May brought more product enhancements to user workflows, data coverage… and of course, more interesting tags! Twenty-four, to be exact, as we continue to improve our product to help our customers monitor emerging threats and identify benign actors. We expanded our sensor coverage to Ghana, and we made some helpful improvements to bulk analysis, the RIOT dataset, and our APIs.

Improvement to Bulk Analysis: Export Unknown IPs

The Bulk Analysis function in the GreyNoise Visualizer has been improved so that users can now export unidentified IPs via CSV and JSON.  

This improvement helps analysts more easily identify the ‘interesting’ IPs in a bulk dataset they are analyzing: IPs that GreyNoise identifies are known common scanners or common business services, while IPs that are UNKNOWN to GreyNoise could represent a targeted threat or something that warrants additional investigation.

To access this feature, go to the GreyNoise Analysis page and analyze a file or dataset containing IP addresses.

Improvements to Destination Metadata: Sensor Hits

Two fields have been added to the metadata returned via Bulk Data, IP Context API, and GNQL API that will help users determine baselines or rates of activity:

  • metadata.sensor_hits is the amount of unique data the sensor has recorded from the queried IP.
  • metadata.sensor_count is the number of our sensors that have observed the IP address or behavior.
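As an added example (not GreyNoise's own code), the triage below combines the unknown-IP export from the Bulk Analysis section with the two new metadata fields: it separates IPs GreyNoise has not identified from those it has, and ranks the identified ones by how many sensors saw them and by hits per sensor. The records are constructed to imitate IP Context API output; `sensor_hits` and `sensor_count` are from this update, while the `seen`, `classification` and merged-in `riot` fields are assumptions about the response shape.

```python
# Added example: triage bulk IP Context results with the new metadata fields.
# SAMPLE_CONTEXT is constructed test data, not a real API response; the
# "riot" flag is assumed to have been merged in from a separate RIOT lookup.
SAMPLE_CONTEXT = [
    {"ip": "203.0.113.10", "seen": True, "riot": False, "classification": "malicious",
     "metadata": {"sensor_hits": 1200, "sensor_count": 40}},
    {"ip": "203.0.113.20", "seen": True, "riot": False, "classification": "benign",
     "metadata": {"sensor_hits": 300, "sensor_count": 30}},
    {"ip": "203.0.113.30", "seen": False, "riot": False, "classification": "unknown",
     "metadata": {}},
    {"ip": "203.0.113.40", "seen": True, "riot": False, "classification": "malicious",
     "metadata": {"sensor_hits": 50, "sensor_count": 2}},
    {"ip": "203.0.113.50", "seen": False, "riot": True, "classification": "benign",
     "metadata": {}},
]


def hits_per_sensor(record):
    """Average sensor_hits per observing sensor; None when no sensor data exists."""
    meta = record.get("metadata") or {}
    hits, count = meta.get("sensor_hits"), meta.get("sensor_count")
    if not hits or not count:  # missing or zero: no meaningful rate
        return None
    return hits / count


def unknown_ips(records):
    """IPs GreyNoise has neither seen scanning nor listed in RIOT (the CSV/JSON export set)."""
    return [r["ip"] for r in records if not r.get("seen") and not r.get("riot")]


def triage(records, min_sensors=10):
    """Bucket IPs: unknown, riot, broad (seen by >= min_sensors) or narrow (fewer).

    Broad and narrow buckets are sorted by hits per sensor, highest first, so
    the most active IPs within each bucket surface first. The threshold is a
    heuristic for this example, not a GreyNoise recommendation.
    """
    buckets = {"unknown": [], "riot": [], "broad": [], "narrow": []}
    for r in records:
        if r.get("riot"):
            buckets["riot"].append(r)
        elif not r.get("seen"):
            buckets["unknown"].append(r)
        else:
            count = (r.get("metadata") or {}).get("sensor_count", 0)
            buckets["broad" if count >= min_sensors else "narrow"].append(r)
    for name in ("broad", "narrow"):
        buckets[name].sort(key=lambda r: hits_per_sensor(r) or 0, reverse=True)
    return {name: [r["ip"] for r in recs] for name, recs in buckets.items()}
```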

RIOT: Qualys Scanner IPs added

We are now tracking Qualys scanner IP addresses in our RIOT database of common business services, so that customers can whitelist this activity (should they wish to) or contextualize this activity when seen in their security logs.

RIOT identifies IPs from known benign services and organizations that commonly cause false positives in network security and threat intelligence products. The collection of IPs in RIOT is continually curated and verified to provide accurate results.

New and Updated Integrations

Splunk Improvements: High Volume Enrichment, IP Similarity and IP Timeline Support

The GreyNoise App for Splunk has been updated to include a new Feed component, which allows users to ingest the GreyNoise indicator feed into Splunk for high-volume log enrichment. Additionally, new dashboards and commands have been added to support the IP Similarity and IP Timeline tools.

ThreatQ Improvements: New Actions for ThreatQ Orchestrator

ThreatQ has released new GreyNoise Actions for the Orchestrator platform that allow IP Similarity, RIOT and Quick lookups against the GreyNoise API. These updates can be downloaded from the ThreatQ Marketplace.

Tags Coverage Enhancements

In May, GreyNoise added 24 new tags:

  • 20 malicious activity tags
  • 3 benign actor tags
  • 1 unknown tag

All GreyNoise users can monitor scanning activity we’ve seen for a tag by creating an alert informing them of any new IPs scanning for tags they are interested in.

Notable Security Research and Detection Engineering Blogs:

KEV'd: CVE-2021-45046, CVE-2023-21839, and CVE-2023-1389

On Monday, May 1, 2023, CISA added CVE-2021-45046, CVE-2023-21839, and CVE-2023-1389 to the Known Exploited Vulnerabilities (KEV) list.  For all three CVEs, GreyNoise users had visibility into which IPs were attempting mass exploitation prior to their addition to the KEV list. GreyNoise tags allow organizations to monitor and prioritize the handling of alerts regarding benign and, in this case, malicious IPs.

Trinity Cyber + GreyNoise: Sharing Intelligence to Protect Internet Citizens

At GreyNoise we recognize the value of partnership and intelligence sharing when it comes to protecting internet citizens. Today the GreyNoise Labs team wants to give a shout-out to Trinity Cyber.

Progress’ MOVEit Transfer Critical Vulnerability: CVE-2023-34362

On May 31, 2023, Progress issued a security notice to users of MOVEit Transfer regarding a vulnerability that allows for escalated privileges and potential unauthorized access to the environment. CVE-2023-34362 was assigned to this vulnerability on June 2, 2023.

Sensor Coverage Enhancements: Ghana

We’ve added additional sensor coverage for the following country:

  • Ghana

You can view which IPs are seen scanning sensors in certain countries from our IP details page, or use `destination_country:"<country_name>"` in GNQL to find IPs that have hit those regions. Destination country search is available in all commercial plans for GreyNoise and to our community VIP users.


This article is a summary of the full, in-depth version on the GreyNoise Labs blog.