You’re in a dark room, and your screen is crawling with alerts from your IDS/IPS about an IP address trying an exploit on one of your internet-facing devices. You scramble to investigate the event, checking VirusTotal, IPinfo, Whois, and even Google to try to figure out how dangerous the IP might be, only to figure out after an hour that it's actually just Shodan… or Censys… or Pingdom… or a brain-dead bot script.
GreyNoise recently met with Robert*, Manager of Cybersecurity Incident Response & Operations at a large food service & hospitality company. Robert lives this reality every day as he and his Incident Response team respond to network events from their MSSP and internal detections. Recently Robert found a way to leverage GreyNoise Intelligence data integrated into Cortex XSOAR incident response to help his team answer these questions much more quickly and effectively. We caught up with Robert recently to learn how he had done it.
* Customer names have been changed to maintain anonymity
Robert: Sure — I lead the incident response and security operations team at my company. I've been here for about six years and was previously an individual contributor on a joint team that combined security engineering, incident response, and security operations.
A few years ago, we figured it probably doesn't make sense to keep this one giant team, and it would be nice to start developing some specialization. So we chunked the team into two groups — a security engineering team, and an incident response and security operations team. I was fortunate to be selected to run the new IR and Ops team, and I’ve been doing it for about two years now.
Robert: We work with several external partners that triage alerts for us, as well as conduct our own custom detections and investigations. We actually have four different alert classifications:
So basically, we use our MSSP partner as Tier 1 analysts, with my teams handling Tier 2 and above. We're not a 24x7 shop, so we push 24x7 monitoring of our assets to our partners, basically saying, “Here's your escalation plan during business hours; here's your escalation plan outside of business hours. Go get them.”
Once we get an alert through any of these sources, we'll do triage, and beyond the initial triage, we’ll do remediation, and then resilience. Any kind of gaps that we have in those tools, we supplement with our own detections, or if it's a use case that’s specific to the company, we'll do it internally as well.
Robert: I remember seeing Andrew [Morris, founder and CEO of GreyNoise] talking about it on Twitter, and I checked it out and thought, wow, this is really awesome. I think the biggest sort of “aha” for me was looking at the amount of time it could save me during an investigation.
What was happening quite often to us was that we would get these IDS/IPS alerts about an exploitation attempt. And we’d have to run the alerts to the ground, and it was taking forever.
I realized, looking at GreyNoise, that this tool would tell me if this is a targeted attack or if it’s a piece of automation that some attacker is using to try to build their botnet. Because if it's an automated attack, and the script fails even slightly, then the whole attack is probably a wash at that point. There's not an operator with hands-on-keyboard to make the adjustments needed, so the automation just fails and moves on to the next IP.
Having that kind of insight was a game-changer for us in how we analyzed those alerts and how we looked at that type of attack surface. So we started using the Community edition of GreyNoise with our old homegrown incident response tool to query things, and it was tremendously helpful.
For example, one of the things we were looking at was vulnerability scans. If we’re getting vulnerability scanned by somebody who’s scanning everybody else too, okay, welcome to the Internet. But if somebody’s scanning us that GreyNoise has never heard of, that's interesting — why are they just scanning us? Are we being targeted? GreyNoise majorly short-cycled a lot of investigations on these kinds of events.
Another example, we would see somebody slinging an Apache Struts exploit. Okay, are they doing this just to us, or are they doing this to everybody? And again, that kind of changed the dynamic of how we responded to that event.
Robert: A while back, we started to look at various SOAR platforms, and I ended up doing evaluations of what was then Demisto (it’s Cortex XSOAR now), Splunk Phantom, Swimlane, and Siemplify. I engaged with the vendors, downloaded the software, ran an evaluation environment, and actually kicked the tires on each of them. Ultimately we landed on XSOAR, and that started the clock of bringing things over from our existing incident response queue.
As we started to bring events into XSOAR, particularly the ones where we had been using GreyNoise, I realized there was a great opportunity to integrate GreyNoise into XSOAR to automate the process. I went to my director and made the case that we've been using this tool called GreyNoise, and it's super helpful. Now that we've got these events coming from our MSSP into XSOAR, we could start leveraging automation to query GreyNoise, instead of having to manually copy the IP, open up a new tab, paste it in and run a search.
I had been talking to Andrew a fair amount on Twitter, and he sent me over an integration between GreyNoise and XSOAR (there was no marketplace at the time), and it worked really well. So we signed up for a paid plan with GreyNoise to get more IP lookups and more context information. We now use GreyNoise on most of our network detection-based alerts to give context and alleviate a lot of strain from a research perspective on those events. So it's been great.
The way we’ve integrated GreyNoise into XSOAR is that any time we see an IP address, XSOAR invokes the IP enrichment command for every integration that supports it. This includes GreyNoise, Virus Total, IPinfo.io, whatever. It'll run them all, bring all that data back, and show it to the analyst. One of the areas where GreyNoise is really useful with this approach is inside of our playbook for the IDS/IPS alerts from our MSSP.
In addition to alerts coming from our MSSP, we do custom detections in our SIEM, Splunk Enterprise Security. So while we will write content in Splunk, and raise these as notable events in ES, all of the results get mirrored into XSOAR. We try to make XSOAR the “one-stop-shop” for every event that we’re working.
Robert: Just being able to tell the background noise of the Internet, that was huge for us and made us go “wow.” To see that this activity is just a consequence of being online, but that activity over there GreyNoise hadn't seen, so they're only paying attention to us, and it actually merits us looking into more deeply because they're not just slinging exploits or vulnerability scans at every IP address on the Internet. And we've also seen the opposite, where we see yes, they are a benign scanner, and it's Shodan, cool, we can ignore it.
Because GreyNoise is good at providing context around what IPs are doing in the broader Internet, it typically plays a lot with the IDS/IPS stuff that our MSSP handles — the primary data that we pivot off of for these events is the IP address. We also use GreyNoise on an ad hoc basis — for example, if I see a weird IP on a login to our identity provider, I’ll look it up in GreyNoise and see if it does anything funky on the Internet. And so it's often just helpful context.
Another use case that’s been really helpful is the new RIOT tagging, which identifies known legitimate traffic. For example, if I'm doing an investigation on a host that's been compromised and I've got a list of IPs it's talked to in the last 24 hours, I just want to rip out all the stuff that is legitimate, like Office 365 or Slack or cloud solutions that our users should be talking to. I can go to the analysis page on GreyNoise and just drop this big block of IPs in there, and it will tell me if any of these are ones that I should really be caring about, and help me eliminate the ones that I don’t. It gives me a good way to filter for a first pass — I can rule this stuff out for now and focus on what's left. Then if I still can't find anything, I can go back to the Office 365 IP and look for anomalies there. Because If there's an Eastern European IP address buried in amongst the Office 365 ones, I know which one I want to look at first.
Robert: Every time we find an IP that GreyNoise knows about, we ask ourselves, “Hey, is this IP trying to exploit CVE fill-in-the-blank here? Do we run that software? No? OK, done.” Because it's an opportunistic scanner, and GreyNoise is saying the IP is focused on this particular CVE, or it loves these six CVEs for this product suite. This allows us to conclude that, because we don't use that product suite, we're good, and we can ignore it.
Alternatively, the answer might be, “yes, we do use that product suite.” In that case, I’ll go read about the CVE and see what versions are vulnerable, and then look at our system and see if it’s something we need to dig into or whether we already patched for it.
As part of our triage, we also check in with our vulnerability management team. If we see a scanner out on the Internet scanning through our IPs, we’ll go dig up our internal scan results for the same IP and see what we found. Because we can pretty much know that anything we found, the bad guys just did too.
There’s some nice visibility we get with GreyNoise around vulnerability scans. For example, for events that we get, we can look at our firewall and easily see that this particular IP scans all of these public IPs. Then we can check in GreyNoise to see, what ports does this scanner like to scan? We obviously know they scan port 80 because that's why we're here. But do they scan 443 (SSL)? Recently Andrew tweeted about some new behavior GreyNoise tracks looking at whether scanners follow 301 or 302 redirects.
Say we determine that this IP only scans port 80 — cool. Now we can go into XSOAR and CURL all of the IPs that they scanned on port 80 and check to see if there’s a common vulnerability they might be looking for. Or do we get our load balancer telling them they need to go to 443? Because if we get that, and this IP doesn’t follow redirects, and this IP doesn't scan 443, then he's hitting a load balancer appliance, and I don't care. In XSOAR, that playbook will close the event if this is the condition that's met. And no analyst ever has to interact with this event.
Robert: I remember first seeing Andrew talking about GreyNoise on Twitter. When I checked it out, I thought, wow, this is really awesome. I think the biggest sort of “aha” for me was looking at the amount of time it could save me during an investigation.
We started using the GreyNoise Community edition with our old homegrown incident response tool, and it was tremendously helpful. That experience allowed me to go to my director and make a case for leveraging automation to query GreyNoise, instead of having to manually copy the IP, open up a new tab, paste it in and run a search. Today we use GreyNoise on most of our network detection-based alerts, and to enrich every event we get from our MSSP. I would estimate that GreyNoise is saving us probably an hour of work every time we get one of these vulnerability scan events — we’ve automated our approach completely, so an analyst doesn’t even have to touch it (and we see around 8-10 of these events every week). So long story short, GreyNoise really does shorten the cycle of some of these vulnerability scan investigations and is saving us about 40 hours per month that we can apply to other high-priority security problems.
I’m also getting some good value out of using GreyNoise for ad hoc investigation context help — for example, when I've got a bunch of IPs and I just want to filter out the ones that I don't need to care about. We use GreyNoise to give context and alleviate a lot of strain from a research perspective on those events. So it's been great.
Curious how GreyNoise can save your SOC time? Try the product for free.
GitLab CE RCE Attempt [Intention: Malicious]
Apache Storm Supervisor RCE Attempt [Intention: Malicious]
Hikvision IP Camera RCE Attempt [Intention: Malicious]
SonicWall SMA100 Factory Reset Attempt [Intention: Malicious]
SonicWall SSL-VPN RCE Attempt [Intention: Malicious]
Legacy Web Server RCE Attempt [Intention: Malicious]
D-Link DIR-825 R1 RCE Attempt [Intention: Malicious]
D-Link DNS-320 RCE Attempt [Intention: Malicious]
Micro Focus OBR RCE Attempt [Intention: Malicious]
Yealink Device Management RCE Attempt [Intention: Malicious]
Wednesday, October 20, 2021, is the first ever SOC Analyst Appreciation Day™ - and in our opinion, it couldn’t have come sooner! We’d like to acknowledge the hard work and dedication of all the SOC analysts who help defend institutions across the globe. Thank you.
A SOC analyst’s life can be frustrating and stressful, with the weight of your organization’s security on your shoulders. Our goal here at GreyNoise is to help make your life easier by increasing SOC analyst efficiency, and by telling teams what not to worry about. We do this by helping you filter out “noisy” alerts associated with opportunistic internet scanning or common business services, not targeted threats. SOC teams can use GreyNoise data by using our web-based Visualizer, accessing our API via REST, SDK, or CLI, or integrating directly with your security tech stack.
If you’re a SOC analyst or manager interested in learning more about how you can use GreyNoise
On October 4th, 2021, Apache disclosed a path traversal vulnerability CVE-2021-41773 that affects HTTP Server version 2.4.49. The vulnerability was introduced in this version (2.4.49) and is patched in version 2.4.50.
This path traversal vulnerability allows sensitive files outside of the expected document root to be accessed, such as configuration files and Common Gateway Interface (CGI) scripts. This allows for specially crafted requests to read arbitrary files as well as perform Remote Code Execution (RCE) on systems that have the Apache “mod_cgi” module enabled.
On October 3rd, 2021, at 08:44 UTC, GreyNoise observed the first scan for this vulnerability from 36.68.53.196. This predates the mailing list announcement from Apache on October 5th as well as the release of 2.4.50 on October 4th, but after the patch was committed on September 29th. [View 36.68.53.196 in GreyNoise]
As of October 5th, 2021, the first Proof of Concept (POC) code became available which demonstrated arbitrary file read. It was closely followed by a POC demonstrating RCE.
GreyNoise has released the following tag to enable monitoring of relevant activity:
As of 7-Oct-21, GreyNoise is seeing 47 unique IP addresses that have scanned for this vulnerability, 39 of which are “malicious” and 8 of which are “benign."
* Editor’s Note: If this tag returns “No results found’,' this means that GreyNoise has not observed any IP addresses scanning the internet for this CVE in the past 90 days. You can use GreyNoise to notify you if this changes by using our Alerts feature.
10/15/21: This blog has been updated with Figure 1 to depict the timeline of events.
Today at GreyNoise, we’re thrilled to announce our selection as the Most Innovative Security Solution of 2021, as recognized by the Tech Ascension Awards. The awards are starting to pile up at GreyNoise, and our team's excitement grows after repeated confirmation from analysts and customers. As the name of the award implies, this honor is granted to those proving themselves innovative in the tech community around specific criteria. GreyNoise was selected from a pool of more than 500 applicants for excellence in technology innovation, market research, and unique competitive differentiators.
Our CEO and Founder, Andrew Morris, welcomes the industry compliment: “…we are honored by all of this validation, as it shows that we are making progress toward our ultimate mission—to solve the problem of alert fatigue and information overload in the cybersecurity arena. Every day, we see a staggering number of internet scans barraging internet-facing computers and software, and generating massive volumes of security alerts. Some of this activity is malicious, but a significant amount is not, and it’s getting to the point where it’s tough for security analysts to discern real threats from background noise. GreyNoise enables security teams to focus on the threats that really matter, rather than wasting their time investigating insignificant alerts. This is the heart of what makes GreyNoise an innovative security solution: we sift the haystack so you can pay attention to the needles."
Because the Tech Ascension Awards are innovation-centered, best-in-class vendors that receive recognition solve critical industry challenges differently. “The proliferation of ransomware, nation-state threats, and an uptick in cybercriminal activity due to COVID-19 are just some of the factors that have made a strong cybersecurity defense paramount for every business that touches sensitive data,” said David Campbell, CEO of Tech Ascension Awards. “We’re honored to recognize these industry leaders that have demonstrated their ability to defend organizations with unique approaches, innovative technology, and world-class talent.”
Here are some of our most recent accolades:
Try GreyNoise for free, and find out for yourself why we are the "Most Innovative Security Solution."
Azure OMI RCE Attempt [Intention: Malicious]
Azure OMI RCE Check [Intention: Unknown]
VMWare VCSA File Upload Attempt [Intention: Malicious]
VMWare VCSA File Upload Check [Intention: Unknown]
LDAP Crawler [Intention: Unknown]
Veeder-Root ATGs Crawler [Intention: Unknown]
VMware vCenter File Disclosure [Intention: Malicious]
PJL Crawler [Intention: Unknown]
PowerShell Generic Shell Attempt [Intention: Malicious]
Cisco IMC Supervisor and UCS Director Backdoor [Intention: Malicious]
Our research team is always looking for ways to improve our tagging methodology to enable GreyNoise users to understand actor behavior and tooling. GreyNoise already identifies clients with JA3 and HASSH data.
To expand on this work, GreyNoise recently added 3 new tags to shed more light on how various internet background noise-makers using HTTP clients manage their internal state. The below tags improve client fingerprinting for HTTP-based protocols.
On their own, each individual tag contributes a small indication of how the HTTP client manages its internal state. While that alone has value in helping to profile the actor behind the IP and possibly track them across IPs, the more interesting insights can be seen when these tags are viewed holistically.
As seen above, the tagged activity is not homogenous, allowing us a glimpse into the diversity of tooling or techniques used in scanning and opportunistic exploitation. While many actors may use the same exploit vector or payload, they may launch them from tools that support different HTTP features. These new tags may help the analyst determine if two IPs appear to be using the same tools.
For example, in Figure 3, we are able to determine with a high degree of confidence that the IP shown above is orchestrating a full-featured web browser (such as Puppeteer) to scan the internet. We see this because the IP exhibits browser-like behavior and attributes, including carrying a referer header, accepting cookies, and following redirects.
We hope these new tags offer our users greater insight into the tooling and libraries utilized by internet background noise-makers. Let us know what you think by sharing your feedback on the GreyNoise Community Slack channel (must have a GreyNoise account).
Imagine this scenario: You’re running a security operations center, and your team is processing a bunch of alerts coming out of Splunk Enterprise Security. As you add new detections and log sources, the volume of alerts begins to rise, your analysts start to get overwhelmed, and that familiar alert fatigue starts to kick in. Your security engineering team jumps in with yet another cycle of tuning to get the alert volumes back down to manageable levels. Then the cycle starts all over again...
Hurricane Labs lives this reality every day as a managed services provider that is 100% focused on Splunk and Phantom. The company manages these platforms for customers, providing 24x7 monitoring services supported by a team of Splunk ninjas to handle the heavy lifting.
Recently the Hurricane team found a way to leverage GreyNoise Intelligence data to identify the noise in Splunk and Phantom alert traffic, reducing the load on their analysts by 25%.
We had the good fortune to chat with Hurricane Labs Director of Managed Services, Steve McMaster, to learn how the company had done it.
STEVE MCMASTER: Sure - to set the stage, we manage Splunk and Phantom deployments for our customers, running the gamut from infrastructure management, to search and SPL creation, to security analysis and alerting, to rapid incident response. As part of these services, we provide 24x7 security monitoring, and I oversee the two teams that deliver this service. I’ve been with Hurricane for almost 14 years at this point - it's actually the only job I've ever had. I started here at age 17, right out of high school, and along the way, I've done a little bit of everything.
STEVE MCMASTER: We process a high volume of alerts on behalf of our customers, and as part of this traffic, we often see a lot of noisy alerts. This includes everything from known benign scanners (such as Shodan) to what we call "internet background noise," scanners that are constantly scanning the internet as a whole, looking for things to poke at.
The alert volumes we see are a constant ebb and flow, and we spend a lot of time tuning our customer’s environments to turn down the noise to a manageable level. But then, as we add new customers and more detections, the alert volumes start to creep back up. That’s when we see our analysts getting overwhelmed and feeling alert fatigue. It’s a normal cycle for our business, alert volumes go up, and then we need to dig in and tune our implementations to bring the volumes back down.
STEVE MCMASTER: We were starting a new cycle of tuning to get alert volumes to come back down when I stumbled on Andrew [Morris, GreyNoise founder]. I saw my boss and Andrew exchanging views on Twitter, and I thought, “Who is this guy, and why does the stuff he’s saying make so much sense?” So I took a look at the GreyNoise product.
I have to say, I’ve always been a big skeptic of threat intelligence as an industry because once enough people know about a piece of intelligence to publish it for general consumption, it’s already burned infrastructure. Yes, you might find some threats with it, but it's not worth the $150K per year that they charge for it.
But GreyNoise was different. I always refer to GreyNoise now as “anti-threat intelligence.” It’s specifically the opposite of traditional threat intelligence. Instead of saying, “pay attention to this,” GreyNoise says, “STOP paying attention to this; go spend your time on other things.”
So this approach fit into an argument I was having with our customers a lot at the time - my point was that the things that you’re detecting are not actionable. They’re not targeted at you; they’re not somebody trying to exploit you; they’re JUST scanning the internet. So you shouldn’t worry about them or spend time on them.
Shodan makes a really good example of this, because Shodan is scanning everybody and showing up in a lot of alerts. But this is not something YOU need to care about, Mr. Customer; therefore, it's not something WE need to care about as part of our monitoring service. The problem is that this is really hard to quantify. You can show people that alerts from Shodan should be ignored — that's easy, but trying to identify broader Internet background noise was a lot harder to do. To be able to say, “Okay, we've seen this thing across our 40 customers, so let’s ignore it,” that's not really enough scale to be able to make this conclusion definitively.
And then along came this guy who had a product that did exactly that. So GreyNoise let us expand our service in a way that customers kind of already expected from us. Now we could say, “Look, this is opportunistic, this is generalized, this is global, this is not targeted.” And we could say this definitively because of the scale that GreyNoise operates.
And it really just happened to fit at a time when that was a problem we were trying to tackle with our customers.
STEVE MCMASTER: We’re using GreyNoise in two ways - we use the data inside Splunk to eliminate alerts before they ever get to us, and then we do enrichment of alerts in Phantom once they reach us. We integrate the GreyNoise data into these environments using pre-built integrations that we initially developed, although we have turned these over to GreyNoise to maintain and extend for all their customers.
Our goal with these integrations is that if the IP address is in GreyNoise, then we eliminate it from alerting. GreyNoise actually returns 3 basic categories of “noise:”
The reality is that some customers are not totally comfortable with the accuracy of these classifications (at least at first), so for some customers, we still raise a low-priority alert so they can have a human look at it. I think that this comes down to trust --and based on OUR experience-- if GreyNoise is confident the IP address is a scanner, then we are happy to ignore it. I would say about two-thirds of our customers are there today.
I’m also really excited about something Andrew mentioned at the last Open Forum conference GreyNoise held, the new RIOT service. Instead of identifying internet scanner “noise,” RIOT looks at the flip side of this by identifying the “known good,” common business services that everyone uses, like Slack or Office365, or Google IP addresses. So now we can easily tell the difference between a legitimate service like a Microsoft update and a "not legitimate" service like a malware download.
STEVE MCMASTER: Sure, so when we use GreyNoise to filter noisy alerts out of Splunk, we use the GreyNoise-Splunk integration. We install that in our customer’s Splunk environment and add it to the search language for various detections. The logic is straightforward: if something in the search results matches GreyNoise, it gets excluded.
More specifically, we apply GreyNoise to any correlation search or detection inside of Splunk that we think is relevant. The big ones are IDS events and Splunk’s vulnerability scanner detection rules; those are the main ones that we use it for.
For Phantom, on the other hand, we use GreyNoise as an enrichment. The way our monitoring service works, we bring all of our customers’ alerts into a single Phantom instance, and we have the GreyNoise-Phantom integration installed. For our analysts looking at the alerts, one of the first things they do is look at the GreyNoise data. If the verdict is “noise,” then we know we don't need to do a lot more digging beyond that. This ends up saving us a lot of time because rather than investigating whether this is a targeted attack and figuring out whether anything was exploited, we can just short circuit the process, note it as a scanner, and send it over. Today we’re doing this as a manual process, but it's on our list to automate this into our incoming Phantom playbooks.
STEVE MCMASTER: When I first told Andrew that we'd be interested in subscribing, I told him I had no concept of how much something like this would be worth. I didn’t know if we were going to turn this on and see matches with 10 alerts per day across our customers or 100. But the impact on alerts is really the only thing I had to help quantify the value of GreyNoise.
So Andrew gave us a two week trial, and I added it to our triage tool (this was before we stood up Phantom). And I just counted up how many alerts over a week would have been something we could totally ignore with GreyNoise versus what we would not have been able to. We were somewhere in the vicinity of saving the equivalent of one to one and a half analysts per day, out of 22 total analysts at the time, based on the alerts that we could safely eliminate with GreyNoise.
Today, after implementation and with more customers in hand, GreyNoise helps my teams eliminate background noise and focus on the most actionable and relevant alerts for our customers. Rather than presenting our analysts with even more data to investigate, GreyNoise has allowed us to reduce the volume of alerts that are triggered by 25%, which makes for a happier and more effective SOC team.
And for us as an MSSP, this is even more significant than it might be for an enterprise. When you’re in a normal enterprise business, you can make a decision to spend money on a person or spend money on a product that eliminates alerts--you kind of have to pick your poison. But for us, the calculus is a bit different. When we invest in a person, that analyst can do, say, 20 alerts per day. But if we invest in a product, that product can triage a certain number of alerts at every one of our customers. And for every new customer, it can repeat that work. So even if GreyNoise could only eliminate 8 alerts per day across 40 different customers, that’s 320 alerts. As we add more customers, GreyNoise scales in a way a person wouldn’t.
On September 21, 2021, VMWare published an advisory for several vulnerabilities. This included, most notably, CVE-2021-22005, which affects their vCenter Server product. This vulnerability is an arbitrary file upload vulnerability that can lead to remote code execution (RCE) via upload of a specially crafted file. This works regardless of the configuration settings of vCenter Server.
Due to the severity of this vulnerability, VMWare published workaround instructions detailing how to manually or automatically patch the affected products. The automated patching script (available in the right-hand panel in the link above) includes logic to validate if your product is vulnerable to CVE-2021-22005, as well as confirm the patch has worked as expected.
As of September 23, 2021, there is no known publicly available proof-of-concept (PoC) code for the CVE that enables arbitrary file upload or RCE. However, GreyNoise is observing a significant number of checks for vulnerable instances of vCenter Server based off of the automated patching script provided by VMWare, most of these egressing via Tor.
The following tags have been released to enable monitoring of relevant activity:
Editor's Note: If either of these tags return "no results," this means that we have not observed any recent activity. You can be notified if this changes by using our Alerts feature.
Atlassian Confluence Server OGNL Injection Attempt [Intention: Malicious]
Atlassian Confluence Server OGNL Injection Vuln Check [Intention: Unknown]
Oracle WebLogic RCE CVE-2021-2109 [Intention: Malicious]
Seagate BlackArmor RCE Attempt [Intention: Malicious]
ASUS GT-AC2900 Auth Bypass Attempt [Intention: Malicious]
Apache SkyWalking GraphQL SQL Injection [Intention: Malicious]
Carries HTTP Referer [Intention: Unknown]
Stores HTTP Cookies [Intention: Unknown]
Follows HTTP Redirects [Intention: Unknown]
RSYNC Crawler [Intention: Unknown]
University of Michigan [Intention: Benign]
As part of our process, our research team continues to clean up and improve on existing tags as new information or better processes are introduced.
ADB Check [Intention: Unknown]
ADB Attempt [Intention: Malicious]
EDITORS NOTE: This blog post has been updated as of Sep. 2 to reflect edits to the Atlassian Confluence Server OGNL Injection tags.
Tag: Exchange ProxyShell Vuln Attempt [Intention: Malicious]
Tag: Exchange ProxyShell Vuln Check [Intention: Unknown]
Tag: Javascript Enabled [Intention: Unknown]
Tag: Aerospike RCE Attempt [Intention: Malicious]
Tag: Docker API Container Creation Attempt [Intention: Malicious]
Tag: Buffalo Router RCE Check [Intention: Unknown]
Tag: Buffalo Router RCE Attempt [Intention: Malicious]
Tag: FirebirdSQL Crawler [Intention: Unknown]
Tag: Ruijie EG Command Injection Attempt [Intention: Malicious]
As part of our process, our research team continues to clean up and improve on existing tags as new information or better processes are introduced.
Tag: X Server Connection Attempt [Intention: Malicious]
Tag: ADB Worm [Intention: Malicious]
During BlackHat 2021, security researcher Orange Tsai demonstrated a proof-of-concept exploit for Microsoft Exchange vulnerabilities, including a Pre-auth Path Confusion leading to Access-Control List (ACL) bypass (tracked as CVE-2021-34473, also called ProxyShell). Since Tsai’s talk, multiple researchers have published write-ups about the vulnerabilities [1, 2]. GreyNoise had not observed any mass scanning activity until Aug. 9, and has seen a significant uptick in scanning as of Thursday, Aug. 12. GreyNoise has created two tags to track activity related to these vulnerabilities.
Exchange ProxyShell Vuln Check: The vulnerability check for CVE-2021-34473 has several public variations. These include checking for access to /mapi/nspi which results in exposure of potentially sensitive information such as Version, User, UPN, SID, and Organization. Out of caution, GreyNoise tags this as malicious intent despite being a Vuln Check. [View In GreyNoise]
Exchange ProxyShell Vuln Attempt: Active attempts that leverage and chain the Pre-Auth Path Confusion for further exploitation through Elevation of Privilege on Exchange PowerShell Backend (CVE-2021-34523) or Post-auth Arbitrary-File-Write leading to remote code execution (CVE-2021-31207) are included in this tag. [View In GreyNoise]
Editor's Note: If either of these tags, or any tags for that matter, return "no results," this means that we have not observed any recent activity. You can be notified if this changes by using our Alerts feature.
CVE-2009-0545, CVE-2019-12725, CVE-2020-29390
Tag: Zeroshell RCE Attempt [Intention: Malicious]
Tag: Cisco Smart Install RCE Attempt [Intention: Malicious]
CVE-2021-35464
Tag: ForgeRock OpenAM Pre-Auth RCE Vuln Check [Intention: Unknown]
CVE-2021-35464
Tag: ForgeRock OpenAM Pre-Auth RCE Attempt [Intention: Malicious]
CVE-2021-33544 to CVE-2021-33544 (11 CVEs)
Tag: UDP Technology IP Camera Attempt [Intention: Malicious]
CVE-2021-33544, CVE-2021-33548, CVE-2021-33550 to CVE-2021-33554
Tag: UDP Technology IP Camera Check [Intention: Unknown]
CVE-2017-12149
Tag: Jboss Application Server RCE Attempt [Intention: Malicious]
CVE-2021-30497
Tag: Ivanti Avalanche Path Traversal [Intention: Malicious]
Tag: Double URL Encoding [Intention: Malicious]
Tag: Apache OFBiz Deserialization RCE [Intention: Malicious]
These tags have been removed because they no longer exist, scan, and/or can no longer be accurately identified
Multiple RDP tags have been deprecated in favor of RDP Crawler, which more accurately accounts for much of the behavior we see. We are currently working to create more accurate and narrowly scoped tags for RDP scanning and exploitation.
The RDP Bruteforcer tag was created around the same time as BlueKeep and aggressively assigned `malicious` intent to basic RDP connection attempts. After re-evaluating this, we feel this was incorrect and have taken actions to improve our RDP tags in general.
As part of our process, our research team continues to clean up and improve on existing tags as new information or better processes are introduced.
Tag: Cisco Smart Install Endpoint Scanner [Intention: Unknown]
Tag: Linksys E-Series TheMoon Worm [Intention: Malicious]
Anomali: Now supports RIOT and the Community API.
CVE-2020-36289
Tag: Jira User Enumeration Attempt [Intention: Unknown]
CVE-2021-1497, CVE-2021-1498
Tag: Cisco HyperFlex HX RCE Attempt [Intention: Malicious]
CVE-2021-1497, CVE-2021-1498
Tag: Cisco HyperFlex HX RCE Vuln Check [Intention: Unknown]
CVE-2020-35846, CVE-2020-35847, CVE-2020-35848
Cockpit CMS Command Injection [Intention: Malicious]
These tags have been removed because they no longer exist, scan, and/or can no longer be accurately identified
You may have noticed that we have announced a couple of new relationships in the last several months with the US federal government. We announced our partnership with the Defense Innovation Unit (DIU) of the US Department of Defense (DoD) to help optimize their investigations, and recently announced our partnership with In-Q-Tel (IQT). I wanted to talk a bit about what this means for GreyNoise and why we’re excited about it.
First, I’m very excited about cracking the nut of working with the defense and intelligence communities of the US federal government. We already work with a number of intelligence and defense agencies around the world, as we have mentioned in the past, but these new relationships really serve to validate the value of our solution. Specifically, DIU helps us provide our existing product to DoD customers more quickly, and IQT facilitates feedback and helps us fast-track features that solve customer problems, which will ultimately benefit all federal and non-federal customers.
Second, while we work closely with our commercial customers to ensure that we have prioritized their needs, we’ve found it can be harder to get these requirements from government agencies because of the nature of their programs. In other words, government customers are harder to solicit product feedback from due to the classified nature of their work. DIU and In-Q-Tel help to bridge that gap.
And finally, I wanted to finish with a note on our security and privacy policies. We passively collect and analyze a massive amount of internet scan traffic as part of our solution, but we will NEVER share user account and customer data or usage data with anyone outside of our organization. Our customers’ and users’ trust is extremely important to what we do, and we don’t want to compromise that trust in any way. It is common for corporate entities to defer announcement of government customers to reduce the risk of entangling themselves in complex geopolitical dynamics, but we felt strongly that we should publicly acknowledge our relationships. Transparency isn’t a bumper sticker to us; it’s a way of being, and a core value of the company.
The reality is that both government and commercial organizations are struggling with the same pressures and challenges in areas like alert fatigue and analyst investigative efficiency. These new partnerships with DIU and IQT will help make GreyNoise better for ALL of our users and customers.
Onward.
--Andrew
CVE-2020-25494
Tag: SCO OpenServer RCE Attempt [Intention: Malicious]
CVE-2021-22911
Tag: Rocket.Chat server RCE Attempt [Intention: Malicious]
Tag: Vesta Control Panel RCE Attempt [Intention: Malicious]
CVE-2021-27144/46 | CVE-2021-27148/55 | CVE-2021-27158/59 | CVE-2021-27162/66 | CVE-2021-27168/69 | CVE-2021-27172
Tag: FiberHome Telnet Backdoor [Intention: Malicious]
Tag: LokiBot C2 Crawler [Intention: Unknown]
Tag: Aerospike Crawler [Intention: Unknown]
As part of our process, our research team continues to clean up and improve on existing tags as new information or better processes are introduced.
Tag: Tomcat Manager Scanner [Intention: Unknown]
GreyNoise sees a lot of botnet activity, both benign and malicious, through our fleet of global sensors. We enlisted Black Lotus Labs®, the threat research arm of Lumen, to help us bring you more information about these botnets and their Command and Control (C2) hosts. A botnet’s C2, as the name implies, is a host from which bots receive their commands, download malicious files, and/or simply report back. Effectively, the C2 is the brain of the operation, and without one, a bot may simply sit dormant.
Black Lotus Labs' mission is to find and disrupt C2s to make the internet a cleaner and safer place. The amount of noise generated by these botnets, driven by their C2s, is astounding. For example, check out the traffic for May just for the Mozi botnet:
Some reports estimate that bots generate 25% of all internet traffic. This reflects what we see at GreyNoise - for example, on any given day, we tag around 30k IPs as ‘Mirai’ or ‘Mirai Variant,' one of the most prevalent bots in the wild. We are always looking for ways to identify sources of internet noise, so hunting botnets and their C2s with the Black Lotus Labs team was a natural fit.
To kick off our project, Black Lotus Labs enriched their netflow data using IPs tagged as ‘Mirai Variant’ in GreyNoise and applied some basic graph algorithms to identify a list of potential C2 IPs. These algorithms mapped 23 suspected C2 IPs in Black Lotus Labs’ data that communicated the most with several hundred GreyNoise ‘Mirai Variant’-tagged IPs. This one-to-many relationship is indicative of a traditional C2. Some of the potential C2 IPs in Black Lotus Labs’ data were previously identified Mirai C2s, but, interestingly enough, others were identified as a botnet family known as Mozi, a newer family that eschews the traditional C2 model.
Mozi exhibits many of the characteristics of Mirai, with one major exception: it has no central C2. Instead, Mozi is a peer-to-peer (P2P) botnet where every infected host is both a bot and a C2. Each peer propagates configurations and hosts payloads while also performing bot duties such as participating in DDoS, scanning the internet, and exploiting hosts to expand the botnet. For more on Mozi and P2P botnet technology, check out Black Lotus Labs’ analysis.
From the GreyNoise side of the project, we decided to look at request payloads within scanner traffic to see if we could identify C2s. We observed that, despite their difference in centralization, botnets like Mirai and Mozi are both notorious for inserting C2 addresses (IPs or domains) into their initial exploit attempt. Typically these exploits will execute a script that fetches a malicious payload from the C2 address and initializes the bot.
If you’ve ever looked at traffic hitting your network perimeter, you have probably seen a request like this:
If you extract and check the IP, you might discover, unsurprisingly, that the host is a C2. That’s it. No advanced analytics. No machine learning. No blockchain. Just IP and domain extraction.
We decided to leverage this insight and test if this was an accurate way to identify P2P Mozi family C2s - that is, IPs that scan like a bot AND deliver peer-to-peer C2 addresses. Our approach was to extract a set of IPs matching this request pattern from our data and then compare the results with Black Lotus Labs C2 data.
Using this method, we compiled a list of 3,368 suspected C2 IPs that appeared to be delivering requests with embedded C2 addresses. Our free Analysis tool confirmed that 97% of these IPs scanned the internet within the last 90 days. So our hypothesis was that this combination of bot and C2 behaviors allows us to accurately identify P2P Mozi family C2s.
To test the hypothesis, we asked Black Lotus Labs to analyze the IP list and identify any C2s already known to them. They found that our list contained 962 IPs previously identified as C2s or botnet peers.
In total, 28% of our potential Mozi IPs were identified by Black Lotus Labs as C2s. Of those, 98% were confirmed as Mozi. So while this is a promising start at identifying suspected C2 IPs, it doesn’t provide conclusive evidence that IPs exhibiting this behavior belong to the Mozi family. Further research is required to profile the remaining 71%, which are most likely simple bots.
Why is it important to identify C2 IPs like Mozi? Using the confirmed C2 data in hand, we found we can now pivot around the addresses (both IPs and domains) to help identify the vulnerabilities being exploited. For example, take the following C2 domain:
bp65pce2vsk7wpvy2fyehel25ovw4v7nve3lknwzta7gtiuy6jm7l4yd[.]onion[.]ws
We found that more than 50% of traffic containing this C2 domain belonged to IPs, probably bots, exploiting the same three vulnerabilities: TerraMaster TOS (CVE-2020-28188), Zend Framework (CVE-2021-3007), and Liferay Portal (CVE-2020-7961).
The FreakOut botnet is known to exploit this unholy trinity. Although we already have tags for all three of these vulnerabilities, this demonstrates how we can use C2 addresses to automate the process of identifying and tagging known unknowns: vulnerabilities used by botnets.
Recall that bot traffic comprises almost a quarter of all internet traffic. Developing and expanding these techniques allow us to closely examine some of the most common noise on the internet. Any vulnerability checks or exploit used by a botnet like Mirai or Mozi is bound to be one of the most well used on the internet. By knowing botnets, we know noise.
Additionally, we want to refine and share these fun C2 addresses, like cnc[.]tacobelllover[.]tk, with our customers and community as a data feed for your projects, research, and work. If this interests you, create a GreyNoise account and join our Community Slack to give us feedback.
Please update your search term or select a different category and try again.
