In 2024, attackers didn’t just exploit vulnerabilities — they automated them at scale, turning the internet into a playground for mass exploitation.
GreyNoise observed widespread internet scanning and exploitation attempts across thousands of IPs, showing how attackers are scaling operations faster than defenders can respond.
The GreyNoise 2025 Mass Internet Exploitation Report provides a detailed breakdown of how mass exploitation evolved in 2024, which vulnerabilities were most targeted, and how CISOs and security professionals can stay ahead in 2025.
This report confirms that mass exploitation is not just a zero-day problem — it’s a persistent issue across both new and old vulnerabilities.
“Mass exploitation isn’t just about zero-days — it’s about attackers industrializing vulnerability exploitation at scale,” said Andrew Morris, Founder and Chief Architect at GreyNoise. “They care less about CVSS scores or KEV lists. They scan the entire internet — it’s quick and cheap to do — they find what’s exposed, and go after it immediately. This report shows just how fast and unpredictable mass exploitation really is — and why security teams need real-time intelligence to keep up.”
Attackers aren’t just targeting newly disclosed vulnerabilities — many of the most exploited CVEs in 2024 are years old, proving that security teams must rethink patching priorities.
GreyNoise tracked the most frequently observed vulnerability exploitation attempts across the internet in 2024. Some of the most targeted vulnerabilities included:
These vulnerabilities were frequently targeted throughout 2024, often in large-scale scanning campaigns, botnet-building operations, or ransomware-driven attacks.
The 2025 Mass Internet Exploitation Report confirms that:
— — —
Noah Stone contributed to this writeup in collaboration with GreyNoise Research. Stone is Head of Content at GreyNoise Intelligence, where he leads strategic content initiatives that illuminate the complexities of internet noise and threat intelligence. In past roles, he led partnered research initiatives with Google and the U.S. Department of Homeland Security. With a background in finance, technology, and engagement with the United Nations on global topics, Stone brings a multidimensional perspective to cybersecurity. He is also affiliated with the Council on Foreign Relations.
A major leak of internal chat logs from the Black Basta ransomware group has revealed 62 CVEs discussed by the group — offering a glimpse into the vulnerabilities considered for exploitation by one of the most active ransomware operators. The list, first compiled by VulnCheck, underscores how attackers continue to target publicly known vulnerabilities long after disclosure.
To assess real-world impact, GreyNoise analyzed internet-wide exploitation activity for these vulnerabilities. Our data confirms that 23 of these CVEs are being actively exploited, affecting enterprise software, security appliances, and widely used applications.
Below we see that 23 of the 62 CVEs mentioned in Black Basta’s leaked chat logs have been targeted within the past 30 days.
The CVEs are:
A subset of the CVEs targeted within the past 30 days has also been targeted within the past 24 hours. These include:
Organizations should immediately assess their exposure to the actively exploited CVEs from this blog and take the following steps:
The following 62 CVEs were identified in Black Basta’s leaked chat logs by VulnCheck. Organizations can use this list to assess their exposure.
GreyNoise will continue monitoring exploitation trends in real time. Stay updated by following GreyNoise’s threat intelligence reports, platform updates, and by visiting the GreyNoise visualizer.
GreyNoise is developing an enhanced dynamic IP blocklist to help defenders take faster action on emerging threats. Click here to learn more or get on the waitlist.
— — —
Recent analyses have highlighted that Salt Typhoon, a Chinese state-sponsored cyber espionage group, has been actively targeting Cisco devices. The group employs various tactics, including the use of legitimate login credentials and, in some instances, exploiting known vulnerabilities such as CVE-2018-0171.
Between December 2024 and January 2025, Salt Typhoon reportedly leveraged CVE-2023-20198 and CVE-2023-20273 to compromise five additional telecom networks, including entities in the United States.
GreyNoise’s global observation grid (GOG) has detected malicious exploitation attempts against two Cisco vulnerabilities linked to these attacks:
GreyNoise will continue monitoring for changes in exploitation patterns and provide updates as new intelligence emerges. Stay ahead of exploitation attempts by leveraging GreyNoise’s real-time intelligence.
Important: These CVEs were referenced in recent Salt Typhoon reports, but we are NOT attributing this activity to Salt Typhoon — only confirming that exploitation is occurring.
---
CISA added CVE-2025-0108 to its Known Exploited Vulnerabilities (KEV) catalog.
GreyNoise has observed active exploitation attempts targeting a newly disclosed authentication bypass vulnerability, CVE-2025-0108, affecting the Palo Alto Networks PAN-OS management web interface. This high-severity flaw allows unauthenticated attackers with network access to that interface to invoke specific PHP scripts, potentially leading to unauthorized access to vulnerable systems.
GreyNoise can confirm active exploitation of CVE-2025-0108.
Organizations relying on PAN-OS firewalls should assume that unpatched devices are being targeted and take immediate steps to secure them.
Defenders should take the following steps immediately:
GreyNoise will continue tracking this threat as it evolves. Stay ahead of exploitation attempts by leveraging GreyNoise’s real-time intelligence.
---
GreyNoise has identified a significant spike in exploitation activity targeting two vulnerabilities — one already flagged by government agencies as a top target, and another flying under the radar despite real-world attacks increasing.
Both vulnerabilities highlight a growing concern in how organizations prioritize patching:
GreyNoise has observed a rapid increase in exploit attempts for both vulnerabilities over the past 10 days.
Observed Exploitation Attempts for CVE-2022-47945 (ThinkPHP LFI)
Observed Exploitation Attempts for CVE-2023-49103 (ownCloud GraphAPI)
Attackers are actively scanning for and targeting both vulnerabilities, yet only one of them (CVE-2023-49103) is listed in CISA's KEV catalog, raising questions about how security teams are prioritizing threats.
Block Known Malicious IPs Now: CVE-2023-49103, CVE-2022-47945
The difference in how these two CVEs are being treated highlights a broader challenge in vulnerability management.
Attackers are making their priorities clear. See live exploitation trends now for CVE-2023-49103 and CVE-2022-47945.
GreyNoise is observing active exploitation attempts targeting a zero-day critical command injection vulnerability in Zyxel CPE Series devices tracked as CVE-2024-40891. At this time, the vulnerability is not patched, nor has it been publicly disclosed. Attackers can leverage this vulnerability to execute arbitrary commands on affected devices, leading to complete system compromise, data exfiltration, or network infiltration. At publication, Censys is reporting over 1,500 vulnerable devices online.
CVE-2024-40891 is very similar to CVE-2024-40890 (for which GreyNoise already has tags covering observed authentication attempts and observed command injection attempts), with the main difference being that the former is telnet-based while the latter is HTTP-based. Both vulnerabilities allow unauthenticated attackers to execute arbitrary commands using built-in service accounts (supervisor and/or zyuser).
VulnCheck disclosed CVE-2024-40891 to their partners as "Zyxel CPE Telnet Command Injection" on August 1, 2024, but as of this writing, the CVE has not yet been officially published by the vendor, nor have they published an advisory. Last week, researchers from GreyNoise collaborated with VulnCheck to verify the accuracy of the detection, ensuring that the traffic is linked to this CVE specifically. GreyNoise researchers created a tag for this issue on January 21, 2025, and worked with VulnCheck to coordinate this disclosure. Ordinarily, disclosure would be coordinated with the vendor, but due to the large number of attacks, we decided to publish this immediately.
GreyNoise users can track live exploitation patterns, including attacker IP addresses, for this CVE here.
Over 15,000 Fortinet FortiGate firewalls were exposed in a data leak, and thousands of them still have their login interfaces reachable from the internet, leaving them vulnerable to exploitation. GreyNoise has identified hundreds of these devices actively being weaponized by attackers for malicious purposes, providing defenders with a real-time view into their behavior and intent.
This breach, tied to CVE-2022-40684 — an authentication bypass vulnerability disclosed in late 2022 — has created new opportunities for attackers to exploit these devices. While patches have been available since October 2022, thousands of firewalls remain exposed as of January 2025, continuing to pose a serious risk.
But this breach isn’t just about exposure — it's about the active exploitation happening right now. In this blog, GreyNoise reveals how attackers are leveraging these devices in real time and provides critical insights to help defenders respond effectively.
GreyNoise specializes in observing and classifying internet activity in real time. Our global observation grid tracks attacker behaviors by monitoring interactions with thousands of our sensors worldwide. Unlike sources that focus on theoretical risks or exposure, GreyNoise reveals the actual behaviors of these compromised devices as they interact with our sensors.
According to Censys, around 4,600 of the 15,000+ affected IPs are still exposing their FortiGate web login interfaces, down from over 5,000 when Censys published its blog detailing the figures. The chart below illustrates the steady decline.
1. In this Case, Interaction with GreyNoise’s Sensors = Harmful Intent
Firewalls hitting GreyNoise’s sensors are behaving abnormally. A perimeter firewall has no legitimate reason to initiate connections to unrelated hosts on the internet, so a FortiGate address that reaches our sensor network is doing something its operator never configured it to do.
2. Behavioral Breakdown and List of Compromised IPs
GreyNoise classifies observed activity into three categories (benign, malicious, and unknown). Here’s the breakdown for the 366 Fortinet IPs:
This activity is not new. GreyNoise has observed compromised Fortinet devices exhibiting harmful behaviors over several years, as shown below. The timeline highlights both the first and most recent sightings of these devices interacting with our sensor network.
To help defenders — particularly firewall administrators — take immediate action, we’re sharing a list of the 366 Fortinet IPs interacting with our sensor network, updated as of January 28:
Download the full list of observed IPs here. This information changes over time; to view a dynamic list of all IPs interacting with our network, navigate to the GreyNoise Analysis tab:
Paste the 15,000+ affected IPs:
Click “ANALYZE” and explore the results:
3. Threat Trends: What Attackers are Doing
Tags assigned to these devices reveal active reconnaissance or exploitation activity originating from compromised Fortinet systems:
4. Geographic Distribution
These compromised devices originate from multiple regions worldwide. The top 10 hotspots are:
This global spread underscores how widely Fortinet firewalls are deployed and how attackers are leveraging them for malicious purposes.
1. Audit Your IPs and CIDRs
2. Monitor Your Infrastructure for Compromise
1. Patch and Secure Your Devices
2. Block Compromised Fortinet IPs
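The two administrator steps above, auditing your own address space against the leaked list and turning the rest of that list into a firewall blocklist, are straightforward to script offline. The following is an added example, not GreyNoise code or tooling; the IP list and the CIDRs it checks are constructed placeholders from the RFC 5737 documentation ranges, standing in for the real leak and for an organisation's own public ranges.

```python
from __future__ import annotations

import ipaddress
from collections import defaultdict
from typing import Iterable

# Constructed stand-in for the leaked FortiGate IP list (one address per line,
# with the kind of junk a pasted list usually contains). These are RFC 5737
# documentation addresses, NOT real compromised devices.
LEAKED_IPS = """
203.0.113.10
203.0.113.77
198.51.100.5
198.51.100.16
198.51.100.17
198.51.100.18
198.51.100.19
192.0.2.200
192.0.2.201
192.0.2.202
192.0.2.203
10.99.0.1
this line is junk
"""

# Constructed: the public address space this organisation is responsible for.
OUR_CIDRS = ["203.0.113.0/24", "192.0.2.192/28"]

# RFC 1918 space cannot be an internet-facing FortiGate; treat it as noise.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_ips(raw: str) -> list[ipaddress.IPv4Address]:
    """Parse one IP per line, skipping blank, malformed and RFC 1918 entries."""
    out: list[ipaddress.IPv4Address] = []
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ip = ipaddress.IPv4Address(line)
        except ipaddress.AddressValueError:
            continue  # junk line; a real list has plenty of these
        if any(ip in net for net in RFC1918):
            continue
        out.append(ip)
    return out


def audit_cidrs(cidrs: Iterable[str], leaked: Iterable[ipaddress.IPv4Address]) -> dict[str, list[str]]:
    """Step 1 for admins: which leaked addresses fall inside ranges we own?"""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    hits: dict[str, list[str]] = defaultdict(list)
    for ip in leaked:
        for net in nets:
            if ip in net:
                hits[str(net)].append(str(ip))
    return dict(hits)


def build_blocklist(leaked: Iterable[ipaddress.IPv4Address], exclude_cidrs: Iterable[str]) -> list[str]:
    """Step 2 for admins: collapse the leaked addresses into the smallest set of
    CIDR blocks for a deny rule, after removing our own ranges so that a rule
    built from the leak cannot lock us out of our own devices."""
    exclude = [ipaddress.ip_network(c, strict=False) for c in exclude_cidrs]
    remaining = [ipaddress.ip_network(f"{ip}/32") for ip in leaked
                 if not any(ip in net for net in exclude)]
    return [str(n) for n in ipaddress.collapse_addresses(remaining)]


if __name__ == "__main__":
    leaked = parse_ips(LEAKED_IPS)
    print(f"{len(leaked)} usable addresses in the list")
    for cidr, ips in audit_cidrs(OUR_CIDRS, leaked).items():
        print(f"OURS  {cidr}: {', '.join(ips)}")
    for block in build_blocklist(leaked, OUR_CIDRS):
        print(f"DENY  {block}")
```

Addresses that land in your own ranges are the ones to treat as compromised devices (rotate credentials, check the configuration, apply the CVE-2022-40684 fix); the collapsed remainder is what goes into the perimeter deny list, and collapsing keeps the rule count manageable when the input is 15,000 lines long.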
With GreyNoise, organizations can monitor their external-facing IPs, reduce noise in their threat landscape, and focus their defenses on the most immediate and significant risks. In the case of Fortinet firewalls, if it’s hitting GreyNoise sensors, it’s already up to no good.
Take control of your external threat landscape today. Use GreyNoise to monitor malicious activity, track behaviors in real time, and protect your organization. Add your IPs or CIDRs to GreyNoise’s alerts now.
Cybersecurity professionals face mounting pressure to stay ahead of attackers. From zero-days to targeted campaigns, the need for actionable intelligence is clear — but not every team requires a dedicated threat intelligence feed. That’s why GreyNoise created this unbiased, vendor-neutral white paper: to help security professionals navigate the complexity, assess their true needs, and make informed decisions about the type of threat intelligence feed that’s right for them.
Before investing, it’s essential to ask:
This vendor-neutral, practical white paper offers clear, unbiased guidance to help you:
Not every organization requires a dedicated threat intelligence feed. For some, embedded feeds integrated into firewalls or SIEMs are sufficient. For others, targeted adversaries, complex environments, or sector-specific threats demand a more tailored approach.
This guide cuts through the noise to help you make an informed decision, whether you’re enhancing an existing setup or exploring new options.
This isn’t a sales pitch. It’s a strategic resource to help you assess your needs, evaluate options, and build a proactive cyber defense strategy tailored to your organization.
Download the guide now to get clarity on whether a threat intelligence feed is the right move for your team
This is a follow-up to our October 2022 post — Sensors and Benign Scanner Activity.
Throughout the year, GreyNoise tends to focus quite a bit on the “naughty” connections coming our way. After all, that’s how we classify IP addresses as malicious so organizations can perform incident triage at light speed, avoid alert fatigue, and get a leg up on opportunistic attackers by using our IP-based block-lists.
At this time of year, we usually take some time to don our Santa hats and review the activities of the “nice” (a.k.a., “benign”) sources that make contact with our fleet.
Scanning the entire internet now drives both cybersecurity attack strategies and defense tactics. Every day, multiple legitimate organizations perform mass scanning of IPv4 space to gather data about exposed services, vulnerabilities, and general internet health. In November 2024, we deployed 24 new GreyNoise sensors across diverse network locations to study the behavior and patterns of these benign scanners.
When organizations deploy new internet-facing assets, they typically experience a flood of inbound connection attempts within minutes. While many security teams focus on malicious actors, understanding benign scanning activity is equally crucial for several reasons:
We positioned 24 freshly baked sensors across five separate autonomous systems and eight distinct geographies and began collecting data on connection attempts from known benign scanning services. We narrowed the focus down to the top ten actors with the most tags in November. The analyzed services included major players in the internet scanning space, such as Shodan, Censys, and BinaryEdge, along with newer entrants like CriminalIP and Alpha Strike Labs.
Today, we’ll examine these services' scanning patterns, protocols, and behaviors when they encounter new internet-facing assets. Understanding these patterns helps security teams better differentiate between routine internet background noise and potentially malicious reconnaissance activity. There’s a “Methodology” section at the tail end of this post if you want the gory details of how the sausage was made.
We’ll first take a look at the fleet size of the in-scope benign scanners.
The chart below plots the number of observed IP addresses from each organization for the entire month of November vs. the total tagged interactions from those sources (as explained in the Methodology section). Take note of the tiny presence of both Academy for Internet Research and BLEXBot, as you won’t see them again in any chart. While they made the cut for the month, they also made no effort to scan the sensors used in this study.
As we’ll see, scanner fleet size does not necessarily guarantee nimbleness or completeness when it comes to surveying services on the internet.
The internet scanner/attack surface management (ASM) space is pretty competitive. One area where speed makes a difference is how quickly new nodes are added to the various inventories. All benign scanners, save for ONYPHE (~9 minutes) and CriminalIP (~17 minutes), hit at least one of the target sensors within five minutes of the sensor coming online.
BinaryEdge and ONYPHE display similar dense clustering patterns, with significant activity bursts occurring around the 1-week mark. Our sensors record a high volume of unique IPs from each of them, forming distinctive cone-shaped distributions that suggest systematic scanning behavior.
Censys and Bitsight exhibit comparable behavioral patterns, though Bitsight’s first contacts appear more concentrated in recent timeframes. This could indicate a more aggressive or efficient scanning methodology for discovering new hosts.
ShadowServer shows a more dispersed pattern of first contacts, with clusters forming across multiple time intervals rather than concentrated bursts. This suggests a different approach to host discovery, possibly employing more selective or targeted scanning strategies.
Alpha Strike Labs and Shodan.io demonstrate sparser contact patterns, indicating either more selective scanning criteria or smaller scanning fleets. Their distributions show periodic clusters rather than continuous streams of new contacts.
CriminalIP presents the most minimal contact pattern, with occasional first contacts spread across the timeline. This could reflect a highly selective approach to host identification or a more focused scanning methodology.
The above graph also shows just how extensive some of the scanner fleets are (each dot is a single IP address making contact with one of the sensors; dot colors distinguish one sensor node from another).
If we take all that distinct data and whittle it down to count which benign scanners hit the most sensors first, we see that ONYPHE is the clear winner, followed by Censys — demonstrating strong but more focused scanning capabilities — with BinaryEdge coming in third.
The chart below digs a bit deeper into the first contact scenarios. We identified the very first contacts to each of the 24 sensor nodes from each benign scanner. ONYPHE shows a concentrated burst of activity in the 6-12 hour window, while Bitsight’s contacts are more evenly distributed throughout the observation period. Censys demonstrates a mixed pattern, with clusters in the early hours followed by sporadic contacts. ShadowServer exhibits a notably consistent spread of first contacts across multiple time windows.
BinaryEdge’s pattern suggests coordinated scanning activity, with tight groupings of contacts that could indicate automated discovery processes. Alpha Strike Labs shows a selective, possibly more targeted approach to first contact, while CriminalIP has minimal but distinct touchpoints. Shodan rounds out the observation set with periodic contacts that suggest a methodical scanning approach.
While speed is a critical competitive edge, coverage may be an even more important one. It’s fine to be the first to discover, but if you’re not making a comprehensive inventory, are you even scanning?
We counted up all the ports these benign scanners probed over the course of a week. Censys leads the pack with an impressive 36,056 ports scanned, followed by ShadowServer scanning 19,166 ports, and Alpha Strike Labs covering 14,876 ports.
ONYPHE, Shodan, and even both BinaryEdge and Bitsight seem to take similar approaches when it comes to probing for services on midrange and higher ports. All of them, save for CriminalIP, definitely know when you’ve been naughty and tried to hide some service outside traditional port ranges.
Before moving on to our last section, it is important to remind readers that we are only showing a 7-day view of activity. Some scanners, notably Censys, have much broader port coverage than the 55% of the 65,536-port space we observed in that window. The internet is a very tough environment to perform measurements in. Routes break, cables are cut, and even one small connection hiccup could mean a missed port hit. Plus, it’s not very nice to rapidly clobber a remote node that one is not responsible for.
The vast majority of benign contacts have no real payloads. Some of them do make checks for specific services or for the presence of certain weaknesses. When they do, the GreyNoise Global Observation Grid records a tag for that event. We wanted to see just how many tags these benign scanners sling our way.
Given ShadowServer’s mission, it makes sense that they’d be looking for far more weaknesses than the other benign scanners. The benign scanner organizations that also have an attack surface management (ASM) practice will also usually perform targeted secondary scans for customers who have signed up for such inspections.
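The three measurements used above, time to first contact, which scanner reaches each new sensor first, and distinct port coverage inside the 7-day window, reduce to a few passes over a table of connection events. What follows is an added example of that computation and is not GreyNoise's analysis code or data: the sensor start times and the handful of events (timestamp, sensor, actor, source IP, destination port) are constructed, with RFC 5737 placeholder addresses, and include one event that deliberately falls outside the window.

```python
from __future__ import annotations

from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: when each new sensor came online (UTC).
SENSOR_ONLINE = {
    "sensor-a": datetime(2024, 11, 19, 0, 0, 0),
    "sensor-b": datetime(2024, 11, 20, 12, 0, 0),
}

# Constructed sample events: (timestamp, sensor, actor, source_ip, destination_port).
# The last event is past sensor-b's 7-day window and must not count toward coverage.
EVENTS = [
    ("2024-11-19 00:03:10", "sensor-a", "Censys",       "192.0.2.10",   443),
    ("2024-11-19 00:03:12", "sensor-a", "Censys",       "192.0.2.10",   22),
    ("2024-11-19 00:03:15", "sensor-a", "Censys",       "192.0.2.11",   8443),
    ("2024-11-19 00:09:00", "sensor-a", "ONYPHE",       "198.51.100.7", 80),
    ("2024-11-19 00:30:00", "sensor-a", "ShadowServer", "203.0.113.40", 3389),
    ("2024-11-19 02:00:00", "sensor-a", "ShadowServer", "203.0.113.40", 5900),
    ("2024-11-20 00:00:00", "sensor-a", "ONYPHE",       "198.51.100.7", 8443),
    ("2024-11-20 12:02:00", "sensor-b", "ONYPHE",       "198.51.100.7", 443),
    ("2024-11-20 12:04:30", "sensor-b", "Censys",       "192.0.2.10",   443),
    ("2024-11-20 12:04:31", "sensor-b", "Censys",       "192.0.2.10",   8080),
    ("2024-11-29 00:00:00", "sensor-b", "ShadowServer", "203.0.113.41", 22),
]


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


def fleet_size(events) -> dict[str, int]:
    """Distinct source IPs seen per actor (the 'observed IP addresses' axis)."""
    ips: dict[str, set[str]] = defaultdict(set)
    for _, _, actor, ip, _ in events:
        ips[actor].add(ip)
    return {actor: len(s) for actor, s in ips.items()}


def time_to_first_sensor(events, online) -> dict[str, float]:
    """Seconds between a sensor coming online and each actor's earliest
    contact with ANY sensor (the 'within five minutes' metric)."""
    best: dict[str, float] = {}
    for ts, sensor, actor, _, _ in events:
        delay = (_ts(ts) - online[sensor]).total_seconds()
        if delay < 0:
            continue  # clock skew or a pre-deployment probe; not a first contact
        if actor not in best or delay < best[actor]:
            best[actor] = delay
    return best


def first_arrivals(events) -> Counter:
    """Which actor reached each sensor first, counted as sensors 'won' per actor."""
    earliest: dict[str, tuple[datetime, str]] = {}
    for ts, sensor, actor, _, _ in events:
        t = _ts(ts)
        if sensor not in earliest or t < earliest[sensor][0]:
            earliest[sensor] = (t, actor)
    return Counter(actor for _, actor in earliest.values())


def port_coverage(events, online, window: timedelta = timedelta(days=7)) -> dict[str, int]:
    """Distinct destination ports probed per actor within `window` of each
    sensor's start; events after the window are ignored."""
    ports: dict[str, set[int]] = defaultdict(set)
    for ts, sensor, actor, _, port in events:
        start = online[sensor]
        if start <= _ts(ts) <= start + window:
            ports[actor].add(port)
    return {actor: len(p) for actor, p in ports.items()}


if __name__ == "__main__":
    print("fleet size:      ", fleet_size(EVENTS))
    print("first contact (s):", time_to_first_sensor(EVENTS, SENSOR_ONLINE))
    print("sensors won:     ", dict(first_arrivals(EVENTS)))
    print("ports in 7 days: ", port_coverage(EVENTS, SENSOR_ONLINE))
```

On real sensor logs the same functions run unchanged over a list of tuples pulled from whatever store holds the events; the window check is what keeps a late-month sweep from inflating a scanner's 7-day coverage, which is the caveat raised above about Censys's true port breadth.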
We hope folks enjoyed this second look at what benign scanners are up to and what their strategies seem to be when it comes to measuring the state of the internet.
If you have specific questions about the data or would like to see different views, please do not hesitate to contact us in our community Slack or via email at research@greynoise.io.
Sensors were deployed between 2024-11-19 and 2024-11-26 (UTC) across five autonomous systems and in the IP space of the following countries:
The in-scope benign actors (based on total tag hits across all of November):
Both Palo Alto Networks’ Cortex Xpanse and ByteSpider were in the original top ten, but were removed as candidates. Each of those services is prolific/noisy (one might even say “rude”), would have skewed the results, and would have made it impossible to compare the performance of the more traditional scanners. Furthermore, while ByteSpider may be (arguably) benign, it has more of a web crawling mission that differs from the intents of the services on the rest of the actor list.
We measured the inbound traffic from the in-scope benign actors for a 7-day period.
Unfortunately, neither Academy for Internet Research nor BLEXBot reached out and touched these 24 new sensor nodes, so they have no presence in the results.
Attackers are increasingly capitalizing on newly disclosed vulnerabilities within hours of proof-of-concept (PoC) code becoming public. This shrinking timeline leaves defenders with little time to react. A recent example is the rapid response to two Mitel MiCollab vulnerabilities — CVE-2024-41713 (authentication bypass) and CVE-2024-35286 (SQL injection). On December 5, GreyNoise was ready. The same day the PoC went public, GreyNoise began observing attacker activity, demonstrating the speed at which threat actors exploit new information.
The following screenshots from GreyNoise’s Visualizer show unique IP addresses associated with attacker activity following the PoC release. These spikes coincide with the deployment of detection tags, providing a clear picture of how quickly attackers respond to new exploit information.
Leveraging our IP blocklists, GreyNoise customers can immediately block IPs targeting these vulnerabilities.
The chart below shows unique IP addresses probing for CVE-2024-41713 on December 5, immediately after the PoC release. This activity demonstrates attacker interest, highlighting how quickly attackers act on new exploit opportunities. For defenders, this means prioritizing visibility and mitigation immediately after public disclosures.
While the SQL injection vulnerability showed limited activity, it’s important to monitor for potential escalation. Even low activity levels can indicate attackers testing the waters, making proactive mitigation essential.
Both vulnerabilities have been addressed by Mitel:
By applying these patches, organizations can reduce their exposure to attacker activity.
The divergence between predicted exploit likelihood and real-world attacker behavior highlights the necessity for real-time threat intelligence. Predictive models like EPSS currently give both CVEs a probability of exploitation that rounds to 0%, yet GreyNoise’s data provides concrete evidence of attacker activity. This underscores a critical reality: attackers act on opportunities as soon as they arise, often outpacing static predictions.
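The point made here, and earlier in the ThinkPHP/ownCloud comparison and the Black Basta CVE list, is that observed exploitation should outrank KEV membership and EPSS when deciding what to patch first. The following is an added example of that triage rule as code; it is not GreyNoise tooling, and every CVE identifier, product name, EPSS value and IP count in it is a constructed placeholder chosen to reproduce the situations the posts describe (a KEV entry under attack, a non-KEV bug under heavier attack, an EPSS-0% bug being hit today, a KEV entry with no recent activity, and a widely attacked product the organisation does not run).

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    cve: str
    product: str
    in_kev: bool          # listed in CISA's KEV catalog
    epss: float           # EPSS probability (0..1) at triage time
    ips_24h: int          # unique source IPs seen exploiting it in the last 24h
    ips_30d: int          # unique source IPs seen exploiting it in the last 30 days
    exposed_assets: int   # our internet-facing assets running the affected product


# Constructed sample; identifiers and numbers are placeholders, not real scores.
SAMPLE = [
    Vuln("CVE-0000-0001", "file-sharing app",   True,  0.96, 12, 180, 3),
    Vuln("CVE-0000-0002", "PHP web framework",  False, 0.05, 40, 900, 2),
    Vuln("CVE-0000-0003", "collaboration suite", False, 0.00,  9,   9, 1),
    Vuln("CVE-0000-0004", "VPN appliance",      True,  0.97,  0,   0, 5),
    Vuln("CVE-0000-0005", "mail gateway",       False, 0.30,  0,   0, 2),
    Vuln("CVE-0000-0006", "firewall OS",        True,  0.97, 50, 300, 0),
]


def triage(v: Vuln) -> tuple[int, str]:
    """Return (priority, reason); lower is more urgent.

    Observation beats prediction: anything being exploited right now is P1 no
    matter what KEV or EPSS say; KEV membership or 30-day activity earns P2;
    EPSS alone earns at most P3. Nothing exposed means track, not patch."""
    if v.exposed_assets == 0:
        return 4, "no exposed assets; track only"
    if v.ips_24h > 0:
        return 1, f"exploitation observed in last 24h ({v.ips_24h} IPs)"
    if v.in_kev:
        return 2, "listed in KEV"
    if v.ips_30d > 0:
        return 2, f"exploitation observed in last 30d ({v.ips_30d} IPs)"
    if v.epss >= 0.10:
        return 3, f"EPSS {v.epss:.2f} predicts exploitation"
    return 4, "no signal; routine patch cycle"


def ranked(vulns: list[Vuln]) -> list[Vuln]:
    """Order by priority, then by live pressure (24h IPs, then 30d IPs), then EPSS."""
    return sorted(vulns, key=lambda v: (triage(v)[0], -v.ips_24h, -v.ips_30d, -v.epss))


if __name__ == "__main__":
    for v in ranked(SAMPLE):
        prio, why = triage(v)
        print(f"P{prio}  {v.cve:<14} {v.product:<20} {why}")
```

The ordering this produces is the one the posts argue for: the non-KEV framework bug with the most attackers lands at the top, the EPSS-0% bug being hit today outranks the KEV entry nobody is currently exploiting, and the heavily attacked product you do not run drops to the bottom regardless of its scores.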
With GreyNoise, defenders can:
Organizations leveraging Mitel MiCollab should act quickly:
The Mitel MiCollab vulnerabilities demonstrate the importance of rapid response in cybersecurity. While defenders cannot always predict when attackers will act, real-time visibility ensures they can respond effectively to reconnaissance or exploitation efforts as they emerge. GreyNoise’s ability to deploy detection tags on the same day as the PoC release exemplifies its commitment to staying ahead of attackers. This readiness is crucial in a world where the window between disclosure and active attacker activity continues to shrink. By detecting reconnaissance or exploitation efforts within hours, GreyNoise gives defenders the critical lead time needed to respond effectively.
The insights in this blog were made possible by GreyNoise’s Global Observation Grid, a network of internet-facing, primary sensors that passively observe and analyze global attack traffic. GreyNoise recently announced significant enhancements to its sensor and data pipeline technology that deliver deeper insights and broader coverage into cyber threats, equipping security teams with actionable intelligence to better detect, prioritize, and respond to emerging and resurgent threats.
Stay ahead of emerging threats with GreyNoise’s real-time intelligence. Contact us today to learn how we can help protect your organization from evolving vulnerabilities.
Over 220 cybersecurity professionals recently shared what they believe to be the most undervalued skill in our industry: the ability to communicate effectively. This revelation came from a Storm⚡️Watch podcast poll and the ensuing discussion highlighted just how critical this "soft skill" truly is.
The crew shared stories that will resonate with anyone who's had to bridge the gap between technical complexity and business reality. Emily, coming from incident response, learned the hard way that executives care less about IOCs and more about how security issues translate to lost deals and damaged relationships. Himaja developed her communication approach by studying how reporters digested her technical reports, using their follow-up questions as a compass for future messaging.
The help desk trenches proved to be an excellent training ground for Kimber, who discovered that success often meant quickly determining whether someone needed visual aids or step-by-step instructions. This adaptability served her well in product management, where she learned that sometimes you need to let people vent before any productive conversation can occur.
Glenn's journey from academia to a customer-facing vendor role emphasized that becoming an effective communicator isn't accidental. It requires intentional effort and constant refinement, especially when dealing with audiences ranging from fresh-faced students to grant-wielding researchers.
The shift to remote work has only amplified the importance of clear communication. Text-heavy platforms like Slack have introduced new challenges in conveying nuance and managing generational differences in communication styles. The solution isn't just about choosing the right words — it's about knowing when to escalate from text to voice, how to distill complex reports into actionable insights, and finding the right balance between professional and personable.
In an industry stereotypically populated by technical "lone wolves", the reality is that cybersecurity's effectiveness hinges on collaboration and relationship building. Whether you're convincing executives to fund critical defenses or helping colleagues understand emerging threats, the ability to connect, explain, and persuade is as crucial as any technical skill.
The path to improved communication isn't about memorizing presentation techniques or mastering email templates. It's about developing emotional intelligence, learning to read your audience, and adapting your message while maintaining its essential truth. In the end, cybersecurity professionals may wield sophisticated tools, but our most powerful asset is the ability to make complex ideas accessible and actionable.
There are many more insights from the full discussion. It’s well-worth a listen.
Critical infrastructure powers the systems we rely on every day — electricity, clean water, transportation. But what happens when these systems are exposed to the internet, left vulnerable to remote attacks? As a new Censys report reveals, this is the growing reality, with 145,000 industrial control systems (ICS) exposed, including thousands of unsecured human-machine interfaces (HMIs).
These findings highlight a growing problem: internet-exposed HMIs, designed to make critical systems manageable, are becoming prime targets for attackers. Often unprotected, these interfaces give malicious actors direct access to operations, making the implications profound — not just for cybersecurity professionals, but for society at large.
The Censys report uncovers significant exposure:
Real-world examples in the report, such as attacks in Pennsylvania and Texas, illustrate how attackers used exposed HMIs to manipulate water systems. These cases didn’t require advanced ICS expertise — just access to an insecure HMI.
For years, ICS security has focused on protecting specialized protocols like Modbus and DNP3. But the Censys report highlights the growing risk posed by low-hanging fruit like HMIs and remote access points, which attackers can exploit to bypass more complex systems entirely.
During the summer of 2024, GreyNoise set up sensors emulating internet-connected HMIs to understand the attack traffic they receive. The results reinforce the urgency of securing these systems:
These findings align with the Censys report, demonstrating that HMIs and remote access points are critical weak points that need immediate attention.
The Censys report and GreyNoise findings are clear: defending ICS environments requires a shift in focus. Here are key steps to take:
The exposures highlighted in the Censys report aren’t only a technical problem — they’re a societal one. Critical infrastructure is the backbone of our modern world, and the risks posed by exposed systems are too great to ignore. The time to act is now: secure the basics, monitor for threats with real-time intelligence, and close the gaps attackers are exploiting.
GreyNoise is dedicated to expanding our visibility into ICS/OT environments by growing our fleet of sensors and profiles. As we enhance our coverage in 2025, we aim to provide even deeper insights to help defenders stay ahead of emerging threats. Contact us to learn more.
A newly released report by Sophos reveals a sophisticated multi-year APT (Advanced Persistent Threat) campaign that exploited network perimeter devices, using both new and older vulnerabilities to infiltrate high-value targets. Beginning in 2018, the campaign’s actors leveraged advanced tactics, techniques, and procedures to target internet-facing devices belonging to government and critical infrastructure entities, and other high-value targets. The campaign demonstrates that APT actors are increasingly focusing on network perimeters — especially unpatched, internet-facing devices like VPNs, routers, and other edge infrastructure — as prime entry points for further compromise.
“This campaign is a wake-up call about just how serious the threat to edge devices really is,” said Andrew Morris, Founder and Chief Architect at GreyNoise Intelligence. “Attackers are getting in through overlooked devices, deploying rootkits at the firmware level, and persisting on everything from routers to security cameras to HVAC systems and digital signage. And here’s the thing: detecting this kind of persistence today is incredibly tough. Major device platform vendors have entire teams dedicated to rooting out these threats on PCs, and it’s still a struggle. So, imagine trying to detect and defend against this level of sophistication on an embedded device like a router or a modem — almost no chance.”
At GreyNoise, we observe perimeter-focused attacker behavior across a range of vulnerabilities, both new and resurgent, providing us with a unique view of these threats as they unfold. This blog unpacks key strategic insights from the campaign, explains why network perimeter exploitation should be a top security focus, and provides actionable steps to help security teams stay one step ahead. We’ll explore some of the actively probed CVEs associated with this campaign, the ongoing risks of unpatched devices, and practical ways to mitigate exposure using real-time intelligence.
GreyNoise is proud to have contributed to Sophos’ research and we encourage you to read the full report. In an effort to aid in exposure mitigation efforts, GreyNoise is providing the following information to defenders:
The Sophos report details a sophisticated campaign beginning in 2018, where attackers initially targeted Cyberoam, an India-based Sophos subsidiary. Using intelligence gathered from Cyberoam, along with additional development, the attackers attempted mass exploitation to build a network of operational relay boxes (ORBs). However, after this largely failed because it was detected, they shifted tactics to remain under the radar, focusing exclusively on a small number of high-value targets. This more targeted approach enabled them to infiltrate select government agencies, critical infrastructure, and influential organizations such as embassies. The campaign underscores how APTs adapt and leverage both collected intelligence and advanced tradecraft to achieve their strategic goals.
The attackers exhibited patience and adaptability, evolving their approach from broad, indiscriminate scanning to targeted reconnaissance and exploitation. Their tactics included custom rootkits, firmware-based persistence, and sophisticated command-and-control channels, like ICMP tunneling and proxy chains, enabling long-term, stealthy access to compromised networks. This combination of large-scale scanning followed by focused exploitation demonstrates how attackers systematically identify and prioritize vulnerabilities on perimeter devices to achieve their objectives.
This campaign highlights how perimeter devices — including VPNs, routers, and other internet-facing systems — serve as critical points of entry for attackers. Although these devices are essential to network operations, ensuring timely patching can be challenging due to the business impact of taking these systems offline, making them attractive targets for attackers seeking to exploit this operational challenge.
GreyNoise’s data consistently shows that perimeter devices draw significant reconnaissance and scanning activity from malicious IPs probing weak points. Our real-time intelligence captures how attackers conduct broad scans across these devices, identifying which ones might be vulnerable to exploitation.
This heatmap highlights the volume of malicious IPs actively targeting high-profile systems leveraging CVEs related to the campaign, illustrating the intensity of reconnaissance and exploitation and offering critical insights for prioritizing defenses around these devices.
Security professionals should regularly audit and patch all high-profile systems that are internet-facing, especially those with widely known vulnerabilities. Leveraging IP blocklists allows security teams to intercept and block scanning activity on these endpoints, helping to prevent initial access and reduce perimeter risks.
While newer vulnerabilities often dominate security headlines, this campaign underscores that attackers frequently exploit older vulnerabilities as well. Over 35% of the CVEs in Sophos' Database of Network Device CVEs were released before 2020, with 95% of them included in CISA’s Known Exploited Vulnerabilities (KEV) catalog — a vital resource for tracking high-risk vulnerabilities. Despite available patches, these CVEs often remain unpatched on many perimeter devices, making them easy targets for attackers.
Re-evaluate patching priorities to include older vulnerabilities that impact perimeter devices. GreyNoise’s CVE tracking provides insights into which resurgent vulnerabilities see active targeting, allowing teams to focus on high-risk vulnerabilities that are exploited repeatedly. Older vulnerabilities continue to present significant risk if left unpatched, particularly on perimeter devices.
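One way to put this re-prioritization into practice is to join three inputs a team already has or can obtain: its own scanner findings, the CISA KEV catalog (published as a JSON feed), and a set of CVEs currently seen under active probing. The following is an added example, not code from GreyNoise or Sophos. The KEV excerpt, the probed set, and the inventory are constructed inline (the CVE IDs are placeholders, not real vulnerabilities), the KEV JSON mirrors the field names of the real feed, and the point weights are an assumption chosen to make active probing and KEV membership outrank CVSS and recency.

```python
import json
from datetime import date

# Constructed excerpt in the shape of the CISA KEV catalog JSON feed.
# The cveID values are placeholders, not real CVEs.
KEV_JSON = """{"vulnerabilities": [
  {"cveID": "CVE-0000-1001", "product": "EdgeVPN", "dateAdded": "2021-11-03", "knownRansomwareCampaignUse": "Known"},
  {"cveID": "CVE-0000-1003", "product": "HRDB", "dateAdded": "2023-05-12", "knownRansomwareCampaignUse": "Unknown"},
  {"cveID": "CVE-0000-1004", "product": "BranchRouter", "dateAdded": "2022-01-10", "knownRansomwareCampaignUse": "Known"}
]}"""

# Constructed stand-in for a real-time "actively probed" feed (e.g. GreyNoise CVE tracking).
ACTIVELY_PROBED = {"CVE-0000-1001", "CVE-0000-1004"}

# Constructed vulnerability-scanner findings for a small estate.
INVENTORY = [
    {"cve": "CVE-0000-1001", "asset": "vpn-edge-1", "internet_facing": True, "published": "2018-06-01", "cvss": 7.2},
    {"cve": "CVE-0000-1002", "asset": "mail-gw", "internet_facing": True, "published": "2023-09-14", "cvss": 9.8},
    {"cve": "CVE-0000-1003", "asset": "hr-db", "internet_facing": False, "published": "2022-02-02", "cvss": 8.1},
    {"cve": "CVE-0000-1004", "asset": "router-branch", "internet_facing": True, "published": "2019-03-20", "cvss": 6.5},
]

# Assumed weights: exploitation evidence first, exposure second, CVSS only as a tie-breaker.
W_PROBED, W_KEV, W_PERIMETER = 4, 3, 2


def load_kev(json_text):
    """Index a KEV-shaped JSON document by CVE ID."""
    return {v["cveID"]: v for v in json.loads(json_text)["vulnerabilities"]}


def score_finding(finding, kev, probed, as_of):
    """Return (score, years_old, reasons) for one scanner finding."""
    score, reasons = 0, []
    if finding["cve"] in probed:
        score += W_PROBED
        reasons.append("actively probed")
    if finding["cve"] in kev:
        score += W_KEV
        reasons.append("in CISA KEV")
    if finding["internet_facing"]:
        score += W_PERIMETER
        reasons.append("internet-facing")
    years_old = (as_of - date.fromisoformat(finding["published"])).days // 365
    return score, years_old, reasons


def prioritize(inventory, kev, probed, as_of_iso):
    """Rank findings: highest score first, older CVEs ahead on ties, then CVSS.
    Age is never a reason to deprioritize; it only breaks ties in favour of
    the long-unpatched bug."""
    as_of = date.fromisoformat(as_of_iso)
    ranked = []
    for f in inventory:
        score, years_old, reasons = score_finding(f, kev, probed, as_of)
        ranked.append({**f, "score": score, "years_old": years_old, "reasons": reasons})
    ranked.sort(key=lambda r: (-r["score"], -r["years_old"], -r["cvss"]))
    return ranked


if __name__ == "__main__":
    for r in prioritize(INVENTORY, load_kev(KEV_JSON), ACTIVELY_PROBED, "2024-11-06"):
        print(f'{r["score"]:>2} {r["cve"]} {r["asset"]:<14} '
              f'{r["years_old"]}y old cvss={r["cvss"]} [{", ".join(r["reasons"])}]')
```

Run as-is, the 2018 VPN bug with a 7.2 CVSS lands at the top and the 9.8 on the mail gateway lands last, because nothing is probing it and it is not in KEV; that inversion relative to a CVSS-sorted list is the point of the passage above.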
According to the Sophos report, the attackers initially began their campaign with broad, indiscriminate scanning to locate vulnerable devices before refining their focus to specific, high-value targets. This phased approach demonstrates how attackers leverage large-scale reconnaissance to identify weak entry points and then shift to targeted exploitation.
GreyNoise’s real-time data on reconnaissance trends offers visibility into this broader phase, capturing which high-profile CVEs attackers are actively probing across devices. This data reveals where attackers focus their scanning efforts on the network perimeter, providing early indicators of which vulnerabilities are most at risk.
The precision and patience of this APT campaign send a clear message: perimeter devices remain prime targets, and unpatched vulnerabilities continue to offer attackers a simple path to network entry. The campaign reinforces the need for security professionals to maintain real-time visibility into these threats — both legacy CVEs and active reconnaissance of network devices.
By monitoring attacker behavior and focusing on high-risk vulnerabilities, teams can take concrete steps to strengthen their defenses against persistent, sophisticated attacks.
We know that many organizations are working diligently to assess their exposure, analyze logs, and manage vulnerabilities following this APT campaign. To aid in this effort, GreyNoise is providing all users — both paying and free — 14 days of access to real-time exploitation data for the CVEs associated with this threat. Our goal is to help security teams stay informed and make it easier to track active exploitation.
----
Noah Stone contributed to this writeup in collaboration with GreyNoise Research.
GreyNoise has discovered previously undisclosed zero-day vulnerabilities in IoT-connected live streaming cameras, leveraging AI to catch an attack before it could escalate. These cameras are reportedly used in sectors such as industrial operations, healthcare, and other sensitive environments like houses of worship, highlighting the urgent need for stronger cybersecurity defenses as the threat landscape continues to evolve.
This discovery was made possible after a GreyNoise honeypot detected an attempt to execute an exploit against it. An attacker had developed and automated a zero-day vulnerability exploit, using a broad-spectrum reconnaissance and targeting strategy to run it across the internet. However, the exploit hit GreyNoise’s global sensor network, where GreyNoise’s proprietary internal AI technology flagged the unusual activity. Upon further investigation, GreyNoise researchers discovered the zero-day vulnerabilities. Once exploited, attackers could potentially seize complete control of the cameras, view and/or manipulate video feeds, disable camera operations, and enlist the devices into a botnet to launch denial-of-service attacks.
This marks one of the first instances where threat detection has been augmented by AI to discover zero-day vulnerabilities. By surfacing malicious traffic that traditional tools would have missed, GreyNoise successfully intercepted the attack, identified the vulnerabilities, and reported them before they could be widely exploited. The company’s proactive approach, combining AI-powered detection with expert human analysis, proves that AI can dramatically accelerate the discovery of vulnerabilities — making the internet safer, one discovery at a time.
GreyNoise partnered with VulnCheck to responsibly disclose the flaws, tracked as CVE-2024-8956 and CVE-2024-8957.
View the full technical analysis and register now for GreyNoise’s expert panel webinar to learn more about the broader implications of these findings for security professionals.
The vulnerabilities impact NDI-enabled pan-tilt-zoom (PTZ) cameras from multiple manufacturers. Affected devices run VHD PTZ camera firmware earlier than 6.3.40, which is used in PTZOptics, Multicam Systems SAS, and SMTAV Corporation devices based on the Hisilicon Hi3516A V600 SoC (V60, V61, and V63). These cameras, which feature an embedded web server that allows direct access from a web browser, are reportedly deployed in environments where reliability and privacy are crucial, including:
Affected devices are typically high-cost live streaming cameras, sometimes exceeding several thousand dollars.
GreyNoise found the affected cameras to be vulnerable to a range of potentially dangerous attacks. These vulnerabilities, if exploited, could potentially expose sensitive business meetings, compromise telehealth sessions, and disrupt cameras deployed in industrial settings, leaving organizations potentially exposed to data and privacy breaches.
Attacks like this are not new — in 2021, live feeds of 150,000 cameras inside schools, hospitals, and more were exposed. Vulnerable IoT devices are prime targets for attackers looking to add compromised devices to a botnet, like the infamous Mirai botnet.
Security teams today face an overwhelming number of alerts, many of which result from harmless internet activity like routine scans and benign traffic. With countless alerts pouring in daily, identifying threats becomes incredibly difficult, and many serious vulnerabilities can go unnoticed amid the noise.
This is where AI steps in. GreyNoise’s Sift, powered by large language models (LLMs) trained on vast amounts of internet traffic — including traffic targeting IoT devices — identifies anomalies that traditional systems may miss. Instead of just reacting to known threats, Sift excels at spotting new anomalies, threats that haven't been identified yet or don’t fit any known signatures.
Sift analyzes real-time internet traffic and enriches that data with GreyNoise’s proprietary datasets. It then runs the data through advanced AI systems, which help separate routine activity from potential threats. This process allows researchers to focus on truly meaningful threats without getting lost in the noise.
In this case, Sift flagged unrecognized traffic that had not been tagged as a known threat. This caught the attention of GreyNoise researchers, who further investigated the unusual traffic. Their investigation led to the discovery of two previously unknown zero-day vulnerabilities in live streaming cameras — highlighting how AI can transform the speed and accuracy of cybersecurity research.
“This isn’t about the specific software or how many people use it — it’s about how AI helped us catch a zero-day exploit we might have missed otherwise,” said Andrew Morris, Founder and Chief Architect at GreyNoise Intelligence. “We caught it before it could be widely exploited, reported it, and got it patched. The attacker put a lot of effort into developing and automating this exploit, and they hit our sensors. Today it’s a camera, but tomorrow it could be a zero-day in critical enterprise software. This discovery proves that AI is becoming essential for detecting and stopping sophisticated threats at scale.”
By rapidly filtering out irrelevant traffic, Sift gives human researchers a clear head start. Capable of sifting through millions of data points, it enables researchers to focus on critical threats in real-time. This combination of AI-driven anomaly detection and human-led investigation is essential in today’s fast-paced cybersecurity landscape, where attackers are constantly evolving their tactics. Without Sift’s machine learning capabilities, these vulnerabilities might have remained hidden.
GreyNoise’s discoveries shed light on a larger issue facing the rapidly growing IoT landscape. With nearly 19 billion IoT devices in operation globally, industrial and critical infrastructure sectors rely on these devices for operational efficiency and real-time monitoring. However, the sheer volume of data generated makes it challenging for traditional tools to discern genuine threats from routine network traffic, leaving systems vulnerable to sophisticated attacks. Last month, U.S. authorities dismantled a botnet that leveraged a variety of IoT devices, including IP cameras. IoT devices remain a prime target for attackers looking to exploit insecure design and functionality.
Organizations running VHD PTZ camera firmware earlier than 6.3.40 on PTZOptics, Multicam Systems SAS, or SMTAV Corporation devices based on the Hisilicon Hi3516A V600 SoC (V60, V61, and V63) should take immediate action to patch the discovered vulnerabilities and secure their systems.
VulnCheck alerted affected manufacturers to the flaws, only receiving a response from PTZOptics. The manufacturer released firmware updates addressing these flaws.
Read the GreyNoise Labs blog for technical analysis and deeper insight into how Sift helped discover these zero-day vulnerabilities.
Watch our expert panel take a deep dive into the technical details and strategic implications of this discovery to provide the context you need to better protect your organization.
Register now and learn how AI-driven cybersecurity is changing the status quo and how it can transform your security strategy.
A joint U.S. and UK advisory has identified 25 vulnerabilities tied to an exploitation campaign by Russian state-sponsored threat actors, specifically APT 29 — the group behind the infamous SolarWinds hack. GreyNoise actively tracks 12 of the 25 vulnerabilities mentioned in the advisory. To provide real-time, actionable context, GreyNoise has detected that nine of these vulnerabilities are being actively probed by attackers, offering critical insights for organizations to prioritize their defenses.
Given the real-time nature of GreyNoise’s observations, the set of actively targeted vulnerabilities is likely to change over time. Please check the GreyNoise Visualizer for the latest information.
GreyNoise observes internet traffic via its global network of sensors and honeypots, allowing it to track and classify behavior as malicious or benign.
While the advisory outlines 25 vulnerabilities, GreyNoise is uniquely positioned to provide real-time insights, identifying the nine CVEs currently being probed. These active scans are part of mass, opportunistic efforts, a tactic commonly used by threat actors like APT 29 (Cozy Bear), although GreyNoise does not attribute the observed activity to any specific actor.
Of the 12 GreyNoise-tracked CVEs mentioned in the joint advisory, GreyNoise observes exploitation or reconnaissance activity across the following:
These vulnerabilities cover a wide range of products critical to business operations and infrastructure, making this real-time data invaluable for defenders to prioritize patching.
In the joint advisory, the agencies highlighted the threat of mass opportunistic scanning and Russian intelligence's reliance on it:
“This mass scanning and opportunistic exploitation of vulnerable systems, as opposed to more targeted operations, increase the threat surface to include virtually any organization with vulnerable systems.
The SVR [Russian Foreign Intelligence] takes advantage of opportunistic victims to host malicious infrastructure, conduct follow-on operations from compromised accounts, or to attempt to pivot to other networks.”
The advisory comes at a time when attackers are increasingly relying on mass opportunistic scanning to compromise organizations, making it critical that organizations leverage real-time intelligence showing when and where attackers are engaged in reconnaissance and exploitation activity.
For more details, read the full U.S. and UK report here.
(This is the conclusion of our four-part series on "Understanding the Election Cybersecurity Landscape".)
Thanks to the emergence of powerful new AI-infused tools, a new battleground for democracy has emerged — one that does not rely on physical conflict but on the manipulation of information. Deepfakes and disinformation campaigns have become potent weapons, threatening the integrity of democratic processes. These sophisticated techniques not only mislead the public but also sow discord, making it increasingly difficult to distinguish truth from falsehood.
Deepfakes — that is, hyper-realistic, artificially generated or manipulated videos or audio recordings — have advanced to a level where even seasoned experts struggle to differentiate them from authentic media. Combined with disinformation campaigns, these tools can spread false narratives at alarming speed and scale.
The January 2024 New Hampshire primary was a wake-up call. Voters received robocalls featuring an AI-generated voice impersonating President Joe Biden, urging them to abstain from voting in the primary. Instead, the message encouraged them to save their vote for the general election. This incident is a single, yet stark, example of how domestic actors are utilizing advanced technologies to manipulate voters and disrupt electoral processes.
Disinformation campaigns thrive in online platforms, from social media to fake news websites. Both domestic and foreign actors — including Russia, China, and Iran — are involved in these efforts, as highlighted by the Intelligence Community's 2024 Annual Threat Assessment. Their goal is simple but destructive: to exacerbate societal divisions and influence voter perceptions.
In a recent case, the Department of Justice foiled a Russian-sponsored operation that aimed to sway voters by creating fake news sites that closely mimicked legitimate media outlets. Such tactics demonstrate the lengths to which bad actors will go to infiltrate and corrupt the information ecosystem.
Disinformation and deepfake technologies threaten to destabilize democratic institutions in several ways:
In response to these escalating threats, Senator Mark R. Warner has called for decisive action. In a letter to the Cybersecurity and Infrastructure Security Agency (CISA), Warner outlined the critical need for state and local election officials to be equipped with the tools to counter disinformation and deepfakes. These officials are often voters' most trusted sources of election information, but they operate with limited resources and staff.
Warner urged CISA to strengthen its support for local election administrators and advocated for collaboration across government agencies, technology companies, academic institutions, and international allies to combat the spread of disinformation. Only through coordinated efforts can we build the resilience necessary to defend democratic processes.
As technology continues to evolve, so too does the potential for its misuse. Deepfakes and disinformation campaigns are not just technological novelties; they are deliberate attempts to distort reality and undermine the public’s trust in elections. To safeguard democracy, proactive measures must be taken:
The threat posed by deepfakes and disinformation campaigns is real and growing. As technology advances, so does the potential for misuse by those seeking to disrupt democratic processes. By raising awareness, promoting media literacy, and fostering collaboration between government, private sectors, and international allies, we can protect the integrity of our elections and ensure that democracy endures in the digital age.
Now is the time to act. The future of democracy depends on our collective ability to respond to these new challenges. Let's safeguard the truth and uphold the trust that is the foundation of democratic society.
GreyNoise’s honeypots have been actively monitoring exploit attempts targeting the SolarWinds Serv-U vulnerability (CVE-2024-28995), revealing exactly what files attackers are after. From key system files to credential-containing configuration files, our data shows how attackers are scanning for vulnerable systems in real time.
GreyNoise interacts directly with attackers through its honeypots, providing verifiable, firsthand data. This gives security teams a clearer, more accurate picture of real-time threats, allowing them to cut through the noise and focus on what's truly malicious.
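The post describes what the honeypots see but not how to read it. As an added example (not GreyNoise code), here is the triage a defender can run over their own web-server or honeypot logs to recover which files directory-traversal probes are reaching for, which is the question the post answers for CVE-2024-28995. The log lines are constructed, the line format is assumed, the InternalDir/InternalFile query parameters follow public write-ups of this CVE but are an assumption of this example rather than something the post states, and the file names under the Serv-U directory are illustrative. Decoding is repeated and backslashes are folded to slashes so that single-encoded, double-encoded and Windows-style probes all normalize to the same target.

```python
import posixpath
import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed honeypot log lines (not real GreyNoise data). Assumed format:
#   <timestamp> <source-ip> "<METHOD> <target> HTTP/<ver>"
SAMPLE_LOG = [
    '2024-06-15T08:01:22Z 203.0.113.5 "GET /?InternalDir=/../../../../etc&InternalFile=passwd HTTP/1.1"',
    '2024-06-15T08:01:23Z 203.0.113.5 "GET /?InternalDir=\\..\\..\\..\\..\\windows&InternalFile=win.ini HTTP/1.1"',
    '2024-06-15T08:02:10Z 198.51.100.9 "GET /?InternalDir=%2F..%2F..%2F..%2F..%2FProgramData%2FRhinoSoft%2FServ-U&InternalFile=Serv-U-StartupLog.txt HTTP/1.1"',
    '2024-06-15T08:02:11Z 198.51.100.9 "GET /?InternalDir=%2F..%2F..%2F..%2F..%2FProgramData%2FRhinoSoft%2FServ-U&InternalFile=Serv-U-Config.txt HTTP/1.1"',
    '2024-06-15T08:03:00Z 192.0.2.77 "GET /?InternalDir=/Web%20Client&InternalFile=Login.xml HTTP/1.1"',
    '2024-06-15T08:04:00Z 192.0.2.99 "GET /..%5C..%5C..%5Cwindows/win.ini HTTP/1.1"',
    '2024-06-15T08:05:00Z 192.0.2.100 "GET /favicon.ico HTTP/1.1"',
]

REQUEST_RE = re.compile(
    r'(?P<src>\d{1,3}(?:\.\d{1,3}){3}) "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d"')
# A ".." path segment after decoding and slash-folding is the traversal signal.
TRAVERSAL_RE = re.compile(r"(^|/)\.\.(/|$)")


def fully_decode(value, rounds=3):
    """Percent-decode until stable, so double-encoded probes are not missed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(path):
    """Assumed buckets: OS files used as read-primitive proof, app config, other."""
    p = path.lower()
    if p.startswith("/etc/") or p.startswith("/windows/"):
        return "os-file"
    if "/serv-u/" in p:
        return "app-config"
    return "other"


def parse_probe(line):
    """Return {src, target, category} for a traversal probe, or None otherwise."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    qs = parse_qs(parts.query)  # parse_qs already percent-decodes once
    if "InternalDir" in qs and "InternalFile" in qs:
        raw = qs["InternalDir"][0] + "/" + qs["InternalFile"][0]
    else:
        raw = parts.path  # traversal straight in the request path
    decoded = fully_decode(raw).replace("\\", "/")
    if not TRAVERSAL_RE.search(decoded):
        return None
    # Resolve the traversal as the server would from its web root.
    resolved = posixpath.normpath("/" + decoded.lstrip("/"))
    return {"src": m.group("src"), "target": resolved, "category": classify(resolved)}


def summarize(lines):
    """Tally what the probes are after and who is sending them."""
    targets, categories, sources = Counter(), Counter(), Counter()
    for line in lines:
        probe = parse_probe(line)
        if probe is None:
            continue
        targets[probe["target"]] += 1
        categories[probe["category"]] += 1
        sources[probe["src"]] += 1
    return {"targets": targets, "categories": categories, "sources": sources}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for target, n in report["targets"].most_common():
        print(f"{n:>3}  {classify(target):<10} {target}")
    print("sources:", dict(report["sources"]))
```

Two of the constructed lines are deliberately not probes (a normal web-client request and a favicon fetch) to show that the filter keys on a resolved `..` segment rather than on the parameter names alone; a request that names InternalDir without traversing is ordinary Serv-U traffic.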
(This is part three in our "Understanding the Election Cybersecurity Landscape" series.)
As we rapidly approach the 2024 U.S. elections, the human element remains one of the most vulnerable aspects of our electoral system. While technological defenses continue to evolve, state actors and cybercriminals in general are increasingly turning to phishing and social engineering tactics to exploit human psychology and gain unauthorized access to sensitive information or systems. These attacks pose a significant threat to election integrity by targeting election officials, campaign staff, and voters alike.
Phishing attacks during election seasons often exploit the heightened emotions and time pressures associated with political campaigns. Attackers craft convincing emails, text messages, or social media posts that appear to come from trusted sources such as election boards, political parties, or candidates themselves. These messages typically create a sense of urgency or importance to prompt quick, unthinking responses from targets.
For example, an election official might receive an email that appears to be from a voting machine vendor, claiming there's a critical security update that needs immediate attention. The email could contain a malicious link or attachment that, when clicked, installs malware or captures login credentials. Similarly, voters might receive text messages with false information about polling place changes or registration requirements, containing links to fraudulent websites designed to steal personal information.
Social engineering attacks go beyond simple phishing by leveraging more complex psychological manipulation. These attacks often involve multiple touchpoints and can unfold over extended periods, making them particularly insidious.
In the context of elections, a social engineering attack might involve an attacker posing as an IT support technician, contacting county election workers with offers of assistance. Over time, the attacker builds trust and may eventually request remote access to systems or sensitive information under the guise of providing support. This type of attack exploits the often-overworked and under-resourced nature of many local election offices.
Another common tactic is impersonating authority figures. An attacker might pose as a high-ranking election official or party leader, using this perceived authority to pressure lower-level staff into bypassing security protocols or divulging confidential information.
The consequences of successful phishing and social engineering attacks can be far-reaching. A single compromised account or system can serve as an entry point for broader network infiltration, potentially leading to:
Moreover, even unsuccessful attacks can erode public confidence in the electoral process. The mere perception that election systems or officials might be compromised can fuel doubts about election integrity, which could be especially problematic this year.
Mitigating the risks posed by phishing and social engineering requires a multi-faceted approach that combines technological solutions with robust human training and awareness programs.
As we move ever closer to the 2024 elections, the sophistication of phishing and social engineering attacks is likely to increase. The rise of AI-generated content, including deepfakes, will make it even more challenging to distinguish legitimate communications from fraudulent ones (something we will cover in the final installment).
However, by focusing on the human element – both in terms of vulnerabilities and strengths – we can build a more resilient election security ecosystem. Empowering election officials and voters with knowledge and critical thinking skills is our best defense against these evolving threats.
The integrity of our elections depends not just on secure technology, but on a vigilant and informed populace. By recognizing the central role of human factors in election security, we can work towards elections that are not only technologically sound but also trusted and resilient in the face of increasingly sophisticated attacks.