111, 5.239.213.73, 170.0.18.244, 71.93.3.7, 217.24.152.236, 2.178.103.79, 46.167.145.103, 151.235.235.134, 83.235.179.174, 2.183.108.227, 66.79.100.26, 89.44.130.122, 85.185.237.214, 114.35.64.31, 93.117.5.40, 195.181.86.117, 2.183.83.85, 85.204.81.0, 217.24.147.195, 188.0.250.133, 187.73.28.29, 2.187.20.145, 85.204.93.20, 151.235.212.180, 5.237.210.87, 2.181.180.156, 187.194.201.193, 200.150.163.194, 186.179.223.20, 201.121.6.112, 2.182.212.9, 151.235.205.88, 2.180.72.49, 213.57.249.148, 88.232.160.120, 195.181.86.95, 5.235.218.172, 108.5.110.97, 189.235.70.129, 217.172.113.32, 103.69.29.170, 213.165.184.131, 5.202.243.65, 94.183.33.217, 61.2.105.70, 123.195.179.167, 189.132.111.39, 2.187.20.77, 2.180.153.163, 178.36.96.217, 89.44.130.45, 151.235.188.92, 5.236.31.104, 5.232.213.61, 105.246.14.119, 94.65.248.215, 94.183.223.153, 67.84.124.42, 78.189.28.7, 2.187.22.106, 78.187.87.138, 195.181.83.210, 210.186.107.47, 174.166.16.176, 5.235.252.8, 27.72.113.179, 89.44.134.104, 95.81.97.59, 184.82.116.10, 93.117.23.12, 61.223.78.139, 2.179.177.19, 118.232.89.51, 43.240.7.122, 85.204.89.254, 217.24.159.111, 93.172.163.102, 94.183.115.88, 79.10.140.140, 5.237.227.161, 207.254.166.51, 36.233.54.118, 94.64.157.103, 184.82.186.156, 5.232.159.199, 5.235.193.73, 109.120.219.165, 5.235.112.60, 189.146.195.2, 217.24.145.208, 78.189.224.232, 175.139.56.231, 45.226.133.169, 94.53.135.14, 2.181.165.217, 80.191.189.159, 5.235.205.222, 185.143.205.76, 5.237.242.155, 151.235.212.152, 46.167.151.49, 85.105.113.212, 5.235.240.129, 2.183.86.113, 92.25.135.138, 185.218.200.27, 200.18.125.134, 159.20.106.121, 1.161.150.91, 185.166.229.157, 2.183.91.152, 94.183.217.152, 188.0.249.156, 121.122.118.70, 5.239.211.111, 49.48.130.16, 37.148.62.216, 173.49.75.75, 108.35.94.159, 96.74.21.214, 80.11.129.246, 212.120.199.220, 151.247.210.28, 217.24.159.197, 103.16.46.227, 189.236.14.228, 2.177.173.184, 2.181.112.215, 151.239.94.216, 189.133.36.154, 1.34.203.141, 171.4.83.120, 2.183.108.128, 89.132.6.94, 151.235.232.7, 24.171.213.14, 37.255.244.105, 89.240.115.67, 5.239.202.126, 185.124.159.76, 184.82.144.171, 36.227.89.44, 106.1.5.195, 104.173.137.198, 110.78.152.154, 85.74.6.79, 2.183.80.10, 37.6.217.0, 134.236.115.108, 151.235.221.135, 5.235.188.57, 89.231.35.33, 2.183.118.226, 2.190.132.169, 151.235.253.83, 122.116.133.57, 24.169.5.172, 50.113.46.209, 2.183.101.176, 60.53.224.111, 5.232.10.201, 188.208.59.162, 201.121.169.133, 2.183.123.130, 195.181.84.247, 5.29.140.145, 180.75.5.202, 5.235.189.44, 196.50.194.85, 2.180.13.47, 5.235.239.230, 5.237.242.173, 185.153.208.104, 85.204.91.215, 108.184.9.187, 85.105.116.37, 89.139.36.0, 2.177.229.120, 2.177.202.114, 67.81.205.204, 179.62.127.73, 59.15.150.137, 100.2.171.189, 5.236.24.103, 46.167.147.144, 46.100.71.220, 151.235.175.122, 93.117.12.64, 5.232.24.211, 2.189.220.98, 151.233.48.234, 2.181.120.193, 37.148.16.232, 60.50.2.228, 86.124.75.141, 47.181.47.106, 5.235.234.174, 151.235.208.114, 2.183.87.75, 93.117.14.163, 72.43.148.85, 151.235.236.156, 2.180.126.254, 5.237.244.13, 151.235.223.61, 187.168.133.119, 2.189.220.254, 93.117.0.21, 151.233.53.26, 184.22.130.239, 137.119.111.130, 186.218.123.202, 178.131.8.104, 121.141.164.171, 159.20.96.195, 93.117.8.92, 5.237.213.108, 2.183.111.160, 89.44.176.167, 94.183.116.28, 5.235.246.35, 2.180.235.99, 37.148.29.41, 49.204.124.148, 5.235.193.254, 86.181.168.97, 95.45.93.241, 85.185.223.121, 151.235.186.114, 5.204.37.113, 46.100.69.183, 2.180.74.223, 220.132.162.224, 195.181.81.52, 223.206.121.91, 115.132.5.52, 37.148.14.254, 173.3.133.68, 91.92.183.238, 187.234.68.66, 39.52.36.253, 66.79.98.39, 2.180.122.103, 211.250.18.251, 45.59.58.192, 219.89.205.132, 93.173.111.134, 85.204.93.48, 5.237.213.70, 93.117.14.194, 89.144.189.185, 5.235.250.211, 2.187.33.36, 5.235.242.118, 66.79.102.171, 80.210.31.150, 85.204.88.118, 2.183.87.46, 111.243.142.54, 185.75.204.181, 93.172.26.242, 5.239.207.190, 217.24.148.61, 151.235.205.52, 2.183.106.212, 2.180.103.67, 5.235.251.64, 2.180.84.176, 5.58.31.53, 80.210.57.45, 201.138.164.225, 187.155.29.83, 5.235.243.106, 213.149.184.35, 189.136.41.104, 84.241.63.126, 85.185.21.156, 46.176.58.132, 85.204.222.105, 217.119.134.178, 5.236.7.208, 201.121.133.204, 2.183.105.2, 5.232.21.31, 151.235.243.112, 185.82.166.192, 188.116.226.138, 217.24.159.236, 5.232.212.143, 2.180.249.69, 2.180.224.168, 195.181.89.241, 76.175.230.13, 180.176.42.219, 103.225.138.3, 88.248.253.99, 2.189.18.57, 89.44.135.126, 79.129.161.175, 175.137.10.255, 46.100.165.75, 46.100.60.154, 221.156.100.230, 5.235.202.13, 104.33.88.36, 151.235.221.167, 2.183.107.153, 188.208.62.67, 189.251.6.24, 2.238.193.71, 5.235.195.173, 5.237.239.111, 151.235.211.29, 5.236.25.129, 151.235.165.137, 2.183.99.231, 189.235.184.238, 5.239.202.33, 189.238.38.8, 93.117.25.34, 89.144.179.31, 217.218.249.223, 93.117.24.204, 5.235.253.209, 2.180.103.138, 101.108.154.28, 14.192.239.152, 5.239.176.110, 85.204.85.232, 85.204.92.109, 46.100.71.4, 93.117.18.0, 121.122.114.229, 159.192.253.205, 98.148.153.127, 2.233.120.114, 5.235.197.156, 151.235.229.11, 223.205.103.58, 189.157.233.22, 78.188.231.62, 195.181.88.14, 187.233.187.246, 93.117.1.41, 2.181.112.50, 217.24.148.23, 5.237.206.192, 217.24.150.38, 2.187.21.52, 212.33.219.157, 85.204.95.4, 93.117.14.3, 105.242.109.188, 5.160.164.26, 195.74.245.44, 85.204.91.140, 119.42.115.88, 151.235.167.7, 197.87.218.4, 2.183.120.111, 185.176.33.41, 2.178.97.29, 91.138.234.26, 184.82.115.240, 79.127.2.188, 112.169.68.208, 78.38.41.244, 151.235.192.159, 5.202.84.19, 209.131.253.45, 2.181.127.121, 108.170.68.134, 5.239.211.210, 93.117.13.29,

‍

How Organizations Can Defend Themselves 

GreyNoise recommends the following steps to protect against the botnet and similar cyber threats: 

• Block traffic from known malicious IPs. GreyNoise provides real-time data for defenders to block threats proactively. 
• Monitor network logs for unusual login attempts. Attackers are brute-forcing weak Telnet and SSH credentials. 
• Secure IoT devices immediately. Change default passwords, update firmware, and disable remote access where unnecessary. 
• Enable DDoS protection and rate-limiting. The botnet is designed for high-intensity attacks, so organizations should harden their network defenses.

‍

GreyNoise is Actively Monitoring Eleven11bot-Linked Activity

GreyNoise continues to track real-time scanning and attack activity from the botnet. We will provide further updates if new information arises. 

Track the botnet in real time — see if your network is a target. Navigate to the GreyNoise Analysis feature, paste the IPs above into the search bar, and download the CSV of malicious IPs for immediate blocking actions. 

‍

— — — 

‍^{Stone is Head of Content at GreyNoise Intelligence, where he leads strategic content initiatives that illuminate the complexities of internet noise and threat intelligence. In past roles, he led partnered research initiatives with Google and the U.S. Department of Homeland Security. With a background in finance, technology, and engagement with the United Nations on global topics, Stone brings a multidimensional perspective to cybersecurity. He is also affiliated with the Council on Foreign Relations.}

Mass Internet Exploitation in 2024: A Rapidly Escalating Threat

In 2024, attackers didn’t just exploit vulnerabilities — they automated them at scale, turning the internet into a playground for mass exploitation. 

• Attackers exploited vulnerabilities within hours of disclosure. 
• 40% of exploited CVEs were at least four years old — some dating back to the 1990s. 
• Ransomware groups leveraged nearly 30% of KEV-listed vulnerabilities that GreyNoise tracked. 

GreyNoise observed widespread internet scanning and exploitation attempts across thousands of IPs, showing how attackers are scaling operations faster than defenders can respond. 

‍

‍

The GreyNoise 2025 Mass Internet Exploitation Report provides a detailed breakdown of how mass exploitation evolved in 2024, which vulnerabilities were most targeted, and how CISOs and security professionals can stay ahead in 2025. 

‍

Key Findings from the 2025 Mass Internet Exploitation Report

• The most exploited vulnerability of 2024 targeted home internet routers, fueling massive botnets used in cyberattacks. 
• Legacy vulnerabilities remain among the most widely exploited, with attackers continuing to target publicly known flaws, sometimes dating back to the 1990s. 
• GreyNoise observed multiple CVEs showing signs of exploitation before being added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, reinforcing the need for real-time intelligence. 
• Ransomware groups leveraged 28% of KEV-listed vulnerabilities tracked by GreyNoise, showing mass exploitation is a key enabler of financially motivated attacks. 
• A surge in May 2024 was traced to 12,000+ unique IPs involved in an exploitation event targeting Android devices. 

‍

The Speed and Surprise of Mass Exploitation: New and Old CVEs Under Attack

This report confirms that mass exploitation is not just a zero-day problem — it’s a persistent issue across both new and old vulnerabilities. 

“Mass exploitation isn’t just about zero-days — it’s about attackers industrializing vulnerability exploitation at scale,” said Andrew Morris, Founder and Chief Architect at GreyNoise. "They care less about CVSS scores or KEV lists. They scan the entire internet — it’s quick and cheap to do — they find what’s exposed, and go after it immediately. This report shows just how fast and unpredictable mass exploitation really is — and why security teams need real-time intelligence to keep up.” 

‍‍

Why This Matters Now

• Most patching strategies can’t keep up — attackers automate exploits faster than teams can assess, prioritize, and deploy fixes. 
• Mass exploitation is moving faster than traditional security workflows — organizations need real-time intelligence, not just alerts. 
• Ransomware groups are automating attacks. Exploitation of known vulnerabilities remains a primary initial access method. 
• Home routers and IoT devices are increasingly being exploited at scale. Many organizations fail to account for these attack surfaces. 

‍

The Most Observed Exploitation Activity in 2024

Attackers aren’t just targeting newly disclosed vulnerabilities — many of the most exploited CVEs in 2024 are years old, proving that security teams must rethink patching priorities. 

GreyNoise tracked the most frequently observed vulnerability exploitation attempts across the internet in 2024. Some of the most targeted vulnerabilities included:

• CVE-2018-10561 (GPON Router Worm) – 96,042 unique IPs
• CVE-2014-8361 (Realtek Miniigd UPnP Worm) – 41,522 unique IPs
• CVE-2016-6277 (NETGEAR Command Injection) – 40,597 unique IPs
• CVE-2023-30891 (Tenda AC8 Router Exploit) – 29,620 unique IPs
• CVE-2016-20016 (MVPower CCTV DVR RCE) – 17,496 unique IPs

These vulnerabilities were frequently targeted throughout 2024, often in large-scale scanning campaigns, botnet-building operations, or ransomware-driven attacks. 

‍

‍

Defensive Takeaways for 2025

The 2025 Mass Internet Exploitation Report confirms that:

• Mass exploitation begins rapidly after disclosure, making real-time intelligence critical for prioritization. 
• Legacy vulnerabilities remain prime targets, often exploited alongside newer flaws. 
• Security teams need real-time exploitation intelligence to make informed decisions. 

‍

‍

— — —

‍

Noah Stone contributed to this writeup in collaboration with GreyNoise Research. Stone is Head of Content at GreyNoise Intelligence, where he leads strategic content initiatives that illuminate the complexities of internet noise and threat intelligence. In past roles, he led partnered research initiatives with Google and the U.S. Department of Homeland Security. With a background in finance, technology, and engagement with the United Nations on global topics, Stone brings a multidimensional perspective to cybersecurity. He is also affiliated with the Council on Foreign Relations.

‍

Key Takeaways

• GreyNoise has detected active exploitation of 23 of the 62 CVEs mentioned in Black Basta’s leaked chat logs, including vulnerabilities affecting enterprise software, security appliances, and widely used web applications. 
• CVE-2023-6875 is being exploited despite not being listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog, reinforcing the need for real-time intelligence beyond static lists. 
• Some of these CVEs have been actively exploited in just the past 24 hours, including critical flaws in Palo Alto PAN-OS, JetBrains TeamCity, Microsoft Exchange, and Cisco IOS XE.  
• GreyNoise is not attributing this activity to the ransomware group, Black Basta. Rather, we are observing active exploitation of a subset of the 62 CVEs mentioned in the group’s leaked chat logs. 
• GreyNoise confirms active exploitation of 23 of the 62 CVEs. However, since not all 62 are trackable by GreyNoise, the actual number of exploited vulnerabilities may be higher. 

‍

GreyNoise Confirms Active Exploitation of CVEs Listed in Black Basta’s Leaked Chats

A major leak of internal chat logs from the Black Basta ransomware group has revealed 62 CVEs discussed by the group — offering a glimpse into the vulnerabilities considered for exploitation by one of the most active ransomware operators. The list, first compiled by VulnCheck, underscores how attackers continue to target publicly known vulnerabilities long after disclosure. 

To assess real-world impact, GreyNoise analyzed internet-wide exploitation activity for these vulnerabilities. Our data confirms that 23 of these CVEs are actively being exploited, including in enterprise software, security appliances, and widely used applications. 

‍

Observed Exploitation Activity 

Below we see that 23 of the 62 CVEs mentioned in Black Basta’s leaked chat logs have been targeted within the past 30 days. 

‍

‍

The CVEs are: 

• CVE-2024-3400 – Palo Alto Networks PAN-OS Command Injection 
• CVE-2024-27198 – JetBrains TeamCity Authentication Bypass
• CVE-2024-24919 – Check Point Quantum Security Gateways Information Disclosure
• CVE-2024-23897 – Jenkins Command Line Interface (CLI) Path Traversal Vulnerability
• CVE-2024-1709 – ConnectWise ScreenConnect Authentication Bypass
• CVE-2023-6875 – wpexperts post_smtp_mailer Missing Authorization
• CVE-2023-4966 – Citrix NetScaler ADC and NetScaler Gateway Buffer Overflow Vulnerability
• CVE-2023-42793 – JetBrains TeamCity Authentication Bypass Vulnerability
• CVE-2023-36845 – Juniper Junos OS PHP External Variable Control
• CVE-2023-36844 – Juniper Junos OS EX Series PHP External Variable Modification Vulnerability
• CVE-2023-29357 – Microsoft SharePoint Server Privilege Escalation Vulnerability
• CVE-2023-22515 – Atlassian Confluence Broken Access Control 
• CVE-2023-20198 – Cisco IOS XE Web UI Privilege Escalation 
• CVE-2022-41082 – Microsoft Exchange Server Remote Code Execution 
• CVE-2022-41040 – Microsoft Exchange Server Server-Side Request Forgery Vulnerability
• CVE-2022-37042 – Synacor Zimbra Collaboration Suite (ZCS) Authentication Bypass Vulnerability
• CVE-2022-30525 – Zyxel Multiple Firewalls OS Command Injection 
• CVE-2022-27925 – Synacor Zimbra Collaboration Suite (ZCS) Arbitrary File Upload Vulnerability
• CVE-2022-26134 – Atlassian Confluence Server and Data Center Remote Code Execution Vulnerability
• CVE-2022-22965 – Spring Framework JDK 9+ Remote Code Execution Vulnerability
• CVE-2022-1388 – F5 BIG-IP Missing Authentication Vulnerability
• CVE-2021-44228 – Apache Log4j RCE (Log4Shell)
• CVE-2021-26855 – Microsoft Exchange Server RCE (ProxyLogon)

‍

Recent Exploitation: Activity Seen in the Last 24 Hours

‍A subset of the CVEs targeted within the past 30 days have been targeted within the past 24 hours. These include:

• CVE-2024-3400 – Palo Alto Networks PAN-OS Command Injection 
• CVE-2024-27198 – JetBrains TeamCity Authentication Bypass
• CVE-2024-24919 – Check Point Quantum Security Gateways Information Disclosure
• CVE-2024-1709 – ConnectWise ScreenConnect Authentication Bypass
• CVE-2023-4966 – Citrix NetScaler ADC Buffer Overflow (Citrix Bleed)
• CVE-2023-36845 – Juniper Junos OS PHP External Variable Control
• CVE-2023-22515 – Atlassian Confluence Broken Access Control 
• CVE-2023-20198 – Cisco IOS XE Web UI Privilege Escalation 
• CVE-2022-41082 – Microsoft Exchange Server Remote Code Execution 
• CVE-2022-30525 – Zyxel Multiple Firewalls OS Command Injection 
• CVE-2021-44228 – Apache Log4j RCE (Log4Shell)
• CVE-2021-26855 – Microsoft Exchange Server RCE (ProxyLogon)

‍

How Defenders Can Respond 

‍Organizations should immediately assess their exposure to the actively exploited CVEs from this blog and take the following steps:

• Patch these vulnerabilities — especially those being actively exploited in the last 24 hours. 
• Use GreyNoise’s intelligence to prioritize and validate real-world threats.
• Move beyond KEV — CVE-2023-6875 underscores the importance of real-time intelligence over advisories and lists. 

‍

How to Investigate These CVEs in GreyNoise

• GreyNoise customers: Log in to the GreyNoise product, navigate to the CVEs tab, paste the 62 CVEs, and select “SEARCH” to see real-time exploitation activity. 
• Free users: GreyNoise allows you to search for exploitation activity one CVE at a time via our free lookup tool. 

‍

Full List of CVEs Mentioned in Black Basta’s Leaked Chat Logs

The following 62 CVEs were identified in Black Basta’s leaked chat logs by VulnCheck. Organizations can use this list to assess their exposure. 

• CVE-2024-3400
• CVE-2024-27198
• CVE-2024-26169
• CVE-2024-25600
• CVE-2024-24919
• CVE-2024-23897
• CVE-2024-23113
• CVE-2024-23109
• CVE-2024-23108
• CVE-2024-21762
• CVE-2024-21683
• CVE-2024-21413
• CVE-2024-21378
• CVE-2024-21338
• CVE-2024-1709
• CVE-2024-1708
• CVE-2024-1086
• CVE-2023-7028
• CVE-2023-7027
• CVE-2023-6875
• CVE-2023-4966
• CVE-2023-42793
• CVE-2023-42115
• CVE-2023-38831
• CVE-2023-36884
• CVE-2023-36874
• CVE-2023-36845
• CVE-2023-36844
• CVE-2023-36745
• CVE-2023-36394
• CVE-2023-35628
• CVE-2023-3519
• CVE-2023-3467
• CVE-2023-3466
• CVE-2023-29357
• CVE-2023-23397
• CVE-2023-22515
• CVE-2023-21716
• CVE-2023-20198
• CVE-2022-41352
• CVE-2022-41082
• CVE-2022-41040
• CVE-2022-37969
• CVE-2022-37042
• CVE-2022-30525
• CVE-2022-30190
• CVE-2022-27925
• CVE-2022-26134
• CVE-2022-22965
• CVE-2022-1388
• CVE-2022-0609
• CVE-2021-44228
• CVE-2021-42321
• CVE-2021-42287
• CVE-2021-42278
• CVE-2021-40444
• CVE-2021-28482
• CVE-2021-26855
• CVE-2020-1472
• CVE-2017-5754
• CVE-2017-5753
• CVE-2017-11882

‍

GreyNoise will continue monitoring exploitation trends in real time. Stay updated by following GreyNoise’s threat intelligence reports, platform updates, and by visiting the GreyNoise visualizer. 

‍

GreyNoise is developing an enhanced dynamic IP blocklist to help defenders take faster action on emerging threats. Click here to learn more or get on the waitlist.

‍

— — — 

‍^{Stone is Head of Content at GreyNoise Intelligence, where he leads strategic content initiatives that illuminate the complexities of internet noise and threat intelligence. In past roles, he led partnered research initiatives with Google and the U.S. Department of Homeland Security. With a background in finance, technology, and engagement with the United Nations on global topics, Stone brings a multidimensional perspective to cybersecurity. He is also affiliated with the Council on Foreign Relations.}

‍