GreyNoise Round Up: Product Updates

GreyNoise added a number of exciting updates in April, including 20 new tags for users to monitor emerging vulnerabilities and threats, and identify benign actors. We’ve also added integration updates to support our new IP Similarity and Timeline features, and enhancements to the IP Similarity capability to improve accuracy and give users a summary view to easily understand similar IP infrastructure.

IP Similarity Enhancements

New IP Similarity Summary View

‍

We’ve enhanced our IP Similarity feature with a summary view that breaks down the high level summary of what fields we found similar in our dataset, and allows customers to quickly scan for common fields and tags. IP Similarity is available to paying customers and to our community VIP users: start a trial* today to explore or learn more about this feature.

IP Similarity Model Updates

We've updated the algorithm used by our IP Similarity to improve accuracy through several changes. Feature vectors are scaled and normalized to increase the distance between low and high information numbers, resulting in lower similarity scores. Bugs related to tokenizing user agent and web path strings were fixed, and options like 'unknown' and certain domain names were excluded. Values for webpath, rDNS, OS, and ports were adjusted, resulting in a feature vector with 693 items. Lastly, the minimum info threshold was raised to help improve accuracy of results.

IP Timeline Enhancements

‍

90 Days of IP Timeline Data Now Available

We’ve enhanced our IP timeline feature to store up to 90 days of IP history data (previously, we provided up to 60 days of data) to enable customers to better understand historical IP activity when threat hunting or performing incident response. IP Timeline is available to paying customers and to our community VIP users: start a trial* today to explore or learn more about this feature.

New and Updated Integrations

Integration Update: Anomali ThreatStream Enrichment

‍

We updated our Anomali ThreatStream Enrichment to include our IP Similarity and IP Timeline features. From the context of an observable, customers can now see all details GreyNoise knows, plus view similar IPs and the timeline of observed activity. Learn More

New Integration: Anomali ThreatStream Malicious IP Feed

Our Malicious IP Feed is now available on the Anomali ThreatStream marketplace. Customers can now easily subscribe to the feed and get a daily update of malicious IPs that GreyNoise observed scanning the internet in the last 24 hours. Learn More

Integration Update: Splunk SOAR

We updated our Splunk SOAR integration to introduce two new commands: "similar noise ips" and "noise ip timeline". These commands pull data from the GreyNoise IP Similarity and IP Timeline features and allow customers to bring that context into Splunk SOAR for an analyst to use during an investigation. Learn More

Integration Update: Maltego

We updated our Maltego Enterprise transform set to include a new Transform that allows for users to query for Similar IPs. This leverages the new IP Similarity tool, and allows for Maltego users to bring similar IPs into their graph for additional research and correlation within Maltego. Learn More

Integration Update: GreyNoise SDK

The GreyNoise SDK has been updated to include both CLI and API based commands to interact with the new IP Timeline and IP Similarity APIs. Learn More

Tags Coverage Enhancements

In the month of April, GreyNoise added 20 new tags:

10 malicious activity tags

6 benign actor tags

4 unknown activity tags

All GreyNoise users can monitor scanning activity we’ve seen for a tag by creating an alert that will inform them of any new IPs scanning for tags they are interested in.

Notable Security Research and Detection Engineering Blogs:

Change in ENV Crawler Tags as Bots Continue to Target Environment Files

On Tuesday, April 25, 2023, GreyNoise is changing how we classify environment file crawlers from unknown intent to malicious intent. At the time of publication, this change will result in the reclassification of over 11,000 IPs as malicious. Users who use GreyNoise’s malicious tag to block IPs based on malicious intent will see an increase in blocked IPs.

Active Exploitation Attempts (CVE-2023-1389) Against TP-Link Archer Gigabit Internet Routers

In collaboration with our partner Trinity Cyber, GreyNoise has a new tag for scan traffic related to CVE-2023-1389, a pre-auth command injection weakness in TP-Link Archer routers.

New Vulnerability: PaperCut MF/NG

On Friday, April 21, 2023, CISA added CVE-2023-27350 (a critical unauthenticated remote code execution vulnerability) impacting PaperCut MF and PaperCut NG to the Known Exploited Vulnerabilities (KEV) list. PaperCut MF and PaperCut NG are both enterprise printer management software.

A Trio of Tags For Identifying Microsoft Message Queue Scanners And Exploiters Live Now - QueueJumper (CVE-2023-21554)

Check Point Research discovered three vulnerabilities in Microsoft Message Queuing (MSMQ) service, patched in April's Patch Tuesday update. The most severe, QueueJumper (CVE-2023-21554), is a critical vulnerability allowing unauthenticated remote code execution. GreyNoise has a tag, classified as malicious, for the full QueueJumper RCE Attempt.

Sensor Coverage Enhancements

‍

We’ve added additional sensor coverage for the following countries:

Destination country search is available in all commercial plans for GreyNoise and to our community VIP users. Start a trial* today to explore destination data.

Search Enhancements

The GNQL cheat sheet is now available in the search bar. Want to learn more about how to effectively use GNQL? Review the cheat sheet for some helpful examples around syntax and available fields to use in search.