Blog
>
GreyNoise Research

GreyNoise Research

In-depth analysis and trend reporting from the GreyNoise Research team. Includes detection engineering insights, reverse engineering work, and white papers that surface emerging threat trends based on our telemetry — helping defenders stay ahead of risks that are often overlooked or not yet widely known.
GreyNoise Research

GreyNoise Uncovers Early Warning Signals for Emerging Vulnerabilities

It’s well known that the window between CVE disclosure and active exploitation has narrowed. But what happens before a CVE is even disclosed? 

In our latest research “Early Warning Signals: When Attacker Behavior Precedes New Vulnerabilities,” GreyNoise analyzed hundreds of spikes in malicious activity — scanning, brute forcing, exploit attempts, and more — targeting edge technologies. We discovered a consistent and actionable trend: in the vast majority of cases, these spikes were followed by the disclosure of a new CVE affecting the same technology within six weeks. 

This recurring behavior led us to ask: 

Could attacker activity offer defenders an early warning signal for vulnerabilities that don’t exist yet — but soon will? 

The Six-Week Critical Window

Across 216 spikes observed across our Global Observation Grid (GOG) since September 2024, we found: 

  • 80 percent of spikes were followed by a new CVE within six weeks.
  • 50 percent were followed by a CVE disclosure within three weeks. 
  • These patterns were exclusive to enterprise edge technologies like VPNs, firewalls, and remote access tools — the same kinds of systems increasingly targeted by advanced threat actors. 

Why This Matters

Exploit activity may be more than what it seems. Some spikes appear to reflect reconnaissance or exploit-based inventorying. Others may represent probing that ultimately results in new CVE discovery. Either way, defenders can take action. 

Blocking attacker infrastructure involved in these spikes may reduce the chances of being inventoried — and ultimately targeted — when a new CVE emerges. Just as importantly, these trends give CISOs and security leaders a credible reason to harden defenses, request additional resources, or prepare strategic responses based on observable signals — not just after a CVE drops, but weeks before. 

What’s Inside the Report

The full report includes: 

  • A breakdown of the vendors, products, and GreyNoise tags where these patterns were observed.
  • Analysis of attacker behavior leading up to CVE disclosure. 
  • The methodology used to identify spikes and establish spike-to-CVE relationships. 
  • Clear takeaways for analysts and CISOs on how to operationalize this intelligence. 

This research builds on our earlier work on resurgent vulnerabilities, offering a new lens for defenders to track vulnerability risk based on what attackers do — not just what’s been disclosed. 

READ THE FULL REPORT

GreyNoise Research
Jul 31, 2025
All Posts
Threat Signals
Research
Insights
Product
Company
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Company
Product
GreyNoise Research
Threat Signals
Insights
GreyNoise Research

Cookies + Milk: Detecting Cookies, Headless Browsers, and CLI tools with GreyNoise

Our research team is always looking for ways to improve our tagging methodology to enable GreyNoise users to understand actor behavior and tooling. GreyNoise already identifies clients with JA3 and HASSH data.

To expand on this work, GreyNoise recently added 3 new tags to shed more light on how various internet background noise-makers using HTTP clients manage their internal state. The below tags improve client fingerprinting for HTTP-based protocols.

  • Carries HTTP Referer: This tag identifies HTTP clients that include a “Referer” header which indicates what page or site the HTTP request was referred from.
  • Stores HTTP Cookies - This tag identifies HTTP clients that allow “Cookies” to be set and stored in the client’s storage and are sent with subsequent requests.

On their own, each individual tag contributes a small indication of how the HTTP client manages its internal state. While that alone has value in helping to profile the actor behind the IP and possibly track them across IPs, the more interesting insights can be seen when these tags are viewed holistically.

Figure 1: Venn Diagram representing IP's that match each tag and their respective overlaps, data pulled on Aug. 25, 2021.
Figure 1: Venn Diagram representing IPs that match each tag and their respective overlaps, data pulled on Aug. 25, 2021.
Figure 2: Venn Diagram representing IP's that match each tag and their respective overlaps, data pulled on Sep. 10, 2021.
Figure 2: Venn Diagram representing IPs that match each tag and their respective overlaps, data pulled on Sep. 10, 2021.

As seen above, the tagged activity is not homogenous, allowing us a glimpse into the diversity of tooling or techniques used in scanning and opportunistic exploitation. While many actors may use the same exploit vector or payload, they may launch them from tools that support different HTTP features. These new tags may help the analyst determine if two IPs appear to be using the same tools.

Figure 3: IP Details page for 42.236.10.75. See it in the GreyNoise Viz.
Figure 3: IP Details page for 42.236.10.75. See it in the GreyNoise Viz.

For example, in Figure 3, we are able to determine with a high degree of confidence that the IP shown above is orchestrating a full-featured web browser (such as Puppeteer) to scan the internet. We see this because the IP exhibits browser-like behavior and attributes, including carrying a referer header, accepting cookies, and following redirects.

We hope these new tags offer our users greater insight into the tooling and libraries utilized by internet background noise-makers. Let us know what you think by sharing your feedback on the GreyNoise Community Slack channel (must have a GreyNoise account).

The GreyNoise Team
Sep 29, 2021
Threat Signals
GreyNoise Research

GreyNoise Tag Round Up | September 2 - 13

New Tags

MongoDB Crawler  [Intention: Unknown]

Apple iOS Lockdownd Crawler [Intention: Unknown]

HTTP Request Smuggling [Intention: Malicious]

  • This IP address has been observed attempting to smuggle HTTP requests, a method commonly used to bypass load balancer or proxy security restrictions.
  • Sources: PortSwigger, JFrog
  • See it on GreyNoise Viz

Gh0st RAT Crawler  [Intention: Malicious]

  • This IP address has been observed checking for the existence of hosts infected with Gh0st trojan.
  • Sources: RSA Community, norman.no
  • See it on GreyNoise Viz

nJRAT Crawler  [Intention: Malicious]

Supervisor XML-RCE Attempt  [Intention: Malicious]

  • This IP address has been observed attempting to exploit CVE-2017-11610, a remote command execution vulnerability in Supervisor client/server.
  • Sources: NIST, Supervisor
  • See it on GreyNoise Viz

New Actor Tag

BLEXbot [Intention: Benign]

Supriya Mazumdar
Sep 13, 2021
Threat Signals
GreyNoise Research

GreyNoise Tag Roundup | August 16 - September 1

New Tags

Atlassian Confluence Server OGNL Injection Attempt [Intention: Malicious]

  • CVE-2021-26084
  • This IP address has been observed attempting to exploit CVE-2021-26084, an OGNL injection vulnerability in Confluence Server and Data Center.
  • Sources: GitHub (1, 2), MITRE
  • See it on GreyNoise Viz

Atlassian Confluence Server OGNL Injection Vuln Check [Intention: Unknown]

  • CVE-2021-26084
  • This IP address has been observed checking for the existence of CVE-2021-26084, an OGNL injection vulnerability in Confluence Server and Data Center.
  • Sources: GitHub (1, 2), MITRE
  • See it on GreyNoise Viz

Oracle WebLogic RCE CVE-2021-2109 [Intention: Malicious]

Seagate BlackArmor RCE Attempt [Intention: Malicious]

ASUS GT-AC2900 Auth Bypass Attempt [Intention: Malicious]

  • CVE-2021-32030
  • This IP address has been observed attempting to exploit CVE-2021-32030, an authentication bypass in ASUS GT-AC2900 routers.
  • Sources: MITRE, Atredis
  • See it on GreyNoise Viz

Apache SkyWalking GraphQL SQL Injection  [Intention: Malicious]

  • CVE-2020-9483
  • This IP address has been observed attempting to exploit CVE-2020-9483, a SQL injection vulnerability in Apache SkyWalking via GraphQL.
  • Sources: GitHub, NVD
  • See it on GreyNoise Viz

Carries HTTP Referer [Intention: Unknown]

  • This IP address has been observed scanning the internet with an HTTP client that includes the Referer header in its requests.
  • Sources: Firefox
  • See it on GreyNoise Viz

Stores HTTP Cookies  [Intention: Unknown]

  • This IP address has been observed scanning the internet with an HTTP client that supports storing Cookies.
  • Sources: Firefox (1, 2)
  • See it on GreyNoise Viz

Follows HTTP Redirects  [Intention: Unknown]

  • This IP address has been observed scanning the internet with an HTTP client that follows redirects defined in a Location header.
  • Sources: Firefox
  • See it on GreyNoise Viz

RSYNC Crawler  [Intention: Unknown]

New Actor Tag

University of Michigan [Intention: Benign]

Tag Improvements

As part of our process, our research team continues to clean up and improve on existing tags as new information or better processes are introduced.

ADB Check [Intention: Unknown]

  • This IP address has been observed checking for the existence of the Android Debug Bridge protocol.
  • See it on GreyNoise Viz

ADB Attempt [Intention: Malicious]

  • This IP address has been observed checking for the existence of the Android Debug Bridge protocol and has requested interactivity.
  • See it on GreyNoise Viz

EDITORS NOTE: This blog post has been updated as of Sep. 2 to reflect edits to the Atlassian Confluence Server OGNL Injection tags.

The GreyNoise Team
Sep 2, 2021
Threat Signals
GreyNoise Research

GreyNoise Tag Roundup | August 2 - 16

New Tags

Tag: Exchange ProxyShell Vuln Attempt [Intention: Malicious]

Tag: Exchange ProxyShell Vuln Check [Intention: Unknown]

  • CVE-2021-34473, CVE-2021-34523, CVE-2021-31207
  • This IP address has been observed checking for the existence of the ProxyShell vulnerability in Microsoft Exchange, an activity which commonly leaks sensitive information.
  • Sources: Medium, BlackHat, y4y.space
  • See it on GreyNoise Viz

Tag: Javascript Enabled [Intention: Unknown]

  • This IP address has been observed scanning the internet with a client that supports javascript, such as a web browser controlled through automation.
  • See it on GreyNoise Viz

Tag: Aerospike RCE Attempt [Intention: Malicious]

  • CVE-2020-13151
  • This IP address has been observed attempting to exploit CVE-2020-13151, a remote command execution in Aerospike databases.
  • Sources: NIST, GitHub [1, 2]
  • See it on GreyNoise Viz

Tag: Docker API Container Creation Attempt [Intention: Malicious]

Tag: Buffalo Router RCE Check [Intention: Unknown]

  • CVE-2021-20091
  • This IP address has been observed attempting to discover Buffalo routers susceptible to remote command injection through path traversal.
  • Sources: Tenable, MITRE
  • See it on GreyNoise Viz

Tag: Buffalo Router RCE Attempt [Intention: Malicious]

  • CVE-2021-20091
  • This IP address has been observed attempting to exploit Buffalo routers susceptible to remote command injection through path traversal.
  • Sources: Tenable, MITRE
  • See it on GreyNoise Viz

Tag: FirebirdSQL Crawler [Intention: Unknown]

Tag: Ruijie EG Command Injection Attempt [Intention: Malicious]

  • This IP address has been observed attempting command injection on Ruijie network devices with Easy Gateway support.
  • Sources: peiqi.tech
  • See it on GreyNoise Viz

Recent Actor Tag

  • Cortex® Xpanse™ [Intention: Benign]

Tag Improvements

As part of our process, our research team continues to clean up and improve on existing tags as new information or better processes are introduced.

Tag: X Server Connection Attempt [Intention: Malicious]

  • This IP address has been observed scanning the Internet for X11 servers with access control disabled, which allows for unauthenticated connections.
  • See it on GreyNoise Viz

Tag: ADB Worm [Intention: Malicious]

Removed Tags

Supriya Mazumdar
Aug 16, 2021
Threat Signals
GreyNoise Research

GreyNoise Tag Roundup | July 19 - August 2

New Tags

CVE-2009-0545, CVE-2019-12725, CVE-2020-29390

Tag: Zeroshell RCE Attempt [Intention: Malicious]

  • This IP address has been observed attempting to exploit a remote command execution vulnerability in Zeroshell.
  • Sources: NIST [1, 2, 3]
  • See it on GreyNoise Viz

Tag: Cisco Smart Install RCE Attempt [Intention: Malicious]

CVE-2021-35464

Tag: ForgeRock OpenAM Pre-Auth RCE Vuln Check [Intention: Unknown]

  • This IP address has been observed checking for the existence of CVE-2021-35464, a path traversal vulnerability in ForgeRock OpenAM which can lead to RCE.
  • Sources: PortSwigger, NIST
  • See it on GreyNoise Viz

CVE-2021-35464

Tag: ForgeRock OpenAM Pre-Auth RCE Attempt [Intention: Malicious]

  • This IP address has been observed attempting to exploit CVE-2021-35464, a path traversal vulnerability in ForgeRock OpenAM that can lead to RCE.
  • Sources: PortSwigger, NIST
  • See it on GreyNoise Viz

CVE-2021-33544 to CVE-2021-33544 (11 CVEs)

Tag: UDP Technology IP Camera Attempt [Intention: Malicious]

CVE-2021-33544, CVE-2021-33548, CVE-2021-33550 to CVE-2021-33554

Tag: UDP Technology IP Camera Check [Intention: Unknown]

CVE-2017-12149

Tag: Jboss Application Server RCE Attempt [Intention: Malicious]

  • This IP address has been observed attempting to exploit CVE-2017-12149, a remote code execution vulnerability in JBoss Application Server.
  • Sources: NIST, GitHub
  • See it on GreyNoise Viz

CVE-2021-30497

Tag: Ivanti Avalanche Path Traversal [Intention: Malicious]

  • This IP address has been observed attempting to use CVE-2021-30497, a path traversal vulnerability in Ivanti Avalanche that could lead to arbitrary file retrieval.
  • Sources:  Ivanti, SSD Disclosure
  • See it on GreyNoise Viz

Tag: Double URL Encoding [Intention: Malicious]

  • This IP address has been observed requesting double encoded URLs, a method commonly used for bypassing defensive rules and directory traversal.
  • Sources:  OWASP, Imperva
  • See it on GreyNoise Viz

Tag: Apache OFBiz Deserialization RCE [Intention: Malicious]

  • This IP address has been observed attempting to exploit CVE-2021-29200, a deserialization vulnerability in Apache OFBiz 17.12.07 and earlier that can lead to unauthenticated RCE.
  • Sources:  NIST, xz.aliyun.com
  • See it on GreyNoise Viz

Removed Tags

These tags have been removed because they no longer exist, scan, and/or can no longer be accurately identified

  • RDP Bruteforcer
  • Windows RDP Cookie Hijacker
  • RDP Scanner

Multiple RDP tags have been deprecated in favor of RDP Crawler, which more accurately accounts for much of the behavior we see. We are currently working to create more accurate and narrowly scoped tags for RDP scanning and exploitation.

The RDP Bruteforcer tag was created around the same time as BlueKeep and aggressively assigned `malicious` intent to basic RDP connection attempts. After re-evaluating this, we feel this was incorrect and have taken actions to improve our RDP tags in general.

Tag Improvements

As part of our process, our research team continues to clean up and improve on existing tags as new information or better processes are introduced.

Tag: Cisco Smart Install Endpoint Scanner [Intention: Unknown]

Tag: Linksys E-Series TheMoon Worm [Intention: Malicious]

Integrations

Anomali: Now supports RIOT and the Community API.

Supriya Mazumdar
Aug 2, 2021
Threat Signals
GreyNoise Research

GreyNoise Tag Roundup | June 21 - July 16

New Tags

CVE-2020-36289

Tag: Jira User Enumeration Attempt [Intention: Unknown]

CVE-2021-1497, CVE-2021-1498

Tag: Cisco HyperFlex HX RCE Attempt [Intention: Malicious]

CVE-2021-1497, CVE-2021-1498

Tag: Cisco HyperFlex HX RCE Vuln Check [Intention: Unknown]

CVE-2020-35846, CVE-2020-35847, CVE-2020-35848

Cockpit CMS Command Injection [Intention: Malicious]

Recent Actor Tag

  • CISA [Intention: Benign]

Removed Tags

These tags have been removed because they no longer exist, scan, and/or can no longer be accurately identified

  • ZeroShell RCE CVE-2009-0545
Supriya Mazumdar
Jul 18, 2021
Threat Signals
GreyNoise Research

GreyNoise Tag Round Up | June 7 - 18

New Tags

CVE-2020-25494

Tag: SCO OpenServer RCE Attempt [Intention: Malicious]

CVE-2021-22911

Tag: Rocket.Chat server RCE Attempt [Intention: Malicious]

  • This IP address has been observed attempting to exploit CVE-2021-22911, a remote command execution vulnerability in Rocket.Chat server.
  • Sources: NIST, @CsEnox (GitHub )
  • See it on GreyNoise Viz

Tag: Vesta Control Panel RCE Attempt [Intention: Malicious]

CVE-2021-27144/46 | CVE-2021-27148/55 | CVE-2021-27158/59 | CVE-2021-27162/66 | CVE-2021-27168/69 | CVE-2021-27172

Tag: FiberHome Telnet Backdoor [Intention: Malicious]

  • This IP address has been observed attempting to authenticate via telnet using one of several known backdoor accounts in FiberHome routers.
  • Sources: Pierre Kim
  • See it on GreyNoise Viz

Tag: LokiBot C2 Crawler [Intention: Unknown]

  • This IP address has been observed crawling the Internet and attempting to discover LokiBot C2 nodes.
  • Sources: CISA
  • See it on GreyNoise Viz

Tag: Aerospike Crawler [Intention: Unknown]

Recent Actor Tag

  • ESET  [Intention: Benign]

Tag Improvements

As part of our process, our research team continues to clean up and improve on existing tags as new information or better processes are introduced.

Tag: Tomcat Manager Scanner [Intention: Unknown]

Supriya Mazumdar
Jun 20, 2021
Threat Signals
GreyNoise Research

GreyNoise Tag Round Up | May 24 - June 4

New Tags

CVE-2021-21985

Tag: Vmware vSphere Client RCE Attempt [Intention: Malicious]

Tag: VMware vSphere Client RCE Vuln Check [Intention: Unknown]

CVE-2021-28799

Tag: VMware ESXi OpenSLP RCE Attempt [Intention: Malicious]

Tag Improvements

As part of our process, our research team continues to clean up and improve on existing tags as new information or better processes are introduced.

Tag: Elasticsearch RCE Attempt [Intention: Malicious]

Recent Actor Tag

Removed Tags

These tags have been removed because they no longer exist, scan, and/or can no longer be accurately identified

  • Swedish Defense Research Agency (FOI)
  • Elasticsearch Worm
Supriya Mazumdar
Jun 4, 2021
Threat Signals
GreyNoise Research

GreyNoise Tag Round Up | May 10 - 21

New Tags

CVE-2021-26912 | CVE-2021-26913 | CVE-2021-26914 | CVE-2021-26915

Tag: NetMotion Mobility Server RCE Attempt [Intention: Malicious]

  • This IP address has been observed attempting to exploit a deserialization vulnerability in NetMotion Mobility Server that can lead to remote code execution.
  • Sources: NIST [1, 2 , 3, 4], SSD Disclosure
  • See it on GreyNoise Viz

CVE-2021-21402

Tag: Jellyfin File Disclosure [Intention: Malicious]

CVE-2021-28799

Tag: QNAP walter SSH Backdoor Attempt [Intention: Malicious]

  • This IP address has been observed attempting to connect using the username and password 'walter,' which are hardcoded backdoor SSH credentials that exist in some QNAP devices.
  • Source: QNAP, QNAP Forum
  • See it on GreyNoise Viz

CVE-2021-30461

Tag: VoIPmonitor Unauthenticated RCE Attempt  [Intention: Malicious]

Tag Improvements

As part of our process, our research team continues to clean up and improve on existing tags as new information or better processes are introduced.

Tag: RDP Bruteforcer [Intention: Malicious]

  • This IP address has been observed attempting to brute-force Microsoft Remote Desktop credentials.
  • Source: Microsoft [1, 2]
  • See it on GreyNoise Viz

Recent Integrations

Rapid 7 InsightConnect: Supports Enterprise API and Community API access.

CORTEX XSOAR: Supports Enterprise API and Community API access.

The GreyNoise Team
May 21, 2021

No blog articles found

Please update your search term or select a different category and try again.

Get started today

Get a demoSearch for free
Products
Partners
Resources
Company
© 2025 GreyNoise, Inc. All rights reserved.
YouTube logoJoin us on Slack!Discord logoTikTok logo
Cookie Settings
We use cookies to ensure you get the best experience on our website. Learn more
Got it