Security organizations have historically been hesitant to block IP addresses at their perimeter to stop the bad guys. There are two primary reasons for this - the short lifetime of malicious IP addresses, and the generally poor quality of IP block lists (i.e., way too many false positives). As David Bianco mentions in his Pyramid of Pain blog, “If you deny the adversary the use of one of their IPs, they can usually recover without even breaking stride.”
However, in the situation of an emerging “exploit storm” where the organization is exposed with unpatched vulnerable systems, we think that short-term blocking of mass exploitation attackers could be helpful and valuable. So we decided to run an experiment to test whether this strategy (which we started calling “whack-a-mole”) might help.
The whack-a-mole strategy temporarily blocks IP addresses that have been observed scanning for or actively exploiting a vulnerability over the past 24 hours. The intent is to provide breathing space for security teams to patch vulnerable systems and search for compromises that may have occurred before blocking was implemented.
In order to test whether this security strategy could work, GreyNoise Research conducted a study comparing the compromise rates between two weakly-credentialed servers - one using the whack-a-mole IP address blocking strategy, and the other that was wide open to the Internet.
“Whack-a-mole” shows a surprising amount of promise in blocking of mass exploitation attacks:
Read on for more details about the GreyNoise Research IP Blocking study.
Since early December, security teams have been scrambling to deal with the fallout from the Log4Shell vulnerability (CVE-2021-44228). This vulnerability was particularly serious given the broad deployment in internet-facing systems of the Log4j service. Because of the massive surge of exploit scanning we observed and requests from our Community, we created a publicly available set of IOCs to help security teams defend themselves from the massive barrage of vuln checking and remote code execution attempts. Within 24 hours, we were able to stand up data sets that included:
The consistent feedback we received was that this data was most helpful in the early (and most crucial) hours and days of this exploit storm.
After things calmed down, we asked ourselves a question - how were people using the data? When we reached out to ask folks, we found two general use cases:
These use cases were particularly interesting to us, given the traditional viewpoint that IP blocking is not useful.
Based on this feedback, we decided to run an experiment with our GreyNoise IP data to determine if there might be some value to the “whack-a-mole” strategy of blocking malicious mass scanner IPs during the early stages of an exploit storm.
According to a recent report by IBM, severe vulnerabilities in internet-facing enterprise software are being exploited and weaponized at an increasing rate and at massive scale. Opportunistic “scan-and-exploit” attacks are quickly approaching phishing as the most-used cyber attack vector, with 34% of attacks in 2021 using vulnerability exploitation, compared to 41% of attacks leveraging phishing.
So we are using the term “Mass Exploitation” to describe these large-scale, opportunistic attacks launched by attackers trying to take advantage of common or newly announced vulnerabilities. These attackers use mass scanning technology to cast a broad net across the entire 4.2 billion IP addresses on the internet, trying to locate, vuln check, and ultimately exploit vulnerable internet-facing devices. This type of attack is very different from a more traditional “targeted attack” that aims for a selected, focused target.
Mass exploitation attacks are conducted for a variety of reasons, including:
Our hypothesis for this experiment was that blocking opportunistic “scan and exploit” IP addresses would meaningfully increase the amount of time it takes for a vulnerable host on the Internet to be compromised.
We set up two identical vulnerable hosts, open to the Internet, with weak or default credentials, and then measured how quickly they would be compromised by credential stuffing/brute force attacks:
For one of these hosts (the BLOCKED host), we loaded up a list of all the scanner IPs from our GreyNoise NOISE data set into an iptables blocklist. This list came from an export of all IPs seen in GreyNoise in the past day using the filter “last_seen:1d”. For the other host (the UNBLOCKED host), we did not block any IPs.
Our goal was to measure the time to first compromise, as well as the total number of compromises seen over a similar time period. We used OpenCanary for our honeypots and ran the experiment from January 12-30, 2022.
Our preliminary results show that whack-a-mole blocking works. On average, the wide open (unblocked) server was compromised in 19 minutes, while the blocked host took 4 days, 6 hours, and 24 minutes to be popped. We also measured the average number of compromises per day, and the number of compromise attempts per hour - all of these statistics showed significant differences between the protected and unprotected servers.
.png)
One insight worth mentioning is the decay rate we saw with the IP address list we used. For our blocked server, we only sourced one set of IP addresses and did NOT update the list with fresh IPs every 24 hours. What we observed was that connection attempts increased exponentially each day over the 5 days of the experiment, indicating that the IP list “decayed” in terms of effectiveness over time as the IP list aged.
Tracking the total attempts made, the first day saw an average of six attempts, and the fifth day was over 2,500. By comparison, the unblocked hosts saw between 2100 and 7100 attempts in the first 24 hours compared to 5 - 8 attempts on the blocked host. The unblocked hosts ended up getting compromised so quickly that we never kept them up for longer than a day.
One conclusion we can draw from this is that “fresh” IP addresses are crucial. In order to remain effective, an IP blocklist must be updated at least every 24 hours.
We have launched a new capability as part of our service called GreyNoise Trends that provides visibility into trending internet-wide exploits, as well as the ability to download “fresh” IP lists of all the malicious IPs participating in the attacks over the past 24 hours. This service was initially created based on customer requests experienced during Log4j. But we think the experiment described above helps validate the value of IP block lists for malicious mass scanners, and their use as part of a whack-a-mole strategy. Of course, your mileage may vary, and your defense infrastructure will be different from ours.
If you’re interested in learning more about this blocking strategy or trying to replicate the experiment for yourself, please visit https://www.greynoise.io/ to create a free Community account, and join our Community Slack to join the discussion. Also, please come to our Open Forum webcast on March 17, 2022 at 11am ET. You can register to attend here.
While you will be able to find a comprehensive list of all the tags created since our last round up below, the GreyNoise Research team wanted to highlight some interesting tags.
Apache Log4j RCE Attempt [Intention: Malicious]
Self Explanatory.
Backdoor Connection Attempt via WinDivert [Intention: Malicious]
This tag was created this week as a result of the research done by the Avast team.
DNS Over HTTPS Scanner [Intention: Unknown]
Relatively new technology. It's interesting because “why would you scan the internet for that?” and there's no clear motive - that we can tell.
Microsoft HTTP.sys RCE Attempt [Intention: Malicious]
Critical vulnerability in MS Windows’ http.sys kernel module.
VMware vCenter SSRF Attempt [Intention: Malicious]
Widely popular server management software.
Zoho ManageEngine ServiceDesk Plus msiexec RCE Attempt [Intention: Malicious]
A critical vulnerability in a popular help desk platform.
It has been a while since we last published a Tag Round Up! If these are helpful to you, or you have suggestions on what you would like to see, please reach out to community@greynoise.io
Antiwork Port 9100 Print Request [Intention: Unknown]
This IP address has been observed sending distinct RAW TCP/IP requests to network printers. References:
Backdoor Connection Attempt via WinDivert [Intention: Malicious]
This IP address has been observed attempting to send a known activation secret "CB5766F7436E22509381CA605B98685C8966F16B" for a malicious backdoor utilizing WinDivert. References:
DNS Over HTTPS Scanner [Intention: Unknown]
This IP address has been observed attempting to scan for responses to DNS over HTTPS (DoH) requests. References:
Generic Unix Reverse Shell Attempt [Intention: Malicious]
This IP address has been observed attempting to spawn a generic Unix reverse shell via the web request. References:
iKettle Crawler [Intention: Unknown]
This IP address has been observed crawling the Internet and attempting to discover iKettle devices. References:
InfluxDB Crawler [Intention: Unknown]
This IP address has been observed crawling the Internet and attempting to discover InfluxDB instances. References:
IRC Crawler [Intention: Unknown]
This IP address has been observed sending NICK and USER commands used to register a connection with an IRC server. References:
iSCSI Crawler [Intention: Unknown]
This IP address has been observed crawling the Internet and attempting to discover hosts that respond to iSCSI login requests. References:
Jira REST API Crawler [Intention: Unknown]
This IP address has been observed attempting to enumerate Jira instances. References:
Apache Druid RCE Attempt [Intention: Malicious]
CVE-2021-25646
This IP address has been observed attempting to exploit CVE-2021-25646, a remote command execution in Apache Druid v0.20.0 and earlier References:
Apache Log4j RCE Attempt [Intention: Malicious]
CVE-2021-44228 | CVE-2021-45046
This IP address has been observed attempting to exploit CVE-2021-44228 and CVE-2021-45046, a remote code execution vulnerability in the popular Java logging library Apache Log4j. CVE-2021-44228 affects versions 2.14.1 and earlier, CVE-2021-45046 affects versions 2.15.0 and earlier. References:
CentOS Web Panel RCE Attempt [Intention: Malicious]
This IP address has been observed attempting to exploit a vulnerability in CentOS Web Panel, which can lead to elevated privileges and remote code execution. References:
FHEM LFI [Intention: Malicious]
CVE-2020-19360
This IP address has been observed attempting to exploit CVE-2020-19360, a local file inclusion vulnerability in FHEM perl server. References:
GLPI SQL Injection Attempt [Intention: Malicious]
CVE-2019-10232
This IP address has been observed attempting to exploit CVE-2019-10232, an SQL injection vulnerability in GLPI service management software. References:
Grafana Path Traversal Attempt [Intention: Malicious]
CVE-2021-43798
This IP address has been observed attempting to exploit CVE-2021-43798, a path traversal and arbitrary file read in Grafana. References:
Grafana Path Traversal Check [Intention: Unknown]
CVE-2021-43798
This IP address has been observed attempting to check for the presence of CVE-2021-43798, a path traversal and arbitrary file read in Grafana. References:
HRsale LFI [Intention: Malicious]
CVE-2020-27993
This IP address has been observed attempting to exploit CVE-2020-27993, a local file inclusion vulnerability in HRsale. References:
Metabase LFI Attempt [Intention: Malicious]
CVE-2021-41277
This IP address has been observed attempting to exploit CVE-2021-41277, a local file inclusion vulnerability in Metabase. References:
Microsoft HTTP.sys RCE Attempt [Intention: Malicious]
CVE-2021-31166
This IP address has been observed attempting to exploit CVE-2021-31166, a remote code execution vulnerability in the Windows HTTP protocol stack. References:
Motorola Baby Monitor RCE Attempt [Intention: Malicious]
CVE-2021-3577
This IP address has been observed attempting to exploit CVE-2021-3577, a remote command execution vulnerability in Motorola Halo+ baby monitors. References:
NodeBB API Token Bypass Attempt [Intention: Malicious]
CVE-2021-43786
This IP address has been observed attempting to exploit CVE-2021-43786, an unintentionally allowed master token access which can lead to remote code execution. References:
October CMS Password Reset Scanner [Intention: Malicious]
CVE-2021-32648
This IP address has been observed attempting to exploit CVE-2021-32648, a password reset vulnerability in October CMS. References:
TP-Link TL-WR840N RCE Attempt [Intention: Malicious]
CVE-2021-41653
This IP address has been observed attempting to exploit CVE-2021-41653, a remote command execution vulnerability in TP-Link TL-WR840N EU v5. References:
VMware vCenter Arbitrary File Read Attempt [Intention: Malicious]
CVE-2021-21980
This IP address has been observed attempting to exploit CVE-2021-21980, an unauthorized arbitrary file read vulnerability in vSphere Web Client. References:
VMware vCenter SSRF Attempt [Intention: Malicious]
CVE-2021-22049
This IP address has been observed attempting to exploit CVE-2021-22049, a server-side request forgery vulnerability in vSphere Web Client. References:
WebSVN 2.6.0 RCE CVE-2021-32305 [Intention: Malicious]
CVE-2021-32305
This IP address has been observed scanning the Internet for devices vulnerable to CVE-2021-32305, a remote code execution vulnerability in WebSVN which utilizes a shell metacharacter in the search parameter. References:
Zimbra Collaboration Suite XXE Attempt [Intention: Malicious]
CVE-2019-9670
This IP address has been observed attempting to exploit CVE-2019-9670, an XXE vulnerability in Synacor Zimbra Collaboration Suite 8.7.x before 8.7.11p10. References:
Zoho ManageEngine ServiceDesk Plus msiexec RCE Attempt [Intention: Malicious]
CVE-2021-44077
This IP address has been observed attempting to exploit CVE-2021-44077, a remote command execution vulnerability in Zoho ManageEngine ServiceDesk Plus before 11306, ServiceDesk Plus MSP before 10530, and SupportCenter Plus before 11014. References:
Over the past month, security teams have been scrambling to deal with the fallout from the Log4Shell vulnerability (CVE-2021-44228) announced in early December. Between blocking exploitation attempts and trying to determine vulnerable assets, it had already been a long winter for defenders. This vulnerability is particularly challenging as the Apache Log4j library has been used within so many different applications worldwide that it created an unusually large surface area for security teams to identify and defend. Now that the initial shock of the vulnerability is over, we wanted to answer some questions received during the exploit surge and identify a few preventative strategies that might help during future outbreaks.
As of January 2022, a month after initial CVE announcement, GreyNoise still observes a significant volume of traffic related to the Log4j vulnerability. This traffic is primarily composed of generic JNDI string exploit attempts with known obfuscations.
One of the interesting patterns we saw during the first few days of the Log4j “scan-and-exploit” outbreak was a huge surge in benign actors scanning for the vulnerability. The chart above shows Log4j-related activity broken down by scanners who provided attribution (generally benign scanning done by security firms, researchers, and academics) compared to non-attributed scanning (generally, malicious scanning by threat actors).
A huge part of the surge in scanning activity during the first days of the outbreak can be attributed to benign actors. Within the security community, there is significant discussion about the appropriateness of this scanning volume, as security teams further struggled with the alert volumes generated by this traffic during an emergent situation. It’s controversial enough that some in the security community are advocating blocking these types of scans.
That depends. GreyNoise tracks internet noise caused by IPs scanning the entire internet, and classifies them as malicious, unknown, or benign based on their behavior and identity. For example, security vendors that scan the internet to identify vulnerable systems who voluntarily provide self-attribution are generally classified as benign. Other IP addresses that do opportunistic or unsolicited scanning, vuln checking, or exploitation are generally classified as malicious.
Note that organizations are not obligated to allow scanning of their network perimeter, regardless of GreyNoise classification. The value added by allowing or not blocking any IP seen by GreyNoise will vary depending on an organization’s threat model and security posture. The intended purpose of most benign traffic observed by GreyNoise is often to provide context, awareness, and added value to the IT and InfoSec community. However, any significant volume of unsolicited traffic, even that classified as benign by GreyNoise, may result in SOC alert fatigue and dangerous distraction during an active attack.
Mostly. The GreyNoise Log4J tag utilizes the presence of a JNDI format string within a packet’s body to tag IPs. The tag focuses on the core cause of the Log4j vulnerability, common to all the CVEs related to Log4j (CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, CVE-2021-44832). As a result, the GreyNoise tag has no false positives and provides substantial coverage for relevant CVEs.
However, GreyNoise researchers have observed at least two examples of attempted Log4j exploits where the malicious string was base64 encoded in an application-specific parameter, allowing it to circumvent the GreyNoise tag.
See the following for more details: https://gist.github.com/nathanqthai/197b6084a05690fdebf96ed34ae84305#base64-encoded-into-parameter
Not usually. GreyNoise does not currently provide raw sensor data for operational security purposes, although we may do so in the future. The GreyNoise Visualizer and APIs do expose select User-agents and URI paths.
That said, due to the high variance of payloads observed at the peak of Log4j activity in December 2021, GreyNoise researchers elected to curate and publish a unified list of payload examples:
https://gist.github.com/nathanqthai/197b6084a05690fdebf96ed34ae84305#base64-encoded-into-parameter
Application-specific attacks leveraging Log4j vulnerabilities. This Apache Log4j vulnerability has been extremely challenging due to the ubiquity of the logging library's use. CVE-2021-44228 had an enormous impact and drew significant attention to how the Log4j library was used within applications worldwide. This attention resulted in several follow-on CVEs that bypassed the initial patch and used varied attack vectors (CVE-2021-45046, CVE-2021-45105, CVE-2021-44832). Log4j-related exploit activity may evolve as security researchers continue to scrutinize the library and its usage across various applications. For example, application-specific vulnerabilities like those discovered in H2 Database Console and VMware may become more prevalent. (https://portswigger.net/daily-swig/researchers-discover-log4j-like-flaw-in-h2-database-console, https://www.vmware.com/security/advisories/VMSA-2021-0028.html) At this time, GreyNoise has not observed any notable trends or upticks regarding application-specific Log4j payloads.
There are more servers on the internet than there is IPv4 space to assign each of these servers a unique address. In the case of the HTTP protocol, hundreds of servers may share a singular IP address and only be reachable when a specific host header is set as part of the connection request. Scoping out this much larger section of the internet in relation to Log4j is a non-trivial task that remains to be fully explored. It is also one of the reasons the cyber defense search engine “Onyphe” opted against scanning the entire internet for vulnerabilities related to Log4j and instead opted for a more targeted approach.
While things are not as bad as they were in December 2021, we do not envision Log4j scanners and attackers disappearing anytime soon. At GreyNoise, our goal is to help identify these kinds of outbreaks as fast as we possibly can in order to give security teams the time and breathing space they need to get their defenses in place.
You are always welcome to use the GreyNoise product to help you separate internet noise from threats as an unauthenticated user on our site. For additional functionality and IP search capacity, create your own GreyNoise Community (free) account today.
UPDATE 16-Dec-21, 4:00 PM ET: Tentative results for #Log4Shell activity by hour showing "Researcher" and "Non-Researcher" breakdown as observed by GreyNoise. It may not be 100% accurate, but it should give an idea of what we are observing. "Researcher" is defined by IPs that GreyNoise knows to be attributable scanners for commercial or research purposes, usually listed as "benign" in our data. "Non-Researcher" is defined as everything else. The researcher numbers seem to flatline, but we believe this is due to the scale of the plot, and new infrastructure spun up by various researchers that have not yet been accounted for. We will try to update this later for a better retroactive understanding.
UPDATE 16-Dec-21, 1:00 PM ET: GreyNoise Research has compiled a set of sample Log4Shell (CVE-2021-44228) payloads observed in the wild. These samples are intended to provide individuals with a clearer idea of some of the variation we're seeing, including esoteric protocols such as IIOP. https://gist.github.com/nathanqthai/197b6084a05690fdebf96ed34ae84305
UPDATE 15-Dec-21, 11:00 PM ET: As of 15-Dec-21, GreyNoise Research is seeing a decrease in the number of unique IP addresses scanning for the Apache Log4j vulnerability.
On December 5, 2021, Apache identified a vulnerability (later identified as CVE-2021-44228) in their widely used Log4j logging service. The vulnerability, also known as Log4shell, enables attackers to gain full control of affected servers by allowing unauthenticated remote code execution if the user is running an application utilizing the Java logging library. Log4j is heavily integrated into a broad set of DevOps frameworks, enterprise IT systems, and vendor software and cloud products.
GreyNoise first observed activity for this vulnerability on December 9, 2021, from 194.48.199[.]78 and 181.214.39[.]2.
To get a current list of all the IP addresses opportunistically scanning the internet to vuln check or exploit CVE-2021-44228, check out this tag summary in the GreyNoise Visualizer
“The reason this vulnerability matters is that Log4j is heavily integrated in enterprise IT and devops. There are a whole bunch of devops frameworks and a whole bunch of enterprise IT systems and vendor systems that use it. So if you pick basically any large vendor and stick Log4j in Google, you’ll find it kicking around in different products, which is going to become a problem. There’s clearly lots of systems out there that, in some way shape or form, rely on this.” – Kevin Beaumont (@GossiTheDog, via Twitter Spaces recording)
On December 5th, 2021, Apache filed a JIRA issue identifying the vulnerability that would become CVE-2021-44228. The following day, December 6th, Apache released a patch providing some details on the vulnerability and crediting Chen Zhaojun of Alibaba Cloud Security Team for the discovery.
On December 9th, weaponized proof-of-concept exploits (PoCs) began to appear, leading to a rapid increase of scanning and public exploitation on December 10th.
Between 1200 EST and 1400 EST on December 10, 2021, GreyNoise has observed a 5x increase in the number of hits per sensor related to the Log4shell event.
Due to ease of exploitation and prevalence of Log4J, GreyNoise researchers believe that this activity will continue to increase over the next few days. A wide variety of use cases for this exploit have already begun to appear, ranging from exploiting Minecraft servers
to more high-profile issues potentially affecting Apple iCloud
The vulnerability feels similar to ShellShock, a vulnerability GreyNoise still observes since it was first identified in 2014.
GreyNoise is providing IOCs for CVE-2021-44228 Apache Log4j RCE attempts on Github. You can access the C2/Callback domains here and the latest IPs here. You can get the most up-to-date information via GreyNoise for Log4shell here.
CVE-2021-44228 is still new, and its impact will likely be felt for a long time due to the pervasiveness of Log4j. Multiple recommendations for patching have been made (CISA), and detections have been made available. As the landscape develops, GreyNoise will be tweeting about new information and IoCs. Follow us there for the latest information.
.jpg)
On November 24, 2021, GreyNoise’s passive sensor network observed a single IP address mass transmitting a message in plaintext to port 9100, a common port for printer connections. The text is related to Reddit’s /r/antiwork, a subreddit dedicated to discussing and seeking an end to exploitative work. Since the initial observation, we’ve seen a significant increase in transmissions.
Printers, when exposed to the Internet over port 9100, will print any plaintext received. As seen in Figure 1, this message was formatted with the proper dimensions specifically for receipt printers. This appears to be corroborated by a dozen individuals posting printed receipts from their place of work with variations of the messages observed by GreyNoise, Figure 1. GreyNoise has seen 29 variations of the same few messages, which have been provided at the end of this blog.
The observed activity began with reconnaissance. GreyNoise saw several actors performing network scans using Nmap, ZMap, and masscan to verify that port 9100 is open before relaying r/antiwork messages. Figure 2 shows the timeline of activity, with activity coming from over 60+ unique IPs over the span of the week.
The bulk of activity originates from IPs belonging to “BL Networks," a hosting provider based out of the Netherlands (view it on GreyNoise). Figure 3 shows the geographical breakdown of IPs transmitting the messages.
While the messages are not specific to the United States, the majority of the traffic was largely directed at North American IPs.
The GreyNoise Research team was able to identify at least one concerted effort behind the recent activity. Figure 4 shows individual IP activity observed by GreyNoise sensors over time. IPs are colored by their numerical adjacency. For example, 192.168.1.1 and 192.168.1.2 would be colored similarly since they are numerically adjacent, but 10.0.0.1 and 192.168.1.1 are not.
Researchers observed a diverse set of uncoordinated IP addresses responsible for the activity around Thursday, November 25 (U.S. Thanksgiving) and Friday, November 26 (Black Friday). Prior to November 26, activity was scattered amongst different source IPs and ASN ranges. However, in the following week, we noted two additional sets of coordinated IPs on November 29th and December 2.
Researchers determined that, as of December 2nd, all servers used to transmit the messages had port 80 open and were running Python 3.9.2 SimpleHTTPServer. The servers exposed a directory with the text files, presumably the content being transmitted by the server:
Based on associated SSL Certificates and domain information, the team was able to make contact with the current owner of one of the IPs. The owner responded with the following:
GreyNoise researchers were unable to determine whether or not the current owner is responsible for the activity, though they did respond letting us know they took down one of the servers (which GreyNoise has corroborated).
This is not the first time printjacking has occurred. GreyNoise has previously observed coordinated activity on port 9100 in 2018 related to an incident involving YouTube superstar PewDiePie.
When asked for recommendations on best practices, GreyNoise IT & Security Director responded: “In order to avoid printjacking, we recommend ensuring port 9100 on your device remains closed to the Internet. If your printer vendor requires connection to an open port, it’s a good time to consider a different provider."
Learn more about GreyNoise and follow us on LinkedIn and Twitter.
GreyNoise has seen 29 variations of the same few messages, which you can read below or access via this Gist.
RIDDLE ME THIS
How can the McDonald's in Denmark manage
to pay their staff $22 an hour and still
sell a Big Mac for less than in America?
Answer: UNIONS!
Did you know that it is a rather
simple task to organize a UNION?
Learn More:
=====================
reddit.com/r/antiwork
=====================
----------------------------------------------------------
ARE YOU BEING UNDERPAID?
You have a legal, protected right to discuss your pay with your coworkers.
This should be done on a regular basis to ensure that everyone is being paid fairly.
It is ILLEGAL for your employer to punish you for doing this.
If you learn that you are being paid less than someone else who is doing the same job,
you should demand a raise or consider quitting and finding a different job.
SLAVE WAGES only exist because people are willing to work for them.
Learn More:
=====================
reddit.com/r/antiwork
=====================
----------------------------------------------------------
======================
NEW YEAR'S RESOLUTIONS
======================
1. Hit the Gym
2. Delete Facebook
3. ORGANIZE A UNION
Learn More:
=====================
reddit.com/r/antiwork
=====================
----------------------------------------------------------
=========================
WHAT TO DO ON BREAK TODAY
=========================
1. Talk about your PAY
2. Talk about your RIGHTS
3. Begin ORGANIZING A UNION
GOOD employers are not afraid
of these, but ABUSIVE ones are.
Learn More:
=====================
reddit.com/r/antiwork
=====================
----------------------------------------------------------
=====================
INFLATION WAGE NOTICE
=====================
Due to the 6.2% inflation rate,
all US workers are entitled to
at least a 6.2% pay adjustment.
We have received reports of
some ABUSIVE EMPLOYERS not
providing these adjustments.
If you have not received such a
raise, please ask your employer
why your PAY WAS CUT.
Learn More:
=====================
reddit.com/r/antiwork
=====================
----------------------------------------------------------
=========================
WHAT TO DO ON BREAK TODAY
=========================
1. Talk about your PAY
2. Talk about your RIGHTS
3. Begin ORGANIZING A UNION
GOOD employers are not afraid
of these, but ABUSIVE ones are.
Learn More:
=====================
reddit.com/r/antiwork
=====================
----------------------------------------------------------
TIME IS YOUR MOST VALUABLE ASSET.
Not only can you never obtain any
more of it, you do not even know
how much you have to begin with.
Why are you selling YOUR TIME
for SO LITTLE?
Join the "25 OR WALK" movement!
Tell your employer that YOUR TIME
is worth no less than $25 per hour,
and for them to call you when
they are ready to pay up.
But don't quit!
Make them fire you!
... and spend YOUR TIME with family
... and spend YOUR TIME with friends
... and rediscover YOUR favorite hobby
... and RECLAIM YOUR LIFE
SLAVE WAGES only existed because
people were willing to work for them.
BUT NOT ANYMORE.
THIS. ENDS. NOW.
Learn More:
=====================
reddit.com/r/antiwork
=====================
----------------------------------------------------------
HOW TO SCARE A SLAVE OWNER:
1. Talk about your PAY
2. Talk about your RIGHTS
3. Talk about FORMING A UNION
Employers are not scared of
these, but SLAVE OWNERS are.
Learn More:
=====================
reddit.com/r/antiwork
=====================
----------------------------------------------------------
==========================
ABUSIVE EMPLOYER CHECKLIST
==========================
[ ] Can't talk about PAY
[ ] Can't talk about RIGHTS
[ ] Can't talk about UNIONS
[ ] Punished for getting SICK
[ ] Punished for taking VACATION
If your employer checks ANY of
these, please contact support:
reddit.com/r/antiwork
----------------------------------------------------------
:::::::::::::::::::::::::::::::
::::: TIME IS :::::::::::::::::
::::::: YOUR MOST :::::::::::::
:::::::::: VALUABLE ASSET :::::
:::::::::::::::::::::::::::::::
Not only can you never
obtain any more of it,
you do not even know how
much you have to begin with.
LIFE IS SHORT!
Why are you selling YOUR TIME
for SO LITTLE?
Join the "25 OR WALK" movement!
Tell your employer that YOUR
TIME is worth no less than
$25 per hour, and for them
to call you when they are
ready to pay up.
But DON'T QUIT!
MAKE THEM FIRE YOU!
... and spend YOUR TIME
...... with FAMILY
... and spend YOUR TIME
...... with FRIENDS
... and rediscover YOUR
...... FAVORITE HOBBY
... AND RECLAIM YOUR LIFE
POVERTY WAGES only existed
because people were "willing"
to work for them.
BUT NOT ANYMORE.
THIS. ENDS. NOW.
Learn More:
=====================
reddit.com/r/antiwork
=====================
----------------------------------------------------------
ARE YOU BEING UNDERPAID?
You have a legal, protected right to
discuss your pay with your coworkers.
This should be done on a regular basis to
ensure that everyone is being paid fairly.
It is ILLEGAL for your employer to punish
you for doing this.
If you learn that you are being paid less
than someone else who is doing the same
job, you should demand a raise or consider
getting fired and finding a better job.
SLAVE WAGES only exist because people are
willing to work for them.
Learn More:
=====================
reddit.com/r/antiwork
=====================
----------------------------------------------------------
==============
RIDDLE ME THIS
==============
How can the McDonald's
in Denmark pay their staff
$22 an hour and still manage
to sell a Big Mac for
less than in America?
Answer: UNIONS!
A GOOD UNION can easily
align everyone's goals.
Did you know that it
is a rather simple task
to organize a UNION?
Learn More:
=====================
reddit.com/r/antiwork
=====================
----------------------------------------------------------
========================
ARE YOU BEING UNDERPAID?
========================
You have a protected LEGAL
RIGHT to discuss your pay
with your coworkers.
This should be done on a
regular basis to ensure that
everyone is being paid fairly.
It is ILLEGAL for your employer
to punish you for doing this.
If you learn that you are being
paid less than someone else who
is doing the same job, you
should demand a raise or
consider getting fired and
finding a better employer.
POVERTY WAGES only exist
because people are "willing"
to work for them.
Learn More:
=====================
reddit.com/r/antiwork
=====================
----------------------------------------------------------
RIDDLE ME THIS
How can the McDonald's in Denmark manage
to pay their staff $22 an hour and still
sell a Big Mac for less than in America?
Answer: UNIONS!
Did you know that it is a rather
simple task to organize a UNION?
Learn More:
=====================
reddit.com/r/antiwork
=====================
----------------------------------------------------------
=====================
INFLATION WAGE NOTICE
=====================
Due to the 6.2% inflation rate,
all US workers are entitled to
at least a 6.2% pay adjustment.
We have received reports of
some ABUSIVE EMPLOYERS not
providing these adjustments.
If you have not received such a
raise, please ask your employer
why your PAY WAS CUT.
Learn More:
=====================
reddit.com/r/antiwork
=====================
----------------------------------------------------------
RIDDLE ME THIS
How can the McDonald's in Denmark manage
to pay their staff $22 an hour and still
sell a Big Mac for less than in America?
Answer: UNIONS!
Did you know that it is a rather
simple task to organize a UNION?
Learn More:
=====================
reddit.com/r/antiwork
=====================
----------------------------------------------------------
========================
ARE YOU BEING UNDERPAID?
========================
You have a protected LEGAL
RIGHT to discuss your pay
with your coworkers.
This should be done on a
regular basis to ensure that
everyone is being paid fairly.
It is ILLEGAL for your employer
to punish you for doing this.
If you learn that you are being
paid less than someone else who
is doing the same job, you
should demand a raise or
consider getting fired and
finding a better employer.
POVERTY WAGES only exist
because people are "willing"
to work for them.
Learn More:
=====================
reddit.com/r/antiwork
=====================
----------------------------------------------------------
==========================
ABUSIVE EMPLOYER CHECKLIST
==========================
[ ] Can't talk about PAY
[ ] Can't talk about RIGHTS
[ ] Can't talk about UNIONS
[ ] Punished for getting SICK
[ ] Punished for taking VACATION
If your employer checks ANY of these,
please contact support at:
reddit.com/r/antiwork
----------------------------------------------------------
TIME IS YOUR MOST VALUABLE ASSET.
Not only can you never obtain any
more of it, you do not even know
how much you have to begin with.
Why are you selling YOUR TIME
for SO LITTLE?
Join the "25 OR WALK" movement!
Tell your employer that YOUR TIME
is worth no less than $25 per hour,
and for them to call you when
they are ready to pay up.
But don’t quit!
Make them fire you!
... and spend YOUR TIME with family
... and spend YOUR TIME with friends
... and rediscover YOUR favorite hobby
... and RECLAIM YOUR LIFE
SLAVE WAGES only existed because
people were willing to work for them.
BUT NOT ANYMORE.
THIS. ENDS. NOW.
Learn More:
=====================
reddit.com/r/antiwork
=====================
----------------------------------------------------------
TIME IS YOUR MOST VALUABLE ASSET.
Not only can you never obtain any
more of it, you do not even know
how much you have to begin with.
Why are you selling YOUR TIME
for SO LITTLE?
Join the "25 OR WALK" movement!
Tell your employer that YOUR TIME
is worth no less than $25 per hour,
and for them to call you when
they are ready to pay up.
But don’t quit!
Make them fire you!
... and spend YOUR TIME with family
... and spend YOUR TIME with friends
... and rediscover YOUR favorite hobby
... and RECLAIM YOUR LIFE
SLAVE WAGES only existed because
people were willing to work for them.
BUT NOT ANYMORE.
THIS. ENDS. NOW.
Learn More:
=====================
reddit.com/r/antiwork
=====================
----------------------------------------------------------
HOW TO SCARE A SLAVE OWNER:
1. Talk about your PAY
2. Talk about your RIGHTS
3. Talk about FORMING A UNION
Employers are not scared of
these, but SLAVE OWNERS are.
Learn More:
=====================
reddit.com/r/antiwork
=====================
----------------------------------------------------------
======================
NEW YEAR'S RESOLUTIONS
======================
1. Hit the Gym
2. Delete Facebook
3. ORGANIZE A UNION
Learn More:
=====================
reddit.com/r/antiwork
=====================
----------------------------------------------------------
HOW TO SCARE A SLAVE OWNER:
1. Talk about your PAY
2. Talk about your RIGHTS
3. Talk about FORMING A UNION
Employers are not scared of
these, but SLAVE OWNERS are.
Learn More:
=====================
reddit.com/r/antiwork
=====================
----------------------------------------------------------
ARE YOU BEING UNDERPAID?
You have a legal, protected right to
discuss your pay with your coworkers.
This should be done on a regular basis to
ensure that everyone is being paid fairly.
It is ILLEGAL for your employer to punish
you for doing this.
If you learn that you are being paid less
than someone else who is doing the same
job, you should demand a raise or consider
quitting and finding a different job.
SLAVE WAGES only exist because people are
willing to work for them.
Learn More:
=====================
reddit.com/r/antiwork
=====================
----------------------------------------------------------
:::::::::::::::::::::::::::::::
::::: TIME IS :::::::::::::::::
::::::: YOUR MOST :::::::::::::
:::::::::: VALUABLE ASSET :::::
:::::::::::::::::::::::::::::::
Not only can you never
obtain any more of it,
you do not even know how
much you have to begin with.
LIFE IS SHORT!
Why are you selling YOUR TIME
for SO LITTLE?
Join the "25 OR WALK" movement!
Tell your employer that YOUR
TIME is worth no less than
$25 per hour, and for them
to call you when they are
ready to pay up.
But DON'T QUIT!
MAKE THEM FIRE YOU!
... and spend YOUR TIME
...... with FAMILY
... and spend YOUR TIME
...... with FRIENDS
... and rediscover YOUR
...... FAVORITE HOBBY
... AND RECLAIM YOUR LIFE
POVERTY WAGES only existed
because people were "willing"
to work for them.
BUT NOT ANYMORE.
THIS. ENDS. NOW.
Learn More:
=====================
reddit.com/r/antiwork
=====================
----------------------------------------------------------
ARE YOU BEING UNDERPAID?
You have a legal, protected right to
discuss your pay with your coworkers.
This should be done on a regular basis to
ensure that everyone is being paid fairly.
It is ILLEGAL for your employer to punish
you for doing this.
If you learn that you are being paid less
than someone else who is doing the same
job, you should demand a raise or consider
getting fired and finding a better job.
SLAVE WAGES only exist because people are
willing to work for them.
Learn More:
=====================
reddit.com/r/antiwork
=====================
----------------------------------------------------------
==========================
ABUSIVE EMPLOYER CHECKLIST
==========================
[ ] Can't talk about PAY
[ ] Can't talk about RIGHTS
[ ] Can't talk about UNIONS
[ ] Punished for getting SICK
[ ] Punished for taking VACATION
If your employer checks ANY of
these, please contact support:
reddit.com/r/antiwork
----------------------------------------------------------
ARE YOU BEING UNDERPAID?
You have a legal, protected right to
discuss your pay with your coworkers.
This should be done on a regular basis to
ensure that everyone is being paid fairly.
It is ILLEGAL for your employer to punish
you for doing this.
If you learn that you are being paid less
than someone else who is doing the same
job, you should demand a raise or consider
getting fired and finding a better job.
SLAVE WAGES only exist because people are
willing to work for them.
Learn More:
=====================
reddit.com/r/antiwork
====================
----------------------------------------------------------
==============
RIDDLE ME THIS
==============
How can the McDonald's
in Denmark pay their staff
$22 an hour and still manage
to sell a Big Mac for
less than in America?
Answer: UNIONS!
A GOOD UNION can easily
align everyone's goals.
Did you know that it
is a rather simple task
to organize a UNION?
Learn More:
=====================
reddit.com/r/antiwork
=====================
GreyNoise is proud to announce a production contract with a $30M USD ceiling awarded to GreyNoise by the United States Department of Defense (U.S. DoD). This new contract stems from GreyNoise’s initial prototype with the U.S. DoD’s Defense Innovation Unit (DIU) announced earlier in 2021 to help the Department diagnose internet-wide scan-and-attack activity.
Our CEO and Founder, Andrew Morris, says it best: “We're deeply thrilled to be able to call the DoD a full customer, and honored to support their mission…we have become the ‘go-to’ authority on the scan-and-attack traffic that absolutely all internet-dependent organizations are subject to, because of our unique ability to monitor and analyze internet noise at global scale. This visibility has become more and more important as malicious actors leverage automation to scale their attacks. GreyNoise will enhance cyber threat detection and intelligence-gathering capabilities across the DoD and other branches of the U.S. government, and enable security analysts to focus their valuable time and energy on legitimate threats.”
Every machine connected to the internet is exposed to a barrage of unsolicited communications from tens of thousands of unique IP addresses per day—a phenomenon we call internet background noise. A percentage of these communications are malicious attacks and web crawls; some are non-malicious scans and pings; some are legitimate business services; and others still are unknown, but hitting everyone on the internet. GreyNoise solves the challenge of diagnosing and filtering this massive volume of traffic for security analysts and teams.
GreyNoise offers two value propositions for security analysts and SOC teams:
We help SOC teams recognize events not worth their attention. On average, prospects who trial GreyNoise see that 20-40% of their alert traffic is noise, and GreyNoise customers are seeing alert volume reductions of 25% or more.
Indicators in GreyNoise are likely associated with opportunistic internet scanning or common business services, not targeted threats. This context helps the SOC in a few ways:
GreyNoise helps organizations reduce the risk and costs of compromise by seeing emerging threats faster and more clearly, in three basic ways:
This production contract allows the GreyNoise platform to be purchased and utilized by all DoD organizations over a 5-year period. Resulting from our partnership with the Defense Innovation Unit (DIU), the collaboration helps the DoD focus on identifying and scaling commercial technology solutions while deploying them rapidly across the U.S. military to strengthen the nation’s security.
We’ve got an ordering guide that makes it easy for DoD organizations to scope and purchase the GreyNoise platform for their specific requirements. To access the ordering guide for GreyNoise products associated with this contract, please email sales@greynoise.io.
You’re in a dark room, and your screen is crawling with alerts from your IDS/IPS about an IP address trying an exploit on one of your internet-facing devices. You scramble to investigate the event, checking VirusTotal, IPinfo, Whois, and even Google to try to figure out how dangerous the IP might be, only to figure out after an hour that it's actually just Shodan… or Censys… or Pingdom… or a brain-dead bot script.
GreyNoise recently met with Robert*, Manager of Cybersecurity Incident Response & Operations at a large food service & hospitality company. Robert lives this reality every day as he and his Incident Response team respond to network events from their MSSP and internal detections. Recently Robert found a way to leverage GreyNoise Intelligence data integrated into Cortex XSOAR incident response to help his team answer these questions much more quickly and effectively. We caught up with Robert recently to learn how he had done it.
* Customer names have been changed to maintain anonymity
Robert: Sure — I lead the incident response and security operations team at my company. I've been here for about six years and was previously an individual contributor on a joint team that combined security engineering, incident response, and security operations.
A few years ago, we figured it probably doesn't make sense to keep this one giant team, and it would be nice to start developing some specialization. So we chunked the team into two groups — a security engineering team, and an incident response and security operations team. I was fortunate to be selected to run the new IR and Ops team, and I’ve been doing it for about two years now.
Robert: We work with several external partners that triage alerts for us, as well as conduct our own custom detections and investigations. We actually have four different alert classifications:
So basically, we use our MSSP partner as Tier 1 analysts, with my teams handling Tier 2 and above. We're not a 24x7 shop, so we push 24x7 monitoring of our assets to our partners, basically saying, “Here's your escalation plan during business hours; here's your escalation plan outside of business hours. Go get them.”
Once we get an alert through any of these sources, we'll do triage, and beyond the initial triage, we’ll do remediation, and then resilience. Any kind of gaps that we have in those tools, we supplement with our own detections, or if it's a use case that’s specific to the company, we'll do it internally as well.
Robert: I remember seeing Andrew [Morris, founder and CEO of GreyNoise] talking about it on Twitter, and I checked it out and thought, wow, this is really awesome. I think the biggest sort of “aha” for me was looking at the amount of time it could save me during an investigation.
What was happening quite often to us was that we would get these IDS/IPS alerts about an exploitation attempt. And we’d have to run the alerts to the ground, and it was taking forever.
I realized, looking at GreyNoise, that this tool would tell me if this is a targeted attack or if it’s a piece of automation that some attacker is using to try to build their botnet. Because if it's an automated attack, and the script fails even slightly, then the whole attack is probably a wash at that point. There's not an operator with hands-on-keyboard to make the adjustments needed, so the automation just fails and moves on to the next IP.
Having that kind of insight was a game-changer for us in how we analyzed those alerts and how we looked at that type of attack surface. So we started using the Community edition of GreyNoise with our old homegrown incident response tool to query things, and it was tremendously helpful.
For example, one of the things we were looking at was vulnerability scans. If we’re getting vulnerability scanned by somebody who’s scanning everybody else too, okay, welcome to the Internet. But if somebody’s scanning us that GreyNoise has never heard of, that's interesting — why are they just scanning us? Are we being targeted? GreyNoise majorly short-cycled a lot of investigations on these kinds of events.
Another example, we would see somebody slinging an Apache Struts exploit. Okay, are they doing this just to us, or are they doing this to everybody? And again, that kind of changed the dynamic of how we responded to that event.
Robert: A while back, we started to look at various SOAR platforms, and I ended up doing evaluations of what was then Demisto (it’s Cortex XSOAR now), Splunk Phantom, Swimlane, and Siemplify. I engaged with the vendors, downloaded the software, ran an evaluation environment, and actually kicked the tires on each of them. Ultimately we landed on XSOAR, and that started the clock of bringing things over from our existing incident response queue.
As we started to bring events into XSOAR, particularly the ones where we had been using GreyNoise, I realized there was a great opportunity to integrate GreyNoise into XSOAR to automate the process. I went to my director and made the case that we've been using this tool called GreyNoise, and it's super helpful. Now that we've got these events coming from our MSSP into XSOAR, we could start leveraging automation to query GreyNoise, instead of having to manually copy the IP, open up a new tab, paste it in and run a search.
I had been talking to Andrew a fair amount on Twitter, and he sent me over an integration between GreyNoise and XSOAR (there was no marketplace at the time), and it worked really well. So we signed up for a paid plan with GreyNoise to get more IP lookups and more context information. We now use GreyNoise on most of our network detection-based alerts to give context and alleviate a lot of strain from a research perspective on those events. So it's been great.
The way we’ve integrated GreyNoise into XSOAR is that any time we see an IP address, XSOAR invokes the IP enrichment command for every integration that supports it. This includes GreyNoise, Virus Total, IPinfo.io, whatever. It'll run them all, bring all that data back, and show it to the analyst. One of the areas where GreyNoise is really useful with this approach is inside of our playbook for the IDS/IPS alerts from our MSSP.
In addition to alerts coming from our MSSP, we do custom detections in our SIEM, Splunk Enterprise Security. So while we will write content in Splunk, and raise these as notable events in ES, all of the results get mirrored into XSOAR. We try to make XSOAR the “one-stop-shop” for every event that we’re working.
Robert: Just being able to tell the background noise of the Internet, that was huge for us and made us go “wow.” To see that this activity is just a consequence of being online, but that activity over there GreyNoise hadn't seen, so they're only paying attention to us, and it actually merits us looking into more deeply because they're not just slinging exploits or vulnerability scans at every IP address on the Internet. And we've also seen the opposite, where we see yes, they are a benign scanner, and it's Shodan, cool, we can ignore it.
Because GreyNoise is good at providing context around what IPs are doing in the broader Internet, it typically plays a lot with the IDS/IPS stuff that our MSSP handles — the primary data that we pivot off of for these events is the IP address. We also use GreyNoise on an ad hoc basis — for example, if I see a weird IP on a login to our identity provider, I’ll look it up in GreyNoise and see if it does anything funky on the Internet. And so it's often just helpful context.
Another use case that’s been really helpful is the new RIOT tagging, which identifies known legitimate traffic. For example, if I'm doing an investigation on a host that's been compromised and I've got a list of IPs it's talked to in the last 24 hours, I just want to rip out all the stuff that is legitimate, like Office 365 or Slack or cloud solutions that our users should be talking to. I can go to the analysis page on GreyNoise and just drop this big block of IPs in there, and it will tell me if any of these are ones that I should really be caring about, and help me eliminate the ones that I don’t. It gives me a good way to filter for a first pass — I can rule this stuff out for now and focus on what's left. Then if I still can't find anything, I can go back to the Office 365 IP and look for anomalies there. Because If there's an Eastern European IP address buried in amongst the Office 365 ones, I know which one I want to look at first.
Robert: Every time we find an IP that GreyNoise knows about, we ask ourselves, “Hey, is this IP trying to exploit CVE fill-in-the-blank here? Do we run that software? No? OK, done.” Because it's an opportunistic scanner, and GreyNoise is saying the IP is focused on this particular CVE, or it loves these six CVEs for this product suite. This allows us to conclude that, because we don't use that product suite, we're good, and we can ignore it.
Alternatively, the answer might be, “yes, we do use that product suite.” In that case, I’ll go read about the CVE and see what versions are vulnerable, and then look at our system and see if it’s something we need to dig into or whether we already patched for it.
As part of our triage, we also check in with our vulnerability management team. If we see a scanner out on the Internet scanning through our IPs, we’ll go dig up our internal scan results for the same IP and see what we found. Because we can pretty much know that anything we found, the bad guys just did too.
There’s some nice visibility we get with GreyNoise around vulnerability scans. For example, for events that we get, we can look at our firewall and easily see that this particular IP scans all of these public IPs. Then we can check in GreyNoise to see, what ports does this scanner like to scan? We obviously know they scan port 80 because that's why we're here. But do they scan 443 (SSL)? Recently Andrew tweeted about some new behavior GreyNoise tracks looking at whether scanners follow 301 or 302 redirects.
Say we determine that this IP only scans port 80 — cool. Now we can go into XSOAR and CURL all of the IPs that they scanned on port 80 and check to see if there’s a common vulnerability they might be looking for. Or do we get our load balancer telling them they need to go to 443? Because if we get that, and this IP doesn’t follow redirects, and this IP doesn't scan 443, then he's hitting a load balancer appliance, and I don't care. In XSOAR, that playbook will close the event if this is the condition that's met. And no analyst ever has to interact with this event.
Robert: I remember first seeing Andrew talking about GreyNoise on Twitter. When I checked it out, I thought, wow, this is really awesome. I think the biggest sort of “aha” for me was looking at the amount of time it could save me during an investigation.
We started using the GreyNoise Community edition with our old homegrown incident response tool, and it was tremendously helpful. That experience allowed me to go to my director and make a case for leveraging automation to query GreyNoise, instead of having to manually copy the IP, open up a new tab, paste it in and run a search. Today we use GreyNoise on most of our network detection-based alerts, and to enrich every event we get from our MSSP. I would estimate that GreyNoise is saving us probably an hour of work every time we get one of these vulnerability scan events — we’ve automated our approach completely, so an analyst doesn’t even have to touch it (and we see around 8-10 of these events every week). So long story short, GreyNoise really does shorten the cycle of some of these vulnerability scan investigations and is saving us about 40 hours per month that we can apply to other high-priority security problems.
I’m also getting some good value out of using GreyNoise for ad hoc investigation context help — for example, when I've got a bunch of IPs and I just want to filter out the ones that I don't need to care about. We use GreyNoise to give context and alleviate a lot of strain from a research perspective on those events. So it's been great.
Curious how GreyNoise can save your SOC time? Try the product for free.
GitLab CE RCE Attempt [Intention: Malicious]
Apache Storm Supervisor RCE Attempt [Intention: Malicious]
Hikvision IP Camera RCE Attempt [Intention: Malicious]
SonicWall SMA100 Factory Reset Attempt [Intention: Malicious]
SonicWall SSL-VPN RCE Attempt [Intention: Malicious]
Legacy Web Server RCE Attempt [Intention: Malicious]
D-Link DIR-825 R1 RCE Attempt [Intention: Malicious]
D-Link DNS-320 RCE Attempt [Intention: Malicious]
Micro Focus OBR RCE Attempt [Intention: Malicious]
Yealink Device Management RCE Attempt [Intention: Malicious]
Wednesday, October 20, 2021, is the first ever SOC Analyst Appreciation Day™ - and in our opinion, it couldn’t have come sooner! We’d like to acknowledge the hard work and dedication of all the SOC analysts who help defend institutions across the globe. Thank you.
A SOC analyst’s life can be frustrating and stressful, with the weight of your organization’s security on your shoulders. Our goal here at GreyNoise is to help make your life easier by increasing SOC analyst efficiency, and by telling teams what not to worry about. We do this by helping you filter out “noisy” alerts associated with opportunistic internet scanning or common business services, not targeted threats. SOC teams can use GreyNoise data by using our web-based Visualizer, accessing our API via REST, SDK, or CLI, or integrating directly with your security tech stack.
If you’re a SOC analyst or manager interested in learning more about how you can use GreyNoise
On October 4th, 2021, Apache disclosed a path traversal vulnerability CVE-2021-41773 that affects HTTP Server version 2.4.49. The vulnerability was introduced in this version (2.4.49) and is patched in version 2.4.50.
This path traversal vulnerability allows sensitive files outside of the expected document root to be accessed, such as configuration files and Common Gateway Interface (CGI) scripts. This allows for specially crafted requests to read arbitrary files as well as perform Remote Code Execution (RCE) on systems that have the Apache “mod_cgi” module enabled.
On October 3rd, 2021, at 08:44 UTC, GreyNoise observed the first scan for this vulnerability from 36.68.53.196. This predates the mailing list announcement from Apache on October 5th as well as the release of 2.4.50 on October 4th, but after the patch was committed on September 29th. [View 36.68.53.196 in GreyNoise]
As of October 5th, 2021, the first Proof of Concept (POC) code became available which demonstrated arbitrary file read. It was closely followed by a POC demonstrating RCE.
GreyNoise has released the following tag to enable monitoring of relevant activity:
As of 7-Oct-21, GreyNoise is seeing 47 unique IP addresses that have scanned for this vulnerability, 39 of which are “malicious” and 8 of which are “benign."
* Editor’s Note: If this tag returns “No results found’,' this means that GreyNoise has not observed any IP addresses scanning the internet for this CVE in the past 90 days. You can use GreyNoise to notify you if this changes by using our Alerts feature.
10/15/21: This blog has been updated with Figure 1 to depict the timeline of events.
Today at GreyNoise, we’re thrilled to announce our selection as the Most Innovative Security Solution of 2021, as recognized by the Tech Ascension Awards. The awards are starting to pile up at GreyNoise, and our team's excitement grows after repeated confirmation from analysts and customers. As the name of the award implies, this honor is granted to those proving themselves innovative in the tech community around specific criteria. GreyNoise was selected from a pool of more than 500 applicants for excellence in technology innovation, market research, and unique competitive differentiators.
Our CEO and Founder, Andrew Morris, welcomes the industry compliment: “…we are honored by all of this validation, as it shows that we are making progress toward our ultimate mission—to solve the problem of alert fatigue and information overload in the cybersecurity arena. Every day, we see a staggering number of internet scans barraging internet-facing computers and software, and generating massive volumes of security alerts. Some of this activity is malicious, but a significant amount is not, and it’s getting to the point where it’s tough for security analysts to discern real threats from background noise. GreyNoise enables security teams to focus on the threats that really matter, rather than wasting their time investigating insignificant alerts. This is the heart of what makes GreyNoise an innovative security solution: we sift the haystack so you can pay attention to the needles."
Because the Tech Ascension Awards are innovation-centered, best-in-class vendors that receive recognition solve critical industry challenges differently. “The proliferation of ransomware, nation-state threats, and an uptick in cybercriminal activity due to COVID-19 are just some of the factors that have made a strong cybersecurity defense paramount for every business that touches sensitive data,” said David Campbell, CEO of Tech Ascension Awards. “We’re honored to recognize these industry leaders that have demonstrated their ability to defend organizations with unique approaches, innovative technology, and world-class talent.”
Here are some of our most recent accolades:
Try GreyNoise for free, and find out for yourself why we are the "Most Innovative Security Solution."
Azure OMI RCE Attempt [Intention: Malicious]
Azure OMI RCE Check [Intention: Unknown]
VMWare VCSA File Upload Attempt [Intention: Malicious]
VMWare VCSA File Upload Check [Intention: Unknown]
LDAP Crawler [Intention: Unknown]
Veeder-Root ATGs Crawler [Intention: Unknown]
VMware vCenter File Disclosure [Intention: Malicious]
PJL Crawler [Intention: Unknown]
PowerShell Generic Shell Attempt [Intention: Malicious]
Cisco IMC Supervisor and UCS Director Backdoor [Intention: Malicious]
Our research team is always looking for ways to improve our tagging methodology to enable GreyNoise users to understand actor behavior and tooling. GreyNoise already identifies clients with JA3 and HASSH data.
To expand on this work, GreyNoise recently added 3 new tags to shed more light on how various internet background noise-makers using HTTP clients manage their internal state. The below tags improve client fingerprinting for HTTP-based protocols.
On their own, each individual tag contributes a small indication of how the HTTP client manages its internal state. While that alone has value in helping to profile the actor behind the IP and possibly track them across IPs, the more interesting insights can be seen when these tags are viewed holistically.
As seen above, the tagged activity is not homogenous, allowing us a glimpse into the diversity of tooling or techniques used in scanning and opportunistic exploitation. While many actors may use the same exploit vector or payload, they may launch them from tools that support different HTTP features. These new tags may help the analyst determine if two IPs appear to be using the same tools.
For example, in Figure 3, we are able to determine with a high degree of confidence that the IP shown above is orchestrating a full-featured web browser (such as Puppeteer) to scan the internet. We see this because the IP exhibits browser-like behavior and attributes, including carrying a referer header, accepting cookies, and following redirects.
We hope these new tags offer our users greater insight into the tooling and libraries utilized by internet background noise-makers. Let us know what you think by sharing your feedback on the GreyNoise Community Slack channel (must have a GreyNoise account).
Imagine this scenario: You’re running a security operations center, and your team is processing a bunch of alerts coming out of Splunk Enterprise Security. As you add new detections and log sources, the volume of alerts begins to rise, your analysts start to get overwhelmed, and that familiar alert fatigue starts to kick in. Your security engineering team jumps in with yet another cycle of tuning to get the alert volumes back down to manageable levels. Then the cycle starts all over again...
Hurricane Labs lives this reality every day as a managed services provider that is 100% focused on Splunk and Phantom. The company manages these platforms for customers, providing 24x7 monitoring services supported by a team of Splunk ninjas to handle the heavy lifting.
Recently the Hurricane team found a way to leverage GreyNoise Intelligence data to identify the noise in Splunk and Phantom alert traffic, reducing the load on their analysts by 25%.
We had the good fortune to chat with Hurricane Labs Director of Managed Services, Steve McMaster, to learn how the company had done it.
STEVE MCMASTER: Sure - to set the stage, we manage Splunk and Phantom deployments for our customers, running the gamut from infrastructure management, to search and SPL creation, to security analysis and alerting, to rapid incident response. As part of these services, we provide 24x7 security monitoring, and I oversee the two teams that deliver this service. I’ve been with Hurricane for almost 14 years at this point - it's actually the only job I've ever had. I started here at age 17, right out of high school, and along the way, I've done a little bit of everything.
STEVE MCMASTER: We process a high volume of alerts on behalf of our customers, and as part of this traffic, we often see a lot of noisy alerts. This includes everything from known benign scanners (such as Shodan) to what we call "internet background noise," scanners that are constantly scanning the internet as a whole, looking for things to poke at.
The alert volumes we see are a constant ebb and flow, and we spend a lot of time tuning our customer’s environments to turn down the noise to a manageable level. But then, as we add new customers and more detections, the alert volumes start to creep back up. That’s when we see our analysts getting overwhelmed and feeling alert fatigue. It’s a normal cycle for our business, alert volumes go up, and then we need to dig in and tune our implementations to bring the volumes back down.
STEVE MCMASTER: We were starting a new cycle of tuning to get alert volumes to come back down when I stumbled on Andrew [Morris, GreyNoise founder]. I saw my boss and Andrew exchanging views on Twitter, and I thought, “Who is this guy, and why does the stuff he’s saying make so much sense?” So I took a look at the GreyNoise product.
I have to say, I’ve always been a big skeptic of threat intelligence as an industry because once enough people know about a piece of intelligence to publish it for general consumption, it’s already burned infrastructure. Yes, you might find some threats with it, but it's not worth the $150K per year that they charge for it.
But GreyNoise was different. I always refer to GreyNoise now as “anti-threat intelligence.” It’s specifically the opposite of traditional threat intelligence. Instead of saying, “pay attention to this,” GreyNoise says, “STOP paying attention to this; go spend your time on other things.”
So this approach fit into an argument I was having with our customers a lot at the time - my point was that the things that you’re detecting are not actionable. They’re not targeted at you; they’re not somebody trying to exploit you; they’re JUST scanning the internet. So you shouldn’t worry about them or spend time on them.
Shodan makes a really good example of this, because Shodan is scanning everybody and showing up in a lot of alerts. But this is not something YOU need to care about, Mr. Customer; therefore, it's not something WE need to care about as part of our monitoring service. The problem is that this is really hard to quantify. You can show people that alerts from Shodan should be ignored — that's easy, but trying to identify broader Internet background noise was a lot harder to do. To be able to say, “Okay, we've seen this thing across our 40 customers, so let’s ignore it,” that's not really enough scale to be able to make this conclusion definitively.
And then along came this guy who had a product that did exactly that. So GreyNoise let us expand our service in a way that customers kind of already expected from us. Now we could say, “Look, this is opportunistic, this is generalized, this is global, this is not targeted.” And we could say this definitively because of the scale that GreyNoise operates.
And it really just happened to fit at a time when that was a problem we were trying to tackle with our customers.
STEVE MCMASTER: We’re using GreyNoise in two ways - we use the data inside Splunk to eliminate alerts before they ever get to us, and then we do enrichment of alerts in Phantom once they reach us. We integrate the GreyNoise data into these environments using pre-built integrations that we initially developed, although we have turned these over to GreyNoise to maintain and extend for all their customers.
Our goal with these integrations is that if the IP address is in GreyNoise, then we eliminate it from alerting. GreyNoise actually returns 3 basic categories of “noise:”
The reality is that some customers are not totally comfortable with the accuracy of these classifications (at least at first), so for some customers, we still raise a low-priority alert so they can have a human look at it. I think that this comes down to trust --and based on OUR experience-- if GreyNoise is confident the IP address is a scanner, then we are happy to ignore it. I would say about two-thirds of our customers are there today.
I’m also really excited about something Andrew mentioned at the last Open Forum conference GreyNoise held, the new RIOT service. Instead of identifying internet scanner “noise,” RIOT looks at the flip side of this by identifying the “known good,” common business services that everyone uses, like Slack or Office365, or Google IP addresses. So now we can easily tell the difference between a legitimate service like a Microsoft update and a "not legitimate" service like a malware download.
STEVE MCMASTER: Sure, so when we use GreyNoise to filter noisy alerts out of Splunk, we use the GreyNoise-Splunk integration. We install that in our customer’s Splunk environment and add it to the search language for various detections. The logic is straightforward: if something in the search results matches GreyNoise, it gets excluded.
More specifically, we apply GreyNoise to any correlation search or detection inside of Splunk that we think is relevant. The big ones are IDS events and Splunk’s vulnerability scanner detection rules; those are the main ones that we use it for.
For Phantom, on the other hand, we use GreyNoise as an enrichment. The way our monitoring service works, we bring all of our customers’ alerts into a single Phantom instance, and we have the GreyNoise-Phantom integration installed. For our analysts looking at the alerts, one of the first things they do is look at the GreyNoise data. If the verdict is “noise,” then we know we don't need to do a lot more digging beyond that. This ends up saving us a lot of time because rather than investigating whether this is a targeted attack and figuring out whether anything was exploited, we can just short circuit the process, note it as a scanner, and send it over. Today we’re doing this as a manual process, but it's on our list to automate this into our incoming Phantom playbooks.
STEVE MCMASTER: When I first told Andrew that we'd be interested in subscribing, I told him I had no concept of how much something like this would be worth. I didn’t know if we were going to turn this on and see matches with 10 alerts per day across our customers or 100. But the impact on alerts is really the only thing I had to help quantify the value of GreyNoise.
So Andrew gave us a two week trial, and I added it to our triage tool (this was before we stood up Phantom). And I just counted up how many alerts over a week would have been something we could totally ignore with GreyNoise versus what we would not have been able to. We were somewhere in the vicinity of saving the equivalent of one to one and a half analysts per day, out of 22 total analysts at the time, based on the alerts that we could safely eliminate with GreyNoise.
Today, after implementation and with more customers in hand, GreyNoise helps my teams eliminate background noise and focus on the most actionable and relevant alerts for our customers. Rather than presenting our analysts with even more data to investigate, GreyNoise has allowed us to reduce the volume of alerts that are triggered by 25%, which makes for a happier and more effective SOC team.
And for us as an MSSP, this is even more significant than it might be for an enterprise. When you’re in a normal enterprise business, you can make a decision to spend money on a person or spend money on a product that eliminates alerts--you kind of have to pick your poison. But for us, the calculus is a bit different. When we invest in a person, that analyst can do, say, 20 alerts per day. But if we invest in a product, that product can triage a certain number of alerts at every one of our customers. And for every new customer, it can repeat that work. So even if GreyNoise could only eliminate 8 alerts per day across 40 different customers, that’s 320 alerts. As we add more customers, GreyNoise scales in a way a person wouldn’t.
On September 21, 2021, VMWare published an advisory for several vulnerabilities. This included, most notably, CVE-2021-22005, which affects their vCenter Server product. This vulnerability is an arbitrary file upload vulnerability that can lead to remote code execution (RCE) via upload of a specially crafted file. This works regardless of the configuration settings of vCenter Server.
Due to the severity of this vulnerability, VMWare published workaround instructions detailing how to manually or automatically patch the affected products. The automated patching script (available in the right-hand panel in the link above) includes logic to validate if your product is vulnerable to CVE-2021-22005, as well as confirm the patch has worked as expected.
As of September 23, 2021, there is no known publicly available proof-of-concept (PoC) code for the CVE that enables arbitrary file upload or RCE. However, GreyNoise is observing a significant number of checks for vulnerable instances of vCenter Server based off of the automated patching script provided by VMWare, most of these egressing via Tor.
The following tags have been released to enable monitoring of relevant activity:
Editor's Note: If either of these tags return "no results," this means that we have not observed any recent activity. You can be notified if this changes by using our Alerts feature.
Atlassian Confluence Server OGNL Injection Attempt [Intention: Malicious]
Atlassian Confluence Server OGNL Injection Vuln Check [Intention: Unknown]
Oracle WebLogic RCE CVE-2021-2109 [Intention: Malicious]
Seagate BlackArmor RCE Attempt [Intention: Malicious]
ASUS GT-AC2900 Auth Bypass Attempt [Intention: Malicious]
Apache SkyWalking GraphQL SQL Injection [Intention: Malicious]
Carries HTTP Referer [Intention: Unknown]
Stores HTTP Cookies [Intention: Unknown]
Follows HTTP Redirects [Intention: Unknown]
RSYNC Crawler [Intention: Unknown]
University of Michigan [Intention: Benign]
As part of our process, our research team continues to clean up and improve on existing tags as new information or better processes are introduced.
ADB Check [Intention: Unknown]
ADB Attempt [Intention: Malicious]
EDITORS NOTE: This blog post has been updated as of Sep. 2 to reflect edits to the Atlassian Confluence Server OGNL Injection tags.
Tag: Exchange ProxyShell Vuln Attempt [Intention: Malicious]
Tag: Exchange ProxyShell Vuln Check [Intention: Unknown]
Tag: Javascript Enabled [Intention: Unknown]
Tag: Aerospike RCE Attempt [Intention: Malicious]
Tag: Docker API Container Creation Attempt [Intention: Malicious]
Tag: Buffalo Router RCE Check [Intention: Unknown]
Tag: Buffalo Router RCE Attempt [Intention: Malicious]
Tag: FirebirdSQL Crawler [Intention: Unknown]
Tag: Ruijie EG Command Injection Attempt [Intention: Malicious]
As part of our process, our research team continues to clean up and improve on existing tags as new information or better processes are introduced.
Tag: X Server Connection Attempt [Intention: Malicious]
Tag: ADB Worm [Intention: Malicious]
Please update your search term or select a different category and try again.
.png)