GreyNoise Research

In-depth analysis and trend reporting from the GreyNoise Research team. Includes detection engineering insights, reverse engineering work, and white papers that surface emerging threat trends based on our telemetry — helping defenders stay ahead of risks that are often overlooked or not yet widely known.

GreyNoise Uncovers Early Warning Signals for Emerging Vulnerabilities

It’s well known that the window between CVE disclosure and active exploitation has narrowed. But what happens before a CVE is even disclosed? 

In our latest research “Early Warning Signals: When Attacker Behavior Precedes New Vulnerabilities,” GreyNoise analyzed hundreds of spikes in malicious activity — scanning, brute forcing, exploit attempts, and more — targeting edge technologies. We discovered a consistent and actionable trend: in the vast majority of cases, these spikes were followed by the disclosure of a new CVE affecting the same technology within six weeks. 

This recurring behavior led us to ask: 

Could attacker activity offer defenders an early warning signal for vulnerabilities that don’t exist yet — but soon will? 

The Six-Week Critical Window

Of the 216 spikes observed on our Global Observation Grid (GOG) since September 2024, we found: 

  • 80 percent of spikes were followed by a new CVE within six weeks.
  • 50 percent were followed by a CVE disclosure within three weeks. 
  • These patterns were exclusive to enterprise edge technologies like VPNs, firewalls, and remote access tools — the same kinds of systems increasingly targeted by advanced threat actors. 
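The statistics above imply a two-step pipeline: detect a spike in a daily count series for one technology, then measure the lag to the next CVE disclosure for that technology. The following is an added example of that pipeline, not GreyNoise's methodology or code: the trailing-baseline rule, the z threshold, the daily counts and the disclosure dates are all constructed assumptions, and the disclosure labels are placeholders rather than real CVE identifiers.

```python
"""Spike detection and spike-to-CVE lag over a daily count series.

Added example, not GreyNoise's methodology or code.  The trailing-baseline
rule, the z threshold and the data below are constructed assumptions; the
disclosure labels are placeholders, not real CVE identifiers.
"""
from datetime import date, timedelta
from statistics import mean, pstdev

START = date(2024, 10, 1)
# Constructed daily counts of unique sources hitting one technology tag:
# 70 quiet days with two planted bursts (day 20, and days 50-51 as one episode).
DAILY = [40, 42, 38, 45, 41, 39, 44, 40, 43, 42] * 7
DAILY[20] = 230
DAILY[50], DAILY[51] = 180, 210

# Constructed disclosure dates for the same technology (placeholder labels).
DISCLOSURES = {
    "disclosure-A": date(2024, 11, 5),   # 15 days after the first burst
    "disclosure-B": date(2025, 1, 14),   # 55 days after the second: outside six weeks
}


def find_spikes(counts, start, baseline_days=14, z=4.0):
    """Start dates of spike episodes: a day whose count exceeds the trailing
    baseline mean by z standard deviations opens an episode; consecutive
    spike days are merged into it.  A zero-variance baseline uses sd=1."""
    episodes, in_spike = [], False
    for i in range(baseline_days, len(counts)):
        window = counts[i - baseline_days:i]
        threshold = mean(window) + z * (pstdev(window) or 1.0)
        is_spike = counts[i] > threshold
        if is_spike and not in_spike:
            episodes.append(start + timedelta(days=i))
        in_spike = is_spike
    return episodes


def spike_to_cve_lag(episodes, disclosures, max_days=42):
    """Days from each episode start to the first disclosure inside max_days,
    or None when nothing follows within the window."""
    lags = {}
    for ep in episodes:
        following = sorted(d for d in disclosures.values()
                           if ep <= d <= ep + timedelta(days=max_days))
        lags[ep] = (following[0] - ep).days if following else None
    return lags


def summarize(lags):
    """The headline numbers: episodes followed by a disclosure within three
    and within six weeks."""
    within = lambda days: sum(1 for v in lags.values() if v is not None and v <= days)
    return {"spikes": len(lags), "within_3w": within(21), "within_6w": within(42)}


def demo():
    """Run the pipeline on the constructed data; dates returned as ISO strings."""
    episodes = find_spikes(DAILY, START)
    lags = spike_to_cve_lag(episodes, DISCLOSURES)
    return {ep.isoformat(): lag for ep, lag in lags.items()}, summarize(lags)


if __name__ == "__main__":
    print(demo())
```

The trailing baseline deliberately excludes the current day, so a burst does not inflate its own threshold; the days after a burst are protected by the raised variance, which is why consecutive spike days are merged into one episode rather than counted twice. Tune `baseline_days` and `z` against your own tag's normal variance before trusting the episode count.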

Why This Matters

Exploit activity may be more than it seems. Some spikes appear to reflect reconnaissance or exploit-based inventorying of exposed devices. Others may represent probing that ultimately results in the discovery of a new CVE. Either way, defenders can take action. 

Blocking attacker infrastructure involved in these spikes may reduce the chances of being inventoried — and ultimately targeted — when a new CVE emerges. Just as importantly, these trends give CISOs and security leaders a credible reason to harden defenses, request additional resources, or prepare strategic responses based on observable signals — not just after a CVE drops, but weeks before. 

What’s Inside the Report

The full report includes: 

  • A breakdown of the vendors, products, and GreyNoise tags where these patterns were observed.
  • Analysis of attacker behavior leading up to CVE disclosure. 
  • The methodology used to identify spikes and establish spike-to-CVE relationships. 
  • Clear takeaways for analysts and CISOs on how to operationalize this intelligence. 

This research builds on our earlier work on resurgent vulnerabilities, offering a new lens for defenders to track vulnerability risk based on what attackers do — not just what’s been disclosed. 

A Spike in the Desert: How GreyNoise Uncovered a Global Pattern of VOIP-Based Telnet Attacks

One of our engineers was reviewing our telemetry dashboard when he came across something unusual: 

A tight cluster of red dots — each one representing a malicious IP — lighting up a rural patch of New Mexico. 

Nothing unusual about botnet traffic. But this time, dozens of malicious IPs were all coming from a single region with a population of just over 3,000 people. 

It didn’t fit the pattern. So we dug in. 

Starting with a Single IP

We zoomed into the map and picked up the first IP: 137.118.82.76

It had a troubling combination of GreyNoise tags: 

  • Telnet Bruteforcer
  • Generic IoT Default Password Attempt
  • Mirai 
  • D-Link Hardcoded Telnet Attempt

This wasn’t just a misconfigured device — it looked like a system actively participating in a botnet. 

So we pulled the thread. 

A Utility at the Center — and AI in the Loop

Zooming out, we found ~90 IPs in the same New Mexico region, all tied to a single provider: Pueblo of Laguna Utility Authority. 

100% of this traffic was Telnet-based. 

To dig deeper, we used our internal tooling, including the GreyNoise Model Context Protocol (MCP) server, which lets an LLM assistant query GreyNoise data directly, to iterate quickly on investigation paths. 

We fed IP metadata and network behavior into Claude, exploring ideas in real time, then enriched the dataset with Censys infrastructure data and tshark packet captures. 

This analysis helped confirm that many of the systems were VOIP-enabled devices.

While we did not identify exact device models for each system, enrichment suggested hardware from Cambium Networks was likely involved in a portion of the activity. 

It wasn’t a one-off misconfiguration — it appeared to be a coordinated cluster of similar systems likely running comparable stacks. 

Tracing it Globally

After confirming the localized activity, we widened the investigation. 

Using GreyNoise tags, behavioral similarity, and Telnet traffic patterns, we identified about 500 IPs globally exhibiting similar traits: 

  • A single JA4T signature, 5840_2-4-8-1-3_1460_1, accounting for 90% of the traffic from this ISP. JA4T encodes the TCP stack's SYN parameters (window size, option order, MSS, window scale), so one value across hosts indicates a common OS or firmware build on the compromised devices rather than coincidence. 
  • Telnet login attempts using weak or default credentials 
  • High session volumes
  • Scanning behavior aligned with known Mirai variants 

Some of these IPs were linked to VOIP-capable devices and shared similar infrastructure characteristics — suggesting a wider class of exposed systems is being targeted for botnet activity. 

Why VOIP? Why Now?

VOIP devices often run on older Linux-based firmware, sometimes with Telnet exposed by default. They’re also frequently:

  • Internet-facing
  • Lightly monitored 
  • Infrequently patched

Some Cambium routers, for example, may still be running firmware versions impacted by a known remote code execution (RCE) vulnerability from 2017. 

While we did not confirm exploitation of that CVE in this case, the activity reinforces a broader point: Vulnerabilities remain part of the attack surface long after disclosure. 

We recently explored this dynamic in our latest report on resurgent vulnerabilities, where we highlight how long-patched flaws in edge devices are repeatedly targeted. 

Then It Stopped

Shortly after a member of our team posted a brief mention of the activity on social media, the traffic from the New Mexico utility dropped off — completely. 

Whether coincidence or evidence that attackers monitor visibility, it was a sharp cutoff. 

And shortly after that, activity spiked yet again and the global behavior continued. 

Why This Matters

  • VOIP systems are often overlooked in security monitoring. 
  • Small utilities and ISPs may unknowingly contribute infrastructure to global botnets. 
  • Mirai-style botnets remain opportunistic, leveraging systems wherever available. 

What started as a spike from a single utility in a rural part of the United States became a lens into an ongoing global pattern — one defenders should track closely. 

Defender Recommendations

  • Block IPs involved in this activity. 
  • Use GreyNoise to identify whether your infrastructure is being conscripted into a botnet.
  • Audit Telnet exposure, especially on VOIP-enabled systems.  
  • Rotate or disable default credentials on edge and SOHO devices. 

GreyNoise is developing an enhanced dynamic IP blocklist to help defenders take faster action on emerging threats.

---

This investigation was sparked by GreyNoise’s keen-eyed Lead Software Engineer Jeff Golden, with contributions from the broader GreyNoise research team. 

Flaw in Signal App Clone Could Leak Passwords — GreyNoise Identifies Active Reconnaissance and Exploit Attempts

21 July 2025 Update

GreyNoise has received a statement from TeleMessage, stating:

CVE-2025-48927 was fully remediated in the TeleMessage environment in early May. That remediation has been independently verified by our third-party cybersecurity partner. As a cloud-native SaaS platform, all fixes were applied centrally, and no action was required by customers. As such, any attempts to exploit CVE-2025-48927 since that time have been unsuccessful.

End of Update

-----

A vulnerability disclosed in May 2025, CVE-2025-48927, affects certain deployments of TeleMessage TM SGNL, an enterprise messaging system modeled after Signal and used by government agencies and enterprises alike to archive secure communications. The issue stems from the platform’s continued use of a legacy Spring Boot Actuator configuration in which the diagnostic /heapdump endpoint is publicly accessible without authentication. 

If exposed, this endpoint returns a full snapshot of the JVM heap, roughly 150 MB, which can include plaintext usernames, passwords, and other sensitive data held in memory at the time of the request. Spring Boot 2.x and later move Actuator under /actuator and expose only the health endpoint over HTTP by default, but public reporting indicates that TeleMessage instances continued running the older, insecure configuration through at least May 5, 2025. 

On July 14, 2025, CVE-2025-48927 was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog.

See GreyNoise’s technical writeup here

What GreyNoise is Seeing 

As of July 16, GreyNoise has observed 11 IPs attempting to exploit CVE-2025-48927 (tag created July 10). 

Related reconnaissance behavior is ongoing. Our telemetry shows active scanning for Spring Boot Actuator endpoints — a potential precursor to identifying systems affected by CVE-2025-48927. 
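The reconnaissance described above is visible in ordinary web server logs. The following is an added example of that detection logic, not GreyNoise's tagging or code: the endpoint list, the "successful dump" heuristic and the log lines are constructed for illustration, and the addresses are RFC 5737 documentation ranges.

```python
"""Flag Spring Boot Actuator reconnaissance in web server access logs.

Added example, not GreyNoise's detection logic or tagging.  The endpoint list,
the 'successful dump' heuristic and the log lines are constructed for
illustration; addresses are RFC 5737 documentation ranges.
"""
import re
from collections import defaultdict

# Endpoints that leak secrets or internals.  /heapdump at the web root is the
# Spring Boot 1.x layout (the TeleMessage case); /actuator/<name> is 2.x+.
SENSITIVE = ("heapdump", "threaddump", "env", "configprops", "beans", "mappings", "jolokia")
ACTUATOR_RE = re.compile(r"^/(?:actuator/)?(" + "|".join(SENSITIVE) + r")(?=[/?.]|$)", re.I)

# Combined Log Format, capturing only the fields the rule needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Constructed sample: one source walks actuator paths and pulls a ~150 MB heap
# dump; another probes and gets 404; a third fetches a benign static asset.
SAMPLE_LOG = """\
198.51.100.7 - - [16/Jul/2025:10:01:02 +0000] "GET /actuator/health HTTP/1.1" 200 15 "-" "curl/8.4.0"
198.51.100.7 - - [16/Jul/2025:10:01:03 +0000] "GET /actuator/env HTTP/1.1" 401 0 "-" "curl/8.4.0"
198.51.100.7 - - [16/Jul/2025:10:01:04 +0000] "GET /heapdump HTTP/1.1" 200 157286400 "-" "python-requests/2.31.0"
203.0.113.9 - - [16/Jul/2025:10:05:00 +0000] "GET /actuator/heapdump HTTP/1.1" 404 0 "-" "Mozilla/5.0"
203.0.113.9 - - [16/Jul/2025:10:05:01 +0000] "GET /login HTTP/1.1" 200 2310 "-" "Mozilla/5.0"
192.0.2.44 - - [16/Jul/2025:10:07:00 +0000] "GET /static/heapdump.png HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
""".splitlines()

DUMP_MIN_BYTES = 10_000_000   # a real heap dump is tens of MB; smaller 200s are usually error pages


def classify_request(path):
    """Name of the sensitive actuator endpoint a request path touches, or None."""
    m = ACTUATOR_RE.match(path)
    return m.group(1).lower() if m else None


def scan_log(lines):
    """Group sensitive-endpoint hits by source IP.  A 200 on heapdump with a
    large response body is reported as a likely successful dump, not a probe."""
    hits = defaultdict(lambda: {"probes": [], "dumped": False})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        endpoint = classify_request(m["path"])
        if endpoint is None:
            continue
        record = hits[m["ip"]]
        record["probes"].append((endpoint, int(m["status"])))
        if (endpoint == "heapdump" and m["status"] == "200"
                and m["bytes"] != "-" and int(m["bytes"]) >= DUMP_MIN_BYTES):
            record["dumped"] = True
    return dict(hits)


if __name__ == "__main__":
    for ip, rec in scan_log(SAMPLE_LOG).items():
        print(ip, "DUMPED" if rec["dumped"] else "probed", rec["probes"])
```

Run it against the edge proxy's logs as well as the application's, because the 1.x root-level /heapdump sits outside /actuator and slips past path-prefix rules. On the prevention side, Spring Boot 2.x and later expose only the health endpoint over HTTP (plus info on older 2.x releases) unless `management.endpoints.web.exposure.include` widens it; set `management.endpoint.heapdump.enabled=false` regardless, and on 1.5.x set `endpoints.heapdump.enabled=false`. Those property names are taken from Spring Boot's documentation; verify them against the version you run.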

What to Do

Organizations using Spring Boot — particularly in internal tools or secure messaging environments — should verify whether the /heapdump endpoint is exposed to the internet. 

Recommended actions:

  • Disable or restrict access to the /heapdump endpoint.
  • Limit exposure of all Actuator endpoints unless explicitly required. 
  • Review deployment configurations and upgrade to a supported version of Spring Boot where secure defaults are enforced. 
  • Update TeleMessage TM SGNL if you run that specific application.

GreyNoise will continue monitoring for shifts in scanning and exploitation behavior and will publish updates if activity escalates. 


---

This analysis was led by GreyNoise Researcher Howdy Fisher. 

GreyNoise Identifies New Scraper Botnet Concentrated in Taiwan

GreyNoise has identified a previously untracked variant of a scraper botnet, detectable through a globally unique network fingerprint. While the botnet uses a simple and easily spoofed user-agent string — Hello-World/1.0 — its real signature lies in the behavior of the devices sending the traffic. 

To detect it, GreyNoise analysts created a signature using JA4+, the suite of network fingerprinting methods to which JA4 belongs. This approach identifies traffic by how the sending stack behaves rather than by what the client claims to be, which is far harder to spoof than a user-agent string. 

The signature includes: 

  • JA4H (HTTP fingerprint): Captures how HTTP headers are ordered and formatted.
  • JA4T (TCP fingerprint): Encodes how a device establishes network connections.

These behavioral fingerprints form a meta-signature that is globally unique to this botnet variant. 
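The following is an added example of how such a meta-signature is built and matched; it serves both this write-up and the Telnet-botnet write-up above, which reported the JA4T value 5840_2-4-8-1-3_1460_1. It is not GreyNoise or FoxIO code. The field encodings follow the public JA4+ specification as we read it (an assumption: check them against FoxIO's reference implementation before relying on them), and every flow record in it is constructed.

```python
"""JA4T (TCP) and JA4H (HTTP) fingerprints, and a meta-signature match that
ties them together.

Added example serving both the Telnet-botnet write-up (JA4T
5840_2-4-8-1-3_1460_1) and the scraper-botnet write-up; it is not GreyNoise or
FoxIO code.  Field encodings follow the public JA4+ specification as we read
it (assumption: verify against FoxIO's reference implementation), and every
flow below is constructed.
"""
import hashlib

BOTNET_JA4T = "5840_2-4-8-1-3_1460_1"   # from the Telnet-botnet write-up


def ja4t(window_size, option_kinds, mss, window_scale):
    """JA4T = SYN window size, TCP option kinds in wire order joined by '-',
    MSS, window-scale shift.  Linux 2.6-era stacks give 5840_2-4-8-1-3_1460_1;
    current Linux gives 64240_2-4-8-1-3_1460_7 (same options, different stack)."""
    opts = "-".join(str(k) for k in option_kinds) if option_kinds else "00"  # '00' for an option-less SYN (assumption)
    return f"{window_size}_{opts}_{mss}_{window_scale}"


def _h12(text):
    return hashlib.sha256(text.encode()).hexdigest()[:12]


def ja4h(method, version, headers):
    """JA4H from the request line and headers in wire order ([(name, value)]).
    _a: method[:2], HTTP version ('11'), cookie/referer flags, header count,
    primary Accept-Language; _b: hash of header names; _c/_d: cookie names and
    name=value pairs.  Cookie and Referer are excluded from count and hash."""
    lower = [n.lower() for n, _ in headers]
    counted = [n for n, _ in headers if n.lower() not in ("cookie", "referer")]
    lang = "0000"
    for n, v in headers:
        if n.lower() == "accept-language":
            lang = (v.split(",")[0].split(";")[0].replace("-", "").lower() + "0000")[:4]
            break
    part_a = (f"{method[:2].lower()}{version}"
              f"{'c' if 'cookie' in lower else 'n'}{'r' if 'referer' in lower else 'n'}"
              f"{len(counted):02d}{lang}")
    part_b = _h12(",".join(counted))
    cookies = [c.strip() for n, v in headers if n.lower() == "cookie"
               for c in v.split(";") if c.strip()]
    if cookies:
        part_c = _h12(",".join(sorted(c.split("=", 1)[0] for c in cookies)))
        part_d = _h12(",".join(sorted(cookies)))
    else:
        part_c = part_d = "000000000000"
    return f"{part_a}_{part_b}_{part_c}_{part_d}"


# Constructed flows.  All three claim User-Agent Hello-World/1.0; only the first
# also matches on TCP behaviour and header layout, which is the point of
# fingerprinting what the stack does rather than what the client says.
REQ_BOT = ("GET", "11", [("Host", "example.net"), ("User-Agent", "Hello-World/1.0"), ("Accept", "*/*")])
REQ_OTHER = ("GET", "11", [("Host", "example.net"), ("User-Agent", "Hello-World/1.0"),
                           ("Accept", "*/*"), ("Accept-Language", "en-US")])
FLOWS = [
    {"src": "192.0.2.10", "syn": (5840, [2, 4, 8, 1, 3], 1460, 1), "req": REQ_BOT},    # old Linux stack
    {"src": "192.0.2.11", "syn": (64240, [2, 4, 8, 1, 3], 1460, 7), "req": REQ_BOT},   # modern Linux, same UA
    {"src": "192.0.2.12", "syn": (5840, [2, 4, 8, 1, 3], 1460, 1), "req": REQ_OTHER},  # same stack, other headers
]


def meta_signature(flow):
    """(JA4T, JA4H) pair for one observed flow."""
    return ja4t(*flow["syn"]), ja4h(*flow["req"])


def match(flows, signature):
    """Sources whose (JA4T, JA4H) pair equals the botnet meta-signature."""
    return [f["src"] for f in flows if meta_signature(f) == signature]


# In practice the reference comes from traffic already attributed to the botnet;
# here it is derived from the first constructed flow.
REFERENCE_SIG = meta_signature(FLOWS[0])

if __name__ == "__main__":
    print(REFERENCE_SIG, match(FLOWS, REFERENCE_SIG))
```

The second flow shows why the user-agent alone is a weak signal: it carries the same string but a different TCP stack, so it is not the same device class. The third flow shares the stack but orders or adds headers differently, so its JA4H differs; the meta-signature requires both to agree.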

Key Characteristics

  • First observed: April 19, 2025.
  • Traffic pattern: Repeated GET requests over ports 80-85, evenly distributed. 
  • User-agent: Hello-World/1.0

GreyNoise has detected over 3,600 unique IPs matching this signature, geolocated around the world. 

Of these IPs: 

  • 1,359 (38%) are classified as malicious.
  • 122 (3%) are suspicious.
  • 2,114 (59%) are not associated with other known activity. 
  • Only 1 benign IP was observed.

Targeted systems are predominantly located in the United States and United Kingdom. 

Concentration in Taiwan

Geographic analysis shows a clear concentration of this botnet’s infrastructure in Taiwan, with:

  • 1,934 IPs (54%) originating from Taiwanese networks.
  • Followed by Japan (315 IPs, 9%), Bulgaria (265 IPs, 7%), and France (111 IPs, 3%).

The dominance of Taiwanese IP space could suggest:

  • A common technology or service deployed widely in Taiwan has been compromised.
  • Or that local exposure to a shared vulnerability is driving the clustering. 

What Defenders Should Do

GreyNoise users can track this botnet variant in the Visualizer or via API. We recommend defenders: 

  • Block all IPs participating in this botnet variant to prevent automated scraping activity.
  • Monitor internal traffic for devices reaching out to or from these IPs.
  • Track similar JA4+ signatures (more info here), which may indicate related variants or campaigns. 


This analysis was led by GreyNoise Deception Engineer Towne Besel, who developed the detection signature and conducted the underlying research.

GreyNoise Discovers Stealthy Backdoor Campaign Affecting Thousands of ASUS Routers

This activity was first discovered by GreyNoise on March 18, 2025. Public disclosure was deferred as we coordinated the findings with government and industry partners.   

GreyNoise has identified an ongoing exploitation campaign in which attackers have gained unauthorized, persistent access to thousands of ASUS routers exposed to the internet. This appears to be part of a stealth operation to assemble a distributed network of backdoor devices — potentially laying the groundwork for a future botnet. 

The tactics used in this campaign — stealthy initial access, use of built-in system features for persistence, and careful avoidance of detection — are consistent with those seen in advanced, long-term operations, including activity associated with advanced persistent threat (APT) actors and operational relay box (ORB) networks. While GreyNoise has made no attribution, the level of tradecraft suggests a well-resourced and highly capable adversary. 

The attacker’s access survives both reboots and firmware updates, giving them durable control over affected devices. The attacker maintains long-term access without dropping malware or leaving obvious traces by chaining authentication bypasses, exploiting a known vulnerability, and abusing legitimate configuration features. 

The activity was uncovered by Sift — GreyNoise’s proprietary AI-powered network payload analysis tool — in combination with fully emulated ASUS router profiles running in the GreyNoise Global Observation Grid. These tools enabled us to detect subtle exploitation attempts buried in global traffic and reconstruct the full attack sequence. 

Read the full technical analysis. 

Timeline of Events

March 17, 2025: GreyNoise’s proprietary AI technology, Sift, observes anomalous traffic.  

March 18, 2025: GreyNoise researchers become aware of Sift report and begin investigating.

March 23, 2025: Disclosure deferred as we coordinated the findings with government and industry partners.   

May 22, 2025: Sekoia announces compromise of ASUS routers as part of ‘ViciousTrap.’

May 28, 2025: GreyNoise publishes this blog. 

Summary of Findings

  • Thousands of ASUS routers are confirmed compromised, with the number steadily increasing. 
  • Attackers gain access using brute-force login attempts and authentication bypasses, including techniques not assigned CVEs. 
  • Attackers exploit CVE-2023-39780, a command injection flaw, to execute system commands.
  • They use legitimate ASUS features to: 
    • Enable SSH access on a custom port (TCP/53282).
    • Insert attacker-controlled public key for remote access.
  • The backdoor is stored in non-volatile memory (NVRAM) and is therefore not removed during firmware upgrades or reboots. 
  • No malware is installed, and router logging is disabled to evade detection. 
  • The techniques used reflect long-term access planning and a high level of system knowledge. 

How GreyNoise Found It

The campaign was surfaced by Sift, GreyNoise’s AI-powered analysis tool for detecting novel and anomalous network activity. Sift flagged just three HTTP POST requests — targeting ASUS router endpoints — for deeper inspection. 

These payloads were only observed on our fully emulated ASUS profiles running factory firmware. This infrastructure allowed GreyNoise to:

  • Capture full PCAP of the requests and router behavior. 
  • Reproduce the attack in a controlled environment.
  • Confirm how the backdoor is installed and how it persists.  

Without emulated profiles and deep inspection, this attack would likely have remained invisible. The attacker disables logging and uses official router features, leaving few traces. 

Confirmed Exploitation Chain

1. Initial Access

  • Brute-force login attempts. 
  • Two authentication bypass techniques (no CVEs assigned).

2. Command Execution 

  • Exploitation of CVE-2023-39780 to run arbitrary commands.

3. Persistence 

  • SSH access is enabled via official ASUS settings.
  • Attacker inserts a custom public SSH key.
  • Configuration is stored in NVRAM, not on disk.

4. Stealth

  • Logging is disabled before persistence is established. 
  • No malware is left behind.

Scope and Visibility 

  • As of May 27, nearly 9,000 ASUS routers are confirmed compromised, based on scans from Censys — a platform that continuously maps and monitors internet-facing assets across the global internet. Censys reveals what’s exposed; GreyNoise shows which of those assets are being actively targeted. 
  • The number of affected hosts is growing. 
  • GreyNoise sensors saw just 30 related requests across three months, demonstrating how quietly this campaign is operating. 

Indicators of Compromise

IP addresses involved in this activity: 

101.99.91.151
101.99.94.173 
79.141.163.179   
111.90.146.237

Backdoor port: 

TCP/53282

Attacker SSH public key (truncated):

ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAo41nBoVFfj4HlVMGV+YPsxMDrMlbdDZ... 

Has ASUS Released a Patch?

  • ASUS patched CVE-2023-39780 in a recent firmware update. 
  • The initial login bypass techniques are patched but do not have assigned CVEs.
  • The attacker’s SSH configuration changes are not removed by firmware upgrades. 

If a router was compromised before updating, the backdoor will still be present unless SSH access is explicitly reviewed and removed. 

Recommendations 

  • Check ASUS routers for SSH access on TCP/53282. 
  • Review the authorized_keys file for unauthorized entries.
  • Block the four IPs listed above.
  • If compromise is suspected, perform a full factory reset and reconfigure manually.
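The first three recommendations can be checked offline from a single `nvram show` dump taken over a console or a session you opened yourself. The following is an added example of that triage, not GreyNoise's or ASUS's tooling. The NVRAM variable names it reads (sshd_enable, sshd_port, sshd_wan, sshd_authkeys) and the key separator are the ASUSWRT conventions as we know them and are assumptions to confirm on your firmware; the dumps it runs on are constructed, and the attacker key is matched on the published prefix because the write-up truncates it.

```python
"""Triage an ASUS router's `nvram show` dump for the SSH backdoor indicators
described above: SSH on TCP/53282, WAN reachability, and the attacker's public
key in the authorised-keys setting.

Added example, not GreyNoise's or ASUS's tooling.  NVRAM variable names and the
key separator follow ASUSWRT conventions as we know them (assumption: confirm on
your firmware); both dumps below are constructed, and the attacker key is
matched on its published prefix because the write-up truncates it.
"""

BACKDOOR_PORT = "53282"
ATTACKER_KEY_PREFIX = "AAAAB3NzaC1yc2EAAAABIwAAAQEAo41nBoVFfj4HlVMGV+YPsxMDrMlbdDZ"

# Constructed dumps.  The compromised one carries the attacker key next to a
# legitimate admin key (placeholder blob); the clean one has SSH on LAN only.
SAMPLE_DUMP = """\
wan0_ipaddr=203.0.113.45
sshd_enable=1
sshd_port=53282
sshd_authkeys=ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAo41nBoVFfj4HlVMGV+YPsxMDrMlbdDZ...>ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEY admin@lan
"""
CLEAN_DUMP = """\
wan0_ipaddr=203.0.113.46
sshd_enable=2
sshd_port=22
sshd_authkeys=ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEY admin@lan
"""
ADMIN_KEYS = frozenset({"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEY"})


def parse_nvram(dump):
    """`nvram show` prints one name=value per line; values may contain '='."""
    nv = {}
    for line in dump.splitlines():
        if "=" in line:
            name, value = line.split("=", 1)
            nv[name.strip()] = value
    return nv


def authorized_keys(nv):
    """Keys in sshd_authkeys; separated by '>' or newline depending on firmware (assumption)."""
    raw = nv.get("sshd_authkeys", "").replace(">", "\n").replace("\\n", "\n")
    return [k.strip() for k in raw.splitlines() if k.strip()]


def key_identity(key):
    """'type blob' without the trailing comment, for allowlist comparison."""
    parts = key.split()
    return " ".join(parts[:2]) if len(parts) >= 2 else key


def triage(dump, known_good=frozenset()):
    """Return indicator names found in the dump; an empty list means nothing suspicious."""
    nv = parse_nvram(dump)
    findings = []
    if nv.get("sshd_enable", "0") != "0":
        if nv.get("sshd_port") == BACKDOOR_PORT:
            findings.append("ssh-listening-on-53282")
        # stock firmware: sshd_enable 1 = LAN+WAN, 2 = LAN only; Merlin adds sshd_wan (assumption)
        if nv.get("sshd_enable") == "1" or nv.get("sshd_wan") == "1":
            findings.append("ssh-reachable-from-wan")
    for key in authorized_keys(nv):
        blob = key_identity(key).split(" ")[-1]
        if blob.startswith(ATTACKER_KEY_PREFIX):
            findings.append("attacker-key-present")
        elif key_identity(key) not in known_good:
            findings.append("unrecognised-key")
    return findings


if __name__ == "__main__":
    print("compromised:", triage(SAMPLE_DUMP, ADMIN_KEYS))
    print("clean:      ", triage(CLEAN_DUMP, ADMIN_KEYS))
```

Any key not on your own allowlist is reported, not only the published one, since an operator who rotates keys leaves the same NVRAM footprint. Because the settings live in NVRAM, a firmware upgrade does not clear them; the factory reset in the last recommendation does.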

Block IPs & Read the Full Analysis

For payload details, firmware analysis, and attack reconstruction: 

Read the full technical analysis.


Verizon DBIR 2025: Edge KEVs Are Increasingly Left Unpatched — and More Often Exploited in Breaches

Key Insight: Why This Matters

The 2025 DBIR highlights a critical area of importance for vulnerability management teams: edge vulnerabilities. 

Exploitation of edge vulnerabilities in breaches has surged eightfold. Yet, nearly one in three edge KEVs remain fully unpatched — despite being widely recognized as critical risks.

This isn’t a matter of awareness (they’re on CISA’s KEV). It’s about action and prioritization. Real-time intelligence is a must in this situation, giving insight into what attackers are targeting now — ensuring the most pressing threats are identified and resolved quickly. 

This year’s DBIR findings necessitate swift action on the part of defenders, particularly as it relates to edge exploitation. 

Executive Summary 

New findings from the 2025 Verizon Data Breach Investigations Report (DBIR) reveal a critical shift in how attackers breach organizations — and how defenders are simultaneously making strides and falling short:  

Speed and Awareness:

  • Exploitation of edge KEVs begins immediately — the median time from disclosure to mass exploitation for edge KEVs is zero days, compared to five days for all KEVs. 
  • Defenders are prioritizing edge vulnerabilities more than others:
    • 54% of edge KEVs were remediated, compared to 38% of all KEVs.
    • Median time to remediate edge KEVs was 32 days, faster than the 38-day median for all KEVs. 
  • This presents a concerning duality: time-to-exploit for edge vulnerabilities is zero days, while defenders take a median of 32 days to remediate them. That window of exposure represents a critical risk for most organizations at the edge.

Scale: 

  • Vulnerability exploitation is second only to credential theft as a means of breaching organizations.  
  • Edge vulnerabilities were used in 22% of breaches involving vulnerability exploitation — an eightfold increase from 3% last year. 

Action Gap: 

  • Despite this prioritization, nearly one in three edge KEVs remain fully unremediated — the highest rate of full non-remediation among CVEs and KEVs tracked in the DBIR. 

GreyNoise research reveals a deeper complication: Old edge vulnerabilities are resurging, magnifying the risks defenders face. 

Vulnerability Exploitation Is a Growing Breach Method — and Edge Vulnerabilities Are Central

Vulnerability exploitation is rising as a breach method — and edge vulnerabilities, in particular, are being exploited far more often to break into organizations. 

The Verizon DBIR shows: 

  • One in five breaches involved vulnerability exploitation, a 34% rise from last year — second only to credential theft. 
  • Among those breaches, exploitation of edge vulnerabilities surged eightfold.

Despite heightened attention, edge KEVs remain the most likely vulnerabilities to be left unpatched — even though they are already recognized as critical risks. 

This points to a widening gap between risk awareness and defensive action. 

GreyNoise Research Reveals the Growing Risk of Vulnerability Resurgence

The DBIR highlights how quickly attackers exploit vulnerabilities — especially those in edge technologies. 

GreyNoise research reveals a deeper problem: attackers also return to older edge vulnerabilities defenders may have deprioritized. 

  • Edge vulnerabilities are already slipping through defenders’ patching efforts. 
  • GreyNoise observes attackers opportunistically reviving overlooked vulnerabilities — creating unexpected exposure long after the initial disclosure fades from focus. 

Our research found that resurgent vulnerabilities follow three main attack patterns, Utility, Periodic, and Black Swan, which the full report describes and visualizes. 

Static patching models, focused on CISA KEV, CVSS, and EPSS alone, can miss these shifts. 

Dynamic, exploitation-driven intelligence can reveal when old vulnerabilities become active risks again, cutting through those attack patterns by relying on near real-time alerts of heightened activity. 

Resurgence Disproportionately Affects the Edge 

Our analysis revealed that half of the top exploited resurgent vulnerabilities affect edge assets — with 70% of Black Swans, the most unpredictable class of resurgent flaws, affecting the edge. 

The DBIR and GreyNoise research indicate that edge assets are becoming one of the most attractive targets for attackers. 

What Defenders Must Do

Today’s edge threat environment demands a new approach: 

  • Prioritize vulnerabilities based on observed, active exploitation, not just severity ratings. 
  • Continuously monitor for resurgence — because old threats can quietly reemerge.
  • Adopt dynamic, real-time intelligence models that evolve with attacker behavior. 
  • Dynamically block threats with real-time intelligence. Attackers are pivoting infrastructure, utilizing trusted IPs to engage in reconnaissance and launch attacks at scale — limiting the effectiveness of static defenses. 

Read the full report: A Blindspot in Cyber Defense: How Resurgent Vulnerabilities Jeopardize Organizational Security.

— — — 

Stone is Head of Content at GreyNoise Intelligence, where he leads strategic content initiatives that illuminate the complexities of internet noise and threat intelligence. In past roles, he led partnered research initiatives with Google and the U.S. Department of Homeland Security. With a background in finance, technology, and engagement with the United Nations on global topics, Stone brings a multidimensional perspective to cybersecurity. He is also affiliated with the Council on Foreign Relations.

GreyNoise Uncovers Unique Risks From Resurgent Cybersecurity Vulnerabilities

Attackers from every corner of the internet are exploiting a uniquely dangerous class of cyber flaws: resurgent vulnerabilities. 

These aren’t being exploited as zero-days — and spikes in activity rarely make headlines. They’re older flaws that quietly return to relevance as attacker interest reignites. Some were deprioritized years ago. Others were never seen as serious. But today, they’re being opportunistically exploited at scale, often in edge technologies like firewalls, routers, and VPNs — the very internet-facing assets attackers use for initial access and persistence. 

GreyNoise’s latest research breaks down these vulnerabilities — how they behave, why they’re dangerous, and what defenders and policymakers need to know to stay ahead. 

Key Takeaways:  

  • Resurgent vulnerabilities fall into three distinct behavioral categories: Utility, Periodic, and Black Swan. Each category has unique exploitation patterns, with Black Swan being the most unpredictable. 
  • Over half of the top exploited resurgent CVEs and nearly 70% of Black Swan vulnerabilities affect edge technologies, such as routers and VPNs — the very technologies attackers use for initial access and persistence. 
  • Some CVEs are first exploited years after disclosure, creating long-standing blind spots in many patching programs. 
  • Resurgent exploitation often arrives without warning, underscoring the need for adaptive patch management and dynamic blocking strategies that account for dormant but dangerous vulnerabilities. 
  • Government and private threat intelligence providers have reported state-sponsored exploitation of old vulnerabilities. GreyNoise Intelligence continues to observe widespread opportunistic activity against many of the same flaws. 

Inside the report: 

  • A new framework for understanding how vulnerabilities resurface.
  • Behavioral patterns of resurgence — and what they mean for defenders. 
  • Visuals and examples of resurgent CVEs exploited at scale. 
  • Tactical insights for security professionals and policymakers to improve patch prioritization, dynamic blocking, and risk mitigation.

Download the full report and prepare before the next wave hits. 

— — —

Noah Stone contributed to this writeup in collaboration with GreyNoise Research.

GreyNoise 2025 Mass Internet Exploitation Report: Attackers Are Moving Faster Than Ever — Are You Ready?

Mass Internet Exploitation in 2024: A Rapidly Escalating Threat

In 2024, attackers didn’t just exploit vulnerabilities — they automated them at scale, turning the internet into a playground for mass exploitation. 

  • Attackers exploited vulnerabilities within hours of disclosure. 
  • 40% of exploited CVEs were at least four years old — some dating back to the 1990s. 
  • Ransomware groups leveraged nearly 30% of KEV-listed vulnerabilities that GreyNoise tracked. 

GreyNoise observed widespread internet scanning and exploitation attempts across thousands of IPs, showing how attackers are scaling operations faster than defenders can respond. 

The GreyNoise 2025 Mass Internet Exploitation Report provides a detailed breakdown of how mass exploitation evolved in 2024, which vulnerabilities were most targeted, and how CISOs and security professionals can stay ahead in 2025. 

Key Findings from the 2025 Mass Internet Exploitation Report

  • The most exploited vulnerability of 2024 targeted home internet routers, fueling massive botnets used in cyberattacks. 
  • Legacy vulnerabilities remain among the most widely exploited, with attackers continuing to target publicly known flaws, sometimes dating back to the 1990s. 
  • GreyNoise observed multiple CVEs showing signs of exploitation before being added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, reinforcing the need for real-time intelligence. 
  • Ransomware groups leveraged 28% of KEV-listed vulnerabilities tracked by GreyNoise, showing mass exploitation is a key enabler of financially motivated attacks. 
  • A surge in May 2024 was traced to 12,000+ unique IPs involved in an exploitation event targeting Android devices. 

The Speed and Surprise of Mass Exploitation: New and Old CVEs Under Attack

This report confirms that mass exploitation is not just a zero-day problem — it’s a persistent issue across both new and old vulnerabilities. 

“Mass exploitation isn’t just about zero-days — it’s about attackers industrializing vulnerability exploitation at scale,” said Andrew Morris, Founder and Chief Architect at GreyNoise. “They care less about CVSS scores or KEV lists. They scan the entire internet — it’s quick and cheap to do — they find what’s exposed, and go after it immediately. This report shows just how fast and unpredictable mass exploitation really is — and why security teams need real-time intelligence to keep up.” 

Why This Matters Now

  • Most patching strategies can’t keep up — attackers automate exploits faster than teams can assess, prioritize, and deploy fixes. 
  • Mass exploitation is moving faster than traditional security workflows — organizations need real-time intelligence, not just alerts. 
  • Ransomware groups are automating attacks. Exploitation of known vulnerabilities remains a primary initial access method. 
  • Home routers and IoT devices are increasingly being exploited at scale. Many organizations fail to account for these attack surfaces. 

The Most Observed Exploitation Activity in 2024

Attackers aren’t just targeting newly disclosed vulnerabilities — many of the most exploited CVEs in 2024 are years old, proving that security teams must rethink patching priorities. 

GreyNoise tracked the most frequently observed vulnerability exploitation attempts across the internet in 2024. Some of the most targeted vulnerabilities included:

  • CVE-2018-10561 (GPON Router Worm) – 96,042 unique IPs
  • CVE-2014-8361 (Realtek Miniigd UPnP Worm) – 41,522 unique IPs
  • CVE-2016-6277 (NETGEAR Command Injection) – 40,597 unique IPs
  • CVE-2023-30891 (Tenda AC8 Router Exploit) – 29,620 unique IPs
  • CVE-2016-20016 (MVPower CCTV DVR RCE) – 17,496 unique IPs

These vulnerabilities were frequently targeted throughout 2024, often in large-scale scanning campaigns, botnet-building operations, or ransomware-driven attacks. 

Defensive Takeaways for 2025

The 2025 Mass Internet Exploitation Report confirms that:

  • Mass exploitation begins rapidly after disclosure, making real-time intelligence critical for prioritization. 
  • Legacy vulnerabilities remain prime targets, often exploited alongside newer flaws. 
  • Security teams need real-time exploitation intelligence to make informed decisions. 


Evaluating Threat Intelligence Providers: What Security Teams Need to Know

Cybersecurity professionals face mounting pressure to stay ahead of attackers. From zero-days to targeted campaigns, the need for actionable intelligence is clear — but not every team requires a dedicated threat intelligence feed. That’s why GreyNoise created this unbiased, vendor-neutral white paper: to help security professionals navigate the complexity, assess their true needs, and make informed decisions about the type of threat intelligence feed that’s right for them. 

Before investing, it’s essential to ask: 

  • Do we actually need a threat intelligence feed?
  • If we do, what kind of feed will provide the most value? 

This vendor-neutral, practical white paper offers clear, unbiased guidance to help you:

  • Assess your team’s goals and risk profile to determine if a threat intel feed aligns with your needs. 
  • Identify gaps in your current capabilities, including blind spots in threat detection or response.
  • Learn how to evaluate and compare different threat intelligence options — from embedded feeds to dedicated providers — based on timeliness, context, integration, and scalability.  

Key Insights from the Guide

  1. Understand the limitations of embedded feeds and when they’re enough.
  2. Spot critical gaps that could leave your organization exposed. 
  3. Evaluate providers with confidence to ensure ROI on your security investments. 

Why It Matters

Not every organization requires a dedicated threat intelligence feed. For some, embedded feeds integrated into firewalls or SIEMs are sufficient. For others, targeted adversaries, complex environments, or sector-specific threats demand a more tailored approach. 

This guide cuts through the noise to help you make an informed decision, whether you’re enhancing an existing setup or exploring new options. 

Equip Your Team with Unbiased Advice

This isn’t a sales pitch. It’s a strategic resource to help you assess your needs, evaluate options, and build a proactive cyber defense strategy tailored to your organization. 

Download the guide now to get clarity on whether a threat intelligence feed is the right move for your team.

The Persistent Perimeter Threat: Strategic Insights from a Multi-Year APT Campaign Targeting Edge Devices

A newly released report by Sophos reveals a sophisticated multi-year APT (Advanced Persistent Threat) campaign that exploited network perimeter devices, using both new and older vulnerabilities to infiltrate high-value targets. Beginning in 2018, the campaign’s actors leveraged advanced tactics, techniques, and procedures to target internet-facing devices belonging to government and critical infrastructure entities, and other high-value targets. The campaign demonstrates that APT actors are increasingly focusing on network perimeters — especially unpatched, internet-facing devices like VPNs, routers, and other edge infrastructure — as prime entry points for further compromise. 

“This campaign is a wake-up call about just how serious the threat to edge devices really is,” said Andrew Morris, Founder and Chief Architect at GreyNoise Intelligence. “Attackers are getting in through overlooked devices, deploying rootkits at the firmware level, and persisting on everything from routers to security cameras to HVAC systems and digital signage. And here’s the thing: detecting this kind of persistence today is incredibly tough. Major device platform vendors have entire teams dedicated to rooting out these threats on PCs, and it’s still a struggle. So, imagine trying to detect and defend against this level of sophistication on an embedded device like a router or a modem — almost no chance.”

At GreyNoise, we observe perimeter-focused attacker behavior across a range of vulnerabilities, both new and resurgent, providing us with a unique view of these threats as they unfold. This blog unpacks key strategic insights from the campaign, explains why network perimeter exploitation should be a top security focus, and provides actionable steps to help security teams stay one step ahead. We’ll explore some of the actively probed CVEs associated with this campaign, the ongoing risks of unpatched devices, and practical ways to mitigate exposure using real-time intelligence. 

GreyNoise is proud to have contributed to Sophos’ research and we encourage you to read the full report. In an effort to aid in exposure mitigation efforts, GreyNoise is providing the following information to defenders:

  • View exploit activity and actively block exploitation of the CVEs related to Pacific Rim
  • Get 14 days of free access to GreyNoise Vulnerability Prioritization Intelligence to enable active blocking against exploitation of Pacific Rim-related vulnerabilities 

The APT Campaign: A Sophisticated and Stealthy Multi-Year Assault 

The Sophos report details a sophisticated campaign beginning in 2018, where attackers initially targeted Cyberoam, an India-based Sophos subsidiary. Using intelligence gathered from Cyberoam, along with additional development, the attackers attempted mass exploitation to build a network of operational relay boxes (ORBs). However, after largely failing in this due to detection, they shifted tactics to remain under the radar, focusing exclusively on a small number of high-value targets. This more targeted approach enabled them to infiltrate select government agencies, critical infrastructure, and influential organizations such as embassies. This campaign underscores how APTs adapt and leverage both collected intelligence and advanced tradecraft to achieve their strategic goals. 

The attackers exhibited patience and adaptability, evolving their approach from broad, indiscriminate scanning to targeted reconnaissance and exploitation. Their tactics included custom rootkits, firmware-based persistence, and sophisticated command-and-control channels, like ICMP tunneling and proxy chains, enabling long-term, stealthy access to compromised networks. This combination of large-scale scanning followed by focused exploitation demonstrates how attackers systematically identify and prioritize vulnerabilities on perimeter devices to achieve their objectives.  

The Network Perimeter: An Overlooked but Critical Attack Vector

This campaign highlights how perimeter devices — including VPNs, routers, and other internet-facing systems — serve as critical points of entry for attackers. Although these devices are essential to network operations, ensuring timely patching can be challenging due to the business impact of taking these systems offline, making them attractive targets for attackers seeking to exploit this operational challenge. 

GreyNoise’s data consistently shows that perimeter devices draw significant reconnaissance and scanning activity from malicious IPs probing weak points. Our real-time intelligence captures how attackers conduct broad scans across these devices, identifying which ones might be vulnerable to exploitation.

This heatmap highlights the volume of malicious IPs actively targeting high-profile systems leveraging CVEs related to the campaign, illustrating the intensity of reconnaissance and exploitation and offering critical insights for prioritizing defenses around these devices. 

Security professionals should regularly audit and patch all high-profile systems that are internet-facing, especially those with widely known vulnerabilities. Leveraging IP blocklists allows security teams to intercept and block scanning activity on these endpoints, helping to prevent initial access and reduce perimeter risks. 

Resurgent Vulnerabilities: The Persistent Threat of Unpatched CVEs

While newer vulnerabilities often dominate security headlines, this campaign underscores that attackers frequently exploit older vulnerabilities as well. Over 35% of the CVEs in Sophos' Database of Network Device CVEs were released before 2020, with 95% of them included in CISA’s Known Exploited Vulnerabilities (KEV) catalog — a vital resource for tracking high-risk vulnerabilities. Despite available patches, these CVEs often remain unpatched on many perimeter devices, making them easy targets for attackers.

Re-evaluate patching priorities to include older vulnerabilities that impact perimeter devices. GreyNoise’s CVE tracking provides insights into which resurgent vulnerabilities see active targeting, allowing teams to focus on high-risk vulnerabilities that are exploited repeatedly. Older vulnerabilities continue to present significant risk if left unpatched, particularly on perimeter devices.  

The Role of Real-Time Reconnaissance in Understanding Exploitation Trends

According to the Sophos report, the attackers initially began their campaign with broad, indiscriminate scanning to locate vulnerable devices before refining their focus to specific, high-value targets. This phased approach demonstrates how attackers leverage large-scale reconnaissance to identify weak entry points and then shift to targeted exploitation. 

GreyNoise’s real-time data on reconnaissance trends offers visibility into this broader phase, capturing which high-profile CVEs attackers are actively probing across devices. This data reveals where attackers focus their scanning efforts on the network perimeter, providing early indicators of which vulnerabilities are most at risk. 

APTs Are Evolving, and the Network Perimeter Remains a Key Target

The precision and patience of this APT campaign send a clear message: perimeter devices remain prime targets, and unpatched vulnerabilities continue to offer attackers a simple path to network entry. The campaign reinforces the need for security professionals to maintain real-time visibility into these threats — both legacy CVEs and active reconnaissance of network devices. 

By monitoring attacker behavior and focusing on high-risk vulnerabilities, teams can take concrete steps to strengthen their defenses against persistent, sophisticated attacks. 

Supporting Your Exposure Management Efforts

We know that many organizations are working diligently to assess their exposure, analyze logs, and manage vulnerabilities following this APT campaign. To aid in this effort, GreyNoise is providing all users — both paying and free — 14 days of access to real-time exploitation data for the CVEs associated with this threat. Our goal is to help security teams stay informed and make it easier to track active exploitation. 

Access the Data:

  • View exploit activity and actively block exploitation of the CVEs related to Pacific Rim
  • Get 14 days of free access to GreyNoise Vulnerability Prioritization Intelligence to enable active blocking against exploitation of Pacific Rim-related vulnerabilities 
  • Read the documentation detailing how this feature works and how it can help you. 


GreyNoise Intelligence Discovers Zero-Day Vulnerabilities in Live Streaming Cameras with the Help of AI

GreyNoise has discovered previously undisclosed zero-day vulnerabilities in IoT-connected live streaming cameras, leveraging AI to catch an attack before it could escalate. These cameras are reportedly used in sectors such as industrial operations, healthcare, and other sensitive environments like houses of worship, highlighting the urgent need for stronger cybersecurity defenses as the threat landscape continues to evolve.

This discovery was made possible after a GreyNoise honeypot detected an attempt to execute an exploit against it. An attacker had developed and automated a zero-day vulnerability exploit, using a broad-spectrum reconnaissance and targeting strategy to run it across the internet. However, the exploit hit GreyNoise’s global sensor network, where GreyNoise’s proprietary internal AI technology flagged the unusual activity. Upon further investigation, GreyNoise researchers discovered the zero-day vulnerabilities. Once exploited, attackers could potentially seize complete control of the cameras, view and/or manipulate video feeds, disable camera operations, and enlist the devices into a botnet to launch denial-of-service attacks.

This marks one of the first instances where threat detection has been augmented by AI to discover zero-day vulnerabilities. By surfacing malicious traffic that traditional tools would have missed, GreyNoise successfully intercepted the attack, identified the vulnerabilities, and reported them before they could be widely exploited. The company’s proactive approach, combining AI-powered detection with expert human analysis, proves that AI can dramatically accelerate the discovery of vulnerabilities — making the internet safer, one discovery at a time. 

GreyNoise partnered with VulnCheck to responsibly disclose the flaws, tracked as CVE-2024-8956 and CVE-2024-8957.   

View the full technical analysis and register now for GreyNoise’s expert panel webinar to learn more about the broader implications of these findings for security professionals. 

Affected Devices and Common Use-Cases

The vulnerabilities impact NDI-enabled pan-tilt-zoom (PTZ) cameras from multiple manufacturers. Affected devices run VHD PTZ camera firmware < 6.3.40, as used in PTZOptics, Multicam Systems SAS, and SMTAV Corporation devices based on the Hisilicon Hi3516A V600 SoC (V60, V61, and V63). These cameras, which feature an embedded web server that allows direct access from a web browser, are reportedly deployed in environments where reliability and privacy are crucial, including:

  • Industrial and manufacturing plants for machinery surveillance and quality control.
  • Business conferences for high-definition video streaming and remote presentations. 
  • Healthcare settings for telehealth consultations and surgical live streams.
  • State and local government environments, including courtrooms.
  • Houses of worship for live streaming of religious services.

[Images: Industrial Machinery Surveillance; AI-Driven Manufacturing Camera; Business Streaming Setup; Surgical Live Stream; Telehealth Camera in Hospital Room; Courtroom Surveillance Camera; Religious Service Streaming Camera. Source: PTZOptics.com]

Affected devices are typically high-cost live streaming cameras, sometimes exceeding several thousand dollars. 

Vulnerabilities Discovered

CVE-2024-8956 – Insufficient Authentication – CVSS 9.1 (Critical)
  • Inadequate authentication mechanisms could allow an attacker to access sensitive information like usernames, MD5 password hashes, and configuration data. MD5 hashes have long been considered insecure, meaning attackers could potentially crack them and gain administrative access. 

CVE-2024-8957 – OS Command Injection – CVSS 7.2 (High)
  • Chained with CVE-2024-8956, an attacker can execute arbitrary OS commands on the affected cameras, potentially allowing an attacker to seize full control of the system. 
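To make concrete why the exposure of MD5 password hashes described above is so serious, here is an added example (not GreyNoise, PTZOptics or VulnCheck code) that places the weak storage scheme next to the one an embedded web server should use. The account names and passwords are constructed samples; the record format, function names and iteration count are this example's own choices.

```python
"""Added example: unsalted MD5 password storage beside a salted, iterated KDF.
Account names and passwords below are constructed samples, not from any device."""
import hashlib
import hmac
import os

# Constructed sample accounts. Two share a weak password, as is common on
# embedded devices that ship with factory defaults.
SAMPLE_ACCOUNTS = {
    "admin": "admin",
    "operator": "admin",
    "viewer": "camera123",
}


def md5_store(accounts):
    """The weak scheme: an unsalted MD5 digest of each password.
    Identical passwords give identical digests, and every digest can be
    matched against precomputed tables of common passwords, so leaking this
    table (as via an authentication bypass) is close to leaking the passwords."""
    return {u: hashlib.md5(p.encode()).hexdigest() for u, p in accounts.items()}


def pbkdf2_store(accounts, iterations=200_000):
    """Hardened scheme: a random per-user salt and a slow, iterated KDF
    (PBKDF2-HMAC-SHA256 from the standard library). Each record is stored as
    "pbkdf2_sha256$<iterations>$<salt_hex>$<digest_hex>" (format chosen here)."""
    store = {}
    for user, pw in accounts.items():
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)
        store[user] = f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"
    return store


def verify_pbkdf2(stored, candidate):
    """Check a login attempt against a stored record using a constant-time compare."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def duplicate_password_users(store):
    """Groups of users whose stored values are identical. With unsalted MD5
    this immediately reveals which accounts share a password; with per-user
    salts the stored values never collide, so nothing is revealed."""
    seen = {}
    for user, value in store.items():
        seen.setdefault(value, []).append(user)
    return [users for users in seen.values() if len(users) > 1]


if __name__ == "__main__":
    weak = md5_store(SAMPLE_ACCOUNTS)
    strong = pbkdf2_store(SAMPLE_ACCOUNTS)
    print("MD5 store reveals shared passwords:", duplicate_password_users(weak))
    print("PBKDF2 store reveals shared passwords:", duplicate_password_users(strong))
    print("viewer login with correct password:", verify_pbkdf2(strong["viewer"], "camera123"))
```

Running the block shows that the MD5 table exposes that `admin` and `operator` share a password before any cracking takes place, whereas the salted PBKDF2 table gives no such hint and still verifies correct logins. The iteration count is a tunable cost parameter; choose it for the device's CPU rather than copying the value used here.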

Full Camera Takeover, Unauthorized Surveillance, Data Breach, Broader Attacks, and More

GreyNoise found the affected cameras to be vulnerable to a range of potentially dangerous attacks. These vulnerabilities, if exploited, could potentially expose sensitive business meetings, compromise telehealth sessions, and disrupt cameras deployed in industrial settings, leaving organizations potentially exposed to data and privacy breaches.

Full Camera Takeover and Unauthorized Surveillance
  • By exploiting both CVE-2024-8956 and CVE-2024-8957, an attacker could potentially seize full control of the camera, view and/or manipulate the video feeds, and gain unauthorized access to sensitive information. Devices could also be potentially enlisted into a botnet and used for denial-of-service attacks. 

Attacks like this are not new — in 2021, live feeds of 150,000 cameras inside schools, hospitals, and more were exposed. Vulnerable IoT devices are prime targets for attackers looking to add compromised devices to a botnet, like the infamous Mirai botnet. 

Broader Network Attacks and Data Breach
  • An attacker could extract network details, including IP addresses, MAC addresses, and gateway configurations, potentially leveraging this information to pivot and move laterally into the device’s local network. This could potentially compromise other systems on the same network, which could lead to broader data breaches or even the spread of ransomware. 

Disablement of Camera Operations
  • CVE-2024-8956 allows for configuration files to be updated or entirely overwritten. An attacker could exploit this vulnerability to intentionally misconfigure or disable the camera, potentially disrupting camera operations. 

How GreyNoise Discovered These Vulnerabilities Using AI

Security teams today face an overwhelming number of alerts, many of which result from harmless internet activity like routine scans and benign traffic. With countless alerts pouring in daily, identifying threats becomes incredibly difficult, and many serious vulnerabilities can go unnoticed amid the noise. 

This is where AI steps in. GreyNoise’s Sift, powered by large language models (LLMs) trained on vast amounts of internet traffic — including traffic targeting IoT devices — identifies anomalies that traditional systems may miss. Instead of just reacting to known threats, Sift excels at spotting new anomalies, threats that haven't been identified yet or don’t fit any known signatures. 

What Makes Sift Different 

Sift analyzes real-time internet traffic and enriches that data with GreyNoise’s proprietary datasets. It then runs the data through advanced AI systems, which help separate routine activity from potential threats. This process allows researchers to focus on truly meaningful threats without getting lost in the noise. 

In this case, Sift flagged unrecognized traffic that had not been tagged as a known threat. This caught the attention of GreyNoise researchers, who further investigated the unusual traffic. Their investigation led to the discovery of two previously unknown zero-day vulnerabilities in live streaming cameras — highlighting how AI can transform the speed and accuracy of cybersecurity research. 

“This isn’t about the specific software or how many people use it — it’s about how AI helped us catch a zero-day exploit we might have missed otherwise,” said Andrew Morris, Founder and Chief Architect at GreyNoise Intelligence. “We caught it before it could be widely exploited, reported it, and got it patched. The attacker put a lot of effort into developing and automating this exploit, and they hit our sensors. Today it’s a camera, but tomorrow it could be a zero-day in critical enterprise software. This discovery proves that AI is becoming essential for detecting and stopping sophisticated threats at scale.” 

Human Researchers + AI: A Powerful Combination 

By rapidly filtering out irrelevant traffic, Sift gives human researchers a clear head start. Capable of sifting through millions of data points, it enables researchers to focus on critical threats in real-time. This combination of AI-driven anomaly detection and human-led investigation is essential in today’s fast-paced cybersecurity landscape, where attackers are constantly evolving their tactics. Without Sift’s machine learning capabilities, these vulnerabilities might have remained hidden. 

The Broader IoT Challenge: Proliferation and Internet Noise 

GreyNoise’s discoveries shed light on a larger issue facing the rapidly growing IoT landscape. With nearly 19 billion IoT devices in operation globally, industrial and critical infrastructure sectors rely on these devices for operational efficiency and real-time monitoring. However, the sheer volume of data generated makes it challenging for traditional tools to discern genuine threats from routine network traffic, leaving systems vulnerable to sophisticated attacks. Last month, U.S. authorities dismantled a botnet that leveraged a variety of IoT devices, including IP cameras. IoT devices remain a prime target for attackers looking to exploit insecure design and functionality. 

Recommendations to Protect Your Organization

Organizations using VHD PTZ camera firmware < 6.3.40 in PTZOptics, Multicam Systems SAS, and SMTAV Corporation devices based on the Hisilicon Hi3516A V600 SoC (V60, V61, and V63) should take immediate action to patch the discovered vulnerabilities and secure their systems.

VulnCheck alerted the affected manufacturers to the flaws but received a response only from PTZOptics. That manufacturer released firmware updates addressing the flaws.

Read the GreyNoise Labs blog for technical analysis and deeper insight into how Sift helped discover these zero-day vulnerabilities.

Check out our webinar!

Watch our expert panel take a deep dive into the technical details and strategic implications of this discovery to provide the context you need to better protect your organization. 

Register now and learn how AI-driven cybersecurity is changing the status quo and how it can transform your security strategy. 

Protecting Democracy From The Growing Threat of Deepfakes and Disinformation

(This is the conclusion of our four-part series on "Understanding the Election Cybersecurity Landscape".)

Thanks to the emergence of powerful new AI-infused tools, a new battleground for democracy has emerged — one that does not rely on physical conflict but on the manipulation of information. Deepfakes and disinformation campaigns have become potent weapons, threatening the integrity of democratic processes. These sophisticated techniques not only mislead the public but also sow discord, making it increasingly difficult to distinguish truth from falsehood.

The Rise of Deepfakes and Disinformation

Deepfakes (hyper-realistic, artificially generated or manipulated videos or audio recordings) have advanced to a level where even seasoned experts struggle to differentiate them from authentic media. Combined with disinformation campaigns, these tools can spread false narratives at alarming speed and scale.

The January 2024 New Hampshire primary was a wake-up call. Voters received robocalls featuring an AI-generated voice impersonating President Joe Biden, urging them to abstain from voting in the primary. Instead, the message encouraged them to save their vote for the general election. This incident is a single, yet stark, example of how domestic actors are utilizing advanced technologies to manipulate voters and disrupt electoral processes.

How Disinformation Campaigns Work

Disinformation campaigns thrive on online platforms, from social media to fake news websites. Both domestic and foreign actors — including Russia, China, and Iran — are involved in these efforts, as highlighted by the Intelligence Community's 2024 Annual Threat Assessment. Their goal is simple but destructive: to exacerbate societal divisions and influence voter perceptions.

In a recent case, the Department of Justice foiled a Russian-sponsored operation that aimed to sway voters by creating fake news sites that closely mimicked legitimate media outlets. Such tactics demonstrate the lengths to which bad actors will go to infiltrate and corrupt the information ecosystem.

The Damage to Democracy

Disinformation and deepfake technologies threaten to destabilize democratic institutions in several ways:

  • Erosion of Trust: When voters are repeatedly exposed to manipulated content, they begin to question the credibility of even legitimate sources of information, undermining the trust necessary for a healthy democracy.
  • Increased Polarization: By amplifying controversial issues and stoking social discord, disinformation campaigns deepen divisions within society. This polarization makes it harder for communities to come together on critical issues, further fragmenting the electorate.

Senator Warner’s Call to Action

In response to these escalating threats, Senator Mark R. Warner has called for decisive action. In a letter to the Cybersecurity and Infrastructure Security Agency (CISA), Warner outlined the critical need for state and local election officials to be equipped with the tools to counter disinformation and deepfakes. These officials are often voters' most trusted sources of election information, but they operate with limited resources and staff.

Warner urged CISA to strengthen its support for local election administrators and advocated for collaboration across government agencies, technology companies, academic institutions, and international allies to combat the spread of disinformation. Only through coordinated efforts can we build the resilience necessary to defend democratic processes.

What Can Be Done?

As technology continues to evolve, so too does the potential for its misuse. Deepfakes and disinformation campaigns are not just technological novelties; they are deliberate attempts to distort reality and undermine the public’s trust in elections. To safeguard democracy, proactive measures must be taken:

  • Awareness: The first line of defense is public awareness. Voters need to be alert to the reality that not everything they encounter — especially online — is trustworthy.
  • Media Literacy: Education is essential. By equipping people with the skills to critically evaluate the information they consume, we can reduce the impact of false narratives. Schools, community organizations, and media outlets all have a role to play in promoting media literacy.
  • Collaboration: A united front is essential to combat these sophisticated threats. Government agencies like CISA must work hand-in-hand with state and local election officials, private technology firms, and global allies to share intelligence, develop strategies, and respond swiftly to emerging threats.

Conclusion: Defending Democracy in the Digital Era

The threat posed by deepfakes and disinformation campaigns is real and growing. As technology advances, so does the potential for misuse by those seeking to disrupt democratic processes. By raising awareness, promoting media literacy, and fostering collaboration between government, private sectors, and international allies, we can protect the integrity of our elections and ensure that democracy endures in the digital age.

Now is the time to act. The future of democracy depends on our collective ability to respond to these new challenges. Let's safeguard the truth and uphold the trust that is the foundation of democratic society.

BLUUID: Firewallas, Diabetics, And… Bluetooth

We're excited to share a groundbreaking new blog post from our Labs team that dives deep into the world of Bluetooth Low Energy (BTLE) device identification and vulnerability research. In "BLUUID: Firewallas, Diabetics, And... Bluetooth," our very own Remy explores the fascinating and often overlooked realm of BTLE security.

This comprehensive analysis covers everything from building a BTLE Generic Attribute (GATT) Universally Unique Identifiers (UUIDs) database to remotely identifying Bluetooth devices for vulnerability research. Remy doesn't just stop at theory – he demonstrates real-world implications by uncovering and responsibly disclosing vulnerabilities in Firewalla firewall products.

But why should you care about BTLE security? As Remy points out, the impact extends far beyond just privacy concerns. Recent incidents involving BTLE-enabled insulin pumps highlight the potential for physical harm when these systems are compromised or malfunction.

In this blog, you'll learn:

  • How to build a database of BTLE UUIDs for remote device identification
  • Techniques for extracting identifying attributes from Android APKs
  • Real-world application of these methods in vulnerability research
  • Insights into the current state of BTLE security in healthcare devices

Whether you're a cybersecurity professional, IoT enthusiast, or simply curious about the hidden world of Bluetooth, this blog post offers valuable insights and practical techniques you won't want to miss.

Ready to dive in? Head over to the GreyNoise Labs blog to read the full article and expand your understanding of BTLE security and its far-reaching implications.

SolarWinds Serv-U (CVE-2024-28995) exploitation: We see you!

On June 5, 2024, SolarWinds published an advisory detailing CVE-2024-28995 - a path-traversal vulnerability in Serv-U, discovered by Hussein Daher. Our Labs team - with our brand new deception engineer - seized this opportunity to deploy a new honeypot they've been working on. It's supposed to look more real - and vulnerable! - than past honeypots.

What did they discover?

They show off all kinds of information gleaned from their honeypot - who's attacking it, what files they're trying to steal, how often they come back, and more.

But, that's not all!

They actually managed to capture a live attacker making several copy/paste mistakes, and attempting to correct the exploit only to foul it up again! They track the attacker's progress over the course of 4 hours, including one instance where they sent the completely wrong exploit (which happens to be for an unpatched vulnerability!).

Check out the full blog on GreyNoise Labs to learn more about this vulnerability and our observations.

2024 Verizon DBIR: Surviving the Year of the Vuln

The 2024 edition of the Verizon Data Breach Investigations Report (DBIR) has finally been released! The team did their usual bang-up job pulling key knowledge threads from the massive volume of data submitted by their ever-increasing number of contributors (of which GreyNoise is one!). Our researchers have pored over this tome to identify critical themes that should be of great import to GreyNoise customers and community.

The Year Of The Vuln

Identifying when attackers attempt to exploit vulnerabilities on internet-facing endpoints is at the heart of what we do at GreyNoise. So, it comes as no surprise that the DBIR team “witnessed a substantial growth of attacks involving the exploitation of vulnerabilities as the critical path to initiate a breach when compared to previous years.” The 180% increase was felt — almost daily — by all who keep track of headlines in the cybersecurity press. Our GreyNoise sensor fleet caught an extra 200K unique IPv4 addresses slinging malicious tagged activity our way (4.2 million malicious IPv4s in 2022 vs. 4.4 million in 2023), and the volume from those adversarial sources went from just over 10 million malicious tagged events to 13+ million.

One thing we did not expect was vulnerability exploitation chipping away at the volume of both credential-based attacks and phishing as the critical path action to initiate a breach, as seen in Figure 6 from the report:

Historically, phishing has been one of the most successful attack paths for our adversaries, and the volume of lost and stolen credentials is stunningly huge. However, organizations have been steadily investing in more advanced phishing protection (including awareness training), and credential blasts are both noisy and increasingly thwarted as organizations rely more heavily on the elevated protections provided by identity and authentication providers like Okta.

Conversely, using internet infrastructure to find and exploit vulnerable, exposed services can be a risk-free activity for attackers, and there is an almost endless supply of both new vulnerabilities and unpatched hosts. GreyNoise excels at identifying this activity, and we provide the timeliest and most comprehensive information on those attack types and sources, bar none.

It was also a bit distressing, though not surprising (given Figure 6), to see that vulnerability exploitation was at the heart of third-party-related breaches.

Figure 10. Action varieties in selected supply chain interconnection breaches (n=1,075)

You Don’t Have Time To Patch

Every defender should print out page 21 of the 2024 DBIR and tape it to their wall (or, cubicle, if you’re in the 50% of IT folks still commuting to offices).

Most cybersecurity folks are not familiar with the “survival analysis” shown in Figure 19. It’s just a fancy way of estimating the time until some event occurs. This analysis focuses on vulnerability remediation data (i.e., “patching”), with an emphasis on how long it takes organizations to patch vulnerabilities in CISA’s Known Exploited Vulnerabilities (KEV) catalog.

GreyNoise researchers are huge fans of CISA KEV. We even benchmark ourselves against it! We meet or beat CISA over 62% of the time when it comes to having a tag ready for defenders to use. How do our customers use these tags? Well, the primary way is to block activity from IP addresses associated with these tags. While this may not prevent pinpoint targeted attacks, it absolutely buys them time to keep safe from opportunistic attacks, and helps them identify those targeted attacks much faster, and with greater precision.

Our own data clearly shows that once a proof-of-concept (PoC) is available, attackers waste zero time going after vulnerable systems. And, there is increasingly little daylight between when a CVE is published and when a PoC becomes available.

Seeing that 85% of CISA KEV entries remain unpatched after 30 days clearly shows that most organizations have no time to patch. This means protecting these assets from harm during that 30-day exposure is paramount.

Closing The Door On Attackers

The DBIR team used the “open door” metaphor for how attackers made their way into organizations in 2023. At GreyNoise, we’re highly focused on helping organizations safeguard every single entry point in their internet-facing infrastructure, while also laying out some of our own trapdoors to help confuse and ensnare them.

With GreyNoise, organizations can gain an edge over their adversaries, using our advanced sensors to identify targeted attacks quicker than ever before. Combined with the proven, battle-tested intelligence in our existing Noise dataset, defenders now have the tools to both make it extremely difficult for attackers to be successful, and slow them down long enough to finish asset remediation efforts. Join us as we work to chip away at the million-incident record the DBIR set this year, and turn the tide against our combined foes! You can get started with our data here, or connect with our team to talk about advanced features.

Decrypting Fortinet's FortiOS 7.0.x

Curious about decrypting Fortinet's FortiOS 7.0.x firmware? In the latest Grimoire post, we delve into the technical details of doing just that, revealing a hardcoded key used in the ChaCha20 encryption algorithm and the steps required to extract the decrypted rootfs.gz file. With this information, researchers can investigate the relevant vulnerabilities and help users address potential security risks.

Check it out over here.

GreyNoise Tags Its Way to 1337 Elite Status

Yesterday, GreyNoise reached a fun and significant milestone after publishing our 1,337th tag. 1337 is a cherished number in hacker culture, as it is a numerical shorthand for "leet", which itself stands for "elite". This term has deep roots, going all the way back to the 80's when one had to make modems scream to access bulletin board systems (now, we humans are the ones screaming whenever we go online to see what fresh hades awaits us each day).

What makes this milestone even more significant is how it was achieved.

The chart, below, shows the cumulative sum of tag counts by year. While there was a modest improvement in intra-year tag creation from 2022 to 2023, we're just into the first few weeks of Q2 in 2024 and are almost at the total tag count for 2023.

We will almost certainly blow past 2023's tag count well-before the end of Q2, and this has all been made possible by our focused and practical use of AI. This system helps our incredible detection engineers quickly triage the millions of events our sensor fleet absorbs every day. With it, they discover and tag novel payloads to help inform and protect our customers, community, and the internet as a whole. The application that fuels this work is called Sift, and we've waxed poetic about it quite a bit over the past few months.

This boost to the tag inventory has also meant an increase in CVE coverage.

(Since it most likely drew your attention, the jumps in 2022 were due to numerous factors, including the increase in Russian hostilities towards Ukraine.)

60% of 2024 tags are based on CVEs, and — along with plenty of "modern" vulnerabilities — Sift has helped us catch exploitation attempts of some very old CVEs, too:

I'm incredibly proud of our team of data scientists, security researchers, and detection engineers. Their leet expertise powers the detections that folks rely on every day, and we hope you'll join in our celebration of achieving this epic milestone!

To learn more about GreyNoise tags and how they differ from "traditional" detections, check out our Tags Webinar Series.

CVE-2024-3273: D-Link NAS RCE Exploited in the Wild

A remote code execution vulnerability in D-Link NAS devices is actively being exploited and is tracked under CVE-2024-3273. The vulnerability is believed to affect as many as 92,000 devices and further information can be found on D-Link’s support announcement.

(04/11/2024): Clarification on CVE-2024-3273 & CVE-2024-3272

Exploitation of the CVE-2024-3273 command injection vulnerability requires valid values for the two `user=` and `passwd=` parameters. There is a companion vulnerability, tracked as CVE-2024-3272, which describes the issue as "manipulation of the argument user with the input messagebus leads to hard-coded credentials". It is important to note that the "credentials" as described consist only of the username "messagebus".

"messagebus" is not a backdoor account. It is one of many common pre-configured Linux system users that functionally cannot "log in", and thus have no password. Other common example system users include avahi, syslog, nobody, ntp, rtkit, and whoopsie. D-Link correctly validates that the username exists and also correctly validates that the provided password matches the stored one. The logic flaw exercised by CVE-2024-3273 is that, for the "messagebus" user, an empty password is the "correct" one, and the check never asks whether that user should be able to log in with a password at all.
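To make the logic flaw concrete, here is an added Python example (not D-Link's code and not from the GreyNoise post) that contrasts an authentication check which only verifies "user exists and password matches" with one that also refuses non-interactive system accounts and empty passwords, plus a small request-flagging helper for the `user=`/`passwd=` parameters. The account table, hash scheme, and login shells are constructed for illustration.

```python
import hashlib
import hmac
from urllib.parse import parse_qs

# Constructed account table modelled on /etc/passwd + /etc/shadow entries.
# SHA-256 is used here purely for illustration; the device's real password
# scheme is not part of this example.
def _h(pw: str) -> str:
    return hashlib.sha256(pw.encode()).hexdigest()

ACCOUNTS = {
    "admin":      {"hash": _h("correct-horse"), "shell": "/bin/sh"},
    "messagebus": {"hash": "",  "shell": "/usr/sbin/nologin"},  # system user, no password
    "nobody":     {"hash": "*", "shell": "/usr/sbin/nologin"},  # locked account
}
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}
UNUSABLE_HASHES = {"", "*", "!", "!!"}
SYSTEM_USERS = {"messagebus", "avahi", "syslog", "nobody", "ntp", "rtkit", "whoopsie"}

def vulnerable_auth(user: str, passwd: str) -> bool:
    """Mirrors the flaw described for CVE-2024-3273: the user must exist and the
    supplied password must equal the stored one, but nothing asks whether this
    account may log in. For messagebus the stored password is empty, so an
    empty passwd= compares as 'correct'."""
    acct = ACCOUNTS.get(user)
    if acct is None:
        return False
    supplied = _h(passwd) if passwd else ""
    return hmac.compare_digest(acct["hash"], supplied)

def hardened_auth(user: str, passwd: str) -> bool:
    """Same check with the missing step added: only interactive accounts with a
    usable password hash may authenticate, and an empty password is never accepted."""
    acct = ACCOUNTS.get(user)
    if acct is None or acct["shell"] in NOLOGIN_SHELLS or acct["hash"] in UNUSABLE_HASHES:
        return False
    if not passwd:
        return False
    return hmac.compare_digest(acct["hash"], _h(passwd))

def flag_request(query: str) -> bool:
    """Detection helper: True when a request's user=/passwd= parameters name a
    system account or carry an empty password, which no legitimate login should."""
    q = parse_qs(query, keep_blank_values=True)
    user = q.get("user", [""])[0]
    passwd = q.get("passwd", [""])[0]
    return user in SYSTEM_USERS or passwd == ""
```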

(04/09/2024): Update on number of vulnerable devices

Upon further analysis, it appears the number of vulnerable devices is much lower than initially reported. According to our friends at Censys, the number is closer to 5,500 devices.

GreyNoise quickly released a tag for tracking under D-Link NAS CVE-2024-3273 RCE Attempt, which was relatively easy for us because our Sift tooling surfaced the exploit to us automatically. Sift curates a report of new/interesting traffic observed by GreyNoise sensors daily after doing much of the analysis and triage work itself.

You can read more about Sift.

Sift’s analysis above is correct! Taking it a step further, the command the above IP is attempting to execute is a generic shell script pattern used by botnet operators to try to execute malware for every possible CPU architecture in the expectation that at least one will work. The malware is fetched from 38[.]6[.]224[.]248 over HTTP.

We have retrieved the sample skid.x86 and uploaded it to VirusTotal for sharing and further analysis:
