GitLab CE RCE Attempt [Intention: Malicious]
Apache Storm Supervisor RCE Attempt [Intention: Malicious]
Hikvision IP Camera RCE Attempt [Intention: Malicious]
SonicWall SMA100 Factory Reset Attempt [Intention: Malicious]
SonicWall SSL-VPN RCE Attempt [Intention: Malicious]
Legacy Web Server RCE Attempt [Intention: Malicious]
D-Link DIR-825 R1 RCE Attempt [Intention: Malicious]
D-Link DNS-320 RCE Attempt [Intention: Malicious]
Micro Focus OBR RCE Attempt [Intention: Malicious]
Yealink Device Management RCE Attempt [Intention: Malicious]
Wednesday, October 20, 2021, is the first ever SOC Analyst Appreciation Day™ - and in our opinion, it couldn’t have come sooner! We’d like to acknowledge the hard work and dedication of all the SOC analysts who help defend institutions across the globe. Thank you.
A SOC analyst’s life can be frustrating and stressful, with the weight of your organization’s security on your shoulders. Our goal here at GreyNoise is to help make your life easier by increasing SOC analyst efficiency, and by telling teams what not to worry about. We do this by helping you filter out “noisy” alerts associated with opportunistic internet scanning or common business services, not targeted threats. SOC teams can use GreyNoise data by using our web-based Visualizer, accessing our API via REST, SDK, or CLI, or integrating directly with your security tech stack.
If you’re a SOC analyst or manager interested in learning more about how you can use GreyNoise
On October 4th, 2021, Apache disclosed a path traversal vulnerability CVE-2021-41773 that affects HTTP Server version 2.4.49. The vulnerability was introduced in this version (2.4.49) and is patched in version 2.4.50.
This path traversal vulnerability allows sensitive files outside of the expected document root to be accessed, such as configuration files and Common Gateway Interface (CGI) scripts. This allows for specially crafted requests to read arbitrary files as well as perform Remote Code Execution (RCE) on systems that have the Apache “mod_cgi” module enabled.
On October 3rd, 2021, at 08:44 UTC, GreyNoise observed the first scan for this vulnerability from 36.68.53.196. This predates the mailing list announcement from Apache on October 5th as well as the release of 2.4.50 on October 4th, but after the patch was committed on September 29th. [View 36.68.53.196 in GreyNoise]
As of October 5th, 2021, the first Proof of Concept (POC) code became available which demonstrated arbitrary file read. It was closely followed by a POC demonstrating RCE.
GreyNoise has released the following tag to enable monitoring of relevant activity:
As of 7-Oct-21, GreyNoise is seeing 47 unique IP addresses that have scanned for this vulnerability, 39 of which are “malicious” and 8 of which are “benign."
* Editor’s Note: If this tag returns “No results found’,' this means that GreyNoise has not observed any IP addresses scanning the internet for this CVE in the past 90 days. You can use GreyNoise to notify you if this changes by using our Alerts feature.
10/15/21: This blog has been updated with Figure 1 to depict the timeline of events.
Today at GreyNoise, we’re thrilled to announce our selection as the Most Innovative Security Solution of 2021, as recognized by the Tech Ascension Awards. The awards are starting to pile up at GreyNoise, and our team's excitement grows after repeated confirmation from analysts and customers. As the name of the award implies, this honor is granted to those proving themselves innovative in the tech community around specific criteria. GreyNoise was selected from a pool of more than 500 applicants for excellence in technology innovation, market research, and unique competitive differentiators.
Our CEO and Founder, Andrew Morris, welcomes the industry compliment: “…we are honored by all of this validation, as it shows that we are making progress toward our ultimate mission—to solve the problem of alert fatigue and information overload in the cybersecurity arena. Every day, we see a staggering number of internet scans barraging internet-facing computers and software, and generating massive volumes of security alerts. Some of this activity is malicious, but a significant amount is not, and it’s getting to the point where it’s tough for security analysts to discern real threats from background noise. GreyNoise enables security teams to focus on the threats that really matter, rather than wasting their time investigating insignificant alerts. This is the heart of what makes GreyNoise an innovative security solution: we sift the haystack so you can pay attention to the needles."
Because the Tech Ascension Awards are innovation-centered, best-in-class vendors that receive recognition solve critical industry challenges differently. “The proliferation of ransomware, nation-state threats, and an uptick in cybercriminal activity due to COVID-19 are just some of the factors that have made a strong cybersecurity defense paramount for every business that touches sensitive data,” said David Campbell, CEO of Tech Ascension Awards. “We’re honored to recognize these industry leaders that have demonstrated their ability to defend organizations with unique approaches, innovative technology, and world-class talent.”
Here are some of our most recent accolades:
Try GreyNoise for free, and find out for yourself why we are the "Most Innovative Security Solution."
Azure OMI RCE Attempt [Intention: Malicious]
Azure OMI RCE Check [Intention: Unknown]
VMWare VCSA File Upload Attempt [Intention: Malicious]
VMWare VCSA File Upload Check [Intention: Unknown]
LDAP Crawler [Intention: Unknown]
Veeder-Root ATGs Crawler [Intention: Unknown]
VMware vCenter File Disclosure [Intention: Malicious]
PJL Crawler [Intention: Unknown]
PowerShell Generic Shell Attempt [Intention: Malicious]
Cisco IMC Supervisor and UCS Director Backdoor [Intention: Malicious]
Our research team is always looking for ways to improve our tagging methodology to enable GreyNoise users to understand actor behavior and tooling. GreyNoise already identifies clients with JA3 and HASSH data.
To expand on this work, GreyNoise recently added 3 new tags to shed more light on how various internet background noise-makers using HTTP clients manage their internal state. The below tags improve client fingerprinting for HTTP-based protocols.
On their own, each individual tag contributes a small indication of how the HTTP client manages its internal state. While that alone has value in helping to profile the actor behind the IP and possibly track them across IPs, the more interesting insights can be seen when these tags are viewed holistically.
As seen above, the tagged activity is not homogenous, allowing us a glimpse into the diversity of tooling or techniques used in scanning and opportunistic exploitation. While many actors may use the same exploit vector or payload, they may launch them from tools that support different HTTP features. These new tags may help the analyst determine if two IPs appear to be using the same tools.
For example, in Figure 3, we are able to determine with a high degree of confidence that the IP shown above is orchestrating a full-featured web browser (such as Puppeteer) to scan the internet. We see this because the IP exhibits browser-like behavior and attributes, including carrying a referer header, accepting cookies, and following redirects.
We hope these new tags offer our users greater insight into the tooling and libraries utilized by internet background noise-makers. Let us know what you think by sharing your feedback on the GreyNoise Community Slack channel (must have a GreyNoise account).
Imagine this scenario: You’re running a security operations center, and your team is processing a bunch of alerts coming out of Splunk Enterprise Security. As you add new detections and log sources, the volume of alerts begins to rise, your analysts start to get overwhelmed, and that familiar alert fatigue starts to kick in. Your security engineering team jumps in with yet another cycle of tuning to get the alert volumes back down to manageable levels. Then the cycle starts all over again...
Hurricane Labs lives this reality every day as a managed services provider that is 100% focused on Splunk and Phantom. The company manages these platforms for customers, providing 24x7 monitoring services supported by a team of Splunk ninjas to handle the heavy lifting.
Recently the Hurricane team found a way to leverage GreyNoise Intelligence data to identify the noise in Splunk and Phantom alert traffic, reducing the load on their analysts by 25%.
We had the good fortune to chat with Hurricane Labs Director of Managed Services, Steve McMaster, to learn how the company had done it.
STEVE MCMASTER: Sure - to set the stage, we manage Splunk and Phantom deployments for our customers, running the gamut from infrastructure management, to search and SPL creation, to security analysis and alerting, to rapid incident response. As part of these services, we provide 24x7 security monitoring, and I oversee the two teams that deliver this service. I’ve been with Hurricane for almost 14 years at this point - it's actually the only job I've ever had. I started here at age 17, right out of high school, and along the way, I've done a little bit of everything.
STEVE MCMASTER: We process a high volume of alerts on behalf of our customers, and as part of this traffic, we often see a lot of noisy alerts. This includes everything from known benign scanners (such as Shodan) to what we call "internet background noise," scanners that are constantly scanning the internet as a whole, looking for things to poke at.
The alert volumes we see are a constant ebb and flow, and we spend a lot of time tuning our customer’s environments to turn down the noise to a manageable level. But then, as we add new customers and more detections, the alert volumes start to creep back up. That’s when we see our analysts getting overwhelmed and feeling alert fatigue. It’s a normal cycle for our business, alert volumes go up, and then we need to dig in and tune our implementations to bring the volumes back down.
STEVE MCMASTER: We were starting a new cycle of tuning to get alert volumes to come back down when I stumbled on Andrew [Morris, GreyNoise founder]. I saw my boss and Andrew exchanging views on Twitter, and I thought, “Who is this guy, and why does the stuff he’s saying make so much sense?” So I took a look at the GreyNoise product.
I have to say, I’ve always been a big skeptic of threat intelligence as an industry because once enough people know about a piece of intelligence to publish it for general consumption, it’s already burned infrastructure. Yes, you might find some threats with it, but it's not worth the $150K per year that they charge for it.
But GreyNoise was different. I always refer to GreyNoise now as “anti-threat intelligence.” It’s specifically the opposite of traditional threat intelligence. Instead of saying, “pay attention to this,” GreyNoise says, “STOP paying attention to this; go spend your time on other things.”
So this approach fit into an argument I was having with our customers a lot at the time - my point was that the things that you’re detecting are not actionable. They’re not targeted at you; they’re not somebody trying to exploit you; they’re JUST scanning the internet. So you shouldn’t worry about them or spend time on them.
Shodan makes a really good example of this, because Shodan is scanning everybody and showing up in a lot of alerts. But this is not something YOU need to care about, Mr. Customer; therefore, it's not something WE need to care about as part of our monitoring service. The problem is that this is really hard to quantify. You can show people that alerts from Shodan should be ignored — that's easy, but trying to identify broader Internet background noise was a lot harder to do. To be able to say, “Okay, we've seen this thing across our 40 customers, so let’s ignore it,” that's not really enough scale to be able to make this conclusion definitively.
And then along came this guy who had a product that did exactly that. So GreyNoise let us expand our service in a way that customers kind of already expected from us. Now we could say, “Look, this is opportunistic, this is generalized, this is global, this is not targeted.” And we could say this definitively because of the scale that GreyNoise operates.
And it really just happened to fit at a time when that was a problem we were trying to tackle with our customers.
STEVE MCMASTER: We’re using GreyNoise in two ways - we use the data inside Splunk to eliminate alerts before they ever get to us, and then we do enrichment of alerts in Phantom once they reach us. We integrate the GreyNoise data into these environments using pre-built integrations that we initially developed, although we have turned these over to GreyNoise to maintain and extend for all their customers.
Our goal with these integrations is that if the IP address is in GreyNoise, then we eliminate it from alerting. GreyNoise actually returns 3 basic categories of “noise:”
The reality is that some customers are not totally comfortable with the accuracy of these classifications (at least at first), so for some customers, we still raise a low-priority alert so they can have a human look at it. I think that this comes down to trust --and based on OUR experience-- if GreyNoise is confident the IP address is a scanner, then we are happy to ignore it. I would say about two-thirds of our customers are there today.
I’m also really excited about something Andrew mentioned at the last Open Forum conference GreyNoise held, the new RIOT service. Instead of identifying internet scanner “noise,” RIOT looks at the flip side of this by identifying the “known good,” common business services that everyone uses, like Slack or Office365, or Google IP addresses. So now we can easily tell the difference between a legitimate service like a Microsoft update and a "not legitimate" service like a malware download.
STEVE MCMASTER: Sure, so when we use GreyNoise to filter noisy alerts out of Splunk, we use the GreyNoise-Splunk integration. We install that in our customer’s Splunk environment and add it to the search language for various detections. The logic is straightforward: if something in the search results matches GreyNoise, it gets excluded.
More specifically, we apply GreyNoise to any correlation search or detection inside of Splunk that we think is relevant. The big ones are IDS events and Splunk’s vulnerability scanner detection rules; those are the main ones that we use it for.
For Phantom, on the other hand, we use GreyNoise as an enrichment. The way our monitoring service works, we bring all of our customers’ alerts into a single Phantom instance, and we have the GreyNoise-Phantom integration installed. For our analysts looking at the alerts, one of the first things they do is look at the GreyNoise data. If the verdict is “noise,” then we know we don't need to do a lot more digging beyond that. This ends up saving us a lot of time because rather than investigating whether this is a targeted attack and figuring out whether anything was exploited, we can just short circuit the process, note it as a scanner, and send it over. Today we’re doing this as a manual process, but it's on our list to automate this into our incoming Phantom playbooks.
STEVE MCMASTER: When I first told Andrew that we'd be interested in subscribing, I told him I had no concept of how much something like this would be worth. I didn’t know if we were going to turn this on and see matches with 10 alerts per day across our customers or 100. But the impact on alerts is really the only thing I had to help quantify the value of GreyNoise.
So Andrew gave us a two week trial, and I added it to our triage tool (this was before we stood up Phantom). And I just counted up how many alerts over a week would have been something we could totally ignore with GreyNoise versus what we would not have been able to. We were somewhere in the vicinity of saving the equivalent of one to one and a half analysts per day, out of 22 total analysts at the time, based on the alerts that we could safely eliminate with GreyNoise.
Today, after implementation and with more customers in hand, GreyNoise helps my teams eliminate background noise and focus on the most actionable and relevant alerts for our customers. Rather than presenting our analysts with even more data to investigate, GreyNoise has allowed us to reduce the volume of alerts that are triggered by 25%, which makes for a happier and more effective SOC team.
And for us as an MSSP, this is even more significant than it might be for an enterprise. When you’re in a normal enterprise business, you can make a decision to spend money on a person or spend money on a product that eliminates alerts--you kind of have to pick your poison. But for us, the calculus is a bit different. When we invest in a person, that analyst can do, say, 20 alerts per day. But if we invest in a product, that product can triage a certain number of alerts at every one of our customers. And for every new customer, it can repeat that work. So even if GreyNoise could only eliminate 8 alerts per day across 40 different customers, that’s 320 alerts. As we add more customers, GreyNoise scales in a way a person wouldn’t.
On September 21, 2021, VMWare published an advisory for several vulnerabilities. This included, most notably, CVE-2021-22005, which affects their vCenter Server product. This vulnerability is an arbitrary file upload vulnerability that can lead to remote code execution (RCE) via upload of a specially crafted file. This works regardless of the configuration settings of vCenter Server.
Due to the severity of this vulnerability, VMWare published workaround instructions detailing how to manually or automatically patch the affected products. The automated patching script (available in the right-hand panel in the link above) includes logic to validate if your product is vulnerable to CVE-2021-22005, as well as confirm the patch has worked as expected.
As of September 23, 2021, there is no known publicly available proof-of-concept (PoC) code for the CVE that enables arbitrary file upload or RCE. However, GreyNoise is observing a significant number of checks for vulnerable instances of vCenter Server based off of the automated patching script provided by VMWare, most of these egressing via Tor.
The following tags have been released to enable monitoring of relevant activity:
Editor's Note: If either of these tags return "no results," this means that we have not observed any recent activity. You can be notified if this changes by using our Alerts feature.
Atlassian Confluence Server OGNL Injection Attempt [Intention: Malicious]
Atlassian Confluence Server OGNL Injection Vuln Check [Intention: Unknown]
Oracle WebLogic RCE CVE-2021-2109 [Intention: Malicious]
Seagate BlackArmor RCE Attempt [Intention: Malicious]
ASUS GT-AC2900 Auth Bypass Attempt [Intention: Malicious]
Apache SkyWalking GraphQL SQL Injection [Intention: Malicious]
Carries HTTP Referer [Intention: Unknown]
Stores HTTP Cookies [Intention: Unknown]
Follows HTTP Redirects [Intention: Unknown]
RSYNC Crawler [Intention: Unknown]
University of Michigan [Intention: Benign]
As part of our process, our research team continues to clean up and improve on existing tags as new information or better processes are introduced.
ADB Check [Intention: Unknown]
ADB Attempt [Intention: Malicious]
EDITORS NOTE: This blog post has been updated as of Sep. 2 to reflect edits to the Atlassian Confluence Server OGNL Injection tags.
Tag: Exchange ProxyShell Vuln Attempt [Intention: Malicious]
Tag: Exchange ProxyShell Vuln Check [Intention: Unknown]
Tag: Javascript Enabled [Intention: Unknown]
Tag: Aerospike RCE Attempt [Intention: Malicious]
Tag: Docker API Container Creation Attempt [Intention: Malicious]
Tag: Buffalo Router RCE Check [Intention: Unknown]
Tag: Buffalo Router RCE Attempt [Intention: Malicious]
Tag: FirebirdSQL Crawler [Intention: Unknown]
Tag: Ruijie EG Command Injection Attempt [Intention: Malicious]
As part of our process, our research team continues to clean up and improve on existing tags as new information or better processes are introduced.
Tag: X Server Connection Attempt [Intention: Malicious]
Tag: ADB Worm [Intention: Malicious]
During BlackHat 2021, security researcher Orange Tsai demonstrated a proof-of-concept exploit for Microsoft Exchange vulnerabilities, including a Pre-auth Path Confusion leading to Access-Control List (ACL) bypass (tracked as CVE-2021-34473, also called ProxyShell). Since Tsai’s talk, multiple researchers have published write-ups about the vulnerabilities [1, 2]. GreyNoise had not observed any mass scanning activity until Aug. 9, and has seen a significant uptick in scanning as of Thursday, Aug. 12. GreyNoise has created two tags to track activity related to these vulnerabilities.
Exchange ProxyShell Vuln Check: The vulnerability check for CVE-2021-34473 has several public variations. These include checking for access to /mapi/nspi which results in exposure of potentially sensitive information such as Version, User, UPN, SID, and Organization. Out of caution, GreyNoise tags this as malicious intent despite being a Vuln Check. [View In GreyNoise]
Exchange ProxyShell Vuln Attempt: Active attempts that leverage and chain the Pre-Auth Path Confusion for further exploitation through Elevation of Privilege on Exchange PowerShell Backend (CVE-2021-34523) or Post-auth Arbitrary-File-Write leading to remote code execution (CVE-2021-31207) are included in this tag. [View In GreyNoise]
Editor's Note: If either of these tags, or any tags for that matter, return "no results," this means that we have not observed any recent activity. You can be notified if this changes by using our Alerts feature.
CVE-2009-0545, CVE-2019-12725, CVE-2020-29390
Tag: Zeroshell RCE Attempt [Intention: Malicious]
Tag: Cisco Smart Install RCE Attempt [Intention: Malicious]
CVE-2021-35464
Tag: ForgeRock OpenAM Pre-Auth RCE Vuln Check [Intention: Unknown]
CVE-2021-35464
Tag: ForgeRock OpenAM Pre-Auth RCE Attempt [Intention: Malicious]
CVE-2021-33544 to CVE-2021-33544 (11 CVEs)
Tag: UDP Technology IP Camera Attempt [Intention: Malicious]
CVE-2021-33544, CVE-2021-33548, CVE-2021-33550 to CVE-2021-33554
Tag: UDP Technology IP Camera Check [Intention: Unknown]
CVE-2017-12149
Tag: Jboss Application Server RCE Attempt [Intention: Malicious]
CVE-2021-30497
Tag: Ivanti Avalanche Path Traversal [Intention: Malicious]
Tag: Double URL Encoding [Intention: Malicious]
Tag: Apache OFBiz Deserialization RCE [Intention: Malicious]
These tags have been removed because they no longer exist, scan, and/or can no longer be accurately identified
Multiple RDP tags have been deprecated in favor of RDP Crawler, which more accurately accounts for much of the behavior we see. We are currently working to create more accurate and narrowly scoped tags for RDP scanning and exploitation.
The RDP Bruteforcer tag was created around the same time as BlueKeep and aggressively assigned `malicious` intent to basic RDP connection attempts. After re-evaluating this, we feel this was incorrect and have taken actions to improve our RDP tags in general.
As part of our process, our research team continues to clean up and improve on existing tags as new information or better processes are introduced.
Tag: Cisco Smart Install Endpoint Scanner [Intention: Unknown]
Tag: Linksys E-Series TheMoon Worm [Intention: Malicious]
Anomali: Now supports RIOT and the Community API.
CVE-2020-36289
Tag: Jira User Enumeration Attempt [Intention: Unknown]
CVE-2021-1497, CVE-2021-1498
Tag: Cisco HyperFlex HX RCE Attempt [Intention: Malicious]
CVE-2021-1497, CVE-2021-1498
Tag: Cisco HyperFlex HX RCE Vuln Check [Intention: Unknown]
CVE-2020-35846, CVE-2020-35847, CVE-2020-35848
Cockpit CMS Command Injection [Intention: Malicious]
These tags have been removed because they no longer exist, scan, and/or can no longer be accurately identified
You may have noticed that we have announced a couple of new relationships in the last several months with the US federal government. We announced our partnership with the Defense Innovation Unit (DIU) of the US Department of Defense (DoD) to help optimize their investigations, and recently announced our partnership with In-Q-Tel (IQT). I wanted to talk a bit about what this means for GreyNoise and why we’re excited about it.
First, I’m very excited about cracking the nut of working with the defense and intelligence communities of the US federal government. We already work with a number of intelligence and defense agencies around the world, as we have mentioned in the past, but these new relationships really serve to validate the value of our solution. Specifically, DIU helps us provide our existing product to DoD customers more quickly, and IQT facilitates feedback and helps us fast-track features that solve customer problems, which will ultimately benefit all federal and non-federal customers.
Second, while we work closely with our commercial customers to ensure that we have prioritized their needs, we’ve found it can be harder to get these requirements from government agencies because of the nature of their programs. In other words, government customers are harder to solicit product feedback from due to the classified nature of their work. DIU and In-Q-Tel help to bridge that gap.
And finally, I wanted to finish with a note on our security and privacy policies. We passively collect and analyze a massive amount of internet scan traffic as part of our solution, but we will NEVER share user account and customer data or usage data with anyone outside of our organization. Our customers’ and users’ trust is extremely important to what we do, and we don’t want to compromise that trust in any way. It is common for corporate entities to defer announcement of government customers to reduce the risk of entangling themselves in complex geopolitical dynamics, but we felt strongly that we should publicly acknowledge our relationships. Transparency isn’t a bumper sticker to us; it’s a way of being, and a core value of the company.
The reality is that both government and commercial organizations are struggling with the same pressures and challenges in areas like alert fatigue and analyst investigative efficiency. These new partnerships with DIU and IQT will help make GreyNoise better for ALL of our users and customers.
Onward.
--Andrew
CVE-2020-25494
Tag: SCO OpenServer RCE Attempt [Intention: Malicious]
CVE-2021-22911
Tag: Rocket.Chat server RCE Attempt [Intention: Malicious]
Tag: Vesta Control Panel RCE Attempt [Intention: Malicious]
CVE-2021-27144/46 | CVE-2021-27148/55 | CVE-2021-27158/59 | CVE-2021-27162/66 | CVE-2021-27168/69 | CVE-2021-27172
Tag: FiberHome Telnet Backdoor [Intention: Malicious]
Tag: LokiBot C2 Crawler [Intention: Unknown]
Tag: Aerospike Crawler [Intention: Unknown]
As part of our process, our research team continues to clean up and improve on existing tags as new information or better processes are introduced.
Tag: Tomcat Manager Scanner [Intention: Unknown]
GreyNoise sees a lot of botnet activity, both benign and malicious, through our fleet of global sensors. We enlisted Black Lotus Labs®, the threat research arm of Lumen, to help us bring you more information about these botnets and their Command and Control (C2) hosts. A botnet’s C2, as the name implies, is a host from which bots receive their commands, download malicious files, and/or simply report back. Effectively, the C2 is the brain of the operation, and without one, a bot may simply sit dormant.
Black Lotus Labs' mission is to find and disrupt C2s to make the internet a cleaner and safer place. The amount of noise generated by these botnets, driven by their C2s, is astounding. For example, check out the traffic for May just for the Mozi botnet:
Some reports estimate that bots generate 25% of all internet traffic. This reflects what we see at GreyNoise - for example, on any given day, we tag around 30k IPs as ‘Mirai’ or ‘Mirai Variant,' one of the most prevalent bots in the wild. We are always looking for ways to identify sources of internet noise, so hunting botnets and their C2s with the Black Lotus Labs team was a natural fit.
To kick off our project, Black Lotus Labs enriched their netflow data using IPs tagged as ‘Mirai Variant’ in GreyNoise and applied some basic graph algorithms to identify a list of potential C2 IPs. These algorithms mapped 23 suspected C2 IPs in Black Lotus Labs’ data that communicated the most with several hundred GreyNoise ‘Mirai Variant’-tagged IPs. This one-to-many relationship is indicative of a traditional C2. Some of the potential C2 IPs in Black Lotus Labs’ data were previously identified Mirai C2s, but, interestingly enough, others were identified as a botnet family known as Mozi, a newer family that eschews the traditional C2 model.
Mozi exhibits many of the characteristics of Mirai, with one major exception: it has no central C2. Instead, Mozi is a peer-to-peer (P2P) botnet where every infected host is both a bot and a C2. Each peer propagates configurations and hosts payloads while also performing bot duties such as participating in DDoS, scanning the internet, and exploiting hosts to expand the botnet. For more on Mozi and P2P botnet technology, check out Black Lotus Labs’ analysis.
From the GreyNoise side of the project, we decided to look at request payloads within scanner traffic to see if we could identify C2s. We observed that, despite their difference in centralization, botnets like Mirai and Mozi are both notorious for inserting C2 addresses (IPs or domains) into their initial exploit attempt. Typically these exploits will execute a script that fetches a malicious payload from the C2 address and initializes the bot.
If you’ve ever looked at traffic hitting your network perimeter, you have probably seen a request like this:
If you extract and check the IP, you might discover, unsurprisingly, that the host is a C2. That’s it. No advanced analytics. No machine learning. No blockchain. Just IP and domain extraction.
We decided to leverage this insight and test if this was an accurate way to identify P2P Mozi family C2s - that is, IPs that scan like a bot AND deliver peer-to-peer C2 addresses. Our approach was to extract a set of IPs matching this request pattern from our data and then compare the results with Black Lotus Labs C2 data.
Using this method, we compiled a list of 3,368 suspected C2 IPs that appeared to be delivering requests with embedded C2 addresses. Our free Analysis tool confirmed that 97% of these IPs scanned the internet within the last 90 days. So our hypothesis was that this combination of bot and C2 behaviors allows us to accurately identify P2P Mozi family C2s.
To test the hypothesis, we asked Black Lotus Labs to analyze the IP list and identify any C2s already known to them. They found that our list contained 962 IPs previously identified as C2s or botnet peers.
In total, 28% of our potential Mozi IPs were identified by Black Lotus Labs as C2s. Of those, 98% were confirmed as Mozi. So while this is a promising start at identifying suspected C2 IPs, it doesn’t provide conclusive evidence that IPs exhibiting this behavior belong to the Mozi family. Further research is required to profile the remaining 71%, which are most likely simple bots.
Why is it important to identify C2 IPs like Mozi? Using the confirmed C2 data in hand, we found we can now pivot around the addresses (both IPs and domains) to help identify the vulnerabilities being exploited. For example, take the following C2 domain:
bp65pce2vsk7wpvy2fyehel25ovw4v7nve3lknwzta7gtiuy6jm7l4yd[.]onion[.]ws
We found that more than 50% of traffic containing this C2 domain belonged to IPs, probably bots, exploiting the same three vulnerabilities: TerraMaster TOS (CVE-2020-28188), Zend Framework (CVE-2021-3007), and Liferay Portal (CVE-2020-7961).
The FreakOut botnet is known to exploit this unholy trinity. Although we already have tags for all three of these vulnerabilities, this demonstrates how we can use C2 addresses to automate the process of identifying and tagging known unknowns: vulnerabilities used by botnets.
Recall that bot traffic comprises almost a quarter of all internet traffic. Developing and expanding these techniques allow us to closely examine some of the most common noise on the internet. Any vulnerability checks or exploit used by a botnet like Mirai or Mozi is bound to be one of the most well used on the internet. By knowing botnets, we know noise.
Additionally, we want to refine and share these fun C2 addresses, like cnc[.]tacobelllover[.]tk, with our customers and community as a data feed for your projects, research, and work. If this interests you, create a GreyNoise account and join our Community Slack to give us feedback.
Please check out Andrew Morris' guest blog on IOActive
It turns out that alert fatigue is not unique to cybersecurity - who knew? Given the fact that alert overload is a problem across industries like healthcare, manufacturing, transportation, and utilities, you’d think that we in the cybersecurity industry would have some better tools and insights about how to handle it. Unfortunately, that’s not the case.
This is why Andrew Morris, founder and CEO of GreyNoise, pulled together his thoughts on the topic and shared them in a guest blog for IOActive. The post is titled “Cybersecurity Alert Fatigue: Why It Happens, Why It Sucks, and What We Can Do About It.” In the article, he covers the main contributing factors to alert fatigue for cybersecurity practitioners, the impact it has on analysts and SOC teams, and some thoughts about addressing the problems at multiple levels.
You know you might have an alert fatigue problem if any of these technical causes of alert fatigue sound familiar:
And all of these factors are made worse by a SOC ecosystem that’s not set up for success. This includes vendors who sell on fear, build products that don’t play well with others, focus only on the signal (not the noise), and price their products in ways that drive them to raise as many alerts as possible. And SOCs are equally culpable, putting enormous pressure on analysts to catch every single attack in an environment where the alert volumes just keep growing, and half of them are false positives. Is it any wonder that security analysts exhibit serious alert fatigue and burnout, and that SOCs have extremely high turnover rates?
Please check out the blog post here to learn more about the causes of alert fatigue, why it sucks, and what we can do about it.
Please update your search term or select a different category and try again.
