On Monday, May 1, 2023, CISA added CVE-2021-45046, CVE-2023-21839, and CVE-2023-1389 to the Known Exploited Vulnerabilities (KEV) list. For all three CVEs, GreyNoise users had visibility into which IPs were attempting mass exploitation prior to their addition to the KEV list. GreyNoise tags allow organizations to monitor and prioritize the handling of alerts regarding benign and, in this case, malicious IPs.
TP-LINK ARCHER AX21 COMMAND INJECTION VULNERABILITY SCAN | CISA KEV UPDATE: CVE-2023-1389
ORACLE WEBLOGIC CVE-2023-21839 RCE ATTEMPT | CISA KEV UPDATE: CVE-2023-21839
APACHE LOG4J RCE ATTEMPT | CISA KEV UPDATE: CVE-2023-45046
On Thursday, April 27, 2023, GreyNoise released a tag for the critically scored CVE-2023-21554, QueueJumper, a Microsoft message queuing remote code execution vulnerability.
As of this publication, we have not observed mass exploitation attempts, but have observed >600 IPs that are attempting to discover Internet-facing Microsoft Windows devices that respond over Microsoft Message Queuing (MSMQ) binary protocol.
GreyNoise researchers now have a tag, classified as malicious, for the full QueueJumper RCE Attempt. As of the time of this post, no active RCE scanning attempts have been seen in GreyNoise for the past 90 days.
Check Point Research is slated to reveal full technical details later in the day on Friday, April 28, 2023.
MICROSOFT MESSAGE QUEUING (MSMQ) QUEUEJUMPER RCE ATTEMPT | CVE-2023-21554
MICROSOFT MESSAGE QUEUING (MSMQ) CRAWLER | CVES: No associated CVEs
MICROSOFT MESSAGE QUEUING (MSMQ) HTTP CRAWLER | CVES: No associated CVEs
Check Point Research discovered three vulnerabilities in Microsoft Message Queuing (MSMQ) service, patched in April's Patch Tuesday update. The most severe, QueueJumper (CVE-2023-21554), is a critical vulnerability allowing unauthenticated remote code execution. The other two vulnerabilities involve unauthenticated remote DoS attacks:
MSMQ, though considered a “legacy” service, is still available on all Windows operating systems.
According to Check Point researchers, over 360,000 IPs have the 1801/tcp port open, running the MSMQ service. The service may be enabled without user knowledge when installing certain software, such as Microsoft Exchange Server. Exploiting MSMQ vulnerabilities could allow attackers to take over servers. It's crucial for administrators to check their servers and install Microsoft's official patch. If unable to apply the patch, blocking inbound connections for 1801/tcp from untrusted sources can serve as a workaround.
GreyNoise researchers have two activity (vs exploitation attempt) tags that detect when someone is scanning to find exposed instances of the MSMQ service:
When we combine these tags, we presently see (at the time of publishing this post) just over 500 unique IP addresses — all from sources we’ve qualified as benign (👋🏼 Censys and Shadowserver!). The most prolific scanning is happening on the non-HTTP endpoint.
GreyNoise strongly recommends that organizations use our blocklists to shut down any identified malicious IPs with extreme prejudice before they have a chance to cause harm.
Our researchers are also hard at work digging into the details of each of the three weaknesses to craft specific exploitation detections which will, by default, be coming from malicious sources.
GreyNoise's detection capabilities for inventory scans of MSMQ protocols provide a reliable and essential tool in identifying and blocking malicious IPs targeting these vulnerabilities. With the accuracy of GreyNoise tags, security professionals can trust the system to highlight potential threats, allowing them to focus on other critical aspects of their organization's security. These IP Blocklists are available to all GreyNoise users now.*
*You must be signed in to access Blocklists. Create an account today.
On Friday, April 21, 2023, CISA added CVE-2023-27350 (a critical unauthenticated remote code execution vulnerability) impacting PaperCut MF and PaperCut NG to the Known Exploited Vulnerabilities (KEV) list. PaperCut MF and PaperCut NG are both enterprise printer management software.
Originally ZDI-23-233, CVE-2023-27350 (CVSS 9.8) impacts both application servers and site servers for PaperCut MF and NG version 8.0 or later, according to PaperCut, and have been fixed in PaperCut MF and PaperCut NG versions 20.1.7, 21.2.11 and 22.0.9 and later.
PAPERCUT RCE ATTEMPT | CISA KEV UPDATE: CVE-2023-27350
PAPERCUT AUTHENTICATION BYPASS CHECK | CISA KEV UPDATE: CVE-2023-27350
The inclusion of this vulnerability on the KEV list implies that exploitation has been confirmed in the wild. Additionally, the PaperCut advisory also points out reports of exploitation dating back to April 13, 2023, 15:29 UTC.
GreyNoise has published two tags related to this PaperCut vulnerability:
At the time of publication, GreyNoise has not observed mass exploitation for this vulnerability but has observed two IPs mass scanning for the vulnerability; this could be for a few reasons. It could be that exploitation is happening in a more targeted fashion or simply because scanning for this vulnerability isn’t technically necessary as a specific Google search will return a few thousand hits which attackers can use to focus exploitation attempts on.
GreyNoise recommends that organizations that use PaperCut follow the vendor's guidance to upgrade and review systems for signs of compromise. (This information is included in PaperCut’s advisory).
While signed in to GreyNoise, click below to set up a daily alert to be notified of new results.
Today, in collaboration with our partner Trinity Cyber, GreyNoise has a new tag for scan traffic related to CVE-2023-1389, a pre-auth command injection weakness in TP-Link Archer routers.
TP-Link Archer AX21 (AX1800) firmware versions before 1.1.4 Build 20230219 contained a command injection vulnerability in the country form of the /cgi-bin/luci;stok=/locale endpoint on the web management interface. Specifically, the country parameter of the write operation was not sanitized before being used in a call to popen(), allowing an unauthenticated attacker to inject commands, which would be run as root, with a simple POST request.
The following is a sample of traffic related to these exploit attempts.
There has not been an observed, successful injection detected to-date, so we have published a “scan/crawler” tag — TP-Link Archer AX21 Command Injection Vulnerability Scan — to help organizations identify this activity and will be working closely with Trinity Cyber and other partners to identify successful exploit attempts to help identify successful malicious mass exploitation attempts.
Tenable initially identified this weakness, and has confirmed that successful exploitation is only likely across WAN interfaces under rare conditions. The Zero Day Initiative (ZDI) has also detected exploit activity and has suggested that their telemetry indicates that the Mirai botnet has updated its arsenal to include this new exploit. They further indicate that exploitation across the WAN interface will likely be difficult, but not impossible
Organizations should work to patch any known, official deployments of these routers and advise their remote workforce to ensure they apply the appropriate vendor updates as soon as possible if they have them installed at their remote location(s).
Our engineering team is performing a retroactive tagging exercise to determine if we have seen mass exploitation attempts within the previous ninety days. However, Trinity Cyber has shared that they have observed 193.32.162.189 actively engaged in current exploitation attempts.
GreyNoise suggests that, where possible, organizations block this IP address and use our hourly-updated block lists to help keep their infrastructure safe from mass exploitation attempts.
We will provide an update once we have a tag for a confirmed, successful malicious activity for this vulnerability.
While signed in to GreyNoise, click below to set up a daily alert to be notified of new results.
On Tuesday, April 25, 2023, GreyNoise is changing how we classify environment file crawlers from unknown intent to malicious intent. At the time of publication, this change will result in the reclassification of over 11,000 IPs as malicious. Users who use GreyNoise’s malicious tag to block IPs based on malicious intent will see an increase in blocked IPs.
An environment file crawler is a bot that scours the internet for publicly available env files. The use of these files have been popular for over a decade and are used to pass dynamic environmental variables to software and services.
Environment files are dotfiles; dotfiles are hidden files that are hidden from the user by default but are editable by any text editor and contain configuration settings for various applications. An example of an environment file is:
They almost always contain sensitive data such as authentication information (ex. keys or passwords) and often their specific connection paths. For this reason, env files should never be exposed publicly; anyone who obtains the file can potentially access sensitive information. Adding insult to injury, organizations often are unaware that they are exposing these files to the public, and these crawlers have been historically overlooked.
For years, GreyNoise has monitored env scanners and classified them as unknown intent. However, we continuously strive to enhance our datasets to safeguard organizations and increase the effectiveness of SOCs; thus, we have decided to reclassify these crawlers as malicious.
Click/tap here for more information on GreyNoise classifications.
The reclassification of intent will affect the following tags:
These files should never be publicly exposed since they typically contain sensitive information; the internet noise generated by the constant searching for these files is indicative of the scale of opportunistic attackers looking for credentials.
Using environment files to compromise organizations is a well-established tactic
There are numerous CVEs related to env files as information disclosure or code execution, including but not limited to:
Organizations should take proactive measures to regularly look for exposed .env files; scanning once won’t cut it as they can appear at any time. Searching for unsecured env files should be a part of an organization's vulnerability management program. If you do find a publicly available .env file for your organization, it is imperative that you immediately remediate the exposure and rotate any credentials that were leaked. GreyNoise will continue to review the classifications of our tags to ensure their efficacy.
Sign up for a free GreyNoise account or request a demo to see how GreyNoise can help provide immediate protection from threats like these, especially when activity mutates from "unknown" or "benign" to "malicious.”
SOC teams have struggled with false positive alerts since, well, the beginning of security centers. There are a lot of studies (by security vendors) on how much time SOC analysts spend on false positive alerts. Unfortunately, we are not IPO rich (yet) - so we didn’t conduct our own study - but we did take the average from a few (1, 2, 3) reports. According to our sources, a single analyst wastes an average of 8.4 hours per week triaging false positive alerts.*
GreyNoise can help SOC teams reduce false positives by providing context to the alerts on internet-wide scanners, crawlers, and other suspicious activity that may trigger false alarms. How many times have you got an alert that turns out to be [insert security company] just scanning the internet?
By integrating GreyNoise into your alerting workflow, your team can eliminate background noise and focus on the most actionable and relevant alerts.
So what can you do with ~8+ hours of your life back each week?
By using GreyNoise to filter out benign internet scanners, SOC teams can improve decision-making, reduce alert fatigue, and enable teams to focus their time and resources on genuine threats. Start exploring our data today.
*Yes, we know that the actual time spent varies based on the size of the security team and organization.
We recently built out a new Premium Feed for Anomali ThreatStream. Anomali customers can now pull in all malicious IPs GreyNoise has seen hitting our sensors in the past 24 hours, on a daily basis.
While most feeds in Anomali are used to build lists of observables that will trigger alerts or investigations within their other security tools, GreyNoise is not your typical threat feed and should be treated differently. In this post, we’ll walk through how Anomali users should leverage the GreyNoise feed, how you can access a trial, and a couple other loose ends.
Observables that show up in the GreyNoise Malicious Threat Feed in Anomali all have three things in common:
Because of these, customers trust that GreyNoise Malicious Feed observables are associated with an IP that has been seen blasting large swaths of the internet, and likely not indicative of a targeted attack worth an analyst’s time to review.
GreyNoise’s Malicious Feed in Anomali is best used as a feed for opportunistic attack activity that should be automatically blocked. Our data is highly reliable so many of our customers trust our data to leverage in automated actions, like blocking, to save their analysts’ time. Our malicious feed should NOT add to an analysts triage queue.
In order to try out the GreyNoise Malicious Feed in Anomali, you need a GreyNoise account with an active Enterprise trial. Start by Signing Up Here then clicking on the Activate Trial button on the GreyNoise Account page. Once you have the trial enabled, grab your GreyNoise API key, and head over to the Anomali Marketplace.
In the Anomali Marketplace, find the Premium Feed for GreyNoise, then click Get Access and drop in your API key. This will provide you with 14 days of trial access to the feed.
If after the trial you’d like to make it a permanent feature in your Anomali instance, you can review our pricing page and reach out to the sales team with any questions. The GreyNoise Malicious Feed can be an add on to any of our standard packages!
While we’re on the topic, we’d be remiss to not mention the original use case for GreyNoise in Anomali. For observables coming from other sources within Anomali, we provide additional context through enrichment that other services don’t. If you're triaging an event and using Anomali to understand the details of an observable, the GreyNoise Enrichment for Anomali provides you with all the details you need to understand if the IP has been observed performing internet-wide scanning and what it has been scanning for. It will also highlight for you if the IP belongs to a common business service from our RIOT data set, in which instance blocking that IP may break something for your users.
Our Anomali Enrichment feature also recently got an upgrade, with IP Similarity and IP Timeline now available if included in your GreyNoise Subscription. These are great tools for folks looking to for a granular view of the scanning activity observed by GreyNoise for an observable or to identify other scanning IPs that may be leveraging similar scan and attack tactics.
GreyNoise is a powerful cybersecurity solution that provides valuable context on internet-wide scan and attack data. By collecting and analyzing this data, we help organizations distinguish between targeted attacks and background noise, reducing false positives and improving security operations efficiency and overall security outcomes for every organization that uses both our Visualizer or API. Today, we'll explore the GreyNoise integrations universe, discuss how these extensions can benefit every category of security tool and service, plus explain why both vendor flexibility and community support is essential.
Cyber tools and solutions of every kind can greatly benefit from integrating with the GreyNoise API, even at the community tier. Here are a few ways that these tools can leverage GreyNoise data:
The GreyNoise integrations universe is vast and designed to support a variety of security tools and platforms. This includes Security Information and Event Management (SIEM), Extended Detection and Response (XDR), Security Orchestration, Automation, and Response (SOAR), Threat Intelligence Platforms (TIP), and Analyst Tools/Open-Source Intelligence (OSINT). You can see just how vast it is for yourself! By integrating GreyNoise into each of these solution areas, organizations can enrich their security alerts, enhance visibility, streamline operations, and make far more informed decisions.
Vendor flexibility is crucial in the cybersecurity landscape. By supporting a wide range of security tools and platforms, GreyNoise empowers organizations to tailor their security ecosystem to meet their unique needs. According to buzzword-laden analysts and experts alike, adopting an open and flexible approach to security integrations enables organizations to leverage best-of-breed solutions, maximize the value of their existing tools, and enhance overall security posture. What that truly means, though, is that GreyNoise meets you where you are at, regardless of budget cycle. When that three- or five-year contract is up on that SIEM, rest assured that it’s more than likely GreyNoise will work with that fancy new tool you spotted at RSA. GreyNoise's commitment to vendor flexibility ensures seamless integration with your preferred tools, ultimately improving your organization's security capabilities.
Integrating GreyNoise across your entire environment is highly beneficial. By incorporating GreyNoise data into all the acronyms you own — SIEM, XDR, SOAR, TIP, and OSINT — you can enrich your security alerts with valuable context, reduce false positives, improve incident response times, and centralize threat intelligence data. By leveraging GreyNoise's context across your systems and services, you can gain a more comprehensive understanding of your security landscape and make better-informed decisions to protect your organization.
Our API can help you hone in on anomalies, cast a wider net when it comes to identifying and blocking malicious sources, and provide actionable context on today’s “internet weather”.
GreyNoise has a vibrant and thriving community of practitioners, with members that collaborate on developing open-source integrations with GreyNoise. These community-driven integrations enhance the functionality of a plethora of Free and Open-Source Software (FOSS) cyber tools, demonstrating the versatility and value of GreyNoise data.
Members of the GreyNoise Community invest their time and effort into integrating GreyNoise into open-source projects for several reasons:
If you're developing or using FOSS cyber tools, consider integrating the GreyNoise API to unlock the full potential of your security solutions. Join the GreyNoise Community and collaborate with like-minded individuals to improve the cybersecurity landscape and make the internet a safer place for everyone.
Are you ready to harness the power of GreyNoise? Sign up for a free GreyNoise account and start exploring the benefits of GreyNoise integrations. Experience firsthand how GreyNoise data can enhance your security operations and threat intelligence. For organizations looking to unlock the full potential of GreyNoise, navigate to your GreyNoise account section to sign up for a free enterprise trial and begin integrating GreyNoise into your security ecosystem today. Don't miss out on the opportunity to strengthen your organization's defenses with the power of GreyNoise.
Cyber threats are constantly evolving, and organizations need to stay on top of the latest techniques and tools to protect themselves against attacks. One of the most critical aspects of this is having an effective threat intel program in place. But how do you upgrade your program to keep up with the ever-changing threat landscape? Our answer: start looking for patterns in attack telemetry.
David Bianco’s ‘Pyramid of Pain’ illustrates the relationship between the types of indicators you might use to detect an adversary's activities and how much pain it will cause them when you are able to deny those indicators to them. Organizations can better identify and defend against threats by moving from simple indicators like domains, hashes, and IPs to focusing on more difficult to change indicators such as TTPs. While gaining this additional insight can take more time, defenders can do more to detect and prevent future attacks.
GreyNoise data is awesome, but in order to move from IPs -> TTPs, we have built new features to help you upgrade your Threat Intel program (thanks to the Pyramid of Pain)!
It is now easier than ever to fingerprint attacker infrastructure. This new feature clusters activity based on similar behavior, like similar HASSH and JA3 fingerprints, RDNs, user agents, and ports scanned. Based on the results from IP Similarity, you can hunt within your own network to proactively find other related malicious activity.
The IP Timeline displays activity as seen by GreyNoise sensors of a particular IP Address over the past thirty days. By checking our timeline graph, you can see when an IP interacts with our sensors. This chron data helps CTI teams identify if an attacker is using an automated process or if the scan/attack process is manual.
Understanding how adversaries operate and adopting a defined strategy to detect and remediate can lead to a more effective threat intelligence program. GreyNoise can be used to easily enrich threat feeds to gain deeper insight into how attacker infrastructure is being used and quickly understand what services, devices, and vulnerabilities they want to leverage as part of their campaign.
If you are interested in learning more about any of these new features, request a demo.
Co-Authors include: Austin Price & Jen Dooley
For April Fools this year, the GreyNoise team created GhostieBot, an Artificial Unintelligence bot serving you all the answers you didn’t need.
We had a lot of fun creating it and thought it was a good example of the ideation, design, development, and release process at GreyNoise. Here we hope to walk you through that process so you can understand a little better how we work.
We knew we wanted to have a fun April Fools joke this year, but everyone was already working on a ton of projects to make GreyNoise a more useful product. We decided to take a group of volunteers and just grab an hour here or there to work the problem.
Our first stop was a Figma brainstorming session. Just set up some space for everyone to jot down ideas, start a 5-10 minute timer, play some smooth jazz, and go to work.
After all our ideas were gathered, we discussed them and added +1s to the ideas we liked. Since the world has been taken over by chatbots and large language models, we ultimately ended up with a GreyNoise chatbot that we could use to make jokes and expose some of the other ideas from the brainstorming session that weren’t big enough for their own show. Though you never know, the Internet Weather Report from the brainstorming session might pop up sometime…
Next up, we had to create some mocks for what we wanted the GhostieBot interface to look like. Chatbots and messaging interfaces, in general, have some pretty established patterns. To keep things as simple and quick as possible, we leaned heavily on our design system and went with a standard chat/messaging layout. There were a few new elements in the design, like the message bubbles and Ghostie avatar, that we needed to create. We also needed to make sure it was responsive and handled small and large screens well. Altogether, these were pretty simple items, and we were able to have the finished mockups ready in under an hour.
Since our chatbot is not a real chatbot, we had to actually come up with the responses we wanted, arguably a tougher task than creating a real chatbot. Luckily, we have a ton of nerds on staff who like terrible jokes. After spinning up a quick Notion page, we were able to crowdsource some ideas.
Now it is time to make it all real; we took the mock-ups, created a new page, and started building. We compiled the list of questions and properly formatted them for display. Then built out the basic structure of a chat interface; once that was set up, we added a few nice to haves:
Once the interface was completed, we hid the Chat behind a feature flag as well as set a date window for the chat to be available to the public. This allowed us to test the chat before it went live.
And while we went with a more informative page for 127.0.0.1, y’all almost ended up with:
We had a ton of fun putting this all together, and we hope you enjoyed it too. To keep in touch with GreyNoise as we figure out how to build an amazing product for the cyber security community, sign up for a free account (https://viz.greynoise.io/signup), join our Slack community (greynoiseintel.slack.com) and follow us on Twitter https://twitter.com/GreyNoiseIO. We also have a couple of positions open (https://www.greynoise.io/careers#Current-Openings).
At GreyNoise, we're excited to announce that our Voluntary Product Accessibility Template (VPAT) is now available. We believe that everyone should have equal access to our product and service, regardless of their disabilities or abilities. By providing a document that evaluates our product's accessibility for people with disabilities, we are taking a step forward in ensuring that our product meets the needs of all users. We are committed to creating an environment that is inclusive and accessible to everyone, and we believe that our VPAT is an essential part of this initiative.
VPAT stands for Voluntary Product Accessibility Template, which is a document that outlines how accessible a product or service is to individuals with disabilities. It provides information on how well the product or service conforms to the Web Content Accessibility Guidelines (WCAG) and other accessibility standards. It's an important tool for ensuring that everyone, regardless of their abilities, can use and benefit from our product and service.
A VPAT is a detailed report on how well a product or service conforms to accessibility guidelines such as Section 508 of the Rehabilitation Act in the United States. It typically contains information on the product's conformance to accessibility standards, including how it complies with various criteria related to accessibility, such as keyboard accessibility, color contrast, and assistive technology compatibility. Additionally, the VPAT provides details on any known limitations or barriers that may exist for users with disabilities and any plans for future development or improvement.
Accessibility is a fundamental human right, and it's crucial that our product and service are designed with everyone in mind. People with disabilities make up a significant portion of the population and deserve equal access to information and services. A VPAT is a valuable tool for organizations to demonstrate their commitment to creating and providing accessible products and services, as well as fulfilling legal obligations. By completing a VPAT, we're ensuring that GreyNoise is accessible to as many people as possible.
Accessibility is important because it ensures that everyone, regardless of their abilities or disabilities, can access and use our platform. In the United States, approximately 61 million adults have a disability*, representing a significant portion of the population. By making our platform accessible, we're opening up our product and service to a much broader audience, leading to increased engagement, more meaningful interactions, and, ultimately, better outcomes for everyone.
In addition, accessibility can lead to better user experiences. People with disabilities may face significant challenges when accessing websites or online tools not designed with their needs in mind. By making our platform accessible, we're reducing these barriers and making it easier for everyone to use our product and service.
At GreyNoise, we're committed to continuous improvement. We're constantly looking for ways to make our platform more accessible and inclusive. In addition to providing a VPAT, we're also working on other accessibility initiatives, such as improving our keyboard navigation, adding alternative text to images, and ensuring that we meet accessibility standards.
We believe that accessibility is an essential part of our platform, and we're committed to making our tools and services accessible to everyone. By providing a VPAT, we demonstrate our commitment to accessibility and inclusivity, which can lead to a better experience and outcomes for everyone. We look forward to continuing our accessibility efforts and making GreyNoise a platform everyone can use and enjoy.
Reference:
https://www.section508.gov/sell/vpat/
.png)
We briefly introduced IP Similarity previously, but now we want to dive deep and show how we made this idea a reality.
The first goal of IP Similarity is to encode a GreyNoise record as a numerical feature vector. This is just an array of numbers that somehow represent all of the data we have in a GreyNoise record.
This representation is extremely useful for machine learning and any numerical analysis. From this point we can quantitatively measure how far away two records are, cluster groups of records together, and build all sorts of classifiers. This is the ground floor basis for applying machine learning to GreyNoise data.
But, getting there is hard. Our records contain a vast amount of unstructured and semi-structured textual data. User-Agents can be nearly anything you want, from
to
Web paths can be as simple as
or complicated like
Ports can be any or all of the 65,535 available values. The list goes on.
In order to turn this complex multi-modal data into a fixed size numerical feature vector we employ a few tricks, primarily: tokenization and “the hashing trick”.
Books could be (and have been) written on tokenization, but for our purposes we can implement a simple regex.
This matches everything but alphanumeric characters and replaces them with whitespace, with which we can split the string on and lowercase all values. This turns our
into the list of item
Once we have more consistent tokens, we can put them all into a fixed bucket with the hashing trick. This works as follows:
Now that we have a method to turn unbounded text into a fixed numerical vector, we can do this with many more of our fields and concatenate the results , along with boolean variables (e.g. is this IP coming from a VPN? T/F), to create one long feature vector to represent each record. Success!
But weight, there’s more!
Not all features have equal importance, so we need to create weights so some features have more significance than others in the analysis.
For IP Similarity we are using a combination of relatively static IP centric features, things we can derive just from knowing what IP the traffic is coming from or their connection metadata, and more dynamic behavioral features, things we see inside the traffic from that IP. These features are:
IP Centric
Behavioral
Features like JA3 can be less important while features like Web Paths can really show good similarity between records.
We are curating an ever growing collection of pairs of GreyNoise records that we think are good matches and bad matches. With these, we can randomly go through our collection, compare the feature vectors for the records and adjust the weights to make those matches (or non-matches) better and better. This creates a weight vector that we can use to adjust our base feature vector.
We take our GreyNoise record, extract the features we want to use, apply the hashing trick or other numerical logic, apply our weights, and we are left with a final vector that is ready to be used in comparison and machine learning. For example:
With this new representation we can do a lot of ML, but our first use case is IP Similarity, which answers the following question:
Given an IP address and all that GreyNoise knows about it, show me all other IPs GreyNoise has seen that have similar characteristics and behaviors.
To do this we compare two feature vectors and calculate L2Norm. Just like in geometry where you use the Pythagorean theorem, a2 + b2 = c2 or c = sqrt(a2+b2), L2Norm just extends that to a larger space, so it is simply a measure of how far two points/vectors are from each other. If L2Norm is small, the feature vectors are close and thus very similar. If it is large, the feature vectors are far from each other and thus dissimilar.
We put all of this feature vector information into ElasticSearch alongside our GreyNoise records and voilà, we can now find any GreyNoise records that are similar to any other. Some of the use cases are:
We can take a single IP from our friends at Shodan.io, https://viz.greynoise.io/ip-similarity/89.248.172.16, and return 21 (at the time of writing) other IPs from Shodan,
And we can compare the IPs side by side to find out why they were scored as similar.
While we have an Actor tag for Shodan which allows us to see that all of these are correct, IP Similarity would have picked these out even if they were not tagged by GreyNoise.
We can take an IP from the tagged with NETGEAR DGN COMMAND EXECUTION, https://viz.greynoise.io/ip-similarity/182.126.118.174, and return many other IPs that could be part of that attack,
We can see they share OS, Ports, Web Paths, and rDNS.
We can take an IP from another prolific scanner like ReCyber, https://viz.greynoise.io/ip-similarity/89.248.165.64, and return a large number of IPs, many from ReCyber, but others that simply act like ReCyber,
Ultimately, we hope this tool is insanely useful to you and you’ve developed a better understanding of how it works under the hood. Be on the lookout for more features, machine learning applications, and explanations! To try IP Similarity for yourself, sign-up for a free trial or request a demo to learn more.
(*Create a free GreyNoise account to begin your enterprise trial. Activation button is on your Account Plan Details page.)
OpenAI ChatGPT has recently released a new feature that allows for plugins to fetch live data from various providers. This feature has been designed with "safety as a core design principle", which means that the OpenAI team has taken steps to ensure that the data being accessed is secure and private.
However, there are some concerns about the security of the example code provided by OpenAI for developers who want to integrate their plugins with the new feature. Specifically, the code examples utilize a docker image for MinIO RELEASE.2022-03-17. This version of MinIO is vulnerable to CVE-2023-28432, which is a security vulnerability resulting in information disclosure of all environment variables, including MINIO_SECRET_KEY and MINIO_ROOT_PASSWORD.
While we have no information suggesting that any specific actor is targeting ChatGPT example instances, we have observed this vulnerability being actively exploited in the wild. When attackers attempt mass-identification and mass-exploitation of vulnerable services, “everything” is in scope, including any deployed ChatGPT plugins that utilize this outdated version of MinIO.
To avoid any potential data breaches, it is recommended that users upgrade to a patched version of MinIO (RELEASE.2023-03-20T20-16-18Z) and integrate security tooling such as docker-cli-scan or use Github’s built-in monitoring for supply chain vulnerabilities, which already contains a record referencing this vulnerability.
GreyNoise has posted an issue to the affected OpenAPI GitHub project to help ensure this weakness gets addressed as soon as possible.
While the new feature released by OpenAI is a valuable tool for developers who want to access live data from various providers in their ChatGPT integration, security should remain a core design principle.
If you’re looking for an extremely wholesome conference to attend, look no further than PancakesCon. This conference requires speakers to talk about 2 things: (1) a brief talk about any cybersecurity topic and (2) a brief talk about something which is not IT-related. As you might imagine, this leads to some great talks! Some of our favorites from this year included:
Grace led us through why sharing in CTI matters (spoiler alert: it's how we all win) and some of the best coop games (Spirit Island, anyone?!) around to play with family and friends.
Extremely talented performer Tina live-demoed Metasploit shenanigans (bless the demo gods) and shared her experience as a semi-professional Clown!
Jonathan gave an incredible and nuanced background on what cybersecurity looks like in China (with some Mandarin to boot). We also got educated on the customs of Baiju, a Chinese fermented grain alcohol best shared with friends.
We were also lucky enough to talk a little bit about our hobbies and cyber investigations.
3 years ago on a Sunday afternoon, I was baking when I got a call from an out-of-state number inquiring to buy a house I owned. Except, I don't own any house. Since then, I have received dozens of calls inquiring about the property and I have always wondered - why me? Who is the owner? Why do people want this house so badly? I got to explore this and more, all while sharing my best tips for weekend baking with Oreos. (or uh generic chocolate wafer cookies). (Why Oreos? It rhymed!)
Brianna has a keen eye for fashion (and hardware) and has combined this into the ultimate manicure - “smart” NFC nails. Bri took nail “tip taps” to a whole new level with a true DIY demo. Beyond that, we got a firsthand fan-girl account of the American rail system - the true way to get your fill of adventure in a safe and comfortable environment!
A major thank you to Lesley Carhart, and the entire PancakesCon organizing committee & volunteers - you made the internet feel a little cozier this weekend!
Whether you’re working with netflow data collected from your own devices, flow logs from a cloud provider, or purchasing data from netflow providers, you may find it challenging to get immediate value out of it. Not only is there a vast amount of data to hunt through, but it can be challenging to fully understand what is happening based on netflow logs alone. While there are plenty of benefits to collecting and analyzing flow data, these challenges can make it difficult to use the data day-to-day to support investigations.
In order to start using netflow effectively in an investigation, it’s important to have a good understanding of the network and an established baseline of activity. This makes it easier to distinguish between normal traffic on the network and anomalous traffic that should trigger alerts to your team. Beyond defining these baselines, netflow data often needs to be correlated with additional sources such as alerts from the firewall and threat intelligence data to better understand particular flows and further establish patterns and relationships in the connections.
Even with these baselines defined and alerts being created using correlated data, oftentimes users still need to hunt though a massive amount of flow data to identify malicious activity that might have been missed. Outside of looking at deviations from a baseline it can be challenging to determine where to start investigating.
This is where GreyNoise can help! Filtering opportunistic and mass scan activity with data gathered from GreyNoise’s sensor network fast-forwards the process, allowing analysts and threat hunters to identify suspicious activity and find targeted threats that might have been missed by other detections . GreyNoise also provides information on infrastructure used by common business services, which can be used to filter egress netflow traffic and hunt for malicious activity leaving the network.
Taking this one step further, let’s look at organizations purchasing commercial netflow data from different sources. Oftentimes these groups combine this data with internet scanning services like Censys or Shodan in order to identify C2 beacons. While taking a proactive approach like this can help identify infrastructure and compromised systems earlier, there is still a lot of data to sift through. Instead, let’s use GreyNoise as a first pass filter to remove IP addresses that are saturating these sources and focus the investigation to find the signal in the noise.
While the volume of data may present a challenge, flow data also does not always contain all of the necessary information needed to act on. Oftentimes this data needs to be correlated with other sources of data to have a true understanding of the activity observed. Using VPC flow logs as an example, instead of just filtering out the noise, users may also want to identify malicious IP addresses accessing their assets. In this case, enriching the data with GreyNoise provides insight into how these IPs operate and highlights access attempts that may violate defined policies.
Netflow data provides a solid option for understanding who is doing what on the network but comes with an operational challenge based on the volume of traffic and the lack of details in the data. In order to address these challenges:
GreyNoise doesn’t have much common need for detailed firmware analysis. If it’s happening on the internet, we already see it. However, when we do need to investigate vulnerabilities in embedded devices, things can get very complicated, very quickly if no information is publicly available. It can be fun and insightful to learn these skills in the rare case we need them.
In late October 2022, we became aware of CVE-2022-41140, a buffer overflow and remote code execution vulnerability in D-Link routers, which D-Link had been notified of on February 17th. Noting the months-long turnaround time, we decided this was a good chance to perform a learning and discovery exercise.
On March 13th, 2023 we became aware of CVE-2023-24762, a command injection vulnerability in D-Link DIR-867 devices. This recent CVE spurred us to share some of our internal documentation regarding a research spike into D-Link devices.
This blog aims to explain the process of gaining a foothold in firmware or a physical device for vulnerability research and achieving a debuggable interface. While existing Proof-Of-Concept code for (yet another) D-Link vulnerability CVE-2022-1262 is utilized within this document, as well as strong hints at suspect areas of code, don’t expect to find any new ready-to-fire exploits buried in the contents below.
D-Link was notified of CVE-2022-41140, a buffer overflow vulnerability on February 17th, 2022. By November 15th, 2022, no additional information was available, which sparked an investigation into discovering available hints about the nature of the vulnerability. While this accurately speaks to the current state of public vulnerability tracking, we start off our investigation with a simple search on Google for the CVE and find two relevant links:
While the Zero Day Initiative lists the vulnerability as
(…) flaw exists within the lighttpd service, which listens on TCP port 80 by default. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer.
the D-Link Technical Support page provides more detailed information
(…) a 3rd party security research team reported Buffer Overflow & RCE vulnerabilities in the Lighttpd software library utilized in DIR-867, DIR-878, and DIR-882/DIR-882-US router firmware.
A stack-based buffer overflow in the prog.cgi binary in D-Link DIR-867. A crafted HTTP request can cause the program to use strcat() to create a overly long string on a 512-byte stack buffer. Authentication is not required to exploit this vulnerability.
Additionally, the D-Link support page provides a table of the Affected Models
From this information, we can derive that the vulnerability is triggered by an HTTP request to TCP port 80, which will hit the lighttpd service and route to the prog.cgi binary resulting in an overflow on a 512-byte stack buffer.
We can also derive that the vulnerability can be patched/mitigated on some hardware models, but not others.
The D-Link support pages provide links to download firmware images for the DIR-878, including base firmware versions like v1.30B08 as well as security advisement firmware versions like v1.30B08 Hotfix_04b.
Knowing that we can access the firmware images before/after the security patch for CVE-2022-41140, we will attempt the following steps:
We start by downloading a known vulnerable version of the firmware for a model that also offers a patched version. We download DIR-878_REVA_FIRMWARE_v1.30B08.zip and extract the firmware image DIR_878_FW1.30B08.bin.
We run the file command to quickly determine if it’s a commonly known file type. Unfortunately, this returns generic information.
Next, we use a more specialized tool, binwalk, which assists in searching binary images for embedded files and executable code. Again, this produces no results.
A handy feature of binwalk is the -E, --entropy command line flags, which allow you to measure the entropy or “randomness” of a file.
As an example, here is an entropy graph of 1024 bytes of Lorem ipsum:
And here is an entropy graph of DIR_878_FW1.30B08.bin
As you can see, the entropy of our firmware image is very high. Typically, this is indicative that a file is in a compressed archive format or is encrypted. Since neither file nor binwalk identified it as a compressed archive format, it’s reasonable to assume that it may be encrypted.
If you believe a file is encrypted, it’s always a good idea to take a peek at the bytes at the start of the file, just in case there’s an identifiable file header:
At the start of the file is a 4-byte sequence that maps to the ASCII characters “SHRS”.
A quick Google search for “SHRS firmware” turns up relevant results, indicating that we’re on the right track.
After a bit of reading, we can determine that D-Link does indeed encrypt some of their firmware, which is identifiable by the “SHRS” header. The blogs linked above go into depth on how they obtained a copy of the imgdecrypt binary and reverse engineer the binary to determine how to decrypt the firmware and produce the relevant python script.
Since we will be dealing with encryption again later in this blog, we won't go into depth on this specific layer of encryption. Our firmware can be decrypted with:
Taking our decrypted firmware and running it through binwalk again we can see that some file signatures are recognized.
Since file signatures were recognized, we can recursively extract them by using the -e, --extract, and -M, --matryoshka, command line flags.
This creates nested folders for each extracted layer of the file, ultimately resulting in a cpio-root folder containing the root filesystem for the firmware.
The desired prog.cgi file is located exactly where those familiar with *nix directory structures would expect it to be. However, for completeness, the file can be located by name using:
Now we have a copy of the entire root filesystem, including prog.cgi.
Repeating the same steps on the patched firmware sets us up for the next step.
In the previous step, we obtained an unpatched and patched copy of prog.cgi. We’ll rename them prog_old.cgi and prog_new.cgi, respectively, to help keep track.
BinDiff is a comparison tool for binary files, that assists vulnerability researchers and engineers to quickly find differences and similarities in disassembled code
For this blog, we’ll be using Binary Ninja with the BinDiff Viewer Plugin. There are roughly comparable free alternatives and plugins like Ghidra.
Following the relevant plugin steps to generate a bindiff, we open old/new and begin to look for functions that are very similar but not 1.00, indicating that a small change such as a patch may have been performed.
Using our list of similar (but not exact duplicate!) functions, we work our way down the list, looking for uses of strcat() that have changed between old/new. In this example, the main function:
Here we can see that the old binary used strcat() and the new binary has a different set of logic.
The strcat() function concatenates the destination string and the source string, and the result is stored in the destination string.
A quick check of the destination var_20c shows that its size is 0x200, or 512 bytes. For a sanity check, we can list all uses of strcat() throughout the binary.
There are 22 uses of strcat(). After reviewing them, none but the usage within main operate on a 512-byte buffer.
We now have a reasonable candidate for the location of the vulnerability.
Now that we have a reasonable candidate for a vulnerable code path, the next step is to start determining what conditions are required to actually reach the vulnerable code path. While wiser minds may be able to determine these conditions without needing a debugger, it’s always a safe bet to make getting a debugging interface a priority.
We want to run the necessary components and attach a debugging interface to a running program.
First, we need to determine the attributes of the file we would like to emulate. The file command we used earlier can be used to identify important information about the architecture the binary is meant to run on.
Using QEMU is an easy way to run binaries for other architectures, but with the same operating system as the current one. In this case, we want qemu-mipsel-static which is provided from the qemu-user-static package.
However, we need to know what to run.
There are init scripts that run when a system boots, and we can find the relevant one in /etc_ro/rcS:
It’s best to start at the top and work your way down and Google things where applicable.
/var/log folder is created if it doesn’t exist
Understanding the functionality of the init_system binary is elementary:
If init_system start is run, it checks for the presence of /var/run/nvramd.pid. If the pid file is not found, it enters a loop printing lighttpd: waiting for nvram_daemon. If the pid file is found, it branches into the following logic.
nvram is init then closed. sub_400e50 starts a number of .cgi binaries from /etc_ro/lighttpd/www/cgi-bin/, and finally the lighttpd web server is started with:
Using a combination of chroot and qemu-mipsel-static we can minimally and directly launch the lighttpd web service like so:
This results in an error of:
(network.c.747) SSL: Private key does not match the certificate public key, reason: error:02001002:system library:fopen:No such file or directory /var/private/lighttpd.pem
By simply commenting out the SSL related lines in /etc_ro/lighttpd/lighttpd.conf config file, we can just run the web service in HTTP mode exclusively and bypass the error.
Upon further review of the config, we can observe that the lighttpd web service is running in fastcgi mode and HTTP requests to the path /HNAP1/ are routed to be handled by prog.cgi.
If we navigate to our emulated system in a web browser, we can see that a page is loaded, and numerous UI assets load successfully, but the page is blank due to a malformed XML response from the /HNAP1 endpoint.
The root cause of the malformed XML response is due to the default values for nvram not being set. I spent a large amount of time trying to fix this by using LD_PRELOAD tricks and eventually ended up ordering a physical DIR-867 model (guaranteed vulnerable, no patch available) in frustration.
By the time the physical router was about to be delivered, I had a mostly working proxy for calls to functions from libnvram-0.9.28.so, at which point I remembered that the vulnerability was Pre-Authentication. I was trying to fix something that was part of the login flow which, I thought, was necessary.
After taking a bit of time to find a different endpoint to sanity check myself, I found that most of the other pre-auth functions of prog.cgi respond without issue. They are missing default values which would have been stored in nvram, but do not result in errors.
For our purposes, this is enough to work with and proceed forward. Getting a debugger attached by invoking prog.cgi in QEMU with the -g flag starts a GDB connection on port 1234.
As stated earlier, I purchased a used physical model DIR-867 router, which is guaranteed to be vulnerable as no patches are available.
After opening the box, I began the setup process and set a device admin password of Password1 and set updates to “manual”.
After completing the setup steps, the router reboots.
Most importantly, I figured out how to reset the router using the button on the back and re-do the setup steps again to make sure nothing that I’d set so far has persisted across a reset.
Now that the router is set up in its most basic state, I do a quick scan for open ports.
Much to my chagrin, there is no 23/tcp open telnet result, despite the telnetd service appearing in the /etc_ro/rcS init scripts I’d found during emulation. I’ll need to find another way to get an interactive interface on the router to run a debugger.
At this point, physically opening the router up and trying to find a UART interface would probably be the quickest path to success. However, as I wasn’t in any particular rush, I decided to try to figure out how to just re-enable the telnet interface since I know from extracting the firmware that the telnetd binary already exists in the firmware.
Running a recursive grep on our extracted firmware shows that “telnet” shows up in many binary files, as well as what appears to be factory and default settings shipped with the device.
Note the telnetEnabled=0. This probably explains why telnet isn’t running. It also seems to indicate that it’s a setting.
While poking around earlier looking for command injection, I located the “System” menu, which allows exporting/importing settings. If we’re lucky, telnetEnabled is a hidden setting we can just flip on and re-import.
Clicking “Save Settings To Local Hard Drive” results in downloading a 5.9kB config.bin file.
We use binwalk to check for known file formats.
It looks like we have a SEAMA firmware header and the config is encrypted. Again, we turn to Google and search for the starting bytes of the file 0x5EA3A417 which returns a very useful C header file that defines the structure of a SEAMA file.
In the same folder on GitHub there’s a corresponding .c file for a command line tool to unpack a SEAMA file, but a quick review does not show any usage of OpenSSL. This likely means D-Link is doing some additional layer of encryption on top of SEAMA, and we’re better off doing some more static analysis on the firmware itself and using the GitHub repo for sanity checking ourselves.
Re-Opening prog.cgi in Binary Ninja and searching for usages of the string “config.bin” we see that it’s used in a single section of code at sub_42ad78.
Taking a closer look at sub_42ad78 we see the following flow graph:
At a high level:
Taking a closer look at the call with mkconfig:
snprintf(&var_14c, 0x100, "mkconfig -a enca -m %s -i %s -o %s", &var_18c, "/var/backup_tmp.tar.gz", "/var/backup.tar.gz", 0x4f1530)
This results in &var_14c containing mkconfig -a enca -m DIR-867_A1 -i /var/backup_tmp.tar.gz -o /var/backup.tar.gz
Now that we know the command being run to generate the encrypted config.bin, we take a look at /bin/mkconfig to determine what those flags do. We can just run it in QEMU without any arguments to view the help message.
As the description states, it can encapsulate or de-encapsulate a config. However, it’s unclear where the suspected presence of encryption comes into play. A reasonable assumption from looking at the available flags indicates that the -m flag may be used in some sort of key derivation function. Remember that the -m flag is the model_name and hw_version. If the model and hardware version are used for a key derivation function, this would prevent someone from uploading a config from a different D-Link router model and potentially breaking their device.
We can confirm this by taking a peek at the enca function of mkconfig in Binary Ninja:
Indeed, we see the usage of openssl as well as a new, but fully expected binary seama.
In the first relevant part of the program flow, the -m flag (DIR-867_A1) is used in sub_400e30
Then the logic enters a loop that writes the MD5 hash as a hex string to &buffer
The OpenSSL command is as follows:
If we had preferred not to disassemble the function to figure out how the encryption key was generated, we could have simply added the -E "QEMU_STRACE=1" flag when running mkconfig and the resulting key would have shown in the strace output.
Command:
qemu-mipsel-static -E "QEMU_STRACE=1" /bin/sh -c "mkconfig -a de-enca -m DIR-867_A1 -i config.bin -o config.dec"
Strace output:
39 execve("/bin/sh",{"sh","-c","openssl enc -e -aes-256-ecb -k 81F9A6E40BDEC26DB67FE53A555D0E8E -in config.dec -out config.dec.enc >/dev/null 2>&1",NULL})
As expected, 81F9A6E40BDEC26DB67FE53A555D0E8E is the hex string representation of the MD5 hash of “DIR-867_A1”.
Knowing this is true, we can make a simple shell script to recreate this logic and patch in Telnet support:
The result being telnetpatched.bin, which should be a valid settings file for us to upload and enable telnet.
Indeed, another nmap scan shows the desired results of an open telnet port.
Unfortunately, when trying to connect, we are instantly prompted for authentication.
After a quick peek at the disassembly of prog.cgi, we can see that the password is set to the value we provided originally, Password1 + @twsz2018
A guess that the username is admin allows us to log in successfully with a password of Password1@twsz2018
While we have successfully logged in over telnet, we are dropped into a limited shell with only a select number of commands available to run. We cannot directly use this shell to load a gdb server and attach it to prog.cgi.
Here we will cheat a bit and leverage CVE-2022-1262, a command injection vulnerability in the protest binary that is available to us in the limited shell. Using the Proof-Of-Concept exploit included in this writeup from Tenable, we spawn another telnetd instance running on port 1337 and running as root.
From here, we can get a hint about the version of Linux headers the firmware was built with by running:
Finally, we can either cross-compile a mips32el uclibc GDB server against Linux headers 3.10.14+ ourselves by using something like crosstool-NG … or we can download a pre-built toolchain matching our criteria from https://toolchains.bootlin.com/
This allows us to transfer a gdb server to /tmp on the physical router and attach gdb to prog.cgi for remote debugging purposes.
Learning how to gain a debuggable interface with both emulated and real D-Link devices is a valuable skill for anyone interested in vulnerability research and network security. By using emulated devices, you can experiment and test in a safe environment before attempting changes to real hardware. The ability to debug real devices can help you identify and fix issues, as well as determine how firmware operates “in the real world”. While it may seem daunting at first, with the right tools and resources, anyone can learn these skills. With this knowledge, you can enhance your understanding of network security and device development, and apply these concepts to future projects, such as writing network signatures for malicious traffic.
GreyNoise tags for command injection CVE-2023-24762 and stack-based buffer overflow CVE-2022-41140 are live and available to all users for tracking related activity:
To ensure we have as much visibility into activity on the internet as possible, we regularly deploy new sensors in different “geographical” network locations. We’ve selected two sensors for a short “week in the life” series to give practitioners a glimpse into what activity new internet nodes see. This series should help organizations understand the opportunistic and random activity that awaits newly deployed services, plus help folks understand just how little time you have to ensure internet-facing systems are made safe and resilient.
We initially took a look at what the sources of "benign" traffic are slinging your way. Today, we're going to look at the opposite end of the spectrum. We stripped away all the benign sources from the same dataset and focused on incoming tagged traffic from malicious or unknown sources. After all, these detection rules are the heart and soul of the GreyNoise platform, and are also what our customers and community members depend upon to keep their organizations safe.
If we hearken back to our previous episode, it took over an hour for even the best-of-the-best of the "benigns" to discover our freshly deployed nodes. This makes sense, since there aren't too many legitimate organizations conducting scans, and they do not have infinite resources. Sure, they could likely spare some change to scan more frequently, but they really don't need to.
In contrast, we tagged 8,697 incoming IP addresses in that first week, and the first packet of possible ill-intent appeared ten seconds after the nodes were fully armed and operational. However, the first tagged event — RDP Alternative Port Crawler — was seen three hours later. The difference between those two events lies in one of our core promises: our tags are 100% reliable. We don't just take every IP address hitting our unannounced sensor nodes and shove it into a list of indicators of compromise (IoCs).
The above chart is the raw, non-benign connection data to those sensors for that week. You're likely wondering what those spikes are. We did to!
Let's look at some summary data by tallies of:
The August 28th malicious traffic spike (for an hour) focused mainly on SMB exploits, and originated from the "Data Communication Business Group" autonomous system in Taiwan. It is odd that we saw so little other activity, and that the port volume was an order of magnitude less. There are any number of reasons for this. Given where these sensors are (which we're not disclosing), it could have been a day of deliberate country network isolation. Or, it could just mean that the botnet herders were super-focused on SMB.
Over the course of those seven days, non-benign nodes hit over thirteen-thousand ports, and you can likely guess which ones made the top of the list.
Port numbers associated with Telnet, RDP, SSH, and SMB were, by far, the most common.
Since we called out one autonomous system, we should be fair and call them all out.
These are very common autonomous systems to see in malicious attack logs. What should concern you, however, is that "high reputation" sources such as Linode, OVH SAS, Google LLC, and Microsoft Corporation are all in the visible treemap cells. Even if you don't consider them as high reputation sources, you cannot permanently block communication to/from them. These are all hosting providers, and we see other hosting providers with decent IP reputation also hosting malicious traffic sources. The hourly updated nature of our API-downloadable block lists, combined with the scheduled roll off of IP addresses when they stop sporting malicious activity after a while, means you can make your organization safe from these IPs while they are trying to do harm.
What you, and we, truly care about is the tagged, non-benign traffic.
Of the 115 identified tags, those associated with RDP, SMB, and MS SQL attacks topped the list, along with scrapers looking for useful information. If you still haven't removed RDP from your perimeter, please stop reading and take the opportunity to do so now.
Head on over to the Observable notebook that houses all these charts and data for a more interactive version of the chart and data tables.
You can see the aforementioned yellow SMBv1 Crawler August 28th spike right after "12 PM".
When you deploy a new internet-facing system, you have only seconds until unwanted traffic comes knocking on your door. After that, there's a constant drumbeat, and sometimes even an entire off-key orchestra, of unsought after:
You can sign up for a GreyNoise account to start exploring the tags and networks identified in this post, and check out some of our freshly minted new features such as IP Similarity — which lets you hunt for bad actors exhibiting behavior similar to ones we've tagged — and, IP Timeline — where you can see what sources have been up to, and how their behavior has changed over time.
Yesterday, our founder & CEO, Andrew Morris, got to join Ed Bailey from Cribl for a live stream conversation discussing how to help SOC analysts overcome common struggles and improve security detections. Over the years, we’ve built a great relationship with Cribl and truly believe in our “Better Together” message. The Cribl + GreyNoise integration is available now, so if you want to learn more about it, let us know.
During the conversation, Andrew mentions our new product features. We put out a series of blogs and a press release last week if you want to learn more.
You can feel Andrew’s excitement when Ed poses this question. Here is how Andrew broke it down:
In addition, Ed explains that 30% of your detections are things that just don’t matter. With better data & context (like GreyNoise) you can finally ignore the noise. This prevents wasting hours and hours analyzing alerts and events that don’t matter.
Some security teams are left with a problem of determining which logs matter. Or that storing logs or processing data is all or nothing. Those with years of experience in the SOC know this isn’t true. Not only do different event types have different analytical value, but also logs from certain places matter more than others. So, how do you scale this knowledge?
So what does GreyNoise do? We help our customers understand the alerts and events that DON’T matter. It’s kind of the opposite of a typical threat intel feed. By eliminating the noise you can focus on what really matters.
Big thanks to Ed Bailey and the Cribl team for letting us join. Hopefully you found this information interesting and insightful. If you want to learn more about our Cribl integration, contact us.
Please update your search term or select a different category and try again.
