
Honeypots Are Back: The Movie: The Blog

GreyNoise was founded to see what others don’t. That quest led us to build a unique global network of thousands of sensors across hundreds of strategically selected points of presence, giving cybersecurity practitioners unparalleled insight into online activity, whether malicious or benign. 

And in 2023, we saw something new.

In the second quarter of 2023 GreyNoise researchers observed a substantial change in internet scanning behavior. Malicious inventory scans significantly reduced in frequency and scale, and the vast majority of these types of scans now come from benign sources. This, along with the speed at which compromises follow vulnerability announcements, strongly suggests more capable attacker groups have implemented their own form of “attack surface monitoring”, to avoid tripping existing defenses. Attackers are now less likely to risk their reconnaissance infrastructure being detected and flagged prior to establishing confidence in a successful attack path.

A change in attacker behavior is rendering current defenses less effective. But an established technique is ready to rise to the challenge. Honeypots are back.

With attackers routing around observation and detection, traditional third-party threat intelligence cannot provide the targeted attack visibility that defenders need. A first-party, honeypot-based approach is ready to step into the breach.

While honeypot programs have traditionally struggled with deployment, operation, and data analysis, new technology is changing the game. Advances in infrastructure automation, network traffic shaping, cloud computing, and artificial intelligence make it possible to consistently identify novel attacks and reveal attacker infrastructure. New honeypot networks are easy to deploy, with flexible impersonation, believable personas, and automated analysis. Whether on an organization’s perimeter or deployed across the globe, they provide the insights defenders need to protect key systems before a breach. 

At GreyNoise, we haven’t just focused on tech leadership — we’ve brought in thought leadership as well. In order to educate the market about these new challenges, and how honeypots can help tackle them, our deception and intelligence experts Andrew Morris and Bob Rudis have published the Honeypots Are Back report. This report:

  • Breaks down targeted attacks
  • Compares third- and first-person threat intelligence
  • Discusses traditional honeypot challenges
  • Establishes a new honeypot maturity framework
  • Provides a security checklist for defenders to implement this necessary capability

To dive deeper into each of these topics, read the report here. To see a demonstration of the new honeypot capabilities under development at GreyNoise today, watch our on-demand honeypot webinar here. And if you’re ready to discuss standing up a mature honeypot network in your own environment, talk to our team.

NetNoiseCon - Recapping our Debut Event

We had a blast at NetNoiseCon on April 19th and we hope you did too! If you missed out, don't worry - we've got you covered with this recap.

From incredible technical talks to insightful career advice from industry leaders, there was something for everyone. We strongly encourage you to watch each of the talks and soak in the wisdom shared by our stellar lineup of speakers.

Watch the full playlist of NetNoiseCon videos on YouTube here.

Technical Talks & Briefs:

Special Storm⚡️Watch briefing from boB Rudis - GreyNoise’s boB Rudis shares a fun and insightful brief on several active APT groups and the targeting of industrial control systems.

Trashing the Pandas: Analyzing Current Infrastructure Trends and T9000v2 - A Mustang Panda Case Study - This incredible technical talk from floofpwn was a crowd pleaser. Join floofpwn as he analyzes Mustang Panda malware and explores current infrastructure trends. Threat Hunters & Researchers should dig this talk!

Methods of Finding Threat Signals - Proofpoint’s Greg Lesnewich presented his methods for finding signal within the noise, finding anomalies in the data, and how to use layering techniques to find threats.

Vintage Internet Noise - GreyNoise’s Kimber Duke dives into the vintage internet vulnerabilities, many of which are 20+ years old, that still haunt us today.

Out of Touch, Out of Timeline - Making Sense of Temporal Correlation - Jonathan Reiter from Dragos shares his method of time series analysis, leveraging tools like GreyNoise’s timeline of observed activity, to investigate scan and host behavior.

Career Advancement & Advice Talks

Brain skills | functions | AI - Santiago Holley, VP of Threat Management at Redtrace Technologies, shares his thoughts on the strengths of AI and the inherent strengths of humans and how our brains work - and how we can bring those two together.

Stress, Mindfulness, & Mental Health in Cybersecurity - Matt Johansen, writer of the Vulnerable U Newsletter, explores the particular challenges and stresses that many in cybersecurity face, and how to deal with them. This is a fantastic honest look at our work in InfoSec and the struggles that many have with mental health.

How I Got Into CyberSecurity - GreyNoise Ambassador Joseph McDonagh shares his unorthodox career path from the military into cybersecurity. At the end, Joseph also shares how he uses GreyNoise “backwards” and leverages Splunk.


Huge thanks to all of our speakers - we really appreciate their time and insight. Also, thank you to everyone who tuned in and joined us live at NetNoiseCon; we had a blast!

We will bring NetNoiseCon back later this year, so stay tuned for more news about the next event. In the meantime, join us on Discord and say hi!

2024 Verizon DBIR: Surviving the Year of the Vuln

The 2024 edition of the Verizon Data Breach Investigations Report (DBIR) has finally been released! The team did their usual bang-up job pulling key knowledge threads from the massive volume of data submitted by their ever-increasing number of contributors (of which GreyNoise is one!). Our researchers have pored over this tome to identify critical themes that should be of great import to GreyNoise customers and community.

The Year Of The Vuln

Identifying when attackers attempt to exploit vulnerabilities on internet-facing endpoints is at the heart of what we do at GreyNoise. So, it comes as no surprise that the DBIR team “witnessed a substantial growth of attacks involving the exploitation of vulnerabilities as the critical path to initiate a breach when compared to previous years.” The 180% increase was felt — almost daily — by all who keep track of headlines in the cybersecurity press. Our GreyNoise sensor fleet caught an extra 200K unique IPv4 addresses slinging malicious tagged activity our way (4.2 million malicious IPv4s in 2022 vs. 4.4 million in 2023), and the volume from those adversarial sources went from just over 10 million malicious tagged events to 13+ million.

One thing we did not expect was vulnerability exploitation chipping away at the volume of both credential-based attacks and phishing as the critical path action to initiate a breach, as seen in Figure 6 from the report:

Historically, phishing has been one of the most successful attack paths for our adversaries, and the volume of lost and stolen credentials is stunningly huge. However, organizations have been steadily investing in more advanced phishing protection (including awareness training), and credential blasts are both noisy and increasingly thwarted as organizations rely more heavily on the elevated protections provided by identity and authentication providers like Okta.

Conversely, using internet infrastructure to find and exploit vulnerable, exposed services can be a risk-free activity for attackers, and there is an almost endless supply of both new vulnerabilities and unpatched hosts. GreyNoise excels at identifying this activity, and we provide the timeliest and most comprehensive information on those attack types and sources, bar none.

It was also a bit distressing, though not surprising given Figure 6, to see that vulnerability exploitation was at the heart of third-party-related breaches.

Figure 10. Action varieties in selected supply chain interconnection breaches (n=1,075)

You Don’t Have Time To Patch

Every defender should print out page 21 of the 2024 DBIR and tape it to their wall (or, cubicle, if you’re in the 50% of IT folks still commuting to offices).

Most cybersecurity folks are not familiar with the “survival analysis” shown in Figure 19. It’s just a fancy way of estimating the time until some event occurs. This analysis focuses on vulnerability remediation data (i.e., “patching”), with an emphasis on how long it takes organizations to patch vulnerabilities in CISA’s Known Exploited Vulnerabilities (KEV) catalog.

GreyNoise researchers are huge fans of CISA KEV. We even benchmark ourselves against it! We meet or beat CISA over 62% of the time when it comes to having a tag ready for defenders to use. How do our customers use these tags? Well, the primary way is to block activity from IP addresses associated with these tags. While this may not prevent pinpoint targeted attacks, it absolutely buys them time to keep safe from opportunistic attacks, and helps them identify those targeted attacks much faster, and with greater precision.

Our own data clearly shows that once a proof-of-concept (PoC) is available, attackers waste zero time going after vulnerable systems. And, there is increasingly little daylight between when a CVE is published and when a PoC becomes available.

Seeing that 85% of CISA KEV entries remain unpatched after 30 days clearly shows that most organizations have no time to patch. This means protecting these assets from harm during that 30-day exposure is paramount.
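The "survival analysis" behind Figure 19 is easier to reason about with a small worked implementation. The block below is an added example, not the DBIR team's code or data: it applies the Kaplan-Meier estimator to a constructed set of ten tracked vulnerabilities, where an entry that was still open when observation stopped is right-censored rather than counted as patched. The 30-day figure and the median time to patch fall out directly from the curve.

```python
"""Kaplan-Meier survival estimate for vulnerability remediation.

Added example of the 'survival analysis' idea referenced above; it is not
the DBIR's code or data. Each observation is (days, patched): days since the
vulnerability entered the tracking list, and whether it was patched on that
day (True) or still open when observation stopped (False, right-censored).
"""

# Constructed sample: ten tracked vulnerabilities in a hypothetical org.
SAMPLE = [
    (3, True), (7, True), (14, True), (20, False), (25, True),
    (30, False), (45, True), (60, False), (60, True), (90, False),
]


def kaplan_meier(observations):
    """Return [(day, fraction_still_unpatched)] as a step function.

    At each distinct day the estimate is multiplied by (1 - d/n), where d is
    the number patched that day and n is the number still at risk just
    before it. Censored entries leave the risk set without an event, which
    is what lets unfinished remediation count without being treated as a
    patch.
    """
    obs = sorted(observations)
    at_risk = len(obs)
    survival = 1.0
    curve = []
    i = 0
    while i < len(obs):
        day = obs[i][0]
        patched = censored = 0
        # Group every observation that shares this day.
        while i < len(obs) and obs[i][0] == day:
            if obs[i][1]:
                patched += 1
            else:
                censored += 1
            i += 1
        if patched:
            survival *= 1.0 - patched / at_risk
        curve.append((day, survival))
        at_risk -= patched + censored
    return curve


def unpatched_fraction(curve, day):
    """Estimated fraction still unpatched `day` days in (step lookup)."""
    estimate = 1.0
    for t, s in curve:
        if t > day:
            break
        estimate = s
    return estimate


def median_days_to_patch(curve):
    """First day at which half or fewer remain unpatched, or None if the
    curve never drops that far (too many still open)."""
    for t, s in curve:
        if s <= 0.5:
            return t
    return None


if __name__ == "__main__":
    curve = kaplan_meier(SAMPLE)
    for day, frac in curve:
        print(f"day {day:3d}: {frac:.1%} still unpatched")
    print("unpatched after 30 days:", f"{unpatched_fraction(curve, 30):.1%}")
    print("median days to patch:", median_days_to_patch(curve))
```

The censoring detail is the part worth keeping in mind when reading the DBIR chart: a vulnerability that is still open at the end of the reporting window is evidence of slow remediation, not a patch event, and the estimator accounts for it without pretending to know when (or whether) it will be fixed.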

Closing The Door On Attackers

The DBIR team used the “open door” metaphor for how attackers made their way into organizations in 2023. At GreyNoise, we’re highly focused on helping organizations safeguard every single entry point in their internet-facing infrastructure, while also laying out some of our own trapdoors to help confuse and ensnare them.

With GreyNoise, organizations can gain an edge over their adversaries, using our advanced sensors to identify targeted attacks quicker than ever before. Combined with the proven, battle-tested intelligence in our existing Noise dataset, defenders now have the tools to both make it extremely difficult for attackers to be successful, and slow them down long enough to finish asset remediation efforts. Join us as we work to chip away at the million-incident record the DBIR set this year, and turn the tide against our combined foes! You can get started with our data here, or connect with our team to talk about advanced features.

What We're Reading: April 2024

Sam Houston // Senior Community Manager

💡 AWS Made Easy Livestream Ep. 99.5 | Rahul Subramaniam + Stephen Barr 

Thoughts: Ezra Klein’s interview with the CEO of Anthropic is an interesting discussion about the speed of growth of the industry and the impact AI will have on our electricity consumption, the impact on jobs, and more. Very interesting listen!

Bob Rudis // VP Data Science & Research

🚀 Book: The Ascendant Wars: Hellfire | Rhett C. Bruno & M.B. Vance

Why I like it: It has stylistic and narrative elements like The Expanse novels, and presents an intriguing future where some humans (dubbed Wardens) have outgrown their humanity thanks to bioengineering and rule the galaxy with ruthless efficiency. This story centers around the folks impacted by a particularly horrible Warden who decides to mess with the pseudo-stability of the regime in order to gain control. Excellent writing.

🪙 Article: Lessons after a half-billion GPT tokens | Ken Kantzer 

Thoughts: It was a good read as well. I don't necessarily agree with all the points, but the author's practical take on making real-world apps with "AI" is very refreshing amidst all the hype.

Louis Evans // Director of Product Marketing

💨 Atmospheric Disturbances | Rivka Galchen

Why I like it: This brilliant, disturbing novel centers on a psychiatrist suddenly convinced his wife has been replaced by an imposter (presumably a reference to a real disorder, Capgras delusion) and that the secret to finding his real wife is hidden in an obscure paper by a research meteorologist—clearly based on the author’s own father. Hilarious, insightful, surprisingly punny—and though written in 2006, the bite-sized chapters are perfect for our age of internet distractions (just me?).

🚪 The Saint of Bright Doors | Vajra Chandrasekera

Thoughts: Incisive, bizarre, and with a last-act twist that slides perfectly, yet shockingly, into place, The Saint of Bright Doors is certainly deserving of its string of award nominations. I saw Chandrasekera read an excerpt from this book on his tour; he chose the scene where the protagonist’s mother tells her son “the doctors will tell you I’m dying of cancer . . . but really it’s because I’m disappointed in you.” But Bright Doors does not disappoint. 

🐉 The Dragon Waiting | John M. Ford

TLDR: Neil Gaiman wrote that this book “contains no dragons”. It’s not quite true—and Gaiman’s full quote contains a qualifier that I’m cunningly concealing from you—but close enough. Now consider what it means to recommend a dragonless book about dragons. Familiarity with the Wars of the Roses and strong opinions about the Byzantine empire will be greatly rewarded. 

Ron Bowes  // Lead Security Researcher

🪄 Book: Maximum Entertainment 2.0 | Ken Weber

Why I like it: It is a book about having a more interesting stage presence as a magician. I'm not a (professional (or good)) magician, but telling stories and being interesting on stage applies to all of us!

🧛 Book: The Twelve | Justin Cronin 

Backstory: Vampire fiction might be too embarrassing to post…for context, I go to the local used bookstore to buy random books. I bought "The Passage" by Justin Cronin and got sucked into (🥁) the story about the world being overrun by a vampire virus. Halfway through, I realized it's a trilogy; now I'm halfway through the second book ("The Twelve"), with the third ready to go. 

🌟 Textbook: Improv 101 | Jet City Improv 

Thoughts: Improv classes are a great way to meet people, build confidence, and have fun in a super supportive environment!

Konstantin // Senior Researcher

🧠 Book: Being You: A New Science of Consciousness | Anil Seth 

Thoughts: It is a nice read. Basically, “the entirety of perceptual experience is a neuronal fantasy that remains yoked to the world through a continuous making and remaking of perceptual best guesses, of controlled hallucinations.” Or how I stopped worrying and learned to love the absence of free will.

Exploring GreyNoise: The User-Centric Design Approach in Cybersecurity

In today’s cyber landscape, blending robust security with effective design is not just beneficial—it’s essential. At GreyNoise, we integrate design principles from the very beginning of our development process, ensuring that every security measure is user-focused and seamlessly integrated. This approach doesn't just enhance the security of digital services; it also ensures that updates and innovative controls fit perfectly within existing systems.

Empowering Users with User-Centric Design

Our philosophy at GreyNoise centers around understanding and addressing your needs, challenges, and feedback. By prioritizing user-centric design, we ensure that each feature and update is not just powerful, but also relatable and engaging.

Putting You First: Your needs, challenges, and feedback are what drive us at GreyNoise. We believe that understanding your perspective is key to making our cybersecurity solutions not just powerful, but also relatable and engaging.

Anticipating Security Needs: We proactively incorporate mechanisms like security logging, monitoring, alerting, and response capabilities into our systems, preparing for potential security incidents before they occur [1].

Join Our Community on Slack: Your insights are invaluable. Engage with us on Slack to share your experiences and suggestions, playing a pivotal role in our product iteration process. Join our Community on Slack.

Simplicity and Accessibility: The Hallmarks of GreyNoise Design

Our commitment to simplicity and accessibility ensures that our tools are straightforward and can be used by everyone. Here’s how we achieve this:

Clutter-Free Interface: Simplicity is central to GreyNoise’s design ethos. Our interfaces are streamlined, focusing on delivering essential information efficiently to prevent overload and facilitate quick, informed decisions.

Focused Feature Set: We hone in on the most impactful features, ensuring our tools are straightforward and effective, making complex threat analysis accessible to all users.

Inclusive Design Philosophy: Upholding the principle that cybersecurity should be accessible to everyone, GreyNoise designs tools that cater to a wide range of abilities, embodying our inclusive design philosophy. Our proof of promise and commitment to accessibility is demonstrated through our Voluntary Product Accessibility Template (VPAT), which details how our products adhere to recognized accessibility standards. This transparency underscores our belief in making security tools accessible to everyone, affirming that effective security is a universal right.

Visual Engagement: Simplifying Complex Information

GreyNoise uses visual elements like infographics to break down complex information, making cybersecurity concepts more understandable and engaging, illustrating the practical benefits of our design-driven approach.


Real-World Applications and User Experiences

GreyNoise consistently demonstrates its commitment to enhancing user capabilities through various educational and interactive platforms. We offer comprehensive demos and case studies, which are pivotal for users looking to deepen their understanding of cybersecurity practices [2]. These resources are tailored to help both novice and advanced users by providing practical, real-world applications of GreyNoise's cybersecurity solutions.

Additionally, GreyNoise is proactive in addressing future cybersecurity concerns by hosting webinars, such as the recent discussion on the future of honeypots. These events aim to educate participants on strategies to combat targeted attacks, reflecting GreyNoise's dedication to keeping the cybersecurity community informed and prepared [3].

A Fusion of Cybersecurity and Design

At GreyNoise, we are redefining the synergy between security and design. Our dedication to user-centric, simple, and accessible design propels us to deliver tools that are not just powerful but also intuitive and inclusive. With GreyNoise, you are equipped with cybersecurity tools designed for the modern digital landscape, where effective security seamlessly integrates with exceptional user experience.

Key Innovations and Features

1. Explore and Investigate: Users can delve into detailed analyses of IP activities, enhancing their understanding and ability to react swiftly to potential threats [4].

2. IP Timeline and Details: Offers a comprehensive view of an IP's history and current status, allowing users to track and analyze behavior patterns over time [5].

3. Alerts and Blocklists: Enables proactive responses with customized alerting systems, ensuring users can respond to threats promptly [6].

At GreyNoise, we don’t just create tools; we build solutions that integrate effective security with exceptional user experience. Our commitment to user-centric, simple, and accessible design drives us to deliver products that not only protect but also empower our users.

Explore GreyNoise’s Design-Centric Cybersecurity Solutions

Dive deeper into how our design-centric cybersecurity solutions can transform your security strategy. Interact with our tools, join our community forum on Slack to share your insights and help shape the future of cybersecurity.


How does GreyNoise ensure its design is user-centric?

GreyNoise integrates user feedback throughout the design and development process, ensuring that our tools meet real user needs effectively and intuitively.

What are GreyNoise’s key design principles?

We focus on simplicity, user-centricity, and accessibility to ensure our cybersecurity tools are effective and easy to use for everyone.

How can I provide feedback on GreyNoise products?

Join our Slack community! It’s a vibrant space where you can provide direct feedback, suggest improvements, and influence our product development.


  1. Secure by Design Principles
  2. GreyNoise Blog
  3. GreyNoise Resources
  4. GreyNoise Product Overview
  5. IP Timeline Feature
  6. Alerts and Blocklists

Decrypting Fortinet's FortiOS 7.0.x

Curious about decrypting Fortinet's FortiOS 7.0.x firmware? In the latest Grimoire post, we delve into the technical details of doing just that, revealing a hardcoded key used in the ChaCha20 encryption algorithm and the steps required to extract the decrypted rootfs.gz file. With this information, researchers can investigate the relevant vulnerabilities and help users address potential security risks.

Check it out over here.

GreyNoise Tags Its Way to 1337 Elite Status

Yesterday, GreyNoise reached a fun and significant milestone after publishing our 1,337th tag. 1337 is a cherished number in hacker culture, as it is a numerical shorthand for "leet", which itself stands for "elite". This term has deep roots, going all the way back to the 80's when one had to make modems scream to access bulletin board systems (now, we humans are the ones screaming whenever we go online to see what fresh hades awaits us each day).

What makes this milestone even more significant is how it was achieved.

The chart below shows the cumulative sum of tag counts by year. While there was a modest improvement in intra-year tag creation from 2022 to 2023, we're just into the first few weeks of Q2 in 2024 and are almost at the total tag count for 2023.

We will almost certainly blow past 2023's tag count well before the end of Q2, and this has all been made possible by our focused and practical use of AI. This system helps our incredible detection engineers quickly triage the millions of events our sensor fleet absorbs every day. With it, they discover and tag novel payloads to help inform and protect our customers, community, and the internet as a whole. The application that fuels this work is called Sift, and we've waxed poetic about it quite a bit over the past few months.

This boost to the tag inventory has also meant an increase in CVE coverage.

(Since it most likely drew your attention, the jumps in 2022 were due to numerous factors, including the increase in Russian hostilities towards Ukraine.)

60% of 2024 tags are based on CVEs, and — along with plenty of "modern" vulnerabilities — Sift has helped us catch exploitation attempts of some very old CVEs, too:

I'm incredibly proud of our team of data scientists, security researchers, and detection engineers. Their leet expertise powers the detections that folks rely on every day, and we hope you'll join in our celebration of achieving this epic milestone!

To learn more about GreyNoise tags and how they differ from "traditional" detections, check out our Tags Webinar Series.

CVE-2024-3400: Command Injection Vulnerability in Palo Alto Networks PAN-OS

On April 12th, 2024, Palo Alto Networks announced CVE-2024-3400. CVE-2024-3400 is a CVSS 10 critical arbitrary file-write vulnerability in Palo Alto Networks PAN-OS software versions 10.2, 11.0, and 11.1. This vulnerability enables unauthenticated attackers to execute arbitrary Linux commands with root-level privileges on affected firewalls if the firewall is configured with a GlobalProtect gateway or portal (or both) and device telemetry is enabled.

Palo Alto and Unit 42 have confirmed that threat actors have exploited CVE-2024-3400 in a limited number of attacks in the wild. CISA published guidance and added it to the Known Exploited Vulnerabilities (KEV) catalog on Friday, April 12, 2024.

Palo Alto Networks released workaround guidance and some hotfixes on April 14, 2024. Customers can also mitigate the vulnerability by enabling Threat ID 95187 if they have a Threat Prevention subscription, or by temporarily disabling device telemetry until the device is upgraded to a fixed PAN-OS version.

GreyNoise is tracking opportunistic exploitation attempts here. As of April 15, 2024, 17:00 UTC, no attempts have been observed by our fleet.

Of note: our sensor fleet has detected instances of nonworking exploits that have been circulated online, claiming to be for CVE-2024-3400. This indicates that opportunistic exploitation will quickly follow once working exploit code is released.

Leveraging AI Advances to Improve Intelligence for Discovery, Identification, and Interpretation

AI is so hot right now, and the cybersecurity space is no exception. Technology leaders are unveiling exciting new capabilities, vendors are making extravagant claims, and practitioners are working hard to understand how to separate the wheat from the chaff, leveraging AI where it can make the most difference to their operations’ and their organization’s risk.

Here at GreyNoise, we’ve been investigating where AI capabilities can have the biggest impact, and then working to deploy them internally, externally, and in partnership with other security vendors. In this blog we’ll discuss several GreyNoise AI projects and how they’re helping defenders identify and understand threats and secure their environment.

Sift: AI for Anomaly Discovery

Traditional automation is rule-based and rigid. “IF a packet matches this malware signature, THEN block it AND generate an alert”, etc. AI-based approaches are different. AI makes it possible to automate pattern recognition—and its inverse, anomaly discovery. With AI, defenders can rapidly process high volumes of data, and automatically identify the most suspicious observations for high-priority analysis and triage.

Sift is GreyNoise’s tool for solving this problem. It leverages multiple advanced AI techniques, including: 

  • custom-built LLMs (Large Language Models) 
  • nearest neighbor search and vector databases 
  • unsupervised clustering

Sift runs daily, helping our research team process the data generated by our global sensor fleet to identify novel behavior, traffic, and attacks.
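To make the "nearest neighbor search" and "anomaly discovery" ideas above concrete, here is a small added illustration. It is not Sift's code and makes no claim about how Sift represents traffic: it turns a constructed batch of sensor-observed HTTP requests into bags of character 3-grams, scores each request by its mean cosine distance to its k nearest neighbours, and ranks the batch so that the request that resembles nothing else floats to the top for an analyst to look at first.

```python
"""Nearest-neighbour novelty scoring over constructed sensor requests.

Added illustration of the nearest-neighbour anomaly-discovery idea named
above; it is not GreyNoise's Sift code. Each request is turned into a bag of
character 3-grams and scored by its mean cosine distance to its k nearest
neighbours in the same batch; the highest-scoring items are the ones that
look like nothing else and deserve analyst attention first.
"""
from collections import Counter
from math import sqrt

# Constructed sample of one batch of observations. Host is a documentation
# address; the user agents are ordinary crawler and tooling strings.
REQUESTS = [
    "GET / HTTP/1.1\r\nHost: 203.0.113.5\r\nUser-Agent: Mozilla/5.0 (compatible; Googlebot/2.1)",
    "GET /robots.txt HTTP/1.1\r\nHost: 203.0.113.5\r\nUser-Agent: Mozilla/5.0 (compatible; Googlebot/2.1)",
    "GET /favicon.ico HTTP/1.1\r\nHost: 203.0.113.5\r\nUser-Agent: Mozilla/5.0 (compatible; bingbot/2.0)",
    "GET / HTTP/1.1\r\nHost: 203.0.113.5\r\nUser-Agent: Mozilla/5.0 (compatible; bingbot/2.0)",
    "GET /sitemap.xml HTTP/1.1\r\nHost: 203.0.113.5\r\nUser-Agent: Mozilla/5.0 (compatible; Googlebot/2.1)",
    "HEAD / HTTP/1.1\r\nHost: 203.0.113.5\r\nUser-Agent: curl/8.4.0",
    "GET / HTTP/1.1\r\nHost: 203.0.113.5\r\nUser-Agent: python-requests/2.31",
    # The one request that shares little with the rest of the batch.
    "PROPFIND /webdav/ HTTP/1.1\r\nHost: 203.0.113.5\r\nDepth: 1\r\n"
    "Content-Type: text/xml\r\nUser-Agent: DavClnt\r\n\r\n"
    '<?xml version="1.0"?><propfind xmlns="DAV:"><allprop/></propfind>',
]


def ngrams(text, n=3):
    """Bag of overlapping character n-grams, as a sparse count vector."""
    return Counter(text[i:i + n] for i in range(len(text) - n + 1))


def cosine(a, b):
    """Cosine similarity between two sparse count vectors."""
    dot = sum(c * b[g] for g, c in a.items() if g in b)
    na = sqrt(sum(c * c for c in a.values()))
    nb = sqrt(sum(c * c for c in b.values()))
    return dot / (na * nb) if na and nb else 0.0


def knn_novelty(items, k=2):
    """Return [(score, index)] sorted from most to least novel.

    The score is the mean cosine distance (1 - similarity) from an item to
    its k most similar other items, so an item sitting in a dense cluster of
    look-alikes scores near 0 and an isolated one scores near 1.
    """
    vecs = [ngrams(t) for t in items]
    scored = []
    for i, v in enumerate(vecs):
        dists = sorted(1.0 - cosine(v, w) for j, w in enumerate(vecs) if j != i)
        scored.append((sum(dists[:k]) / k, i))
    return sorted(scored, reverse=True)


def most_novel(items, k=2):
    """Index of the single item an analyst should look at first."""
    return knn_novelty(items, k)[0][1]


if __name__ == "__main__":
    for score, idx in knn_novelty(REQUESTS):
        print(f"{score:.3f}  {REQUESTS[idx].splitlines()[0]}")
```

The point of the ranking is triage order rather than a verdict: the top of the list is what an analyst reads first, and the crawler traffic that dominates the batch sinks to the bottom without anyone having to write a rule for it. Swapping the 3-gram bag for a learned embedding and the brute-force loop for a vector index changes the scale, not the idea.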

For more on Sift and how it works, check out our technical launch blog here.

Sift: AI for Targeted Attack Identification

But Sift doesn’t stop there. The same techniques can be applied to the data generated by targeted subsets of our sensors, helping specific organizations generate intelligence insights and reports tailored to observations from their own networks. This AI application will bring the industry-leading research capabilities of GreyNoise into any organization’s internal security processes, reducing triage overhead, accelerating attack identification, and making life easier for defenders—and harder for attackers.

For more on how to bring the insights of Sift into your own organization, talk to our team.

Copilot: AI for Interpretation

The capabilities of AI aren’t limited to stochastic data analysis. Recent advances in transformer architectures and LLMs have cracked the natural language barrier, making it possible to generate well-formulated utterances at scale. This has opened up a new frontier of AI assistants. Microsoft Copilot for Security is leading the charge to bring these capabilities into the cybersecurity space, and GreyNoise is working together with Microsoft on this initiative. We’re a partner in the Microsoft Copilot for Security Partner Private Preview, and our plug-in means that both free and enterprise users can access GreyNoise insights from within their Copilot interface with natural language prompts.

For more on how GreyNoise and Microsoft Copilot for Security work together, check out our dedicated integration page.  

The Future of AI

The future of AI is hard to predict, and the evolution of the field has famously surprised both boosters and skeptics. Organizations looking to leverage these rapidly transforming capabilities will need to roll with the punches—and continue to partner with security vendors who can do the same. Here at GreyNoise we’re committed to doing just that. We’re excited to share how AI is already empowering our security—and we can’t wait to see what’s next.

CVE-2024-3273: D-Link NAS RCE Exploited in the Wild

A remote code execution vulnerability in D-Link NAS devices is actively being exploited and is tracked under CVE-2024-3273. The vulnerability is believed to affect as many as 92,000 devices and further information can be found on D-Link’s support announcement.

(04/11/2024): Clarification on CVE-2024-3273 & CVE-2024-3272

Exploitation of the CVE-2024-3273 command injection vulnerability requires two valid parameters, `user=` and `passwd=`. A companion vulnerability, tracked as CVE-2024-3272, describes the issue as "manipulation of the argument user with the input messagebus leads to hard-coded credentials". It is important to note that the "credentials" as described are only the username for the user "messagebus".

"messagebus" is not a backdoor account. It is one of many common pre-configured Linux system users that functionally cannot "log in", and thus have no password. Other common example system users include avahi, syslog, nobody, ntp, rtkit, and whoopsie. D-Link correctly validates that the username exists and also correctly validates that the provided password is correct. The logic flaw exercised by CVE-2024-3273 is that, after accepting the empty (and therefore matching) password for the "messagebus" user, the code never checks whether that user should be able to log in with a password at all.
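The distinction the paragraph draws (credentials that are "correct" versus an account that is permitted to log in) is easiest to see as two versions of the same check side by side. The following is an added example and not D-Link's code: it parses constructed `/etc/passwd` and `/etc/shadow` lines, uses a deliberately simplified unsalted SHA-256 in place of a real `crypt(3)` hash so it runs offline, and mirrors only the behaviour the write-up describes, namely that an empty stored password field compares equal to an empty supplied password. The hardened variant adds the missing question: is this account one that may log in at all?

```python
"""Vulnerable vs. hardened password check for system accounts.

Added example illustrating the logic flaw described above for CVE-2024-3273.
This is not D-Link's code: the /etc/passwd and /etc/shadow lines are
constructed, and the hash is simplified to unsalted SHA-256 so the example
runs offline (a real system would use crypt(3)). The one behaviour mirrored
from the write-up is that an empty stored password field "matches" an empty
supplied password.
"""
import hashlib
import hmac


def _h(password: str) -> str:
    """Constructed stand-in for the system password hash."""
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed /etc/passwd: name:x:uid:gid:gecos:home:shell
PASSWD = """\
root:x:0:0:root:/root:/bin/sh
admin:x:1000:1000:NAS admin:/home/admin:/bin/sh
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
"""

# Constructed /etc/shadow: name:hash:lastchg:min:max:warn:::  A locked
# account carries "*" or "!" instead of a hash; "messagebus" has an EMPTY
# password field, exactly the situation the write-up describes.
SHADOW = (
    f"root:{_h('rootpw')}:19800:0:99999:7:::\n"
    f"admin:{_h('correct horse')}:19800:0:99999:7:::\n"
    "messagebus::19800:0:99999:7:::\n"
    "nobody:*:19800:0:99999:7:::\n"
)

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def parse_passwd(text):
    """name -> {uid, shell} from passwd-format lines."""
    users = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _, uid, _gid, _gecos, _home, shell = line.split(":")
        users[name] = {"uid": int(uid), "shell": shell}
    return users


def parse_shadow(text):
    """name -> stored password field from shadow-format lines."""
    return {line.split(":")[0]: line.split(":")[1]
            for line in text.splitlines() if line.strip()}


def password_matches(stored, supplied):
    """Mirrors a crypt-style comparison: an empty stored field and an empty
    supplied password compare equal. Everything else goes through the hash."""
    if stored == "":
        return supplied == ""
    return hmac.compare_digest(_h(supplied), stored)


def vulnerable_login(user, passwd):
    """Only the two checks the write-up says are performed: the username
    exists and the password matches what is stored for it."""
    users, shadow = parse_passwd(PASSWD), parse_shadow(SHADOW)
    if user not in users or user not in shadow:
        return False
    return password_matches(shadow[user], passwd)


def hardened_login(user, passwd):
    """Same two checks, plus: is this an account that may log in at all?"""
    users, shadow = parse_passwd(PASSWD), parse_shadow(SHADOW)
    if user not in users or user not in shadow:
        return False
    stored = shadow[user]
    if users[user]["shell"] in NOLOGIN_SHELLS:
        return False  # service account, never interactive
    if stored == "" or stored[0] in "*!":
        return False  # no password set, or account locked
    if passwd == "":
        return False  # never accept an empty password
    return password_matches(stored, passwd)


if __name__ == "__main__":
    for fn in (vulnerable_login, hardened_login):
        print(fn.__name__, "messagebus/<empty> ->", fn("messagebus", ""))
        print(fn.__name__, "admin/correct horse ->", fn("admin", "correct horse"))
```

The hardened check rejects "messagebus" three times over (nologin shell, empty password field, empty supplied password), while the real user with a real password still gets through. Any one of those conditions would have closed the gap; checking all three is cheap and keeps the decision robust if one of the account's attributes is later changed.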

(04/09/2024): Update on number of vulnerable devices

Upon further analysis, it appears the number of vulnerable devices is much lower than initially reported. According to our friends at Censys, the number is closer to 5,500 devices.

GreyNoise quickly released a tag for tracking under D-Link NAS CVE-2024-3273 RCE Attempt, which was relatively easy for us because our Sift tooling surfaced the exploit to us automatically. Sift curates a report of new/interesting traffic observed by GreyNoise sensors daily after doing much of the analysis and triage work itself.

You can read more about Sift and check it out for yourself at

Sift’s analysis above is correct! Taking it a step further, the command the above IP is attempting to execute is a generic shell script pattern used by botnet operators to try to execute malware for every possible CPU architecture in the expectation that at least one will work. The malware is fetched from 38[.]6[.]224[.]248 over HTTP.

We have retrieved the sample skid.x86 and uploaded it to VirusTotal for sharing and further analysis:

NetNoiseCon: Amplifying the Future of InfoSec

In the InfoSec community, sharing knowledge and expertise is key to moving the industry forward and crucial to creating the next generation of security professionals. As part of our commitment to building and investing in the community, we’re excited to announce our new online conference series: NetNoiseCon.

NetNoiseCon is a livestream conference viewable on the GreyNoise YouTube channel on April 19th, starting at 12pm ET / 9am PT.

The conference will feature both technical and career-advice focused talks, with speakers from across the InfoSec industry and the GreyNoise researcher community. We’ve curated a set of talks with the goal in mind that all viewers should come away with new skills or insights that they can use in their work ASAP.

Here’s our NetNoiseCon v1 speaker lineup:

  • Matt Johansen, Vulnerable U newsletter
  • Santiago Holley, VP of Threat Management at RedTrace
  • Kimber Duke, Senior Product Manager at GreyNoise
  • Greg Lesnewich, Senior Threat Researcher at Proofpoint & GreyNoise Ambassador
  • Joseph McDonagh, GreyNoise Ambassador
  • floofpwn, independent security researcher

YouTube Livestream event:

Click the “Notify Me” button to receive a notification when we go live or sign-up for a reminder here. Join us on the livestream for the event and hang out in our community Discord server to join our post-event voice chat / StarCraft sessions 👾.

We hope to see you there!!

- Sam Houston, Senior Community Manager, GreyNoise

What We're Reading: March 2024

Welcome to our Monthly Roundup, where we curate a unique mix of articles, books, podcasts, and more that have captured the attention of the GreyNoise team. From deeply technical articles to literary treasures, join us on this eclectic journey through the media that sparks our curiosity each month. Explore + discover as we share the gems that have fueled our inspiration!

Louis Evans // Director of Product Marketing

Travel Light | Naomi Mitchinson (from Rich Horton's recommendation)

🐲 Thoughts: It's a Norse-inspired fairytale incongruously grounded in the very real history of the Byzantine Empire and Eastern Europe; beautifully humane and strikingly alien. It also might be the lost ancestor of all the princess-and-dragon subversions that are so (thankfully!) common these days.

Brianna Cluck // Researcher

👻 Camp Damascus | Chuck Tingle 

Why I like it: It's a real page turner of a horror novel about quite literally facing your demons.  Highly recommend it if you like horror, if you are socially awkward and want a relatable protagonist or if you like books about queer people taking down a conversion therapy camp.

Ronnie Villarini // Senior Software Engineer

🕰️ Four Thousand Weeks: Time Management for Mortals | Oliver Burkeman

Thoughts: Great book that I think I'll keep coming back to; this is my second time, as I always seem to find something new. It's a nice, albeit brutal, reminder that life is short and time cannot be "managed" the way other productivity books would make it seem. You will always have to make sacrifices; just make sure you pay attention to what you're sacrificing.

🦥 Slow Productivity: The Lost Art of Accomplishment Without Burnout | Cal Newport 

Why I liked it: In a similar vein, I read Slow Productivity. Not my favorite by Cal Newport, but it was still a good read. Probably not a lot in here that you haven't heard before but probably don't think about regularly. Still, there was some great insight, especially in regard to the difference between "obsessing over quality" and "perfectionism." Definitely recommend it for the productivity nerds.

Frank Severic // Sales Development Rep

💰 The Challenger Sale: Taking Control of the Customer Conversation | Matthew Dixon + Brent Adamson

Why I like it: A recommendation by a co-worker, Mike Baker, exploring the results of a study done by CEB on behaviors and attitudes that drive performance in complex sales in spite of market fluctuations. The authors were surprised that they did not arrive at their hypothesis, so it makes a highly interesting read backed by research data.

Fossil Capital: The Rise of Steam Power and the Roots of Global Warming | Andreas Malm

Thoughts: This one is taking some time, clocking in at a thick 400 pages, but Andreas Malm did an impressive amount of cited research constructing a narrative that challenges the traditional thinking that energy production was driven by market forces, arguing instead that it was not economic incentive but centralized control of labor and the means of production. Malm offers a deep dive into the political and social ramifications of disrupting the status quo of fossil fuel-driven infrastructure.

Where are they now? Starring: Atlassian's Confluence CVE-2023-22527

Ever wonder what happens to vulnerabilities after they're forgotten? 

In a new blog from the GreyNoise Labs team, we look at CVE-2023-22527, an Atlassian Confluence vulnerability that was all over the news back in January 2024, then forgotten a week later. But even though the media has forgotten, attackers haven't!

The Labs team digs a little into who the attacker is and their techniques - killing other malware, deleting log files, and even using SSH keys to infect other hosts.

If you're interested in how attackers use old vulnerabilities and what they do once they're on a host, check it out

Hunting for Fortinet's CVE-2024-21762

Here at GreyNoise, we’re pretty lucky to see a lot of proof of concepts on the wire as they’re released, but sometimes we have to seek them out ourselves. When CVE-2024-21762, an out-of-bounds write vulnerability in Fortinet FortiOS and FortiProxy, was added to CISA’s Known Exploited Vulnerabilities (KEV) Catalog, it became one such case. With no writeup or proof of concept available, follow along as our researcher h0wdy goes down the rabbit hole to get enough information to develop a detection for our sensors. 

Check out the blog!

If you’re just looking for the tag, you can track Fortinet's CVE-2024-21762 here:

Anatomy of a GreyNoise Tag

Tags allow users to see the GreyNoise data from a non-IP-centric view. The difference between how we view tags from an IP-centric perspective and a non-IP-centric perspective can be seen in the differences between the visualizer’s Today and Tags views.

At the time of writing, the Today view gives us a list of 348,125 IPs, all seen within the last day. Each of these IPs carries data points such as Source Countries, Destination Countries, ASN, and Top Tags. Approaching the data this way shows IPs that carry tags, which lets users get a general overview of the characteristics 283,765 machines have shared over the past 24 hours. This is useful and fun information when trying to see the overarching landscape. However, when you need a blocklist or an alert about IPs that may be targeting a specific piece of software or hardware on your network, tags come in handy: in the visualizer’s Tags view, IPs are attributed to the specific things users may be interested in rather than presented as bare IPs. For example, if you’re using Cisco routers, you might go to the Tags view and just query Cisco, resulting in a list of tracked events related to Cisco devices.

The hope is that this design results in an experience more like Googling and less like writing an SQL query to find things that may interest users.

To reiterate, the technical goal of tags is to sort the data from outside the scope of the IP, and this is where GreyNoise classifications come into play. Classifications are split into Intent and Category. Intent is divided into Unknown, Malicious, and Benign, and Category is divided into Activity, Tool, Actor, Worm, and Search Engine. These sets are not limited to CVE-based activity. They include behaviors, attribution, and unique traffic characteristics. This is what the bulk of GreyNoise tags boils down to: either tracking “behaviors,” as in the case of Malicious Activity, or “attribution,” as in the case of a Benign Actor. What’s particularly interesting about these two examples is that there shouldn’t be any overlap between them. When there is, that indicates the potential need to rewrite a tag, which leads to the topic you’ve probably all been waiting for: how a tag gets written.

A Malicious Activity tag and a Benign Actor tag work well as examples because of the difference in how they’re tracked. A Malicious Activity tag is heavily based on the contents of captured web packets (pcap). In contrast, a Benign Actor tag will ideally be based on an IP list, and when that can’t be gathered, a combination of rDNS and ASN will be used if those variables are consistent. This makes writing a Benign Actor tag the more straightforward, but typically the more time-intensive, of the two.

Writing a Benign Actor tag starts with finding an actor. This is usually suggested by consistent rDNS with a word like bot, scanner, or crawl in its name. We can easily search for this in the viz with metadata.rdns:crawl. This returns a lot of GoogleBot hits. Refine the search further with metadata.rdns:crawl -actor:"GoogleBot" and we can see some crawlers and actors that have not been tagged yet.

That first unknown IP in the list has as its rDNS. The next question is whether we have seen other IPs with dataproviderbot, or something like it, as their rDNS, and if so, whether they are also benign. A search for metadata.rdns:*dataprovider* will work.

There is no malicious activity to speak of, so they seem benign. This can be verified by trying to find any information about the source. Following the rDNS trail is a good start. The initial crawl link times out, but the parent rDNS resolves to They seem like a good candidate for a Benign Actor tag, but before reaching out, it’s always worth checking if a tag already exists, and to my surprise, it does: 

However, we don’t seem to be getting any hits for it. After reviewing the query we’re running on the backend, it looks like we’re tagging based on rDNS, but it’s not a match for what we’re seeing. They must have changed their crawler’s name! This is going to need some further investigation. A Google search for dataproviderbot leads to a page about their crawler specifically. Looks like they identify themselves with a User-Agent: 

The spider identifies itself with a user agent, which makes it visible in logs and site statistics programs you may use. Look for the following agent: "Mozilla/5.0 (compatible;"

This won’t do on its own because User-Agents can be easily spoofed. Fortunately, they have a contact link just for questions about the bot! At this point, I would usually just reach out to them, verify that the traffic we’re seeing is theirs, and ask if they can share their IP list. If they cannot share this, it does seem that we may have had enough information to write a tag for tracking them—the search for metadata.rdns:*dataprovider* done earlier had some promising results that I hadn’t mentioned.

This information and what we know about their User-Agent and rDNS could suffice.

When tagging this benign actor without an IP list, the primary points of interest are ASN, ORG, and rDNS. The only thing we might consider grabbing from the PCAP’s data field in this case would be the User-Agent. However, when tracking Malicious Activity, or Activity in general, we primarily focus on the data field of PCAP.

Here’s a scrubbed packet that matches a tag I wrote:

GET /device.rsp?opt=user&cmd=list HTTP/1.1
Connection: close
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
Cookie: uid=admin
User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:22.0) Gecko/20130405 Firefox/22.0

What information can we gather from this? When discussing this event, we can translate it to: “This is an HTTP GET request for the device.rsp endpoint on the server. The GET request queries for opt=user&cmd=list and the contents of its Cookie header is uid=admin.” Experience and a basic understanding of standard protocols are a considerable help when recognizing anomalies or notable features of a web packet. We can't all have experience, but a plain-text protocol like HTTP has plenty of resources to help us understand what’s going on in this packet. This basic understanding allows us to infer that the request for /device.rsp?opt=user&cmd=list and the uid=admin cookie are likely part of an authentication bypass, making them the defining features of this packet. We can check this with a Google search for allintext:”/device.rsp?opt=user&cmd=list”. And what do you know!? The first hit is for CVE-2018-9995; the description of this vulnerability makes it pretty clear we’ve found our match!

allow remote attackers to bypass authentication via a "Cookie: uid=admin" header, as demonstrated by a device.rsp?opt=user&cmd=list request that provides credentials within JSON data in a response.

This is an excellent time to pause and point out that the intention of tags is not only to generate data regarding a vulnerability but also to aid in the proliferation of related knowledge. This is achieved through the tag’s description and providing resources found in the research process. Once we’ve added these, we can form a query to search GreyNoise for similar packets. This is one of the more nuanced aspects of writing tags. Finding the balance between making the signature general enough to catch variations of the same event but specific enough so there are no false positives. An accurate query to the internal GN data set for this event would look something like this:

select * from packets where data like 'GET /device.rsp~?opt=user&cmd=list%uid=admin%' escape '~'

The query for this event is pretty straightforward, but in many cases, exploitation may work regardless of capitalization or order of request operands like opt and cmd. In these cases, the query has to be adjusted accordingly.
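The trade-off described in the last two paragraphs, a signature tight enough to avoid false positives but loose enough to catch the variants the target actually accepts, is easier to see in code. The following is an added example, not GreyNoise tooling and not from the original post: `matches_literal` is a plain-string equivalent of the LIKE pattern above, and `matches_cve_2018_9995` parses the request structurally so that parameter order and capitalization no longer matter (the case the text says may need adjusting). The sample request is constructed to mirror the scrubbed packet, and the variants are constructed too.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed sample request laid out like the scrubbed packet above
# (not a capture from GreyNoise sensors).
SAMPLE = (
    "GET /device.rsp?opt=user&cmd=list HTTP/1.1\r\n"
    "Connection: close\r\n"
    "Accept: */*\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "Cookie: uid=admin\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:22.0) Gecko/20130405 Firefox/22.0\r\n"
    "\r\n"
)


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.x request into method, path, query params and cookies.
    Header names, query keys/values and cookie names are lower-cased so one
    signature can be written once and still match case variants."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    params = {
        k.lower(): [v.lower() for v in vs]
        for k, vs in parse_qs(parts.query, keep_blank_values=True).items()
    }
    cookies = {}
    for piece in headers.get("cookie", "").split(";"):
        name, sep, value = piece.partition("=")
        if sep:
            cookies[name.strip().lower()] = value.strip().lower()
    return {"method": method.upper(), "path": parts.path.lower(),
            "params": params, "cookies": cookies, "headers": headers}


def matches_literal(raw: str) -> bool:
    """Plain-string equivalent of the LIKE pattern on the page: the exact
    request-line prefix, then 'uid=admin' somewhere later in the packet."""
    prefix = "GET /device.rsp?opt=user&cmd=list"
    return raw.startswith(prefix) and "uid=admin" in raw[len(prefix):]


def matches_cve_2018_9995(raw: str) -> bool:
    """Structural signature: the same defining features (endpoint, the two
    operands, the uid=admin cookie), tolerant of operand order and case."""
    req = parse_request(raw)
    return (
        req["method"] == "GET"
        and req["path"] == "/device.rsp"
        and "user" in req["params"].get("opt", [])
        and "list" in req["params"].get("cmd", [])
        and req["cookies"].get("uid") == "admin"
    )


# Constructed variants showing where the two signatures diverge.
REORDERED = SAMPLE.replace("opt=user&cmd=list", "cmd=list&opt=user")
UPPERCASED = (SAMPLE.replace("/device.rsp?opt=user&cmd=list",
                             "/DEVICE.RSP?OPT=USER&CMD=LIST")
                    .replace("uid=admin", "UID=admin"))
NO_COOKIE = SAMPLE.replace("Cookie: uid=admin\r\n", "")
BENIGN = "GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"

if __name__ == "__main__":
    for label, pkt in [("sample", SAMPLE), ("reordered", REORDERED),
                       ("uppercased", UPPERCASED), ("no cookie", NO_COOKIE),
                       ("benign", BENIGN)]:
        print(f"{label:10s} literal={matches_literal(pkt)!s:5s} "
              f"structural={matches_cve_2018_9995(pkt)}")
```

The structural matcher still insists on all three defining features (the endpoint, both operands, and the cookie), so a request that merely mentions device.rsp does not fire; only the features a vulnerable target would accept in varied form are loosened. Whether to loosen case at all is a judgment call per tag: do it only when the affected software really does treat those variants as equivalent, otherwise the looser signature just buys false positives.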

If you have any more questions about detection engineering and how we write tags here at GreyNoise, please feel free to reach out to me via email or socials: @h0wdy! Also! Please don’t hesitate to message me if you’re new to hacking! I’m also just starting my journey, and I am always down to connect and share knowledge with my fellow n00bs! <3 

Bluetooth Unleashed: Syncing Up with the RattaGATTa Series! Part 1

Are you ready to dive into the fascinating world of Bluetooth Low-Energy (BTLE) and its implications for privacy and security? GreyNoise Labs is thrilled to present the first installment of our series, "RattaGATTa: Scalable Bluetooth Low-Energy Survey." This blog post is not just a narrative—it's an adventure into the intricacies of BTLE, the challenges of hardware and radio frequency, and the importance of rate-limiting algorithms.

Join Remy as he recounts the journey from a simple act of kindness—using BTLE to locate a lost Fitbit—to the development of a sophisticated system capable of identifying and cataloging BTLE devices. Discover the complexities of the domain, the hurdles in measuring security impacts, and the tools that can provide quantitative and qualitative measures. This is a tale of technology, cybersecurity, and the quest for understanding a technology that surrounds us invisibly yet significantly.

In this series, he'll explore the depths of BTLE, from the basics of device identification to the nuances of connection protocols. He'll share insights on custom hardware design, iterative software development, and the real-world challenges that come with radio frequency communications. Whether you're a cybersecurity professional, a tech enthusiast, or simply curious about the wireless world around you, this series promises to enlighten and engage. Stay tuned for more as we unravel the mysteries of Bluetooth Low-Energy together.

Check out the first blog in this series here.

What We're Reading: February 2024

Welcome to our Monthly Roundup, where we curate a unique mix of articles, books, podcasts, and more that have captured the attention of the GreyNoise team. From deeply technical articles to literary treasures, join us on this eclectic journey through the media that sparks our curiosity each month. Explore + discover as we share the gems that have fueled our inspiration!

Bob Rudis // VP Data Science & Research

⚡  Book Series: CyberStorm | Matthew Mather 

TLDR: The premise is to demonstrate the catastrophic consequences of cyber warfare in a modern-day, fictional setting. The series starts with "CyberStorm," and is centered around a blizzard that's compounded by a cyber attack. Mather uses it to explore the fragility of urban life when faced with the breakdown of logistical systems and the ensuing chaos that disrupts the fabric of civilization.

In "CyberSpace," the story picks up six years after the events of "CyberStorm," with the original protagonist reuniting with old friends amidst rising international tensions and a new wave of satellite destruction that cripples global communication. "CyberWar" concludes the series with a depiction of the world's militaries struggling to cope with the aftermath of a Chechen separatist attack that has decimated thousands of satellites, leading to widespread power and communication failures. It does require some suspension of disbelief, but it's not "farcical" and would likely be a good read for cyber folk. The narration in the audiobooks is 👍

Abigail Whidden // VP Sales

🤬  Book: Plunder: Private Equity's Plan to Pillage America | Brendan Ballou

Thoughts: If you ever wonder why everything's fucked in Housing, Healthcare, Retail, Prisons, Income Inequity- this book will shine a light on the people screwing up America and how the government made it easy for them. They gobbled up your houses and affordable/quality healthcare, and now they're trying to get their grimy paws on your 401K (I'm feeling...angry but informed). [ Editor was told not to remove profanity, that’s how worked up this book has gotten her] 

Guillermo Menjivar // VP Engineering

🚂  Book: Staff Engineer: Leadership Beyond the Management Track | Will Larson

Thoughts: I love Will Larson's insight. He has given so much insight into how effective Engineering organizations should run. Staff Engineer focuses on the technical leadership career track.

📚  Book: Management of Organizational Behavior Leading Human Resources | Paul Hersey

Why I like it: If you ever thought that "good management" is just a "gift" or something people just get, this "textbook" (Yes, I read textbooks for fun 🤓) breaks down mgmt into system-level constructs. One of the best books I have read in a long time.

Brianna Cluck // Researcher

🎵  Book: The Women in Me | Britney Spears 

Why I like it: I've always felt like there was more to her story than what I saw on the news, and it turns out that was true in ways that make me want to drop kick half the music industry into the sun.

💥  Podcast: Smashing Security | Graham Cluley + Carole Theriault

Why I like it: I make it a point to listen to Smashing Security. It's equal parts useful security news and funny quips. 

🕵️  Book: Extreme Privacy: What It Takes to Disappear + Book: OSINT Techniques: Resources for Uncovering Online Information | Michael Bazzell

Why I like it: I am reading both of these books at the same time; I like to play both sides, so I always end up on top. These books are great if you want to feel just a little bit paranoid.

Ronnie Villarini // Senior Software Engineer

🥸 Book: The Imposter's Handbook | Rob Conery

Why I like it: As a college dropout and "self-taught" dev, I've always felt like a bit of an outsider when folks start talking about computer science topics. This has been filling in those gaps in a really approachable way that I feel will make me a better engineer in the end.

🕶️  Podcast: Darknet Diaries | Jack Rhysider

Why I like it: Continuously binging this podcast, which probably doesn't need an explanation to anyone who's going to be reading this lol. 

Sam Houston // Senior Community Manager

💰 Podcast: BG2 Pod // Ep2 | Bill Gurley + Brad Gerstner 

Why I like it: If you're interested in the tech market and enjoy financial analysis from insiders, check out this new podcast from VC investors Bill Gurley & Brad Gerstner. I'll shoutout the episode with Box's CEO/cofounder Aaron Levie as especially interesting and entertaining. 

Derek Athy // Regional Sales Manager

🔬 Book: Homo Deus: A History of Tomorrow | Yuval Noah Harari

Thoughts: My former genetic engineering self revels in Sapiens’ ending on essentially the intro of RNAi and CRISPR into the realm of medicine; Homo Deus is more on the “what’s going to happen next” for humans with the continued advancement of technology (not just medicine).

(Bonus Article: in case anyone wants to nerd out on those RNAi days of mine when my friends referred to me as the “Lord of the Flies.”)

Practical Vulnerability Archaeology Starring Ivanti's CVE-2021-44529

While everybody has been talking about Ivanti vulnerabilities such as CVE-2024-21887 (remote code execution via path traversal - our tag) and CVE-2024-21893 (remote code execution via server-side request forgery - our tag), our Labs team ran into some online discussions about CVE-2021-44529. According to Ivanti's advisory, it's due to "code injection," but online sources claimed it's actually a backdoor. A mystery!

In a brand new GreyNoise Labs Grimoire blog, Ron pulls out his archaeology tools and investigates what little evidence of this vulnerability remains. While most details have been flushed down the memory hole, tools like the Wayback Machine still have archives that we can explore.

Would you like to know more? Check out the blog!
