GreyNoise Research
In-depth analysis and trend reporting from the GreyNoise Research team. Includes detection engineering insights, reverse engineering work, and white papers that surface emerging threat trends based on our telemetry — helping defenders stay ahead of risks that are often overlooked or not yet widely known.
It’s well known that the window between CVE disclosure and active exploitation has narrowed. But what happens before a CVE is even disclosed?
In our latest research “Early Warning Signals: When Attacker Behavior Precedes New Vulnerabilities,” GreyNoise analyzed hundreds of spikes in malicious activity — scanning, brute forcing, exploit attempts, and more — targeting edge technologies. We discovered a consistent and actionable trend: in the vast majority of cases, these spikes were followed by the disclosure of a new CVE affecting the same technology within six weeks.
This recurring behavior led us to ask:
Could attacker activity offer defenders an early warning signal for vulnerabilities that don’t exist yet — but soon will?
The Six-Week Critical Window
Across 216 spikes observed by our Global Observation Grid (GOG) since September 2024, we found:
80 percent of spikes were followed by a new CVE within six weeks.
50 percent were followed by a CVE disclosure within three weeks.
These patterns were exclusive to enterprise edge technologies like VPNs, firewalls, and remote access tools — the same kinds of systems increasingly targeted by advanced threat actors.
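As an added illustration of the spike-to-CVE relationship described above (example code written for this page, not GreyNoise's own methodology or data), the following Python takes constructed spike and CVE records, with placeholder technology names and placeholder CVE IDs, and computes the share of spikes followed by a same-technology CVE within a given window, using the simple rule "first CVE for that technology published after the spike start and no later than the window deadline":

```python
from datetime import date, timedelta

# Constructed sample spikes: one per (technology, start date), as a sensor grid
# might record them. Technology names are placeholders.
SPIKES = [
    {"tech": "vpn-a", "start": date(2024, 10, 1)},
    {"tech": "vpn-a", "start": date(2025, 1, 15)},
    {"tech": "fw-b", "start": date(2024, 11, 20)},
    {"tech": "fw-b", "start": date(2025, 2, 3)},
    {"tech": "ra-c", "start": date(2024, 12, 5)},
]

# Constructed CVE disclosures; the IDs are placeholders, not real CVEs.
CVES = [
    {"tech": "vpn-a", "id": "CVE-XXXX-0001", "published": date(2024, 10, 20)},
    {"tech": "vpn-a", "id": "CVE-XXXX-0002", "published": date(2025, 2, 20)},
    {"tech": "fw-b", "id": "CVE-XXXX-0003", "published": date(2024, 12, 31)},
    # Published before its spike, so it must never count as a follow-on CVE.
    {"tech": "ra-c", "id": "CVE-XXXX-0004", "published": date(2024, 11, 1)},
]

SIX_WEEKS = 42
THREE_WEEKS = 21

def first_cve_after(spike, cves, window_days):
    """Earliest CVE for the spike's technology published after the spike start
    and no later than window_days after it; None if there is no such CVE."""
    deadline = spike["start"] + timedelta(days=window_days)
    matches = [c for c in cves
               if c["tech"] == spike["tech"]
               and spike["start"] < c["published"] <= deadline]
    return min(matches, key=lambda c: c["published"]) if matches else None

def lag_days(spike, cve):
    """Days from spike start to CVE publication."""
    return (cve["published"] - spike["start"]).days

def spike_to_cve_rate(spikes, cves, window_days):
    """Fraction of spikes followed by a same-technology CVE within the window."""
    if not spikes:
        return 0.0
    hits = sum(1 for s in spikes if first_cve_after(s, cves, window_days))
    return hits / len(spikes)

if __name__ == "__main__":
    for label, window in (("6 weeks", SIX_WEEKS), ("3 weeks", THREE_WEEKS)):
        print(f"{label}: {spike_to_cve_rate(SPIKES, CVES, window):.0%} of spikes followed by a CVE")
    for s in SPIKES:
        cve = first_cve_after(s, CVES, SIX_WEEKS)
        print(s["tech"], s["start"], "->", f"{cve['id']} after {lag_days(s, cve)} days" if cve else "no CVE in window")
```

Real spike detection would also need a baseline for what "normal" activity on a tag looks like; this example starts from already-identified spikes.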
Why This Matters
Exploit activity may be more than what it seems. Some spikes appear to reflect reconnaissance or exploit-based inventorying. Others may represent probing that ultimately results in new CVE discovery. Either way, defenders can take action.
Blocking attacker infrastructure involved in these spikes may reduce the chances of being inventoried — and ultimately targeted — when a new CVE emerges. Just as importantly, these trends give CISOs and security leaders a credible reason to harden defenses, request additional resources, or prepare strategic responses based on observable signals — not just after a CVE drops, but weeks before.
What’s Inside the Report
The full report includes:
A breakdown of the vendors, products, and GreyNoise tags where these patterns were observed.
Analysis of attacker behavior leading up to CVE disclosure.
The methodology used to identify spikes and establish spike-to-CVE relationships.
Clear takeaways for analysts and CISOs on how to operationalize this intelligence.
This research builds on our earlier work on resurgent vulnerabilities, offering a new lens for defenders to track vulnerability risk based on what attackers do — not just what’s been disclosed.
This year marks the fifteenth anniversary of the Verizon Data Breach and Investigations Report (DBIR). If you’re not familiar with this annual publication, it is a tome produced by the infamous cyber data science team over at Verizon. Their highly data-driven approach (referencing 914,547 incidents and 234,638 breaches plus 8.9 TB of cybersecurity data) helps practitioners understand malicious cyber activity across the industry. The Verizon DBIR shows how threats are trending and evolving, as well as the impacts these malicious actions have on organizations of every shape and size.
This year, as in years gone by, GreyNoise researchers contributed our insights-infused, planetary-scale, opportunistic attacker sensor fleet data to the Verizon DBIR. This is the same data that fuels our platform and helps defenders mitigate threats, understand adversaries, and focus on what matters.
Let’s take a look at the key findings from the report, what our data has to say about the current threat landscape, and how you can use insights from our data to help keep your organization safe and resilient.
What Say You, DBIR?
The DBIR team provided five key elements in their overall summary, and we’ll take a modest dive into each of them.
Barbarians At The Gates
First up is how attackers breach your defenses. It will come as no shock to most readers that the use of credentials, phishing attacks, vulnerability exploitation, and botnets are all initial techniques that attackers use to breach the defenses of organizations.
Given the propensity of credential use in initial access, you may wonder why attackers even bother using other means of gaining a foothold. While there will always be services deployed on the internet with default credentials left intact, user credentials do not age very well and need to be re-upped regularly (usually by breaching an organization to steal them en masse). Make no mistake, they work far too often, especially for juicy services such as Microsoft’s Remote Desktop Protocol, which is why they are used in the first place.
Creds are noisy, and phishing does take some effort to do it well, even when using phishing kits or attacker phishing-as-a-service providers. Scouring the internet for vulnerable services is almost risk-free, relatively cheap, and can lead to remote code execution on a decent percentage of nodes, as Figure 43 of the DBIR shows (GreyNoise provided the data behind the chart for the DBIR team to work their magic on):
If you ensure you have safe and resilient configurations on your internet-exposed assets and mission-critical internal systems, plus have empowered your workforce to be co-defenders of your organization, you may avoid becoming a statistic, at least in this category.
Always Be enCrypting
Ransomware also plagued more organizations than ever this past year, with a 13% increase from 2020, as shown in our reimagining of Figure 6 in the DBIR. The DBIR’s ransomware corpus is far from complete, but aligns in proportion with statistics from other sources of ransomware incidents.
As noted in the text of the report, ransomware starts with some action; usually, one of those found in the Initial Actions noted above. Ransomware actors often take advantage of the latest and greatest exploits for recent CVEs, which is activity you can track in the GreyNoise platform to help you frame the need for speed when it comes to mitigating and patching.
Prioritizing patching actively exploited vulnerabilities should be at the top of your to-do list.
Attackers Getting High On Your Supply [Chain]
Supply chain attacks have been making headlines ever since the highly disruptive SolarWinds incident back in 2019 (though there have been numerous documented supply chain attacks long before that mega-event). The DBIR documented over 3,400 “System Intrusion” events this year, showing you need to be as vigilant on the inside as you are on your internet-facing attack surface; this ensures you aren’t a conduit to other organizations for criminals. Furthermore, you should have a solid third-party risk management program and some way to track software development dependencies, which prevents breach by those you trust.
A Bucketful Of Errors
In this year’s corpus, the DBIR team found that 13% of breaches were caused by errors, often when it comes to securing cloud storage. So, make sure you mind your buckets, but take some comfort: this particular disheartening statistic appears to be stabilizing.
To Err Is Still Human
Humans likely helped cause some (most?) of the aforementioned misconfigurations as well as many other incidents that ended up as breaches. As the DBIR researchers themselves note: “Use of stolen credentials, phishing, misuse, or simply an error, people continue to play a very large role in incidents and breaches alike.”
How To Avoid Being an Accidental DBIR Contributor Next Year
GreyNoise has tools, data, and insights which easily integrate into your comprehensive cybersecurity program to help keep your organization safe and resilient.
We’re almost halfway through the year, and if you’ve managed to avoid a major incident or breach so far, you’re doing pretty well. But (there’s always a “but”), we should note that we’re also likely to see more groups like LAPSUS$ pop up to use their smash-and-grab model. Plus, you’ve also got all the old-school attacks to worry about.
If you and your team can filter out the noise, figure out what you don’t need to do, and get visibility into the areas you do need to focus on (while ensuring you have a spot-on incident response program), you may just make it another year without adding to the 9.8 terabytes of data the DBIR team already has to crunch for each report.
This IP address has been observed attempting to exploit CVE-2021-40865, a pre-auth remote code execution vulnerability in Apache Storm supervisor server.
Hikvision IP Camera RCE Attempt [Intention: Malicious]
CVE-2021-36260
This IP address has been observed attempting to exploit CVE-2021-36260, a remote command execution vulnerability in Hikvision IP cameras and NVR firmware.
This IP address has been observed attempting to exploit CVE-2021-20034, an arbitrary file deletion vulnerability that allows performing a factory reset on SonicWall SMA100 devices.
This IP address has been observed attempting to exploit CVE-2021-22502, a remote command execution vulnerability in Micro Focus Operation Bridge Reporter software.
This IP address has been observed attempting to exploit CVE-2021-27561, a remote command execution vulnerability in Yealink Device Management Platform.
This IP address has been observed scanning the internet for WSMan PowerShell providers without an Authorization header, a root RCE in Azure Open Management Infrastructure.
Sources: Wiz, Microsoft Security Response Center [1, 2, 3, 4]
This IP address has been observed scanning the internet for WSMan PowerShell providers without an Authorization header, but has not provided a valid SOAP XML Envelope payload.
Sources: Wiz, Microsoft Security Response Center [1, 2, 3, 4]
Cisco IMC Supervisor and UCS Director Backdoor [Intention: Malicious]
CVE-2019-1935
This IP address has been observed attempting to authenticate via SSH using default credentials for Cisco IMC Supervisor and Cisco UCS Director products.
Our research team is always looking for ways to improve our tagging methodology to enable GreyNoise users to understand actor behavior and tooling. GreyNoise already identifies clients with JA3 and HASSH data.
To expand on this work, GreyNoise recently added three new tags that shed more light on how the HTTP clients used by various internet background noise-makers manage their internal state. The tags below improve client fingerprinting for HTTP-based protocols.
Carries HTTP Referer: This tag identifies HTTP clients that include a “Referer” header, which indicates the page or site from which the HTTP request was referred.
Stores HTTP Cookies: This tag identifies HTTP clients that allow “Cookies” to be set and stored in the client’s storage and sent with subsequent requests.
Follows HTTP Redirects: This tag identifies HTTP clients that follow 301 (Moved Permanently) redirects to the page or site given in the “Location” header.
On their own, each individual tag contributes a small indication of how the HTTP client manages its internal state. While that alone has value in helping to profile the actor behind the IP and possibly track them across IPs, the more interesting insights can be seen when these tags are viewed holistically.
Figure 1: Venn Diagram representing IPs that match each tag and their respective overlaps, data pulled on Aug. 25, 2021.
Figure 2: Venn Diagram representing IPs that match each tag and their respective overlaps, data pulled on Sep. 10, 2021.
As seen above, the tagged activity is not homogeneous, which gives us a glimpse into the diversity of tooling and techniques used in scanning and opportunistic exploitation. While many actors may use the same exploit vector or payload, they may launch it from tools that support different HTTP features. These new tags may help an analyst determine whether two IPs appear to be using the same tools.
Figure 3: IP Details page for 42.236.10.75. See it in the GreyNoise Viz.
For example, in Figure 3, we can determine with a high degree of confidence that the IP shown is orchestrating a full-featured web browser (for example, via Puppeteer) to scan the internet. We see this because the IP exhibits browser-like behavior and attributes: it carries a Referer header, accepts cookies, and follows redirects.
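As an added example (written for this post, not GreyNoise's tagging code), the following Python shows how a sensor could derive these three tags from one client's sequence of requests: the sensor sets a cookie and answers with a 301 on the first request, then checks whether the client carries that state into its next request. The sensor hostname, cookie name, redirect target and the three sample sessions are constructed, and the redirect check assumes a relative Location path.

```python
from dataclasses import dataclass, field

@dataclass
class Exchange:
    """One request a sensor received and the response it sent back."""
    path: str
    req_headers: dict
    status: int
    resp_headers: dict = field(default_factory=dict)

# Constructed sessions: the sensor sets a cookie and redirects to a relative
# Location on the first request, then watches what the client does next.
_FIRST_RESPONSE = {"Set-Cookie": "sid=abc123; Path=/", "Location": "/landing"}

SESSION_BROWSER_LIKE = [
    Exchange("/", {"Host": "sensor.example", "Referer": "http://example.org/"}, 301, _FIRST_RESPONSE),
    Exchange("/landing", {"Host": "sensor.example", "Cookie": "sid=abc123"}, 200),
]
SESSION_REDIRECT_ONLY = [  # follows the redirect but keeps no cookies (curl -L style)
    Exchange("/", {"Host": "sensor.example"}, 301, _FIRST_RESPONSE),
    Exchange("/landing", {"Host": "sensor.example"}, 200),
]
SESSION_RAW_SCANNER = [  # ignores the response entirely and moves on to its next probe
    Exchange("/", {"Host": "sensor.example"}, 301, _FIRST_RESPONSE),
    Exchange("/cgi-bin/probe", {"Host": "sensor.example"}, 404),
]

def _lower(headers):
    return {k.lower(): v for k, v in headers.items()}

def http_state_tags(session):
    """Derive the three state-handling tags from one client's exchanges."""
    tags = set()
    pending_cookie = None    # "name=value" the sensor set on an earlier response
    pending_location = None  # path the sensor redirected to on an earlier response
    for ex in session:
        req = _lower(ex.req_headers)
        if "referer" in req:
            tags.add("Carries HTTP Referer")
        if pending_cookie and pending_cookie in req.get("cookie", ""):
            tags.add("Stores HTTP Cookies")
        if pending_location and ex.path == pending_location:
            tags.add("Follows HTTP Redirects")
        resp = _lower(ex.resp_headers)
        if "set-cookie" in resp:
            pending_cookie = resp["set-cookie"].split(";", 1)[0]
        if ex.status == 301 and "location" in resp:
            pending_location = resp["location"]
    return tags
```

A client that earns all three tags fits the browser-like profile discussed for Figure 3; a client that earns none is behaving like a raw scanner that never reads the response.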
We hope these new tags offer our users greater insight into the tooling and libraries utilized by internet background noise-makers. Let us know what you think by sharing your feedback on the GreyNoise Community Slack channel (must have a GreyNoise account).
This IP address has been observed checking for the existence of the ProxyShell vulnerability in Microsoft Exchange, an activity which commonly leaks sensitive information.
This IP address has been observed checking for the existence of CVE-2021-35464, a path traversal vulnerability in ForgeRock OpenAM which can lead to RCE.
This IP address has been observed attempting to use CVE-2021-30497, a path traversal vulnerability in Ivanti Avalanche that could lead to arbitrary file retrieval.
This IP address has been observed attempting to exploit CVE-2021-29200, a deserialization vulnerability in Apache OFBiz 17.12.07 and earlier that can lead to unauthenticated RCE.
These tags have been removed because they no longer exist, no longer scan, and/or can no longer be accurately identified.
RDP Bruteforcer
Windows RDP Cookie Hijacker
RDP Scanner
Multiple RDP tags have been deprecated in favor of RDP Crawler, which more accurately accounts for much of the behavior we see. We are currently working to create more accurate and narrowly scoped tags for RDP scanning and exploitation.
The RDP Bruteforcer tag was created around the same time as BlueKeep and aggressively assigned `malicious` intent to basic RDP connection attempts. After re-evaluating this, we feel this was incorrect and have taken actions to improve our RDP tags in general.
Tag Improvements
As part of our process, our research team continues to clean up and improve on existing tags as new information or better processes are introduced.
This IP has been observed attempting to exploit CVE-2021-1497 and CVE-2021-1498, remote code execution vulnerabilities in Cisco HyperFlex HX Data Platform.
This IP has been observed checking for the existence of CVE-2021-1497 and CVE-2021-1498, remote code execution vulnerabilities in Cisco HyperFlex HX Data Platform.
This IP address has been observed attempting to exploit CVE-2021-21974, a heap overflow vulnerability in VMware ESXi OpenSLP that can lead to remote code execution.
Tag: NetMotion Mobility Server RCE Attempt [Intention: Malicious]
This IP address has been observed attempting to exploit a deserialization vulnerability in NetMotion Mobility Server that can lead to remote code execution.
Tag: QNAP walter SSH Backdoor Attempt [Intention: Malicious]
This IP address has been observed attempting to connect using the username and password 'walter', which are hardcoded backdoor SSH credentials present in some QNAP devices.