
Verizon DBIR 2025: Edge KEVs Are Increasingly Left Unpatched — and More Often Exploited in Breaches

Key Insight: Why This Matters

The 2025 DBIR highlights a critical area of importance for vulnerability management teams: edge vulnerabilities. 

Exploitation of edge vulnerabilities in breaches has surged eightfold. Yet, nearly one in three edge KEVs remain fully unpatched — despite being widely recognized as critical risks.

This isn’t a matter of awareness (they’re on CISA’s KEV). It’s about action and prioritization. Real-time intelligence is a must in this situation, giving insight into what attackers are targeting now — ensuring the most pressing threats are identified and resolved quickly. 

This year’s DBIR findings necessitate swift action on the part of defenders, particularly as it relates to edge exploitation. 

Executive Summary 

New findings from the 2025 Verizon Data Breach Investigations Report (DBIR) reveal a critical shift in how attackers breach organizations — and how defenders are simultaneously making strides and falling short:  

Speed and Awareness:

  • Exploitation of edge KEVs begins immediately — the median time from disclosure to mass exploitation for edge KEVs is zero days, compared to five days for all KEVs. 
  • Defenders are prioritizing edge vulnerabilities more than others:
    • 54% of edge KEVs were remediated, compared to 38% of all KEVs.
    • Median time to remediate edge KEVs was 32 days, faster than the 38-day median for all KEVs. 
  • This presents a concerning duality — on one hand, time-to-exploit for edge vulnerabilities is zero days; meanwhile, it takes defenders a median of 32 days to remediate these flaws. This significant window of exposure represents a critical risk for most organizations on their edge.

Scale: 

  • Vulnerability exploitation is second only to credential theft as a means of breaching organizations.  
  • Edge vulnerabilities were used in 22% of breaches involving vulnerability exploitation — an eightfold increase from 3% last year. 

Action Gap: 

  • Despite this prioritization, nearly one in three edge KEVs remain fully unremediated — the highest rate of full non-remediation among CVEs and KEVs tracked in the DBIR. 

GreyNoise research reveals a deeper complication: Old edge vulnerabilities are resurging, magnifying the risks defenders face. 

Vulnerability Exploitation Is a Growing Breach Method — and Edge Vulnerabilities Are Central

Vulnerability exploitation is rising as a breach method — and edge vulnerabilities, in particular, are being exploited far more often to break into organizations. 

The Verizon DBIR shows: 

  • One in five breaches involved vulnerability exploitation, a 34% rise from last year — second only to credential theft. 
  • Among those breaches, exploitation of edge vulnerabilities surged eightfold.

Despite heightened attention, edge KEVs remain the most likely vulnerabilities to be left unpatched — even though they are already recognized as critical risks. 

This points to a widening gap between risk awareness and defensive action. 

GreyNoise Research Reveals the Growing Risk of Vulnerability Resurgence

The DBIR highlights how quickly attackers exploit vulnerabilities — especially those in edge technologies. 

GreyNoise research reveals a deeper problem: attackers also return to older edge vulnerabilities defenders may have deprioritized. 

  • Edge vulnerabilities are already slipping through defenders’ patching efforts. 
  • GreyNoise observes attackers opportunistically reviving overlooked vulnerabilities — creating unexpected exposure long after the initial disclosure fades from focus. 

Our research uncovered that resurgent vulnerabilities follow three main attack patterns, visualized in the chart accompanying this post (read the full report here): 

Static patching models, focused on CISA KEV, CVSS, and EPSS alone, can miss these shifts. 

Dynamic, exploitation-driven intelligence can reveal when old vulnerabilities become active risks again — cutting through the complex attack patterns above by relying on near real-time alerts of heightened activity. 
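The passage above describes detecting when an old vulnerability becomes an active risk again from exploitation activity rather than from static scores. The following added example (not GreyNoise code, and not the report's Utility/Periodic/Black Swan framework, which is not defined on this page) shows one simple way to do that: for each CVE, keep a daily count of distinct source IPs seen attempting it, and raise a resurgence event when a day's count jumps out of a quiet baseline window. CVE names, disclosure dates and the daily counts are constructed sample data; the thresholds (`baseline_days`, `quiet_max`, `min_ips`, `factor`, `old_years`) are assumed tuning knobs, not values from the page.

```python
from datetime import date
from statistics import median

# Constructed daily series: number of distinct source IPs seen attempting each
# CVE per day over 30 days (sample data, not GreyNoise measurements).
# Disclosure dates are likewise constructed placeholders.
SAMPLE = {
    "example-cve-A": {  # old flaw, quiet for weeks, then a sudden spike
        "disclosed": date(2016, 3, 1),
        "daily_ips": [0, 0, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
                      2, 40, 95, 120, 80, 30, 5, 1, 0],
    },
    "example-cve-B": {  # recent flaw under continuous attack: not a resurgence
        "disclosed": date(2024, 12, 20),
        "daily_ips": [30] * 30,
    },
    "example-cve-C": {  # old flaw that stays dormant
        "disclosed": date(2014, 6, 15),
        "daily_ips": [0, 1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
                      0, 0, 0, 0, 0, 1, 0, 0, 0],
    },
}
AS_OF = date(2025, 1, 30)  # constructed "today" for the age calculation


def resurgence_events(daily_ips, baseline_days=14, quiet_max=2, min_ips=20, factor=5.0):
    """Return (day_index, count, baseline_median) for each day on which activity
    jumps out of a quiet baseline window. Only the first day of a burst qualifies,
    because the following day's window already contains the spike."""
    events = []
    for i in range(baseline_days, len(daily_ips)):
        window = daily_ips[i - baseline_days:i]
        base = median(window)
        quiet = max(window) <= quiet_max  # nothing but background noise before today
        if quiet and daily_ips[i] >= min_ips and daily_ips[i] >= factor * max(base, 1):
            events.append((i, daily_ips[i], base))
    return events


def age_years(disclosed, as_of=AS_OF):
    return (as_of - disclosed).days / 365.25


def classify(entry, as_of=AS_OF, old_years=2.0, min_ips=20):
    """Label a CVE from its activity shape and age: a spike after a quiet
    baseline on an old flaw is the 'resurgent' case the text warns about."""
    events = resurgence_events(entry["daily_ips"], min_ips=min_ips)
    if events and age_years(entry["disclosed"], as_of) >= old_years:
        return "resurgent"
    if events:
        return "new-spike"
    if max(entry["daily_ips"]) >= min_ips:
        return "sustained"
    return "dormant"


def triage(sample=SAMPLE, as_of=AS_OF):
    return {cve: classify(entry, as_of) for cve, entry in sample.items()}


if __name__ == "__main__":
    for cve, verdict in triage().items():
        print(cve, verdict, resurgence_events(SAMPLE[cve]["daily_ips"]))
```

The baseline window is the point of the design: a CVSS score or a KEV entry does not change when attacker interest returns, but the day-over-baseline jump does, and it is what a real-time alert would key on. A steadily attacked recent CVE (example-cve-B) never has a quiet window and so is reported as sustained rather than resurgent, which keeps the alert specific to the "dormant, then active again" pattern.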

Resurgence Disproportionately Affects the Edge 

Our analysis revealed that half of the top exploited resurgent vulnerabilities affect edge assets — with 70% of Black Swans, the most unpredictable class of resurgent flaws, affecting the edge. 

The DBIR and GreyNoise research indicate that edge assets are becoming one of the most attractive targets for attackers. 

What Defenders Must Do

Today’s edge threat environment demands a new approach: 

  • Prioritize vulnerabilities based on observed, active exploitation, not just severity ratings. 
  • Continuously monitor for resurgence — because old threats can quietly reemerge.
  • Adopt dynamic, real-time intelligence models that evolve with attacker behavior. 
  • Dynamically block threats with real-time intelligence. Attackers are pivoting infrastructure, utilizing trusted IPs to engage in reconnaissance and launch attacks at scale — limiting the effectiveness of static defenses. 

Read the full report: A Blindspot in Cyber Defense: How Resurgent Vulnerabilities Jeopardize Organizational Security.

— — — 

Stone is Head of Content at GreyNoise Intelligence, where he leads strategic content initiatives that illuminate the complexities of internet noise and threat intelligence. In past roles, he led partnered research initiatives with Google and the U.S. Department of Homeland Security. With a background in finance, technology, and engagement with the United Nations on global topics, Stone brings a multidimensional perspective to cybersecurity. He is also affiliated with the Council on Foreign Relations.

GreyNoise Uncovers Unique Risks From Resurgent Cybersecurity Vulnerabilities

Attackers from every corner of the internet are exploiting a uniquely dangerous class of cyber flaws: resurgent vulnerabilities. 

These aren’t being exploited as zero-days — and spikes in activity rarely make headlines. They’re older flaws that quietly return to relevance as attacker interest reignites. Some were deprioritized years ago. Others were never seen as serious. But today, they’re being opportunistically exploited at scale, often in edge technologies like firewalls, routers, and VPNs — the very internet-facing assets attackers use for initial access and persistence. 

GreyNoise’s latest research breaks down these vulnerabilities — how they behave, why they’re dangerous, and what defenders and policymakers need to know to stay ahead. 

Key Takeaways:  

  • Resurgent vulnerabilities fall into three distinct behavioral categories: Utility, Periodic, and Black Swan. Each category has unique exploitation patterns, with Black Swan being the most unpredictable. 
  • Over half of the top exploited resurgent CVEs and nearly 70% of Black Swan vulnerabilities affect edge technologies, such as routers and VPNs — the very technologies attackers use for initial access and persistence. 
  • Some CVEs are first exploited years after disclosure, creating long-standing blind spots in many patching programs. 
  • Resurgent exploitation often arrives without warning, underscoring the need for adaptive patch management and dynamic blocking strategies that account for dormant but dangerous vulnerabilities. 
  • Government and private threat intelligence providers have reported state-sponsored exploitation of old vulnerabilities. GreyNoise Intelligence continues to observe widespread opportunistic activity against many of the same flaws. 

Inside the report: 

  • A new framework for understanding how vulnerabilities resurface.
  • Behavioral patterns of resurgence — and what they mean for defenders. 
  • Visuals and examples of resurgent CVEs exploited at scale. 
  • Tactical insights for security professionals and policymakers to improve patch prioritization, dynamic blocking, and risk mitigation.

Download the full report and prepare before the next wave hits. 

— — —

Noah Stone contributed to this writeup in collaboration with GreyNoise Research.

GreyNoise 2025 Mass Internet Exploitation Report: Attackers Are Moving Faster Than Ever — Are You Ready?

Mass Internet Exploitation in 2024: A Rapidly Escalating Threat

In 2024, attackers didn’t just exploit vulnerabilities — they automated them at scale, turning the internet into a playground for mass exploitation. 

  • Attackers exploited vulnerabilities within hours of disclosure. 
  • 40% of exploited CVEs were at least four years old — some dating back to the 1990s. 
  • Ransomware groups leveraged nearly 30% of KEV-listed vulnerabilities that GreyNoise tracked. 

GreyNoise observed widespread internet scanning and exploitation attempts across thousands of IPs, showing how attackers are scaling operations faster than defenders can respond. 

The GreyNoise 2025 Mass Internet Exploitation Report provides a detailed breakdown of how mass exploitation evolved in 2024, which vulnerabilities were most targeted, and how CISOs and security professionals can stay ahead in 2025. 

Key Findings from the 2025 Mass Internet Exploitation Report

  • The most exploited vulnerability of 2024 targeted home internet routers, fueling massive botnets used in cyberattacks. 
  • Legacy vulnerabilities remain among the most widely exploited, with attackers continuing to target publicly known flaws, sometimes dating back to the 1990s. 
  • GreyNoise observed multiple CVEs showing signs of exploitation before being added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, reinforcing the need for real-time intelligence. 
  • Ransomware groups leveraged 28% of KEV-listed vulnerabilities tracked by GreyNoise, showing mass exploitation is a key enabler of financially motivated attacks. 
  • A surge in May 2024 was traced to 12,000+ unique IPs involved in an exploitation event targeting Android devices. 

The Speed and Surprise of Mass Exploitation: New and Old CVEs Under Attack

This report confirms that mass exploitation is not just a zero-day problem — it’s a persistent issue across both new and old vulnerabilities. 

“Mass exploitation isn’t just about zero-days — it’s about attackers industrializing vulnerability exploitation at scale,” said Andrew Morris, Founder and Chief Architect at GreyNoise. “They care less about CVSS scores or KEV lists. They scan the entire internet — it’s quick and cheap to do — they find what’s exposed, and go after it immediately. This report shows just how fast and unpredictable mass exploitation really is — and why security teams need real-time intelligence to keep up.” 

Why This Matters Now

  • Most patching strategies can’t keep up — attackers automate exploits faster than teams can assess, prioritize, and deploy fixes. 
  • Mass exploitation is moving faster than traditional security workflows — organizations need real-time intelligence, not just alerts. 
  • Ransomware groups are automating attacks. Exploitation of known vulnerabilities remains a primary initial access method. 
  • Home routers and IoT devices are increasingly being exploited at scale. Many organizations fail to account for these attack surfaces. 

The Most Observed Exploitation Activity in 2024

Attackers aren’t just targeting newly disclosed vulnerabilities — many of the most exploited CVEs in 2024 are years old, proving that security teams must rethink patching priorities. 

GreyNoise tracked the most frequently observed vulnerability exploitation attempts across the internet in 2024. Some of the most targeted vulnerabilities included:

  • CVE-2018-10561 (GPON Router Worm) – 96,042 unique IPs
  • CVE-2014-8361 (Realtek Miniigd UPnP Worm) – 41,522 unique IPs
  • CVE-2016-6277 (NETGEAR Command Injection) – 40,597 unique IPs
  • CVE-2023-30891 (Tenda AC8 Router Exploit) – 29,620 unique IPs
  • CVE-2016-20016 (MVPower CCTV DVR RCE) – 17,496 unique IPs

These vulnerabilities were frequently targeted throughout 2024, often in large-scale scanning campaigns, botnet-building operations, or ransomware-driven attacks. 

Defensive Takeaways for 2025

The 2025 Mass Internet Exploitation Report confirms that:

  • Mass exploitation begins rapidly after disclosure, making real-time intelligence critical for prioritization. 
  • Legacy vulnerabilities remain prime targets, often exploited alongside newer flaws. 
  • Security teams need real-time exploitation intelligence to make informed decisions. 

— — —

Noah Stone contributed to this writeup in collaboration with GreyNoise Research.

GreyNoise Observes Active Exploitation of PAN-OS Authentication Bypass Vulnerability (CVE-2025-0108)

Update: February 18, 2025
  • GreyNoise now sees 25 malicious IPs actively exploiting CVE-2025-0108, up from 2 on February 13. 
  • Top 3 source countries of attack traffic: United States, Germany, Netherlands. 
  • Palo Alto Networks confirmed active exploitation and classified the CVE as ‘Highest Urgency’ for defenders. 

CISA added CVE-2025-0108 to its Known Exploited Vulnerabilities (KEV) catalog.

GreyNoise has observed active exploitation attempts targeting a newly disclosed authentication bypass vulnerability, CVE-2025-0108, affecting Palo Alto Networks PAN-OS. This high-severity flaw allows unauthenticated attackers to execute specific PHP scripts, potentially leading to unauthorized access to vulnerable systems.

Active Exploitation Detected in the Wild

GreyNoise can confirm active exploitation of CVE-2025-0108.

Organizations relying on PAN-OS firewalls should assume that unpatched devices are being targeted and take immediate steps to secure them.

Mitigation Steps: Act Now

Defenders should take the following steps immediately: 

  • Apply security patches for PAN-OS as soon as possible. 
  • Restrict access to firewall management interfaces — ensure they are not publicly exposed. 
  • Monitor active exploitation trends with GreyNoise’s CVE-2025-0108 tag.

GreyNoise will continue tracking this threat as it evolves. Stay ahead of exploitation attempts by leveraging GreyNoise’s real-time intelligence. 

GreyNoise is developing an enhanced dynamic IP blocklist to help defenders take faster action on emerging threats. Click here to learn more or get on the waitlist.


New Exploitation Surge: Attackers Target ThinkPHP and ownCloud Flaws at Scale

GreyNoise has identified a significant spike in exploitation activity targeting two vulnerabilities — one already flagged by government agencies as a top target, and another flying under the radar despite real-world attacks increasing. 

  • CVE-2022-47945 (ThinkPHP LFI) – A local file inclusion vulnerability in ThinkPHP that is not in CISA’s Known Exploited Vulnerabilities (KEV) catalog and has a low EPSS score (7%), yet GreyNoise has observed a surge in exploitation attempts. 
  • CVE-2023-49103 (ownCloud GraphAPI Information Disclosure) – A vulnerability already highlighted in a joint advisory from CISA, NSA, and FBI as one of the most exploited in 2023, and exploitation continues to rise. 

Both vulnerabilities highlight a growing concern in how organizations prioritize patching:

  • Are security teams overlooking major threats because they don’t appear in KEV or have low EPSS scores?
  • How many other actively exploited vulnerabilities are slipping through the cracks?

What We’re Seeing: Surging Exploitation Activity 

GreyNoise has observed a rapid increase in exploit attempts for both vulnerabilities over the past 10 days.

Observed Exploitation Attempts for CVE-2022-47945 (ThinkPHP LFI)

Observed Exploitation Attempts for CVE-2023-49103 (ownCloud GraphAPI)

Attackers are actively scanning and targeting these vulnerabilities, yet only one is included in KEV, raising questions about how security teams are prioritizing threats. 

CVE-2022-47945 (ThinkPHP LFI) - A Growing Target

  • ThinkPHP before version 6.0.14 is vulnerable to local file inclusion (LFI) via the `lang` parameter when language packs are enabled.
  • GreyNoise has observed 572 unique IPs attempting to exploit this vulnerability, with activity increasing in recent days. 
  • ThinkPHP vulnerabilities have been targeted by Chinese attackers in past campaigns. 
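The bullet above identifies the `lang` parameter as the entry point for the ThinkPHP local file inclusion. From a detection standpoint, a language-pack identifier has a narrow legitimate shape, so an allowlist on that parameter is a cheap way to surface exploitation attempts in web server logs. The following added example (not GreyNoise code, and not a rule published by the ThinkPHP project) parses Combined Log Format lines, pulls every `lang` value out of the query string, percent-decodes it, and flags anything outside the assumed safe shape of letters, digits, dash and underscore. The log lines are constructed samples, and the traversal-style values in them are illustrative of the LFI class, not payloads taken from the page.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Combined Log Format lines (sample data, not real server logs).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Feb/2025:10:01:02 +0000] "GET /index.php?lang=zh-cn HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Feb/2025:10:01:07 +0000] "GET /index.php?lang=../../../../example HTTP/1.1" 200 311 "-" "python-requests/2.31"
198.51.100.7 - - [10/Feb/2025:10:02:15 +0000] "GET /index.php?lang=..%2F..%2F..%2Fexample HTTP/1.1" 200 298 "-" "curl/8.0"
198.51.100.8 - - [10/Feb/2025:10:02:40 +0000] "GET /index.php?lang=en-us&x=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Feb/2025:10:03:01 +0000] "POST /index.php HTTP/1.1" 200 120 "-" "Mozilla/5.0"
"""

# Combined Log Format: client, ident, user, [timestamp], "METHOD target PROTO", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumed safe shape for a language-pack identifier (e.g. "en-us", "zh_CN").
SAFE_LANG = re.compile(r"^[A-Za-z0-9_-]{1,16}$")


def suspicious_lang_values(target):
    """Return lang parameter values in `target` that fall outside SAFE_LANG.
    parse_qs decodes once; two more unquote passes catch double-encoded input."""
    query = urlsplit(target).query
    flagged = []
    for value in parse_qs(query, keep_blank_values=True).get("lang", []):
        decoded = unquote(unquote(value))
        if not SAFE_LANG.match(decoded):
            flagged.append(decoded)
    return flagged


def scan_log(text):
    """Return one alert per request whose lang parameter looks like an LFI attempt."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a well-formed access log line; skip rather than guess
        bad = suspicious_lang_values(m["target"])
        if bad:
            alerts.append({"ip": m["ip"], "ts": m["ts"], "lang": bad})
    return alerts


def offenders(text):
    """Distinct client addresses that produced at least one alert."""
    return sorted({a["ip"] for a in scan_log(text)})


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
    print("offenders:", offenders(SAMPLE_LOG))
```

An allowlist on the parameter's shape is deliberately preferred over a denylist of traversal strings: it also catches encodings and variants the rule author did not think of, and the same pattern works for any parameter whose legitimate values are a small closed vocabulary.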

CVE-2023-49103 (ownCloud GraphAPI) - Still Under Attack

  • An information disclosure vulnerability affecting ownCloud/graphapi 0.2.x before 0.2.1 and 0.3.x before 0.3.1.
  • Added to CISA KEV in November 2023, reinforcing its status as a known exploited vulnerability. 
  • GreyNoise has observed 484 unique IPs attempting exploitation, with confirmed threat actor activity.

Key Takeaways for Security Teams

  • EPSS and KEV don’t always align with real-world risk. CVE-2022-47945 has a low EPSS score (7%) yet is actively being exploited. 
  • CVE-2023-49103 remains a high-value target after being listed on KEV over a year ago. 
  • Real-time attack data is critical. Organizations overrelying on KEV and EPSS risk overlooking threats that attackers are actively scanning and exploiting. What’s being targeted and when can change in an instant, necessitating a real-time view of attacker activity. 

Mitigation Recommendations

  • Patch immediately — Upgrade ThinkPHP to 6.0.14+ and ownCloud GraphAPI to 0.3.1+.
  • Monitor and block known malicious IPs — Use real-time GreyNoise data to track and mitigate active threats. 
  • Restrict exposure — Reduce access to affected services where possible to limit attack surface. 

Block Known Malicious IPs Now: CVE-2023-49103, CVE-2022-47945

A Larger Trend: Are We Prioritizing the Wrong Vulnerabilities? 

The difference in how these two CVEs are being treated highlights a broader challenge in vulnerability management. 

  • How many actively exploited vulnerabilities are being overlooked due to low EPSS scores?
  • Are organizations placing too much trust in KEV alone, and EPSS, when prioritizing patching? 
  • What role should real-time exploitation intelligence play in risk management? 

Attackers are making their priorities clear. See live exploitation trends now for CVE-2023-49103 and CVE-2022-47945.

GreyNoise is developing an enhanced dynamic IP blocklist to help defenders take faster action on emerging threats. Click here to learn more or get on the waitlist.

Active Exploitation of Zero-day Zyxel CPE Vulnerability (CVE-2024-40891)

2025-01-29 Update
After identifying a significant overlap between IPs exploiting CVE-2024-40891 and those classified as Mirai, the team investigated a recent variant of Mirai and confirmed that the ability to exploit CVE-2024-40891 has been incorporated into some Mirai strains.

GreyNoise is observing active exploitation attempts targeting a zero-day critical command injection vulnerability in Zyxel CPE Series devices tracked as CVE-2024-40891. At this time, the vulnerability is not patched, nor has it been publicly disclosed. Attackers can leverage this vulnerability to execute arbitrary commands on affected devices, leading to complete system compromise, data exfiltration, or network infiltration. At publication, Censys is reporting over 1,500 vulnerable devices online.

CVE-2024-40891 is very similar to CVE-2024-40890 (observed authentication attempts, observed command injection attempts), with the main difference being that the former is telnet-based while the latter is HTTP-based. Both vulnerabilities allow unauthenticated attackers to execute arbitrary commands using service accounts (supervisor and/or zyuser).

Background

VulnCheck disclosed CVE-2024-40891 to their partners as "Zyxel CPE Telnet Command Injection" on August 1, 2024, but as of this writing, the CVE has not yet been officially published by the vendor, nor have they published an advisory. Last week, researchers from GreyNoise collaborated with VulnCheck to verify the accuracy of the detection, ensuring that the traffic is linked to this CVE specifically. GreyNoise researchers created a tag for this issue on January 21, 2025, and worked with VulnCheck to coordinate this disclosure. Ordinarily, disclosure would be coordinated with the vendor, but due to the large number of attacks, we decided to publish this immediately.

Immediate Recommendations

  1. Network Monitoring: Filter traffic for unusual telnet requests to Zyxel CPE management interfaces.
  2. Patch Readiness: Monitor Zyxel’s security advisories for updates and apply patches or mitigations immediately, if released. Halt the use of devices that have reached end-of-life.
  3. Mitigation: Restrict administrative interface access to trusted IPs and disable unused remote management features.

GreyNoise users can track live exploitation patterns, including attacker IP addresses, for this CVE here.

GreyNoise is developing an enhanced dynamic IP blocklist to help defenders take faster action on emerging threats. Click here to learn more or get on the waitlist.

Hackers Actively Exploiting Fortinet Firewalls: Real-Time Insights from GreyNoise

Over 15,000 Fortinet FortiGate firewalls have been exposed in a breach, leaving thousands with exposed login interfaces vulnerable to exploitation. GreyNoise has identified hundreds of these devices actively being weaponized by attackers for malicious purposes, providing defenders with a real-time view into their behavior and intent. 

This breach, tied to CVE-2022-40684 — an authentication bypass vulnerability disclosed in late 2022 — has created new opportunities for attackers to exploit these devices. While patches have been available since October 2022, thousands of firewalls remain exposed as of January 2025, continuing to pose a serious risk. 

But this breach isn’t just about exposure — it's about the active exploitation happening right now. In this blog, GreyNoise reveals how attackers are leveraging these devices in real time and provides critical insights to help defenders respond effectively.

GreyNoise’s Real-Time Insights: What We’re Seeing 

GreyNoise specializes in observing and classifying internet activity in real time. Our global observation grid tracks attacker behaviors by monitoring interactions with thousands of our sensors worldwide. Unlike sources that focus on theoretical risks or exposure, GreyNoise reveals the actual behaviors of these compromised devices as they interact with our sensors.

According to Censys, around 4,600 of the 15,000+ affected IPs are still exposing their FortiGate web login interfaces, down from over 5,000 at the time of the Censys blog post detailing the figures. The chart below illustrates the steady decline.  

Source: Censys

Key Observations from GreyNoise: 

1. In this Case, Interaction with GreyNoise’s Sensors = Harmful Intent

Firewalls hitting GreyNoise’s sensors are behaving abnormally. 

  • “The majority of affected IPs are classified as Unknown simply because we don’t yet have tags for their activity,” explains Bob Rudis, VP of Data Science, Security Research & Detection Engineering. “But make no mistake: by hitting our sensor network, all 366 IPs are up to no good.” 
  • All 366 IPs are engaging in behaviors indicative of threat activity. While some are confirmed as malicious, others are flagged as Suspicious or Unknown but still require attention. 

2. Behavioral Breakdown and List of Compromised IPs 

GreyNoise classifies observed activity into three categories. Here’s the breakdown for the 366 Fortinet IPs:  

  • Malicious (35 IPs): Actively scanning, probing, or delivering malicious payloads. 
  • Suspicious (45 IPs): Abnormal or pre-malicious behavior flagged under GreyNoise’s new “Suspicious” classification, designed to provide early warnings. 
  • Unknown (286 IPs): Activity that doesn’t match known tags but is inherently suspect, as Fortinet firewalls shouldn’t scan or probe networks. This suggests the devices are being leveraged for malicious purposes.

This activity is not new. GreyNoise has observed compromised Fortinet devices exhibiting harmful behaviors over several years, as shown below. The timeline highlights both the first and most recent sightings of these devices interacting with our sensor network.

To help defenders — particularly firewall administrators — take immediate action, we’re sharing a list of the 366 Fortinet IPs interacting with our sensor network, updated as of January 28: 

Download the full list of observed IPs here. This information may change; to view a dynamic list of all IPs interacting with our network, navigate to the GreyNoise Analysis Tab:

Paste the 15,000+ affected IPs:

Click “ANALYZE,” and explore the results:

3. Threat Trends: What Attackers are Doing

Tags assigned to these devices reveal active reconnaissance or exploitation activity originating from compromised Fortinet systems: 

  • SMBv1 Crawlers (82 instances): Scanning for outdated SMB protocols, often linked to WannaCry-like attacks. 
  • SSH Connection Attempts (24 instances): Brute-force or reconnaissance targeting S
  • WebCrawler (23 Instances): Reconnaissance aimed at mapping networks or identifying exposed assets. 

4. Geographic Distribution 

These compromised devices originate from multiple regions worldwide. The top 10 hotspots are: 

  1. Brazil (45%)
  2. Thailand (15%)
  3. Mexico (8%)
  4. Egypt (4%)
  5. Malaysia (3%)
  6. United Arab Emirates (2%)
  7. Colombia (2%)
  8. India (2%)
  9. Kenya (2%)
  10. Israel (1%)

This global spread underscores how widely Fortinet firewalls are deployed and how attackers are leveraging them for malicious purposes. 

Actionable Steps for Defenders

SOC Analysts & Threat Hunters

1. Audit Your IPs and CIDRs

  • Cross-check your external-facing IPs against the list of 366 observed IPs to identify any suspicious or malicious activity originating from your infrastructure. Or, obtain a real-time view of compromised IPs by navigating to the GreyNoise Analysis Tab and pasting the 15,000+ affected IPs.
  • If you are a firewall administrator using Fortinet devices, ensure your configurations are reviewed immediately to confirm no unnecessary interfaces are exposed.

2. Monitor Your Infrastructure for Compromise

  • Use GreyNoise to track malicious behaviors originating from compromised devices and ensure you receive alerts for suspicious activity tied to your infrastructure. 

Firewall Admins & Vulnerability Managers

1. Patch and Secure Your Devices

  • Ensure all Fortinet devices are updated to address CVE-2022-40684 and other known vulnerabilities. Review configurations to close any unnecessary access points.

2. Block Compromised Fortinet IPs

  • Use GreyNoise to swiftly and instantly block Fortinet IPs hitting our sensor network.
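The two procedures above for this incident, auditing your own IPs and CIDRs against the observed list and then blocking the observed Fortinet IPs, are both set operations over IP addresses. The following added example (not GreyNoise code, and not the linked list of 366 IPs) shows both with the standard library's `ipaddress` module: it reports which observed entries fall inside an organization's own address space, ordered by the Malicious/Suspicious/Unknown classification the post describes, and builds a deduplicated blocklist, optionally collapsed into CIDR entries for a firewall object. All addresses, classifications and the organization's networks are constructed sample data drawn from documentation ranges.

```python
import ipaddress

# Constructed sample of observed IPs with GreyNoise-style classifications
# (documentation-range addresses, not the real list linked in the post).
OBSERVED = [
    ("203.0.113.10", "malicious"),
    ("203.0.113.76", "suspicious"),
    ("203.0.113.77", "unknown"),
    ("198.51.100.5", "unknown"),
    ("192.0.2.200", "malicious"),
    ("198.51.100.250", "unknown"),
    ("203.0.113.10", "malicious"),  # duplicate entry; should be collapsed
]

# Constructed: the address space this organization operates.
OWN_NETWORKS = ["203.0.113.0/25", "198.51.100.0/24"]

# Triage order used by the post: confirmed malicious first, but all three need attention.
PRIORITY = {"malicious": 0, "suspicious": 1, "unknown": 2}


def parse_networks(cidrs):
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def audit_exposure(own_cidrs, observed):
    """Return observed entries that fall inside the organization's own address
    space, deduplicated and sorted by classification priority, then by address."""
    nets = parse_networks(own_cidrs)
    hits = {}
    for ip_str, label in observed:
        ip = ipaddress.ip_address(ip_str)
        for net in nets:
            if ip in net:
                hits[ip] = {"ip": ip_str, "network": str(net), "classification": label}
                break
    return sorted(
        hits.values(),
        key=lambda h: (PRIORITY.get(h["classification"], 3), ipaddress.ip_address(h["ip"])),
    )


def blocklist(observed):
    """Every observed address, deduplicated and sorted. For this incident the
    post's stance is that any Fortinet device hitting sensors is misbehaving,
    so no classification is excluded."""
    ips = {ipaddress.ip_address(ip) for ip, _ in observed}
    return [str(ip) for ip in sorted(ips)]


def blocklist_cidrs(observed):
    """Collapse the blocklist into the smallest set of CIDR entries, which keeps
    adjacent compromised hosts as one firewall object."""
    hosts = [ipaddress.ip_network(ip) for ip, _ in observed]
    return [str(n) for n in ipaddress.collapse_addresses(hosts)]


if __name__ == "__main__":
    for hit in audit_exposure(OWN_NETWORKS, OBSERVED):
        print(f"{hit['classification']:<10} {hit['ip']:<16} in {hit['network']}")
    print("blocklist:", blocklist(OBSERVED))
    print("as CIDRs: ", blocklist_cidrs(OBSERVED))
```

A hit in `audit_exposure` means one of your own addresses is already reaching out to a sensor network, which is the signal to treat that device as compromised rather than merely exposed; the ordering only decides which one to look at first.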

Take Action Now 

With GreyNoise, organizations can monitor their external-facing IPs, reduce noise in their threat landscape, and focus their defenses on the most immediate and significant risks. In the case of Fortinet firewalls, if it’s hitting GreyNoise sensors, it’s already up to no good. 

Take control of your external threat landscape today. Use GreyNoise to monitor malicious activity, track behaviors in real time, and protect your organization. Add your IPs or CIDRs to GreyNoise’s alerts now. 

GreyNoise is developing an enhanced dynamic IP blocklist to help defenders take faster action on emerging threats. Click here to learn more or get on the waitlist.


Evaluating Threat Intelligence Providers: What Security Teams Need to Know

Cybersecurity professionals face mounting pressure to stay ahead of attackers. From zero-days to targeted campaigns, the need for actionable intelligence is clear — but not every team requires a dedicated threat intelligence feed. That’s why GreyNoise created this unbiased, vendor-neutral white paper: to help security professionals navigate the complexity, assess their true needs, and make informed decisions about the type of threat intelligence feed that’s right for them. 

Before investing, it’s essential to ask: 

  • Do we actually need a threat intelligence feed?
  • If we do, what kind of feed will provide the most value? 

This vendor-neutral, practical white paper offers clear, unbiased guidance to help you:

  • Assess your team’s goals and risk profile to determine if a threat intel feed aligns with your needs. 
  • Identify gaps in your current capabilities, including blind spots in threat detection or response.
  • Learn how to evaluate and compare different threat intelligence options — from embedded feeds to dedicated providers — based on timeliness, context, integration, and scalability.  

Key Insights from the Guide

  1. Understand the limitations of embedded feeds and when they’re enough.
  2. Spot critical gaps that could leave your organization exposed. 
  3. Evaluate providers with confidence to ensure ROI on your security investments. 

Why It Matters

Not every organization requires a dedicated threat intelligence feed. For some, embedded feeds integrated into firewalls or SIEMs are sufficient. For others, targeted adversaries, complex environments, or sector-specific threats demand a more tailored approach. 

This guide cuts through the noise to help you make an informed decision, whether you’re enhancing an existing setup or exploring new options. 

Equip Your Team with Unbiased Advice

This isn’t a sales pitch. It’s a strategic resource to help you assess your needs, evaluate options, and build a proactive cyber defense strategy tailored to your organization. 

Download the guide now to get clarity on whether a threat intelligence feed is the right move for your team

Checking It Twice: Profiling Benign Internet Scanners — 2024 Edition

This is a follow-up to our October 2022 post — Sensors and Benign Scanner Activity.

Throughout the year, GreyNoise tends to focus quite a bit on the “naughty” connections coming our way. After all, that’s how we classify IP addresses as malicious so organizations can perform incident triage at light speed, avoid alert fatigue, and get a leg up on opportunistic attackers by using our IP-based block-lists.

At this time of year, we usually take some time to don our Santa hats and review the activities of the “nice” (a.k.a., “benign”) sources that make contact with our fleet.

Scanning the entire internet now drives both cybersecurity attack strategies and defense tactics. Every day, multiple legitimate organizations perform mass scanning of IPv4 space to gather data about exposed services, vulnerabilities, and general internet health. In November 2024, we deployed 24 new GreyNoise sensors across diverse network locations to study the behavior and patterns of these benign scanners.

Why This Matters

When organizations deploy new internet-facing assets, they typically experience a flood of inbound connection attempts within minutes. While many security teams focus on malicious actors, understanding benign scanning activity is equally crucial for several reasons:

  1. These scans generate significant amounts of log data that can obscure actual threats
  2. Security teams waste valuable time investigating legitimate scanning activity
  3. Benign scanners often discover and report vulnerable systems before malicious actors

The Experiment

We positioned 24 freshly baked sensors across five separate autonomous systems and eight distinct geographies and began collecting data on connection attempts from known benign scanning services. We narrowed the focus down to the top ten actors with the most tags in November. The analyzed services included major players in the internet scanning space, such as Shodan, Censys, and BinaryEdge, along with newer entrants like CriminalIP and Alpha Strike Labs.

Today, we’ll examine these services' scanning patterns, protocols, and behaviors when they encounter new internet-facing assets. Understanding these patterns helps security teams better differentiate between routine internet background noise and potentially malicious reconnaissance activity. There’s a “Methodology” section at the tail end of this post if you want the gory details of how the sausage was made.

The Results

We’ll first take a look at the fleet size of the in-scope benign scanners.

The chart below plots the number of observed IP addresses from each organization for the entire month of November vs. the total tagged interactions from those sources (as explained in the Methodology section). Take note of the tiny presence of both Academy for Internet Research and BLEXBot, as you won’t see them again in any chart. While they made the cut for the month, they also made no effort to scan the sensors used in this study.

As we’ll see, scanner fleet size does not necessarily guarantee nimbleness or completeness when it comes to surveying services on the internet.

Contact Has Been Made

The internet scanner/attack surface management (ASM) space is pretty competitive. One area where speed makes a difference is how quickly new nodes are added to the various inventories. All benign scanners save for ONYPHE (~9 minutes) and CriminalIP (~17 minutes) hit at least one of the target sensors within five minutes of the sensor coming online.

BinaryEdge and ONYPHE display similar dense clustering patterns, with significant activity bursts occurring around the 1-week mark. Their sensor networks appear to capture a high volume of unique IP contacts, forming distinctive cone-shaped distributions that suggest systematic scanning behavior.

Censys and Bitsight exhibit comparable behavioral patterns, though Bitsight’s first contacts appear more concentrated in recent timeframes. This could indicate a more aggressive or efficient scanning methodology for discovering new hosts.

ShadowServer shows a more dispersed pattern of first contacts, with clusters forming across multiple time intervals rather than concentrated bursts. This suggests a different approach to host discovery, possibly employing more selective or targeted scanning strategies.

Alpha Strike Labs and Shodan.io demonstrate sparser contact patterns, indicating either more selective scanning criteria or potentially smaller sensor networks. Their distributions show periodic clusters rather than continuous streams of new contacts.

CriminalIP presents the most minimal contact pattern, with occasional first contacts spread across the timeline. This could reflect a highly selective approach to host identification or a more focused scanning methodology.

The above graph also shows just how extensive some of the scanner fleets are (each dot is a single IP address making contact with one of the sensors; dot colors distinguish one sensor node from another).

If we take all that distinct data and whittle it down to count which benign scanners hit the most sensors first, we see that ONYPHE is the clear winner, followed by Censys — demonstrating strong but more focused scanning capabilities — with BinaryEdge coming in third.

The chart below digs a bit deeper into the first contact scenarios. We identified the very first contacts to each of the 24 sensor nodes from each benign scanner. ONYPHE shows a concentrated burst of activity in the 6-12 hour window, while Bitsight’s contacts are more evenly distributed throughout the observation period. Censys demonstrates a mixed pattern, with clusters in the early hours followed by sporadic contacts. ShadowServer exhibits a notably consistent spread of first contacts across multiple time windows.

BinaryEdge’s pattern suggests coordinated scanning activity, with tight groupings of contacts that could indicate automated discovery processes. Alpha Strike Labs shows a selective, possibly more targeted approach to first contact, while CriminalIP has minimal but distinct touchpoints. Shodan rounds out the observation set with periodic contacts that suggest a methodical scanning approach.

Speed Versus Reach

While speed is a critical competitive edge, coverage may be an even more important one. It’s fine to be the first to discover, but if you’re not making a comprehensive inventory, are you even scanning?

We counted up all the ports these benign scanners probed over the course of a week. Censys leads the pack with an impressive 36,056 ports scanned, followed by ShadowServer scanning 19,166 ports, and Alpha Strike Labs covering 14,876 ports.

ONYPHE, Shodan, and even both BinaryEdge and Bitsight seem to take similar approaches when it comes to probing for services on midrange and higher ports. All of them, save for CriminalIP, definitely know when you’ve been naughty and tried to hide some service outside traditional port ranges.

Before moving on to our last section, it is important to remind readers that we are only showing a 7-day view of activity. Some scanners, notably Censys, have much broader port coverage than a mere 55% of port space. The internet is a very tough environment to perform measurements in. Routes break, cables are cut, and even one small connection hiccup could mean a missed port hit. Plus, it’s not very nice to rapidly clobber a remote node that one is not responsible for.
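The two measurements discussed above (first contact after a sensor comes online, in "Contact Has Been Made", and distinct ports probed per scanner in a 7-day window, in "Speed Versus Reach") are straightforward to reproduce from raw connection records. The Python below is an added example, not GreyNoise's own tooling or data: the sensor start times and contact records are constructed and deliberately tiny, the organisation names are reused from the post only as labels, and the 65,536-port denominator is the one behind the post's "55% of port space" figure.

```python
"""Constructed example: benign-scanner first-contact timing and port coverage."""
from collections import defaultdict
from datetime import datetime, timedelta

TOTAL_PORTS = 65536  # size of the TCP/UDP port space (0-65535)

# Constructed: when each sensor came online (UTC). Not GreyNoise's deployment data.
SENSOR_ONLINE = {
    "sensor-01": datetime(2024, 11, 19, 12, 0, 0),
    "sensor-02": datetime(2024, 11, 20, 8, 30, 0),
    "sensor-03": datetime(2024, 11, 21, 0, 0, 0),
}

# Constructed contact records: (UTC timestamp, sensor, scanner organisation, destination port).
CONTACTS = [
    ("2024-11-19T12:03:10", "sensor-01", "ONYPHE", 443),
    ("2024-11-19T12:04:45", "sensor-01", "Censys", 22),
    ("2024-11-19T12:09:02", "sensor-01", "ONYPHE", 8443),
    ("2024-11-19T12:20:00", "sensor-01", "CriminalIP", 80),
    ("2024-11-20T08:31:00", "sensor-02", "Censys", 80),
    ("2024-11-20T08:33:30", "sensor-02", "ONYPHE", 22),
    ("2024-11-20T09:00:00", "sensor-02", "Censys", 3389),
    ("2024-11-21T00:01:15", "sensor-03", "ONYPHE", 22),
    ("2024-11-21T00:02:40", "sensor-03", "BinaryEdge", 443),
    ("2024-11-21T00:05:00", "sensor-03", "Censys", 25),
    ("2024-11-21T00:15:00", "sensor-03", "BinaryEdge", 5900),
]


def parse_contacts(rows):
    """Turn raw tuples into dicts with a parsed datetime so they can be compared."""
    return [
        {"ts": datetime.fromisoformat(ts), "sensor": sensor, "org": org, "port": port}
        for ts, sensor, org, port in rows
    ]


def first_contact_delays(contacts, online):
    """Seconds from sensor start to each organisation's first touch on each sensor."""
    first = {}
    for c in contacts:
        key = (c["org"], c["sensor"])
        if key not in first or c["ts"] < first[key]:
            first[key] = c["ts"]
    delays = defaultdict(dict)
    for (org, sensor), ts in first.items():
        delays[org][sensor] = (ts - online[sensor]).total_seconds()
    return dict(delays)


def first_to_arrive(contacts):
    """Per organisation, the number of sensors it reached before every other organisation."""
    earliest = {}
    for c in contacts:
        s = c["sensor"]
        if s not in earliest or c["ts"] < earliest[s]["ts"]:
            earliest[s] = c
    wins = defaultdict(int)
    for c in earliest.values():
        wins[c["org"]] += 1
    return dict(wins)


def port_coverage(contacts, online, window_days=7):
    """Distinct ports probed per organisation within window_days of each sensor's start.

    Returns {org: (distinct_port_count, fraction_of_port_space)}."""
    window = timedelta(days=window_days)
    ports = defaultdict(set)
    for c in contacts:
        if c["ts"] - online[c["sensor"]] <= window:
            ports[c["org"]].add(c["port"])
    return {org: (len(p), fraction_of_port_space(len(p))) for org, p in ports.items()}


def fraction_of_port_space(distinct_ports):
    """Share of the 65,536-port space covered by a given number of distinct ports."""
    return distinct_ports / TOTAL_PORTS


if __name__ == "__main__":
    parsed = parse_contacts(CONTACTS)
    print(first_contact_delays(parsed, SENSOR_ONLINE))
    print(first_to_arrive(parsed))
    print(port_coverage(parsed, SENSOR_ONLINE))
```

On the constructed sample ONYPHE is first onto two of the three sensors and Censys onto one, and Censys probes the widest set of ports, mirroring the shape of the post's findings without reproducing its numbers. Plugging the post's 36,056 distinct Censys ports into `fraction_of_port_space` gives the 55% figure quoted above.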

Tag Time

The vast majority of benign contacts have no real payloads. Some of them do make checks for specific services or for the presence of certain weaknesses. When they do, the GreyNoise Global Observation Grid records a tag for that event. We wanted to see just how many tags these benign scanners sling our way.

Given ShadowServer’s mission, it makes sense that they’d be looking for far more weaknesses than the other benign scanners. The benign scanner organizations that also have an attack surface management (ASM) practice will also usually perform targeted secondary scans for customers who have signed up for such inspections.

In Conclusion

We hope folks enjoyed this second look at what benign scanners are up to and what their strategies seem to be when it comes to measuring the state of the internet.

If you have specific questions about the data or would like to see different views, please do not hesitate to contact us in our community Slack or via email at research@greynoise.io.

Methodology

Sensors were deployed between 2024-11-19 and 2024-11-26 (UTC) across five autonomous systems and in the IP space of the following countries:

  • Croatia
  • Estonia
  • Ghana
  • Kenya
  • Luxembourg
  • Norway
  • Slovenia
  • South Africa
  • Sweden

The in-scope benign actors (based on total tag hits across all of November):

Both Palo Alto’s Cortex Expanse and ByteSpider were in the original top ten, but were removed as candidates. Each of those services is prolific/noisy (one might even say “rude”), would have skewed the results, and would have made it impossible to compare the performance of these more traditional scanners. Furthermore, while ByteSpider may be (arguably) benign, it has more of a web crawling mission that differs from the intents of the services on the rest of the actor list.

We measured the inbound traffic from the in-scope benign actors for a 7-day period.

Unfortunately, neither Academy for Internet Research nor BLEXBot reached out and touched these 24 new sensor nodes, so they have no presence in the results.

From PoC to Attacker Interest in Hours: Real-Time Insights into Mitel MiCollab Vulnerabilities

Attackers are increasingly capitalizing on newly disclosed vulnerabilities within hours of proof-of-concept (PoC) code becoming public. This shrinking timeline leaves defenders with little time to react. A recent example is the rapid response to two Mitel MiCollab vulnerabilities — CVE-2024-41713 (authentication bypass) and CVE-2024-35286 (SQL injection). On December 5, GreyNoise was ready. The same day the PoC went public, GreyNoise began observing attacker activity, demonstrating the speed at which threat actors exploit new information. 

Timeline: From Disclosure to Observed Activity 

  • May 2024: CVE-2024-35286, the SQL injection vulnerability, is patched by Mitel. 
  • October 2024: CVE-2024-41713, an authentication bypass vulnerability, is disclosed. No PoC or large-scale visible activity is observed at this time. 
  • December 5, 2024: PoC code is publicly released for CVE-2024-41713, chaining it with another vulnerability. GreyNoise immediately deploys detection tags for both CVEs and begins observing attacker activity, including reconnaissance or exploitation, within hours. 

Seeing the Activity: Data from GreyNoise

The following screenshots from GreyNoise’s Visualizer show unique IP addresses associated with attacker activity following the PoC release. These spikes coincide with the deployment of detection tags, providing a clear picture of how quickly attackers respond to new exploit information. 

Leveraging our IP blocklists, GreyNoise customers can immediately block IPs targeting these vulnerabilities. 

CVE-2024-41713 (Authentication Bypass):

The chart below shows unique IP addresses probing for CVE-2024-41713 on December 5, immediately after the PoC release. This activity demonstrates attacker interest, highlighting how quickly attackers act on new exploit opportunities. For defenders, this means prioritizing visibility and mitigation immediately after public disclosures.  


CVE-2024-35286 (SQL Injection): 

While the SQL injection vulnerability showed limited activity, it’s important to monitor for potential escalation. Even low activity levels can indicate attackers testing the waters, making proactive mitigation essential. 

Addressing the Threat: Patches Are Available 

Both vulnerabilities have been addressed by Mitel: 

  • CVE-2024-35286: Mitel released a patch in May 2024. Organizations should apply this fix immediately to mitigate risk. 
  • CVE-2024-41713: Mitel resolved this issue in MiCollab version 9.6, released in October 2024. Upgrading to this version or later is essential. 

By applying these patches, organizations can reduce their exposure to attacker activity. 

The Value of Real-Time Intelligence 

The divergence between predicted exploit likelihood and real-world attacker behavior highlights the necessity for real-time threat intelligence. Predictive models like EPSS currently list both CVEs at 0% likelihood of exploitation, yet GreyNoise’s data provides concrete evidence of attacker activity. This underscores a critical reality: attackers act on opportunities as soon as they arise, often outpacing static predictions. 

With GreyNoise, defenders can: 

  • Gain Immediate Visibility: Real-time data shows attacker activity targeting vulnerabilities as it happens.
  • Prioritize Effectively: Knowing where attackers are focusing their efforts helps defenders allocate resources wisely. 
  • Preempt Escalation: Use GreyNoise blocklists and intelligence feeds to disrupt attacker workflows before reconnaissance escalates into exploitation. 
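The point made above, that a predictive score of 0% should not outrank concrete evidence of probing, can be turned into an explicit triage rule. The Python below is an added example and not a GreyNoise product or API: the EPSS values, KEV flags, observed IP counts and exposed-asset counts are all constructed for illustration (the post only states that EPSS listed both Mitel CVEs at 0% and that activity was observed; the two `CVE-EXAMPLE-*` identifiers are placeholders, not real CVEs).

```python
"""Constructed example: rank CVEs by observed attacker activity ahead of predicted likelihood."""
from dataclasses import dataclass


@dataclass(frozen=True)
class VulnRecord:
    cve: str
    epss: float            # predicted exploitation probability, 0.0-1.0 (constructed values)
    in_kev: bool           # listed in CISA's KEV catalogue (constructed for this example)
    observed_ips_24h: int  # unique source IPs seen probing/exploiting this CVE in the last 24h
    exposed_assets: int    # internet-facing assets in our estate running the affected product


def triage_tier(v: VulnRecord) -> int:
    """Lower is more urgent.

    Tier 0: live activity against something we actually expose (act today, even at 2 IPs).
    Tier 1: exposed and either KEV-listed or predicted likely (EPSS >= 0.1), nothing seen yet.
    Tier 2: activity seen, but nothing of ours is exposed (watch; patch on normal cadence).
    Tier 3: everything else.
    """
    if v.exposed_assets > 0 and v.observed_ips_24h > 0:
        return 0
    if v.exposed_assets > 0 and (v.in_kev or v.epss >= 0.1):
        return 1
    if v.observed_ips_24h > 0:
        return 2
    return 3


def prioritize(records):
    """Sort by tier, then by observed IP count (desc), then by EPSS (desc) as a tiebreaker."""
    return sorted(records, key=lambda v: (triage_tier(v), -v.observed_ips_24h, -v.epss))


# Constructed inventory. EPSS of 0.0 for the two Mitel CVEs follows the post; every other
# value here (KEV flags, IP counts, asset counts, the CVE-EXAMPLE-* entries) is made up.
SAMPLE = [
    VulnRecord("CVE-2024-41713", epss=0.0, in_kev=False, observed_ips_24h=37, exposed_assets=3),
    VulnRecord("CVE-2024-35286", epss=0.0, in_kev=False, observed_ips_24h=2, exposed_assets=3),
    VulnRecord("CVE-EXAMPLE-HIGH-EPSS", epss=0.91, in_kev=True, observed_ips_24h=0, exposed_assets=5),
    VulnRecord("CVE-EXAMPLE-NOT-EXPOSED", epss=0.30, in_kev=False, observed_ips_24h=120, exposed_assets=0),
]


if __name__ == "__main__":
    for v in prioritize(SAMPLE):
        print(triage_tier(v), v.cve, v.observed_ips_24h, v.epss)
```

With the constructed inventory both Mitel CVEs land in tier 0 despite their 0% EPSS, the low-activity SQL injection included, while the high-EPSS placeholder with no observed probing sorts below them. The thresholds are deliberately simple; the design choice that matters is that observed activity against an exposed asset is an override, not one weighted term among many.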

Recommendations for Defenders

Organizations leveraging Mitel MiCollab should act quickly: 

  1. Apply Available Patches: Ensure that fixes for both CVEs are implemented without delay. 
  2. Leverage Real-Time Monitoring: Use platforms like GreyNoise to stay informed about attacker activity targeting your infrastructure.
  3. Adopt Layered Defenses: Implement network segmentation, access controls, and continuous monitoring to reduce exposure and contain potential breaches. 
  4. Proactively Block Malicious IPs: Leverage real-time intelligence to identify threat actor IPs and dynamically block them.

Staying Ahead of the Curve

The Mitel MiCollab vulnerabilities demonstrate the importance of rapid response in cybersecurity. While defenders cannot always predict when attackers will act, real-time visibility ensures they can respond effectively to reconnaissance or exploitation efforts as they emerge. GreyNoise’s ability to deploy detection tags on the same day as the PoC release exemplifies its commitment to staying ahead of attackers. This readiness is crucial in a world where the window between disclosure and active attacker activity continues to shrink. By detecting reconnaissance or exploitation efforts within hours, GreyNoise gives defenders the critical lead time needed to respond effectively. 

The insights in this blog were made possible by GreyNoise’s Global Observation Grid, a network of internet-facing, primary sensors that passively observe and analyze global attack traffic. GreyNoise recently announced significant enhancements to its sensor and data pipeline technology that deliver deeper insights and broader coverage into cyber threats, equipping security teams with actionable intelligence to better detect, prioritize, and respond to emerging and resurgent threats.

Stay ahead of emerging threats with GreyNoise’s real-time intelligence. Contact us today to learn how we can help protect your organization from evolving vulnerabilities.

From Help Desk to CISO: How Communication Shapes Security Success

Over 220 cybersecurity professionals recently shared what they believe to be the most undervalued skill in our industry: the ability to communicate effectively. This revelation came from a Storm⚡️Watch podcast poll and the ensuing discussion highlighted just how critical this "soft skill" truly is.

The crew shared stories that will resonate with anyone who's had to bridge the gap between technical complexity and business reality. Emily, coming from incident response, learned the hard way that executives care less about IOCs and more about how security issues translate to lost deals and damaged relationships. Himaja developed her communication approach by studying how reporters digested her technical reports, using their follow-up questions as a compass for future messaging.

The help desk trenches proved to be an excellent training ground for Kimber, who discovered that success often meant quickly determining whether someone needed visual aids or step-by-step instructions. This adaptability served her well in product management, where she learned that sometimes you need to let people vent before any productive conversation can occur.

Glenn's journey from academia to a customer-facing vendor role emphasized that becoming an effective communicator isn't accidental. It requires intentional effort and constant refinement, especially when dealing with audiences ranging from fresh-faced students to grant-wielding researchers.

The shift to remote work has only amplified the importance of clear communication. Text-heavy platforms like Slack have introduced new challenges in conveying nuance and managing generational differences in communication styles. The solution isn't just about choosing the right words — it's about knowing when to escalate from text to voice, how to distill complex reports into actionable insights, and finding the right balance between professional and personable.

In an industry stereotypically populated by technical "lone wolves", the reality is that cybersecurity's effectiveness hinges on collaboration and relationship building. Whether you're convincing executives to fund critical defenses or helping colleagues understand emerging threats, the ability to connect, explain, and persuade is as crucial as any technical skill.

The path to improved communication isn't about memorizing presentation techniques or mastering email templates. It's about developing emotional intelligence, learning to read your audience, and adapting your message while maintaining its essential truth. In the end, cybersecurity professionals may wield sophisticated tools, but our most powerful asset is the ability to make complex ideas accessible and actionable.

There are many more insights from the full discussion. It’s well worth a listen.

New Report Reveals Hidden Risks: How Internet-Exposed Systems Threaten Critical Infrastructure

Critical infrastructure powers the systems we rely on every day — electricity, clean water, transportation. But what happens when these systems are exposed to the internet, left vulnerable to remote attacks? As a new Censys report reveals, this is the growing reality, with 145,000 industrial control systems (ICS) exposed, including thousands of unsecured human-machine interfaces (HMIs).

These findings highlight a growing problem: internet-exposed HMIs, designed to make critical systems manageable, are becoming prime targets for attackers. Often unprotected, these interfaces give malicious actors direct access to operations, making the implications profound — not just for cybersecurity professionals, but for society at large. 

What the Censys Report Tells Us

The Censys report uncovers significant exposure: 

  • Thousands of HMIs exposed online: These systems are often accessible without authentication, making them easy entry points for attackers.
  • Direct access to ICS environments: By exploiting HMIs, attackers can bypass ICS protocols entirely and potentially manipulate critical systems. 
  • Concentration of exposure: North America accounts for 38% of global ICS exposures, with the U.S. hosting over one-third of these systems. 

Real-world examples in the report, such as attacks in Pennsylvania and Texas, illustrate how attackers used exposed HMIs to manipulate water systems. These cases didn’t require advanced ICS expertise — just access to an insecure HMI. 

Why This Matters

For years, ICS security has focused on protecting specialized protocols like Modbus and DNP3. But the Censys report highlights the growing risk posed by low-hanging fruit like HMIs and remote access points, which attackers can exploit to bypass more complex systems entirely. 

What Makes HMIs So Risky? 

  1. Ease of Access: HMIs are often misconfigured, left exposed, and lack even basic authentication.
  2. Direct Operational Control: Unlike protocols that require expertise to exploit, HMIs provide a user-friendly interface to manage critical systems — making them an ideal target. 
  3. Rapid Targeting by Attackers: Exposed HMIs are frequently scanned and probed within moments of discovery, potentially making them highly vulnerable. 

GreyNoise’s Findings on HMI Exposure

During the Summer of 2024, GreyNoise set up sensors emulating internet-connected HMIs to understand the attack traffic they receive. The results reinforce the urgency of securing these systems: 

  • Rapid Targeting: Internet-connected HMIs were probed and scanned more quickly than baseline control sensors. Over 30% of IPs that touched the HMIs before a typical GreyNoise sensor were later identified as malicious. 
  • Focus on Remote Access: Contrary to expectations, attackers primarily targeted common Remote Access Service (RAS) protocols rather than ICS-specific communication protocols. Virtual Network Computing (VNC) was of particular interest to threat actors. 

These findings align with the Censys report, demonstrating that HMIs and remote access points are critical insecurities that need immediate attention.

What Defenders Can Do Now

The Censys report and GreyNoise findings are clear: defending ICS environments requires a shift in focus. Here are key steps to take:

  1. Identify and Secure Exposed Systems: Conduct a thorough inventory of all internet-facing systems, especially HMIs, and remove unnecessary exposure. 
  2. Strengthen Access Controls: Implement strong authentication, network segmentation, and VPNs to prevent unauthorized access to HMIs and remote access points. 
  3. Monitor for Reconnaissance: Attackers often scan systems before exploitation. Monitoring this activity can provide early warning signs and help prioritize defenses. 
  4. Focus on Practical Solutions: While protecting ICS protocols is still important, prioritize low-complexity entry points like HMIs and RAS that attackers are actively targeting. 

Acting on the Wake-Up Call

The exposures highlighted in the Censys report aren’t a technical problem — they’re societal. Critical infrastructure is the backbone of our modern world, and the risks posed by exposed systems are too great to ignore. The time to act is now: secure the basics, monitor for threats with real-time intelligence, and close the gaps attackers are exploiting.

GreyNoise’s Commitment to ICS/OT

GreyNoise is dedicated to expanding our visibility into ICS/OT environments by growing our fleet of sensors and profiles. As we enhance our coverage in 2025, we aim to provide even deeper insights to help defenders stay ahead of emerging threats. Contact us to learn more.

GreyNoise Intelligence Discovers Zero-Day Vulnerabilities in Live Streaming Cameras with the Help of AI

GreyNoise has discovered previously undisclosed zero-day vulnerabilities in IoT-connected live streaming cameras, leveraging AI to catch an attack before it could escalate. These cameras are reportedly used in sectors such as industrial operations, healthcare, and other sensitive environments like houses of worship, highlighting the urgent need for stronger cybersecurity defenses as the threat landscape continues to evolve.

This discovery was made possible after a GreyNoise honeypot detected an attempt to execute an exploit against it. An attacker had developed and automated a zero-day vulnerability exploit, using a broad-spectrum reconnaissance and targeting strategy to run it across the internet. However, the exploit hit GreyNoise’s global sensor network, where GreyNoise’s proprietary internal AI technology flagged the unusual activity. Upon further investigation, GreyNoise researchers discovered the zero-day vulnerabilities. Once exploited, attackers could potentially seize complete control of the cameras, view and/or manipulate video feeds, disable camera operations, and enlist the devices into a botnet to launch denial-of-service attacks.

This marks one of the first instances where threat detection has been augmented by AI to discover zero-day vulnerabilities. By surfacing malicious traffic that traditional tools would have missed, GreyNoise successfully intercepted the attack, identified the vulnerabilities, and reported them before they could be widely exploited. The company’s proactive approach, combining AI-powered detection with expert human analysis, proves that AI can dramatically accelerate the discovery of vulnerabilities — making the internet safer, one discovery at a time. 

GreyNoise partnered with VulnCheck to responsibly disclose the flaws, tracked as CVE-2024-8956 and CVE-2024-8957.   

View the full technical analysis and register now for GreyNoise’s expert panel webinar to learn more about the broader implications of these findings for security professionals. 

Affected Devices and Common Use-Cases

The vulnerabilities impact NDI-enabled pan-tilt-zoom (PTZ) cameras from multiple manufacturers. Affected devices use VHD PTZ camera firmware < 6.3.40 used in PTZOptics, Multicam Systems SAS, and SMTAV Corporation devices based on Hisilicon Hi3516A V600 SoC V60, V61, and V63. These cameras, which feature an embedded web server allowing for direct access by web browser, are reportedly deployed in environments where reliability and privacy are crucial, including:

  • Industrial and manufacturing plants for machinery surveillance and quality control.
  • Business conferences for high-definition video streaming and remote presentations. 
  • Healthcare settings for telehealth consultations and surgical live streams.
  • State and local government environments, including courtrooms.
  • Houses of worship for live streaming of religious services.

(Image captions from the original post, all sourced from PTZOptics.com: Industrial Machinery Surveillance; AI-Driven Manufacturing Camera; Business Streaming Setup; Surgical Live Stream; Telehealth Camera in Hospital Room; Courtroom Surveillance Camera; Religious Service Streaming Camera.)

Affected devices are typically high-cost live streaming cameras, sometimes exceeding several thousand dollars. 

Vulnerabilities Discovered

CVE-2024-8956: Insufficient Authentication (CVSS 9.1, Critical)
  • Inadequate authentication mechanisms could allow an attacker to access sensitive information like usernames, MD5 password hashes, and configuration data. MD5 hashes have long been considered insecure, meaning attackers could potentially crack them and gain administrative access. 

CVE-2024-8957: OS Command Injection (CVSS 7.2, High)
  • Chained with CVE-2024-8956, an attacker can execute arbitrary OS commands on the affected cameras, potentially allowing an attacker to seize full control of the system. 

Full Camera Takeover, Unauthorized Surveillance, Data Breach, Broader Attacks, and More

GreyNoise found the affected cameras to be vulnerable to a range of potentially dangerous attacks. These vulnerabilities, if exploited, could potentially expose sensitive business meetings, compromise telehealth sessions, and disrupt cameras deployed in industrial settings, leaving organizations potentially exposed to data and privacy breaches.

Full Camera Takeover and Unauthorized Surveillance
  • By exploiting both CVE-2024-8956 and CVE-2024-8957, an attacker could potentially seize full control of the camera, view and/or manipulate the video feeds, and gain unauthorized access to sensitive information. Devices could also be potentially enlisted into a botnet and used for denial-of-service attacks. 

Attacks like this are not new — in 2021, live feeds of 150,000 cameras inside schools, hospitals, and more were exposed. Vulnerable IoT devices are prime targets for attackers looking to add compromised devices to a botnet, like the infamous Mirai botnet. 

Broader Network Attacks and Data Breach
  • An attacker could extract network details, including IP addresses, MAC addresses, and gateway configurations, potentially leveraging this information to pivot and move laterally into the device’s local network. This could potentially compromise other systems on the same network, which could lead to broader data breaches or even the spread of ransomware. 
Disablement of Camera Operations
  • CVE-2024-8956 allows for configuration files to be updated or entirely overwritten. An attacker could exploit this vulnerability to intentionally misconfigure or disable the camera, potentially disrupting camera operations. 
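The two weakness classes described above, a configuration interface reachable without authentication that also leaks MD5 password hashes, and a configuration value that reaches an OS command, are both standard embedded-web-server mistakes with standard fixes. The Python below is an added, generic illustration of the hardened shape and is not the camera firmware, PTZOptics code, or GreyNoise's analysis; the class, method and setting names (`CameraWebApp`, `set_ntp_server`, `ntp_server`, the `ntpdate` argv) are hypothetical. It shows four controls together: passwords stored with a salted, iterated KDF instead of MD5; every configuration endpoint gated on a session; configuration exports that never include credentials; and a user-supplied host validated against a strict allow-list and passed as a separate argv element rather than interpolated into a shell string.

```python
"""Constructed example of hardened embedded-web-app handlers (not the camera's firmware)."""
import hashlib
import hmac
import os
import re
import secrets

# Strict allow-list for a configurable host: DNS hostname labels or a dotted-quad IPv4 address.
# Whitespace, quotes and shell metacharacters never match, so they can never reach a command.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)
_IPV4_RE = re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$")


def validate_host(value: str) -> str:
    """Return value unchanged if it is a plausible hostname or IPv4 address, else raise."""
    if _IPV4_RE.match(value) or _HOSTNAME_RE.match(value):
        return value
    raise ValueError("invalid host")


class CameraWebApp:
    """Minimal stand-in for a camera's embedded web server (hypothetical, constructed)."""

    PBKDF2_ROUNDS = 200_000

    def __init__(self):
        self._users = {}     # username -> (salt, derived key); never exported
        self._sessions = {}  # session token -> username
        self.config = {"ntp_server": "pool.example.org", "stream_name": "cam-01"}

    def add_user(self, username, password):
        # Salted PBKDF2-HMAC-SHA256 instead of an unsalted MD5 digest.
        salt = os.urandom(16)
        key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.PBKDF2_ROUNDS)
        self._users[username] = (salt, key)

    def login(self, username, password):
        """Return a session token on success, None otherwise (constant-time compare)."""
        rec = self._users.get(username)
        if rec is None:
            return None
        salt, key = rec
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.PBKDF2_ROUNDS)
        if not hmac.compare_digest(candidate, key):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = username
        return token

    def _require_session(self, token):
        if token not in self._sessions:
            raise PermissionError("authentication required")

    def export_config(self, token):
        """Authenticated config export: device settings only, never users, salts or hashes."""
        self._require_session(token)
        return dict(self.config)

    def set_ntp_server(self, token, host):
        """Authenticated setter. Returns the argv list a caller would hand to
        subprocess.run without shell=True; the command is built, not executed, here."""
        self._require_session(token)
        self.config["ntp_server"] = validate_host(host)
        return ["ntpdate", self.config["ntp_server"]]


def demo():
    """Exercise the handlers and return the outcomes so behaviour can be checked."""
    app = CameraWebApp()
    app.add_user("admin", "correct horse battery staple")  # constructed credentials
    token = app.login("admin", "correct horse battery staple")
    results = {
        "wrong_password_rejected": app.login("admin", "wrong") is None,
        "export_without_session_blocked": False,
        "export_keys": None,
        "valid_host_argv": app.set_ntp_server(token, "time.example.org"),
        "metachar_host_rejected": False,
    }
    try:
        app.export_config("not-a-session")
    except PermissionError:
        results["export_without_session_blocked"] = True
    results["export_keys"] = sorted(app.export_config(token))
    try:
        app.set_ntp_server(token, "time.example.org;x")
    except ValueError:
        results["metachar_host_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The validator is the load-bearing piece for the command injection class: once a value can only be a hostname or an address, and is passed as its own argv element, there is no string for a shell to interpret. The credential handling addresses the other class: even if an export were ever obtained, it contains no hashes to crack, and the hashes that do exist are salted and iterated rather than bare MD5.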

How GreyNoise Discovered These Vulnerabilities Using AI

Security teams today face an overwhelming number of alerts, many of which result from harmless internet activity like routine scans and benign traffic. With countless alerts pouring in daily, identifying threats becomes incredibly difficult, and many serious vulnerabilities can go unnoticed amid the noise. 

This is where AI steps in. GreyNoise’s Sift, powered by large language models (LLMs) trained on vast amounts of internet traffic — including traffic targeting IoT devices — identifies anomalies that traditional systems may miss. Instead of just reacting to known threats, Sift excels at spotting new anomalies, threats that haven't been identified yet or don’t fit any known signatures. 

What Makes Sift Different 

Sift analyzes real-time internet traffic and enriches that data with GreyNoise’s proprietary datasets. It then runs the data through advanced AI systems, which help separate routine activity from potential threats. This process allows researchers to focus on truly meaningful threats without getting lost in the noise. 

In this case, Sift flagged unrecognized traffic that had not been tagged as a known threat. This caught the attention of GreyNoise researchers, who further investigated the unusual traffic. Their investigation led to the discovery of two previously unknown zero-day vulnerabilities in live streaming cameras — highlighting how AI can transform the speed and accuracy of cybersecurity research. 

“This isn’t about the specific software or how many people use it — it’s about how AI helped us catch a zero-day exploit we might have missed otherwise,” said Andrew Morris, Founder and Chief Architect at GreyNoise Intelligence. “We caught it before it could be widely exploited, reported it, and got it patched. The attacker put a lot of effort into developing and automating this exploit, and they hit our sensors. Today it’s a camera, but tomorrow it could be a zero-day in critical enterprise software. This discovery proves that AI is becoming essential for detecting and stopping sophisticated threats at scale.” 

Human Researchers + AI: A Powerful Combination 

By rapidly filtering out irrelevant traffic, Sift gives human researchers a clear head start. Capable of sifting through millions of data points, it enables researchers to focus on critical threats in real-time. This combination of AI-driven anomaly detection and human-led investigation is essential in today’s fast-paced cybersecurity landscape, where attackers are constantly evolving their tactics. Without Sift’s machine learning capabilities, these vulnerabilities might have remained hidden. 

The Broader IoT Challenge: Proliferation and Internet Noise 

GreyNoise’s discoveries shed light on a larger issue facing the rapidly growing IoT landscape. With nearly 19 billion IoT devices in operation globally, industrial and critical infrastructure sectors rely on these devices for operational efficiency and real-time monitoring. However, the sheer volume of data generated makes it challenging for traditional tools to discern genuine threats from routine network traffic, leaving systems vulnerable to sophisticated attacks. Last month, U.S. authorities dismantled a botnet that leveraged a variety of IoT devices, including IP cameras. IoT devices remain a prime target for attackers looking to exploit insecure design and functionality. 

Recommendations to Protect Your Organization

Organizations using VHD PTZ camera firmware < 6.3.40 used in PTZOptics, Multicam Systems SAS, and SMTAV Corporation devices based on Hisilicon Hi3516A V600 SoC V60, V61, and V63 should take immediate action to patch the discovered vulnerabilities and secure their systems.

VulnCheck alerted affected manufacturers to the flaws, only receiving a response from PTZOptics. The manufacturer released firmware updates addressing these flaws.

Read the GreyNoise Labs blog for technical analysis and deeper insight into how Sift helped discover these zero-day vulnerabilities.

Check out our webinar!

Watch our expert panel take a deep dive into the technical details and strategic implications of this discovery to provide the context you need to better protect your organization. 

Register now and learn how AI-driven cybersecurity is changing the status quo and how it can transform your security strategy. 

U.S. and UK Warn of Russian Cyber Threats: 9 of 12 GreyNoise-Tracked Vulnerabilities in the Advisory Are Being Probed Right Now

A joint U.S. and UK advisory has identified 25 vulnerabilities tied to an exploitation campaign by Russian state-sponsored threat actors, specifically APT 29, the group behind the infamous SolarWinds hack. GreyNoise actively tracks 12 of the 25 vulnerabilities mentioned in the advisory. To provide real-time, actionable context, GreyNoise has detected that nine of these vulnerabilities are being actively probed by attackers, giving organizations a concrete basis for prioritizing their defenses. 

Executive Summary 

  • The U.S. and UK governments issued a joint advisory warning of Russian state-sponsored cyber threats, specifically from APT 29, the group responsible for the SolarWinds hack.  
  • The advisory identifies 25 CVEs across major platforms (Cisco, Citrix, Microsoft, etc.) that are being opportunistically scanned by attackers. 
  • Tracking 12 of the 25 CVEs in the advisory, GreyNoise’s real-time intelligence shows nine of these vulnerabilities are currently experiencing active probing.
  • The advisory urges organizations to patch the vulnerabilities to mitigate the threat and prevent potential exploitation.

Given the real-time nature of GreyNoise’s observations, the set of actively targeted vulnerabilities is likely to change over time. Please check the GreyNoise Visualizer for the latest information. 

What GreyNoise Is Seeing

GreyNoise observes internet traffic via its global network of sensors and honeypots, allowing it to track and classify behavior as malicious or benign. 

While the advisory outlines 25 vulnerabilities, GreyNoise is uniquely positioned to provide real-time insight, identifying the nine CVEs currently being probed. These active scans are part of mass, opportunistic efforts, a tactic commonly used by threat actors such as APT 29 (Cozy Bear), although GreyNoise does not attribute the observed activity to any specific actor. 

12 GreyNoise-Tracked CVEs in the Advisory — Nine Actively Probed Right Now 

Of the 12 GreyNoise-tracked CVEs mentioned in the joint advisory, GreyNoise observes exploitation or reconnaissance activity across the following: 

  1. CVE-2023-20198 — Cisco IOS XE Web UI Privilege Escalation 
  2. CVE-2023-4966 — Citrix NetScaler ADC Buffer Overflow
  3. CVE-2021-27850 — Apache Tapestry Deserialization of Untrusted Data
  4. CVE-2021-41773 — Apache HTTP Server Path Traversal
  5. CVE-2021-42013 — Apache HTTP Server Path Traversal
  6. CVE-2018-13379 — Fortinet FortiOS SSL VPN Path Traversal 
  7. CVE-2023-42793 — JetBrains TeamCity Authentication Bypass
  8. CVE-2023-29357 — Microsoft SharePoint Server Privilege Escalation
  9. CVE-2023-35078 — Ivanti Endpoint Manager Mobile Authentication Bypass

These vulnerabilities cover a wide range of products critical to business operations and infrastructure, making this real-time data invaluable for defenders to prioritize patching. 
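As an added illustration, and not GreyNoise code or the sensor logic behind the numbers above, the Python below scans HTTP access logs in Apache combined format for the publicly reported request shapes used when probing four of the listed CVEs (the two Apache path traversals, the FortiOS SSL VPN file read, and the TeamCity authentication bypass), then separates plain probes from requests the server answered with a success status, which are the ones a responder should chase first. The log format, the regex indicators, and the sample log lines are assumptions constructed for this example; the indicators will not catch every variant, and a 403 or 404 only means that particular attempt failed.

```python
import re
from typing import Dict, List, Optional, Tuple

# Apache/nginx "combined" access-log format (assumed for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Request-path heuristics for four of the CVEs named in the advisory, written
# for this example from publicly reported scan traffic. They are not GreyNoise
# signatures and deliberately stay narrow to keep false positives low.
INDICATORS: List[Tuple[str, "re.Pattern[str]"]] = [
    # Apache 2.4.49 traversal: a single URL-encoded dot, e.g. /cgi-bin/.%2e/.%2e/etc/passwd
    ("CVE-2021-41773", re.compile(r"(?i)(?:\.%2e|%2e\.|%2e%2e)/")),
    # Apache 2.4.50 fix bypass: the dot is double-encoded, e.g. /cgi-bin/.%%32%65/etc/passwd
    ("CVE-2021-42013", re.compile(r"(?i)%%32%65")),
    # FortiOS SSL VPN: traversal through the lang parameter of /remote/fgt_lang
    ("CVE-2018-13379", re.compile(r"(?i)/remote/fgt_lang\?lang=.*(?:\.\./|%2e%2e)")),
    # TeamCity: unauthenticated token creation under the RPC2 path
    ("CVE-2023-42793", re.compile(r"(?i)/app/rest/users/id:\d+/tokens/")),
]

# Constructed sample log lines; the addresses are documentation ranges.
SAMPLE_LOG = [
    '198.51.100.7 - - [16/Oct/2024:10:02:11 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 403 199',
    '198.51.100.7 - - [16/Oct/2024:10:02:12 +0000] "GET /cgi-bin/.%%32%65/.%%32%65/.%%32%65/etc/passwd HTTP/1.1" 403 199',
    '203.0.113.44 - - [16/Oct/2024:10:05:40 +0000] "GET /remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession HTTP/1.1" 404 153',
    '203.0.113.45 - - [16/Oct/2024:10:07:03 +0000] "POST /app/rest/users/id:1/tokens/RPC2 HTTP/1.1" 404 153',
    '192.0.2.10 - - [16/Oct/2024:10:08:59 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '198.51.100.9 - - [16/Oct/2024:10:11:27 +0000] "GET /cgi-bin/.%2e/.%2e/etc/passwd HTTP/1.1" 200 1024',
]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format line into fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(line: str) -> List[str]:
    """Return the CVE IDs whose request-path indicator matches this line."""
    rec = parse_line(line)
    if rec is None:
        return []
    return [cve for cve, pat in INDICATORS if pat.search(rec["path"])]


def scan(lines: List[str]) -> Dict[str, List[str]]:
    """Map each matched CVE to the distinct source IPs that probed for it, in order seen."""
    hits: Dict[str, List[str]] = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for cve in classify(line):
            ips = hits.setdefault(cve, [])
            if rec["ip"] not in ips:
                ips.append(rec["ip"])
    return hits


def successful_probes(lines: List[str]) -> List[Tuple[str, str]]:
    """(CVE, IP) pairs where an indicator matched AND the server returned a 2xx.

    A probe that draws a 2xx is not proof of compromise, but it is the line
    to triage first: the request reached application code instead of being
    rejected at the edge.
    """
    out: List[Tuple[str, str]] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["status"].startswith("2"):
            continue
        for cve in classify(line):
            out.append((cve, rec["ip"]))
    return out


if __name__ == "__main__":
    for cve, ips in scan(SAMPLE_LOG).items():
        print(f"{cve}: probed by {', '.join(ips)}")
    for cve, ip in successful_probes(SAMPLE_LOG):
        print(f"TRIAGE: {ip} got a 2xx on a {cve} request")
```

The indicator for CVE-2018-13379 only has meaning on the FortiGate itself (or a proxy in front of it), and in practice the log you would run this over is the one closest to the edge asset; the point of the split between `scan` and `successful_probes` is that the volume of mass scanning is background noise, while a matching request that was served is an incident lead.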

Mass Opportunistic Scanning in the Spotlight

In the joint advisory, the agencies highlighted how heavily Russian intelligence relies on mass opportunistic scanning: 

“This mass scanning and opportunistic exploitation of vulnerable systems, as opposed to more targeted operations, increase the threat surface to include virtually any organization with vulnerable systems. 

The SVR [Russian Foreign Intelligence] takes advantage of opportunistic victims to host malicious infrastructure, conduct follow-on operations from compromised accounts, or to attempt to pivot to other networks.”

The advisory comes at a time when attackers are increasingly relying on mass opportunistic scanning to compromise organizations. That makes it critical for organizations to use real-time intelligence that shows when and where attackers are engaged in reconnaissance and exploitation activity.

Recommendations to Protect your Organization

  1. Patch Immediately: Ensure the nine vulnerabilities identified by GreyNoise as being actively probed are patched as soon as possible. They are the starting point, not the finish line: the advisory's full list of 25 CVEs is the patch target, and the probed set can change.
  2. Monitor Real-Time Activity: Stay vigilant by leveraging real-time intelligence, which can help organizations track shifts in attacker activity. 
  3. Strengthen Defenses: Take steps to harden security controls, such as deploying firewall blocklists and reinforcing access control policies, to mitigate the risk of successful exploitation.

For more details, read the full U.S. and UK report here.

Protecting Democracy From The Growing Threat of Deepfakes and Disinformation

(This is the conclusion of our four-part series on "Understanding the Election Cybersecurity Landscape".)

Thanks to the emergence of powerful new AI-infused tools, a new battleground for democracy has emerged — one that does not rely on physical conflict but on the manipulation of information. Deepfakes and disinformation campaigns have become potent weapons, threatening the integrity of democratic processes. These sophisticated techniques not only mislead the public but also sow discord, making it increasingly difficult to distinguish truth from falsehood.

The Rise of Deepfakes and Disinformation

Deepfakes, hyper-realistic videos or audio recordings that are artificially generated or manipulated, have advanced to a level where even seasoned experts struggle to tell them from authentic media. Combined with disinformation campaigns, these tools can spread false narratives at alarming speed and scale.

The January 2024 New Hampshire primary was a wake-up call. Voters received robocalls featuring an AI-generated voice impersonating President Joe Biden, urging them to abstain from voting in the primary. Instead, the message encouraged them to save their vote for the general election. This incident is a single, yet stark, example of how domestic actors are utilizing advanced technologies to manipulate voters and disrupt electoral processes.

How Disinformation Campaigns Work

Disinformation campaigns thrive in online platforms, from social media to fake news websites. Both domestic and foreign actors — including Russia, China, and Iran — are involved in these efforts, as highlighted by the Intelligence Community's 2024 Annual Threat Assessment. Their goal is simple but destructive: to exacerbate societal divisions and influence voter perceptions.

In a recent case, the Department of Justice foiled a Russian-sponsored operation that aimed to sway voters by creating fake news sites that closely mimicked legitimate media outlets. Such tactics demonstrate the lengths to which bad actors will go to infiltrate and corrupt the information ecosystem.

The Damage to Democracy

Disinformation and deepfake technologies threaten to destabilize democratic institutions in several ways:

  • Erosion of Trust: When voters are repeatedly exposed to manipulated content, they begin to question the credibility of even legitimate sources of information, undermining the trust necessary for a healthy democracy.
  • Increased Polarization: By amplifying controversial issues and stoking social discord, disinformation campaigns deepen divisions within society. This polarization makes it harder for communities to come together on critical issues, further fragmenting the electorate.

Senator Warner’s Call to Action

In response to these escalating threats, Senator Mark R. Warner has called for decisive action. In a letter to the Cybersecurity and Infrastructure Security Agency (CISA), Warner outlined the critical need for state and local election officials to be equipped with the tools to counter disinformation and deepfakes. These officials are often voters' most trusted sources of election information, but they operate with limited resources and staff.

Warner urged CISA to strengthen its support for local election administrators and advocated for collaboration across government agencies, technology companies, academic institutions, and international allies to combat the spread of disinformation. Only through coordinated efforts can we build the resilience necessary to defend democratic processes.

What Can Be Done?

As technology continues to evolve, so too does the potential for its misuse. Deepfakes and disinformation campaigns are not just technological novelties; they are deliberate attempts to distort reality and undermine the public’s trust in elections. To safeguard democracy, proactive measures must be taken:

  • Awareness: The first line of defense is public awareness. Voters need to be alert to the reality that not everything they encounter — especially online — is trustworthy.
  • Media Literacy: Education is essential. By equipping people with the skills to critically evaluate the information they consume, we can reduce the impact of false narratives. Schools, community organizations, and media outlets all have a role to play in promoting media literacy.
  • Collaboration: A united front is essential to combat these sophisticated threats. Government agencies like CISA must work hand-in-hand with state and local election officials, private technology firms, and global allies to share intelligence, develop strategies, and respond swiftly to emerging threats.

Conclusion: Defending Democracy in the Digital Era

The threat posed by deepfakes and disinformation campaigns is real and growing. As technology advances, so does the potential for misuse by those seeking to disrupt democratic processes. By raising awareness, promoting media literacy, and fostering collaboration between government, private sectors, and international allies, we can protect the integrity of our elections and ensure that democracy endures in the digital age.

Now is the time to act. The future of democracy depends on our collective ability to respond to these new challenges. Let's safeguard the truth and uphold the trust that is the foundation of democratic society.
