Threat Signals

Actionable intelligence on real-world threats as they unfold. Get insights into attacker behavior, infrastructure, exploitation of zero-days and n-days, temporal patterns, and geographic hotspots — all sourced from GreyNoise’s Global Observation Grid (GOG). Stay ahead of emerging threats, block malicious IPs, and understand what’s happening in the moment.

Exploitation of CitrixBleed 2 (CVE-2025-5777) Began Before PoC Was Public

GreyNoise has observed active exploitation attempts against CVE-2025-5777 (CitrixBleed 2), a memory overread vulnerability in Citrix NetScaler. Exploitation began on June 23 — nearly two weeks before a public proof-of-concept (PoC) was released on July 4. 

We created a tag on July 7 to track this activity. Because GreyNoise retroactively associates pre-tag traffic with new tags, prior exploitation attempts are now visible in the GreyNoise Visualizer. 

Key Observations

  • First observed activity: June 23, 2025
  • PoC released: July 4, 2025
  • GreyNoise tag published: July 7, 2025
  • CISA confirms activity with GreyNoise: July 9, 2025 (prior to KEV addition) 

Targeted Behavior 

Early exploitation attempts came from malicious IPs geolocated in China. Rather than exploiting indiscriminately, these IPs targeted GreyNoise sensors configured to emulate Citrix NetScaler appliances, suggesting deliberate targeting. 

CISA Confirmation 

On July 9, shortly after we published the tag, CISA contacted GreyNoise to confirm exploitation activity. CVE-2025-5777 was subsequently added to the Known Exploited Vulnerabilities (KEV) catalog. 

Recommended Actions

Defenders can dynamically block malicious IPs to reduce exposure and suppress alerts. 

The above list will stay updated as new IPs are observed attempting to exploit CVE-2025-5777.

GreyNoise has developed an enhanced dynamic IP blocklist to help defenders take faster action on emerging threats. Click here to learn more about GreyNoise Block.

— — —

Stone is Head of Content at GreyNoise Intelligence, where he leads strategic content initiatives that illuminate the complexities of internet noise and threat intelligence. In past roles, he led partnered research initiatives with Google and the U.S. Department of Homeland Security. With a background in finance, technology, and engagement with the United Nations on global topics, Stone brings a multidimensional perspective to cybersecurity. He is also affiliated with the Council on Foreign Relations.


Threat Actors Deploying New IPs Daily to Attack Microsoft RDP

GreyNoise has observed steady deployments of previously unseen IPs attacking Microsoft RDP services through timing-based vulnerabilities. Attackers are rotating significant volumes of new IPs each day to target two primary vectors (RD Web Access timing attacks and RDP web client login enumeration), likely in an effort to evade detection and blocking.

Use GreyNoise Block to dynamically block all IPs engaged in this activity. On 10 October, GreyNoise partially linked this activity to a global botnet, publishing a blocking template named “Oct-2025 RDP Botnet Campaign.” Applying this template instantly neutralizes the threat actors’ IP rotation strategy. 

From September 2025 to present, we’ve observed a steady rise in the number of unique IPs targeting RDP — now exceeding 500,000. 

Geographic Distribution

The top three source countries in the past 90 days are:

  • Brazil (63%)
  • Argentina (14%)
  • Mexico (3%)

Nearly 100 percent of targeting has been directed at U.S.-based systems. Source and target patterns remain consistent with the botnet activity first identified on 10 October. 

IP Turnover Increases Risk

The rapid churn of new IPs underscores an emerging trend: threat actors are increasingly rotating infrastructure to evade static blocking and complicate attribution.

Use GreyNoise Block to dynamically block all IPs engaged in this activity. The “Oct-2025 RDP Botnet Campaign” template remains the most effective method for mitigation. Get started with a free 14-day trial.

GreyNoise will continue to monitor the situation and update this post as necessary. 

— — —

This discovery was led by boB Rudis.

100,000+ IP Botnet Launches Coordinated RDP Attack Wave Against US Infrastructure

Update: 15 October 2025

GreyNoise is sharing an Executive Situation Report (SITREP) for this event, providing leadership with actionable judgments and evidence to support decision making.

Update: 14 October 2025

In a significant escalation, the botnet has grown to ~300,000 IPs — more than tripling in size. The threat actor(s) continues its focus on RDP infrastructure in the United States, leveraging IPs from Brazil, Argentina, Singapore, and other countries. 

The associated threat actor(s) is rapidly activating new botnet nodes to target U.S. RDP infrastructure. Therefore, static defense measures will not be effective at mitigating this threat.

End of Updates

-----

Since October 8, 2025, GreyNoise has tracked a coordinated botnet operation involving over 100,000 unique IP addresses from more than 100 countries targeting Remote Desktop Protocol (RDP) services in the United States. The campaign employs two specific attack vectors — RD Web Access timing attacks and RDP web client login enumeration — with most participating IPs sharing one similar TCP fingerprint, indicating centralized control. 

Use GreyNoise Block to dynamically block all IPs engaged in this activity. New users can try GreyNoise Block free for 14 days.

  • Leverage the template named “Oct-2025 RDP Botnet Campaign”

Key Findings 

  • Campaign start: October 8, 2025 — coordinated RDP targeting wave begins. 
  • Scale: Over 100,000 unique IPs participating in US-focused RDP attacks. 
  • Geographic scope: 100+ source countries including Brazil, Argentina, Iran, China, Mexico, Russia, South Africa, Ecuador, and others.
  • Primary target: United States RDP infrastructure, mostly uniform across source countries.
  • Attack methods: Microsoft RD Web Access Anonymous Authentication Timing Attack Scanner and Microsoft RDP Web Client Login Enumeration Check.
  • Signatures: Similar TCP fingerprints across all participating IPs. GreyNoise customers can check their email for the precise client signatures identified. 
  • Botnet activity: We assess with high confidence that the elevated RDP targeting beginning this week is attributable to a multi-country botnet. 

Discovery Timeline

Spike in Brazil-geolocated IPs

The botnet was discovered after GreyNoise detected an unusual spike in Brazilian IP space this week, which prompted investigation into broader traffic patterns.

Note: Full interaction = completed three-way handshake; No 3wh = no three-way handshake

Broader Spikes Across Source Countries

Broadening our analysis, we observed additional surges in activity across many source countries since the beginning of October. 

Multi-Country Botnet Targeting US RDP Infrastructure

Pivoting from these findings, we then discovered a repeated pattern in RDP targeting — originating from many countries, sharing a similar client fingerprint, and all targeting US RDP infrastructure. 

Several factors suggest this activity is originating from one botnet:

  • Almost all traffic shared one similar TCP fingerprint, with only the MSS changing. 
  • MSS in this context likely changes depending on the compromised botnet cluster.
  • The timing and pattern of targeting implies coordinated activity with centralized control.
  • The shared RDP attack vector again suggests centralized control, likely activated by the operator(s) for this sole purpose. 
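As an added illustration (not GreyNoise code or data) of the first two points above: group source IPs by a TCP SYN fingerprint with the MSS field masked out, then look at how the MSS values and source countries split inside the dominant group. The fingerprint format (ttl:window:options:mss) and the observations are constructed for the example and are not GreyNoise's signature format.

```python
"""Cluster scanner IPs by a TCP fingerprint while treating MSS as a free variable.

Added example: the fingerprint format and the observations below are constructed
and are not GreyNoise's signature format or data.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    ip: str
    country: str
    fingerprint: str  # constructed "ttl:window:options:mss" SYN fingerprint


# Constructed sample: six nodes share one stack and differ only in MSS, two do not.
SAMPLE = [
    Observation("203.0.113.10", "BR", "64:29200:mss,sackOK,ts,nop,wscale:1460"),
    Observation("203.0.113.11", "BR", "64:29200:mss,sackOK,ts,nop,wscale:1460"),
    Observation("203.0.113.12", "BR", "64:29200:mss,sackOK,ts,nop,wscale:1452"),
    Observation("198.51.100.5", "AR", "64:29200:mss,sackOK,ts,nop,wscale:1452"),
    Observation("198.51.100.6", "AR", "64:29200:mss,sackOK,ts,nop,wscale:1452"),
    Observation("198.51.100.7", "SG", "64:29200:mss,sackOK,ts,nop,wscale:1400"),
    Observation("192.0.2.40", "US", "128:8192:mss,nop,wscale,nop,nop,sackOK:1460"),
    Observation("192.0.2.41", "NL", "64:64240:mss,sackOK,ts,nop,wscale:1460"),
]


def split_fingerprint(fp: str) -> tuple[str, int]:
    """Return (fingerprint with MSS masked out, MSS value)."""
    ttl, window, options, mss = fp.split(":")
    return f"{ttl}:{window}:{options}", int(mss)


def cluster(observations: list[Observation]) -> dict[str, dict[int, set[str]]]:
    """Group IPs by the MSS-masked fingerprint, then by MSS inside each group."""
    groups: dict[str, dict[int, set[str]]] = defaultdict(lambda: defaultdict(set))
    for obs in observations:
        base, mss = split_fingerprint(obs.fingerprint)
        groups[base][mss].add(obs.ip)
    return groups


def dominant_cluster(observations: list[Observation]) -> tuple[str, float, list[int]]:
    """Return the largest MSS-masked fingerprint, its share of all IPs, and its MSS values."""
    total_ips = len({o.ip for o in observations})
    base, by_mss = max(
        cluster(observations).items(),
        key=lambda item: sum(len(ips) for ips in item[1].values()),
    )
    members = sum(len(ips) for ips in by_mss.values())
    return base, members / total_ips, sorted(by_mss)


def countries_by_mss(observations: list[Observation], base: str) -> dict[int, set[str]]:
    """Within one cluster, which source countries appear under each MSS value.

    Distinct MSS values lining up with distinct countries is the pattern the post
    attributes to separate compromised clusters of one botnet.
    """
    result: dict[int, set[str]] = defaultdict(set)
    for obs in observations:
        obs_base, mss = split_fingerprint(obs.fingerprint)
        if obs_base == base:
            result[mss].add(obs.country)
    return dict(result)


if __name__ == "__main__":
    base, share, mss_values = dominant_cluster(SAMPLE)
    print(f"dominant fingerprint {base}: {share:.0%} of IPs, MSS values {mss_values}")
    for mss, countries in sorted(countries_by_mss(SAMPLE, base).items()):
        print(f"  MSS {mss}: {sorted(countries)}")
```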

Defender Recommendations 

GreyNoise will continue monitoring the situation and provide updates here as necessary. 

---

This discovery was led by boB Rudis with contributions from the broader GreyNoise team. 

Palo Alto Scanning Surges ~500% in 48 Hours, Marking 90-Day High

Update: 8 October 2025

GreyNoise has identified several links between three recent campaigns: 

  • Cisco ASA scanning.
  • Elevated login attempts against Palo login portals.
  • Spike in brute force attempts against Fortinet SSL VPNs (new; info below).

We assess with high confidence that all three campaigns are at least partially driven by the same threat actor(s), evidenced by: 

  • Recurring fingerprint: shared TCP fingerprints across each campaign. 
  • Shared infrastructure: recurring subnets leveraged in each campaign. 
  • Temporal correlation: elevated activity at similar times across each campaign. 

In addition to continued escalation of login attempts against Palo login portals, GreyNoise has identified likely related and coordinated credential brute forcing against Fortinet SSL VPNs. We are providing lists of credentials used in both campaigns:

All three campaigns — Cisco ASA scanning, Palo login attempts, and Fortinet VPN brute forcing — heavily rely on the same subnets.

Use GreyNoise Block to directly block threat IPs from all relevant GreyNoise tags (ASA Scanner, Fortinet VPN Bruteforcer, Palo Scanner) and the below ASNs:

  • AS200373 (3xK Tech GmbH)
  • AS11878 (tzulo, Inc.)

Defenders can use GreyNoise Block to craft custom blocklists, instantly mitigating risk at the perimeter.

Elevated Fortinet Brute Force Attempts Correlated with New Vulnerabilities 

In July, GreyNoise research identified a significant correlation: spikes in Fortinet VPN brute force attempts are typically followed by Fortinet VPN vulnerability disclosures within six weeks.

Block all IPs brute forcing Fortinet SSL VPNs, and consider hardening defenses for firewall and VPN appliances amid these findings.

Update: 7 October 2025

For defender review, GreyNoise has published a list of all unique usernames and passwords from Palo login attempts observed in the last week.

GreyNoise has produced an Executive Situation Report (SITREP) on the situation, intended for decision makers.  

In the past days, GreyNoise has observed an escalation in scanning against Palo Alto Networks PAN-OS GlobalProtect login portals. Since our original reporting of ~1,300 IPs in the afternoon of 3 October, we have observed a sharp rise in the daily number of unique IPs scanning for Palo login portals. Peaking today on 7 October, over 2,200 unique IPs scanned for Palo login portals.

Increasing ASN Diversity Suggests Broadening Operator Involvement

In addition to an increase in the number of IPs involved, GreyNoise has observed a sharp increase in the unique count of ASNs involved in scanning Palo login portals, suggesting an increase in the number of threat actors involved.

Separately, we discovered that approximately 12 percent of all ASN11878 subnets are allocated to scanning Palo login portals.

Potential Iteration Through Large Credential Dataset

The pace of login attempts suggests elevated activity may be driven by a threat actor(s) iterating through a large dataset of credentials.

End of Update

-----

On October 3, 2025, GreyNoise observed a ~500% increase in IPs scanning Palo Alto Networks login portals, the highest level recorded in the past 90 days. 

GreyNoise research in July found that surges in activity against Palo Alto technologies have, in some cases, been followed by new vulnerability disclosures within six weeks (see chart below). However, surges against GreyNoise’s Palo Alto Networks Login Scanner tag have not shown this correlation. GreyNoise will continue monitoring in case this activity precedes a new Palo Alto disclosure, which would represent an additive signal to our July research.  

Key Findings

  • Volume: ~1,300 unique IPs triggered GreyNoise’s Palo Alto Networks Login Scanner tag on 3 October. For the prior 90 days, daily volumes rarely exceeded 200 IPs.
  • Classification: 93% of IPs were classified as suspicious and 7% as malicious.
  • Source infrastructure: 91% of IPs geolocated to the United States, with smaller clusters in the U.K., Netherlands, Canada, and Russia. 
  • Targeted profiles: Nearly all activity was directed at GreyNoise’s emulated Palo Alto profiles (Palo Alto GlobalProtect, Palo Alto PAN-OS), suggesting the activity is targeted in nature, likely derived from public (e.g., Shodan, Censys) or attacker-originated scans fingerprinting Palo Alto devices.
  • Destination focus: Distinct scanning clusters were observed in the past 48 hours. One directed most of its traffic toward the United States, while another concentrated on Pakistan – both from distinct TCP fingerprints but not without overlap. Environments/Sensors/Deployments based in Mexico, France, Australia, and the U.K. were also targeted. 

Potentially Related Activity

GreyNoise analysis shows that this Palo Alto surge shares characteristics with Cisco ASA scanning occurring in the past 48 hours. In both cases, the scanners exhibited regional clustering and fingerprinting overlap in the tooling used. Both Cisco ASA and Palo Alto login scanning traffic in the past 48 hours share a dominant TCP fingerprint tied to infrastructure in the Netherlands. This comes after GreyNoise initially reported an ASA scanning surge before Cisco’s disclosure of two ASA zero-days.

These similarities indicate the activity may be related through shared tooling or centrally managed infrastructure, but GreyNoise cannot confirm whether it was carried out by the same operators or with the same intent. 

Cross-Tech Activity May Be Coordinated

In addition to a possible connection to ongoing Cisco ASA scanning, GreyNoise identified concurrent surges across remote access services. While suspicious, we are unsure if this activity is related. 

Implications for Defenders

  • The October 3 surge was the largest burst of IPs scanning for Palo Alto login portals in three months.
  • Almost all participating infrastructure was first observed in the past 48 hours. 
  • Traffic was targeted and structured, aimed overwhelmingly at Palo Alto login portals and split across distinct scanning clusters.

These factors distinguish the surge from background noise and mark it as a clear reconnaissance event. GreyNoise will continue monitoring for potential follow-on exploitation attempts. 

GreyNoise has developed an enhanced dynamic IP blocklist to help defenders take faster action on emerging threats. Click here to learn more about GreyNoise Block.

— — — 

This research and discovery was a collaborative effort between boB Rudis and Noah Stone, with additional contributions from Towne Besel.

Coordinated Grafana Exploitation Attempts on 28 September

For executive audiences, please see the accompanying Situation Report (SITREP) for this activity.

On 28 September 2025, GreyNoise observed a sharp one-day surge of exploitation attempts targeting CVE-2021-43798 — a Grafana path traversal vulnerability that enables arbitrary file reads. Over the course of the day, 110 unique IPs attempted exploitation against GreyNoise’s Global Observation Grid (GOG). All 110 IPs are classified as malicious. 

The Spike

Grafana exploitation had been largely quiet in recent months. On 28 September, activity spiked sharply:

  • 110 unique IPs observed in a single day. 
  • Destinations targeted: United States, Slovakia, and Taiwan — the only three destinations observed. 
  • Top three source countries: Bangladesh (107 IPs), China (2 IPs), Germany (1 IP).
  • Of the Bangladesh-based IPs, 105 of 107 targeted U.S. endpoints.
  • The majority of IPs were first seen on 28 September, the same day they attempted exploitation. 

Patterns in the Activity 

Two elements stand out in the data: 

  • Consistent targeting across sources. All traffic followed a distinct destination pattern, targeting each country following a roughly 3:1:1 ratio (U.S.: Slovakia: Taiwan). Similar patterns in traffic ratios emerged when narrowing this view to the top three source countries: 
    • China-based IPs → U.S. (7), Slovakia (2), Taiwan (2)
    • Germany-based IPs → U.S. (3), Slovakia (1), Taiwan (1)
    • Bangladesh-based IPs → U.S. (100), Slovakia (1), Taiwan (1)
  • Convergence across tooling. The top TCP fingerprints observed that day also mapped to the same three destinations. Looking back further at activity against this tag, GreyNoise has identified at least two distinct HTTP fingerprints as well, further indicating multiple tools being applied against a common target set.

The alignment across both geography and tooling suggests shared tasking or a common target list, not uncoordinated traffic. 

Notable Infrastructure

Two IPs geolocated to China are worth highlighting:

  • 60.186.152.35
  • 122.231.163.197

Both belong to CHINANET-BACKBONE, were first observed on 28 September, active only that day, and overwhelmingly focused on Grafana. 

Threat Context 

Exploitation of older, high-impact vulnerabilities like CVE-2021-43798 is common across different threat categories: 

  • Global Exploitation: Grafana path traversal and related vulnerabilities have been leveraged in large-scale SSRF / exploit waves targeting many IPs and software ecosystems. 
  • Vulnerability Reuse & Toolkits: Grafana flaws (e.g., CVE-2025-6023) are being actively researched and weaponized for account takeovers and integrated into attacker tool sets. 
  • Exploit Chains & Reconnaissance: In advisories and analyses, Grafana vulnerabilities show up in reconnaissance stages of multi-step exploit chains (such as SSRF campaigns).

Assessment 

This activity reflects a coordinated push against a known, older vulnerability. The uniform targeting pattern across source countries and tooling indicates common tasking or shared exploit use. GreyNoise does not attribute this to a specific threat actor, but the convergence suggests either one operator leveraging diverse infrastructure or multiple operators reusing the same exploit kit and target set. 

We anticipate old vulnerabilities — like CVE-2021-43798, and even older ones — will continue resurging in the future. Read GreyNoise’s research from earlier this year to learn more about the patterns and behaviors resurgent vulnerabilities tend to exhibit, and how defenders can stay ahead.

Defender Recommendations

  • Block the 110 malicious IPs observed on 28 September. 
  • Confirm Grafana instances are patched against CVE-2021-43798.
  • Review logs for evidence of traversal requests and ensure no sensitive files were returned. 

Please contact your GreyNoise support team if you are interested in the JA4+ signatures in this investigation.

GreyNoise has developed an enhanced dynamic IP blocklist to help defenders take faster action on emerging threats. Click here to learn more about GreyNoise Block.

— — — 

This research and discovery was a collaborative effort between Glenn Thorpe, Noah Stone, Towne Besel, and boB Rudis.

25,000 IPs Scanned Cisco ASA Devices — New Vulnerability Potentially Incoming

Update: 9 October

GreyNoise identified a connection between three campaigns targeting Cisco, Palo Alto, and Fortinet firewalls and VPNs. We observed infrastructure overlap between recent Cisco ASA scanning, Palo login attempts, and Fortinet brute force attempts:

See the full update here

Update: 29 September 2025

GreyNoise has produced an Executive Situation Report (SITREP) on the situation, intended for decision makers.

Update: 26 September 2025

Yesterday, Cisco announced two zero-day vulnerabilities affecting their Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) platforms. These disclosures come just weeks after GreyNoise reported a surge in scanning activity against Cisco ASA devices (see initial reporting below). The timing is notable because recent research found that spikes in attacker activity against a specific technology (white dots) may serve as an early warning signal for future vulnerability disclosures affecting that same technology (red dots). 


GreyNoise’s detection of 25,000 IPs scanning Cisco ASA in the weeks leading up to two zero-day disclosures is a clear example of this research turning into reality:

“This is a real signal we’re seeing in our data across enterprise edge tech,” said boB Rudis, VP of Data Science and Security Research at GreyNoise. “We see elevated attacker activity against XYZ tech and then weeks later, new CVEs are disclosed affecting XYZ tech. This has repeatedly happened across enterprise edge, with Cisco ASA being the most recent example. So, yes, we’re very excited to learn our data may serve as an early warning signal for future vulnerability disclosures and we hope defenders will use this information to make the world a little safer.”

CISA issued an Emergency Directive (ED 25-03), requiring federal agencies to apply mitigations within 24 hours — representing the third-ever emergency directive since the agency’s founding. Both vulnerabilities, tracked as CVE-2025-20333 and CVE-2025-20362, have been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog.

Resurgent Brute Force Attacks Against Cisco SSL VPNs

After investigating activity against our Cisco profiles, GreyNoise identified resurgent brute force attacks targeting Cisco SSL VPNs occurring yesterday at approximately 1:00pm EST. This activity was preceded by a period of inactivity, ceasing on September 24 at 6PM EST and restarting yesterday. All traffic during this period shares the same client fingerprint and source organization (Global Connectivity Solutions LLP), along with other shared characteristics: 

  • Example URI: /+webvpn+/index.html
  • User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36

Take Action Now

CISA has issued guidance and mitigation instructions related to CVE-2025-20333 and CVE-2025-20362. We encourage defenders to review CISA’s official resources and apply recommended actions. 

GreyNoise will continue monitoring its Cisco profiles for anomalous behavior, and will provide updates here as necessary. 

---

End of Update

GreyNoise observed two scanning surges against Cisco Adaptive Security Appliance (ASA) devices in late August. The first involved more than 25,000 unique IPs in a single burst; the second, smaller but related, followed days later. This activity represents a significant elevation above the baseline, which typically registers fewer than 500 IPs per day.

Both events targeted the ASA web login path (/+CSCOE+/logon.html), a common reconnaissance marker for exposed devices. Subsets of the same IPs also probed GreyNoise’s Cisco Telnet/SSH and ASA software personas, signaling a Cisco-focused campaign rather than purely opportunistic scanning. 

The Two Spikes

  • Spike One: ~25,000 IPs scanned ASA login portals; a subset also targeted Cisco IOS Telnet/SSH.
  • Spike Two: A smaller wave repeated ASA probing, with subsets hitting both IOS Telnet/SSH and ASA software personas. 
  • Shared traits: Overlapping client signatures and spoofed Chrome-like user-agents, indicating a common scanning toolkit used across both events. 

Geographic Context

In the past 90 days, GreyNoise has observed traffic triggering its Cisco ASA Scanner tag originating from and targeting the following countries: 

Top Source Countries: 

  1. Brazil (64%)
  2. Argentina (8%)
  3. United States (8%)

Top Target Countries:

  1. United States (97%)
  2. United Kingdom (5%)
  3. Germany (3%)

Note: Target country percent sum may exceed 100% due to one source IP targeting several IPs based in different countries. 

Brazil-Heavy Botnet Behind August 26 Wave

Analysis of the August 26 wave shows that it was driven primarily by a single botnet cluster concentrated in Brazil. By isolating a specific client fingerprint, and reviewing two months of activity, GreyNoise determined that this fingerprint was used exclusively to scan for Cisco ASA devices.

On August 26: 

  • 16,794 IPs were observed scanning ASA devices.
  • 2,858 did not match this client signature.
  • Meaning roughly 14,000 of the ~17,000 IPs active that day — more than 80% — were tied to this botnet. 

The client signature was seen alongside a suite of closely related TCP signatures, suggesting all nodes share a common stack and tooling. This makes the August 26 spike attributable to a coordinated botnet campaign dominated by Brazil-sourced infrastructure. 

Could Indicate Upcoming Cisco ASA Vulnerability Disclosure

GreyNoise’s Early Warning Signals research shows that scanning spikes often precede disclosure of new CVEs. In past cases, activity against GreyNoise’s Cisco ASA Scanner tag surged shortly before a new ASA vulnerability was disclosed (see last row in chart below). The late-August spikes may represent a similar early warning signal. 

Even if organizations are fully patched, blocking these IPs now may reduce the likelihood of appearing on target lists used to exploit new CVEs in the future. 

Related Real-World Precedent 

  • Espionage: The ArcaneDoor campaign used two zero-days in Cisco ASA (Line Dancer, Line Runner) to infiltrate government networks. 
  • Ransomware: The Akira and LockBit ransomware groups have historically targeted Cisco ASA systems. 
  • Global Campaign: CVE-2020-3452 was weaponized worldwide soon after disclosure, with exploitation attempts observed within days. 

Defender Takeaways

  • Limit exposure: Avoid placing ASA web portals, Telnet, or SSH directly on the internet.
  • Patch quickly if a new CVE emerges: ASA vulnerabilities have historically been exploited soon after disclosure. 
  • Require MFA: Strengthen remote access with multi-factor authentication. 

Monitor GreyNoise’s Cisco ASA tags for real-time scanning and exploitation activity: 

GreyNoise will continue monitoring the situation and update this blog as necessary. Concentrated reconnaissance bursts, such as those in August, should be treated as potential early indicators of future vulnerability disclosures. 

Please contact your GreyNoise support team if you are interested in the JA4+ signatures in this investigation.

GreyNoise has developed an enhanced dynamic IP blocklist to help defenders take faster action on emerging threats. Click here to learn more about GreyNoise Block.

— — — 

This research and discovery was a collaborative effort between Towne Besel and Noah Stone.

Nearly 2,000 Malicious IPs Probe Microsoft Remote Desktop After Single-Day Surge

Update: 25 August 2025

Hours after publishing this blog, GreyNoise identified a much larger wave: on August 24, over 30,000 unique IPs simultaneously triggered both Microsoft RD Web Access and Microsoft RDP Web Client tags, largely from the same client signature behind the August 21 spike we reported below.

End of Update

-----

A Sudden Surge in RDP Probing 

On August 21, GreyNoise observed a sharp surge in scanning against Microsoft Remote Desktop (RDP) services. Nearly 2,000 IPs — the vast majority previously observed and tagged as malicious — simultaneously probed both Microsoft RD Web Access and Microsoft RDP Web Client authentication portals. The wave’s aim was clear: test for timing flaws that reveal valid usernames, laying the groundwork for credential-based intrusions. 

The Spike

  • Normal baseline: ~3-5 IPs/day across these tags.
  • August 21: 1,971 IPs — orders of magnitude above baseline.
  • 100% overlap: every IP on one tag also appeared on the other.
  • Timelines show the same client signature hitting both tags simultaneously.
  • The client signature was first observed August 21 and has only engaged in activity targeting Microsoft RDP. 

Microsoft RD Web Access

Microsoft RDP Web Client

What the Data Shows

  • Uniform client signature: 1,851/1,971 IPs shared the same client signature, indicating a single toolset or botnet module. 
  • Malicious classifications: 1,698/1,851 (~92%) of those IPs are already tagged malicious in GreyNoise.
  • Sources & Targets: Source countries skew heavily to Brazil (~73%); the United States was the only target country observed in this spike.
  • Multi-pronged behavior: The same IPs were also flagged as Open Proxy Scanners and Web Crawlers, consistent with a multipurpose toolkit that also sets an HTTP Referer header.

Separately but potentially relevant, on August 22 GreyNoise observed a spike in scanning for open proxies. This heightened activity follows recent anomalies observed on July 31 and August 9 against GreyNoise’s Open Proxy Scanner tag. Early research indicates there is partial overlap in client signatures between this spike and the RDP scan detected on August 21. 

Why Now? Back-to-School Exposure

The timing may not be accidental. August 21 sits squarely in the US back-to-school window, when universities and K-12 bring RDP-backed labs and remote access online and onboard thousands of new accounts. These environments often use predictable username formats (student IDs, firstname.lastname), making enumeration more effective. Combined with budget constraints and a priority on accessibility during enrollment, exposure could spike. 

The campaign’s US-only targeting aligns with that calendar — education and IT teams should harden RDP now and watch for follow-up activity from this same client signature. 

What’s Being Mapped

The RDP scanners were doing more than just touching login pages:

  • Step 1: Finding endpoints — identifying IPs that expose RD Web Access or RDP Web Client. 
  • Step 2: Testing for flaws — checking if authentication workflows leak information via timing (or other login-flow differences) that lets an attacker infer valid usernames. 

This is enumeration: confirming accounts on exposed systems so later credential stuffing, password spraying, or brute force has a much higher chance of success. 

Why It Matters

A large, uniform, maliciously-classified scanner set is actively mapping Microsoft RDP authentication surfaces for account discovery weaknesses. Even without immediate exploitation, the output of this campaign (which endpoints exist, which accounts likely exist) is directly reusable for: 

  • Credential stuffing (pairing confirmed usernames with breached passwords)
  • Password spraying/brute force (now guided by a valid-user list)
  • Future exploitation (attacker already has target map if an RDP-related CVE emerges)

Recent research found spikes in attacker activity against a given technology tend to precede new vulnerabilities in that technology. In 80 percent of cases, a new vulnerability emerged within six weeks of a spike. 

Related Real-World Precedent

RDP has been leveraged by threat actors in the past to conduct espionage, deploy ransomware, and run global exploit campaigns: 

  • Espionage: Russia-nexus actor abusing RDP features for data theft. Google Threat Analysis Group (TAG) reported a suspected Russia-nexus espionage actor (UNC5839) abusing lesser-known RDP capabilities to read victim drives and exfiltrate files during targeted intrusions. Different from timing/enumeration, but shows RDP used directly in espionage tradecraft. The incident mainly targeted European militaries and governments.
  • Ransomware: SamSam’s RDP initial access. U.S. CISA/FBI’s SamSam advisory documents actors using RDP for persistent access, typically via brute force or stolen credentials, before deploying ransomware (e.g., City of Atlanta).
  • Global exploitation event: BlueKeep (CVE-2019-0708). In 2019, a critical flaw in Windows Remote Desktop Services — the service behind RDP — was broadly scanned and then exploited in the wild (e.g., cryptominer campaigns). It’s a clear example of RDP-exposed systems moving from recon to mass exploitation once a workable flaw appears.

GreyNoise will continue monitoring the situation and update this blog as necessary. 

Please contact your GreyNoise support team if you are interested in the JA4+ signatures in this investigation.

GreyNoise has developed an enhanced dynamic IP blocklist to help defenders take faster action on emerging threats. Click here to learn more about GreyNoise Block.

— — — 

Stone is Head of Content at GreyNoise Intelligence, where he leads strategic content initiatives that illuminate the complexities of internet noise and threat intelligence. In past roles, he led partnered research initiatives with Google and the U.S. Department of Homeland Security. With a background in finance, technology, and engagement with the United Nations on global topics, Stone brings a multidimensional perspective to cybersecurity. He is also affiliated with the Council on Foreign Relations.

A Coordinated Brute Force Campaign Targets Fortinet SSL VPN

On August 3, GreyNoise observed a significant spike in brute-force traffic targeting Fortinet SSL VPNs. Over 780 unique IPs triggered our Fortinet SSL VPN Bruteforcer tag in a single day — the highest single-day volume we’ve seen on this tag in recent months. 

New research shows spikes like this often precede the disclosure of new vulnerabilities affecting the same vendor — most within six weeks. In fact, GreyNoise found that spikes in activity triggering this exact tag are significantly correlated with future disclosed vulnerabilities in Fortinet products. The below chart shows spikes in activity against Fortinet tags (white dots) and CVE disclosures affecting Fortinet products (red dots): 

Critically, the observed traffic was also targeting our FortiOS profile, suggesting deliberate and precise targeting of Fortinet’s SSL VPNs. This was not opportunistic — it was focused activity. 

The top target countries in the past 90 days are Hong Kong and Brazil. 

A Tale of Two Brute Force Waves Against Fortinet

When we reviewed a two-week window of traffic matching the Fortinet SSL VPN Bruteforcer tag, two distinct waves emerged: 

  • Wave One: A long-running set of brute-force activity tied to a single TCP signature that remained relatively steady over time. 
  • Wave Two: A sudden and concentrated burst of traffic beginning August 5. This second wave had a completely different TCP signature and stood out due to its abrupt onset. 

This made the decision easy: we pivoted to the second wave to learn more. 

A Shift in Targeting: From VPN to FortiManager

Once the TCP signature for the second wave was isolated, we paired it with an observed client signature seen in sessions during the same timeframe. 

What we found was surprising. 

While the August 3 traffic had targeted the FortiOS profile, traffic fingerprinted with TCP and client signatures — a meta signature — from August 5 onward was not hitting FortiOS. Instead, it was consistently targeting our FortiManager - FGFM profile, albeit still triggering our Fortinet SSL VPN Bruteforcer tag. 

This indicated a shift in attacker behavior — potentially the same infrastructure or toolset pivoting to a new Fortinet-facing service. 

IPs associated with the meta signature:

31.206.51.194
23.120.100.230
96.67.212.83
104.129.137.162
118.97.151.34
180.254.147.16
20.207.197.237
180.254.155.227
185.77.225.174
45.227.254.113

A Residential Clue

One additional lead emerged during the investigation. 

When reviewing historical data tied to the same post-August 5 TCP fingerprint, we found an earlier spike in June with a unique client signature that resolved to an IP — a FortiGate device — in a residential ISP block (Pilot Fiber Inc.). This may indicate that the brute-force tooling was initially tested or launched from a home network — or it could reflect use of a residential proxy. A quick search of the device revealed: 

  • Not detected as a residential proxy or host of VPN services by Spur.us
  • Recent detections by AbuseDB
  • Not seen on VirusTotal

Notably, traffic tied to that same client signature in June was later seen paired with the same TCP signature associated with the longer-running brute-force cluster (Wave One) mentioned earlier. This overlap doesn’t confirm attribution, but it suggests possible reuse of tooling or network environments. Simply put, this side quest led us back to the original traffic associated with the August 3 spike. 
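The meta-signature pivot described in this section (group sessions by TCP fingerprint plus client fingerprint, then look at which sensor profile each pair targets and which other fingerprints a client signature has been paired with) can be scripted against session records. The block below is an added example, not GreyNoise tooling: the session records, IPs (RFC 5737 documentation ranges), fingerprint labels such as `tcp-A` and `cli-X` (stand-ins for the real JA4+ values, which this post does not reproduce) and the profile names are constructed to mirror the pattern described above.

```python
"""Pivot on (TCP fingerprint, client fingerprint) pairs, i.e. meta signatures.

Added example, not GreyNoise tooling. All sessions below are constructed:
fingerprint labels such as "tcp-A"/"cli-X" stand in for real JA4+ values,
and the IPs come from the RFC 5737 documentation ranges.
"""
from collections import Counter, defaultdict
from datetime import date

FORTIOS = "FortiOS"
FGFM = "FortiManager - FGFM"
WAVE_TWO_START = date(2025, 8, 5)

# (day, src_ip, tcp_sig, client_sig, sensor_profile), constructed
SESSIONS = [
    # June: a client signature first seen with the tcp-B fingerprint from one IP
    (date(2025, 6, 12), "203.0.113.7", "tcp-B", "cli-X", FORTIOS),
    # ...and later paired with tcp-A, the long-running wave-one fingerprint
    (date(2025, 6, 20), "203.0.113.7", "tcp-A", "cli-X", FORTIOS),
    # Wave one: steady brute forcing, tcp-A, hitting the FortiOS profile
    (date(2025, 8, 3), "198.51.100.1", "tcp-A", "cli-Q", FORTIOS),
    (date(2025, 8, 3), "198.51.100.2", "tcp-A", "cli-Q", FORTIOS),
    (date(2025, 8, 4), "198.51.100.3", "tcp-A", "cli-Q", FORTIOS),
    # Wave two: abrupt onset on Aug 5, tcp-B, now hitting the FGFM profile
    (WAVE_TWO_START, "192.0.2.10", "tcp-B", "cli-Y", FGFM),
    (WAVE_TWO_START, "192.0.2.11", "tcp-B", "cli-Y", FGFM),
    (date(2025, 8, 6), "192.0.2.12", "tcp-B", "cli-Y", FGFM),
]


def meta_signatures(sessions):
    """Group sessions by (tcp_sig, client_sig) -> {"ips": set, "profiles": Counter}."""
    groups = defaultdict(lambda: {"ips": set(), "profiles": Counter()})
    for _day, ip, tcp_sig, client_sig, profile in sessions:
        meta = (tcp_sig, client_sig)
        groups[meta]["ips"].add(ip)
        groups[meta]["profiles"][profile] += 1
    return dict(groups)


def profiles_hit(sessions, tcp_sig, since):
    """Sensor profiles a TCP fingerprint targeted on/after `since` (shows the FortiOS -> FGFM shift)."""
    return Counter(p for day, _ip, t, _c, p in sessions if t == tcp_sig and day >= since)


def tcp_sigs_for_client(sessions, client_sig):
    """Pivot: every TCP fingerprint a given client signature has been paired with."""
    return {t for _d, _ip, t, c, _p in sessions if c == client_sig}


def ips_for_meta(sessions, tcp_sig, client_sig):
    """Sorted IPs behind one meta signature, i.e. the list a defender would block or watch."""
    return sorted({ip for _d, ip, t, c, _p in sessions if t == tcp_sig and c == client_sig})


if __name__ == "__main__":
    for meta, info in meta_signatures(SESSIONS).items():
        print(meta, len(info["ips"]), "IPs", dict(info["profiles"]))
    print("tcp-B profiles from Aug 5:", dict(profiles_hit(SESSIONS, "tcp-B", WAVE_TWO_START)))
    print("cli-X seen with:", tcp_sigs_for_client(SESSIONS, "cli-X"))
```

With this data `profiles_hit` reports that `tcp-B` only touches the FGFM profile after August 5, and `tcp_sigs_for_client("cli-X")` links the June client signature to both TCP fingerprints, which is the kind of overlap the post treats as possible tooling reuse rather than attribution.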

Key Takeaways

  • Brute-force attacks against Fortinet SSL VPN continue, and they appear to evolve over time.
  • GreyNoise uncovered a behavioral shift, with traffic moving from FortiOS targeting to FGFM targeting just days after the August 3 spike. 
  • JA4+ based signatures reveal clustering, connecting recent waves to prior traffic — and even a potential residential origin. 
  • GreyNoise research has shown that spikes in attacker activity often precede new vulnerabilities affecting the same vendor — with 80 percent of observed cases followed by a CVE disclosure within six weeks. 

Defender Recommendations

Please contact your GreyNoise support team if you are interested in the JA4+ signatures in this investigation.

GreyNoise will continue monitoring the situation and provide updates as necessary. 

— — — 

This research and discovery was a collaborative effort between Towne Besel and Noah Stone. 

Surge in MOVEit Transfer Scanning Could Signal Emerging Threat Activity

GreyNoise has identified a notable surge in scanning activity targeting MOVEit Transfer systems, beginning on May 27, 2025. Prior to this date, scanning was minimal — typically fewer than 10 IPs observed per day. But on May 27, that number spiked to over 100 unique IPs, followed by 319 IPs on May 28. 

Since that initial jump, daily scanner IP volume has remained intermittently elevated between 200 to 300 IPs per day — a significant deviation from baseline and an indicator that MOVEit Transfer is once again in the crosshairs.

These patterns often coincide with new vulnerabilities emerging two to four weeks later.

Key Findings 

  • 682 unique IPs have triggered GreyNoise’s MOVEit Transfer Scanner tag over the past 90 days.
  • The surge began on May 27 — prior activity was near-zero.
  • 303 IPs (44%) originate from Tencent Cloud (ASN 132203) — by far the most active infrastructure. 
  • Other source providers include Cloudflare (113 IPs), Amazon (94), and Google (34). 
  • Top destination countries include the United Kingdom, United States, Germany, France, and Mexico. 
  • The overwhelming majority of scanner IPs geolocate to the United States. 

Confirmed Exploitation Attempts on June 12

GreyNoise also observed low-volume exploitation attempts on June 12, 2025, associated with two previously disclosed MOVEit Transfer vulnerabilities: 

  • CVE-2023-34362
  • CVE-2023-36934

These events occurred during the period of heightened scanning and may represent target validation or exploit testing, but at this time, no widespread exploitation has been observed by GreyNoise. 

Infrastructure Concentration Suggests Deliberate Scanning

A significant portion of scanner IPs are hosted by a small number of cloud providers: 

  • Tencent Cloud (ASN 132203) accounts for 44% of all scanner IPs.
  • Other contributors include Cloudflare, Amazon, and Google. 

This level of infrastructure concentration — particularly within a single ASN — suggests that the scanning is deliberate and programmatically managed, rather than random or distributed probing. 

Defender Recommendations

Organizations should take the following steps: 

1. Dynamically block malicious and suspicious IPs using GreyNoise Block:

2. Audit public exposure of any MOVEit Transfer systems. 

3. Apply patches for known vulnerabilities, including CVE-2023-34362 and CVE-2023-36934.

4. Monitor real-time attacker activity against MOVEit Transfer by navigating to each respective GreyNoise tag:

We will continue to monitor the situation and provide updates as necessary. 

GreyNoise Observes Exploit Attempts Targeting Zyxel CVE-2023-28771

On June 16, GreyNoise observed exploit attempts targeting CVE-2023-28771 — a remote code execution vulnerability affecting Zyxel Internet Key Exchange (IKE) packet decoders over UDP port 500. 

Key Stats

  • CVE: CVE-2023-28771
  • Exploit method: UDP port 500 (IKE packet decoder) 
  • Date observed: June 16, 2025
  • Duration of activity: One day (June 16, 2025)
  • Unique IPs: 244
  • Top destination countries: U.S., U.K., Spain, Germany, India.
  • IP classification: All malicious per GreyNoise
  • Infrastructure: Verizon Business (all IPs geolocated to U.S.)
  • Spoofable traffic: Yes (UDP-based)

Observed Activity

Exploitation attempts against CVE-2023-28771 were minimal throughout recent weeks. On June 16, GreyNoise observed a concentrated burst of exploit attempts within a short time window, with 244 unique IPs observed attempting exploitation.

The top destination countries were the U.S., U.K., Spain, Germany, and India.

Historical analysis indicates that in the two weeks preceding June 16, these IPs were not observed engaging in any other scanning or exploit behavior — only targeting CVE-2023-28771.

IP Analysis 

All 244 IP addresses are registered to Verizon Business infrastructure and geolocated to the United States. However, because CVE-2023-28771 is exploited over UDP (port 500), spoofing is possible and these IPs may not reflect the true source of the traffic. 

Deeper analysis by GreyNoise identified indicators consistent with Mirai botnet variants, as confirmed by VirusTotal. Example payload and IP metadata below: 

Recommendations

  • Block malicious IPs: While spoofing is possible, GreyNoise has classified all 244 IPs as malicious. Defenders should immediately block these IPs while monitoring for related activity. 
  • Review Zyxel device exposure: Verify that any internet-exposed Zyxel devices are patched for CVE-2023-28771. 
  • Monitor for post-exploitation activity: Exploit attempts may lead to botnet enlistment or additional compromise. Monitor affected devices for anomalies. 
  • Limit unnecessary IKE/UDP port 500 exposure: Apply network filtering where possible to reduce unnecessary exposure. 

Coordinated Brute Force Activity Targeting Apache Tomcat Manager Indicates Possible Upcoming Threats

GreyNoise recently observed a coordinated spike in malicious activity against Apache Tomcat Manager interfaces. On June 5, 2025, two GreyNoise tags — Tomcat Manager Brute Force Attempt and Tomcat Manager Login Attempt — registered well above baseline volumes, indicating a deliberate attempt to identify and access exposed Tomcat services at scale. 

Summary of Observed Activity

Tomcat Manager Brute Force Attempt

  • 250 unique IPs observed 
  • Baseline range: 1-15 IPs
  • All classified as malicious 

Tomcat Manager Login Attempt

  • 298 unique IPs observed 
  • Baseline range: 10-40 IPs
  • 99.7% classified as malicious 

Summary of Observed Activity

Roughly 400 unique IPs were involved in the activity observed across both tags during this period of elevated activity. Most of the activity originating from these IPs exhibited a narrow focus on Tomcat services. 

A significant portion of this activity originated from infrastructure hosted by DigitalOcean (ASN 14061). 

Recommendations for Defenders

Immediately block the malicious IPs engaged in this activity with GreyNoise Block.

While not tied to a specific vulnerability, this behavior highlights ongoing interest in exposed Tomcat services. Broad, opportunistic activity like this often serves as an early warning of future exploitation.  

Organizations with Tomcat Manager interfaces accessible over the internet should verify that strong authentication and access restrictions are in place. Reviewing recent login activity for anomalies is also advised. 

GreyNoise will continue monitoring for shifts in behavior or signs of follow-on exploitation. Subscribe to the GreyNoise Blog for updates. 

Coordinated Cloud-Based Scanning Operation Targets 75 Known Exposure Points in One Day

Key Takeaways

  • 251 malicious IPs, all hosted by Amazon and geolocated in Japan, launched a coordinated one-day scan on May 8.
  • These IPs triggered 75 distinct behaviors, including CVE exploits, misconfiguration probes, and recon activity. 
  • All IPs were silent before and after the surge, indicating temporary infrastructure rental for a single operation. 
  • Overlap analysis confirms tight coordination, not random scanning. 
  • Targeted technologies included ColdFusion, Apache Struts, Elasticsearch, WebLogic, Tomcat, and more. 
  • All 251 IPs are classified as malicious by GreyNoise.
  • This activity reflects patterns outlined in GreyNoise’s latest study, which tracks the reemergence of long-dormant threats. 
  • Defenders should take action now: check May 8 logs, block the 251 IPs, dynamically block IPs targeting these 75 tags, and monitor for follow-up exploitation. 
  • Similar scanning behavior preceded the discovery of two zero-days in Ivanti EPMM, reinforcing the need to treat coordinated scanning as an early warning signal. 

A Brief, Coordinated Reconnaissance Operation 

On May 8, GreyNoise observed a highly coordinated reconnaissance campaign launched by 251 malicious IP addresses, all geolocated to Japan and hosted by Amazon AWS. Over the span of a single day, these IPs triggered 75 distinct scanning behaviors, each tracked by a GreyNoise tag — ranging from exploitation attempts for known CVEs to probes for misconfigurations and weak points in web infrastructure. 

This operation was opportunistic — as is all scanning observed by GreyNoise — but the infrastructure and execution suggest centralized planning. Every IP was active only on May 8, with no noticeable activity immediately before or after, indicating temporary use of cloud infrastructure rented specifically for this operation.  

Targeted Technologies 

Some of the behaviors observed included exploit attempts for: 

  • Adobe ColdFusion — CVE-2018-15961 (RCE)
  • Apache Struts — CVE-2017-5638 (OGNL Injection)
  • Elasticsearch — CVE-2015-1427 (Groovy Sandbox Bypass RCE)
  • Atlassian Confluence — CVE-2022-26134 (OGNL Injection)
  • Bash — CVE-2014-6271 (Shellshock)

These CVEs, while disclosed years ago, continue to attract interest from opportunistic attackers — a pattern explored in our latest research, which tracks the return of long-disclosed flaws to the threat landscape. 

Scope of the Scan: 75 Exposure Behaviors

The 251 IPs collectively triggered 75 distinct scanning behaviors, including: 

  • Old vulnerability exploits — ColdFusion, Struts, WebLogic, Drupal, Tomcat, Elasticsearch.  
  • Recon and enumeration techniques — WordPress author checks, CGI script scanning, web.xml access attempts. 
  • Misconfiguration probes — Git config crawlers, ENV variable exposures, shell upload checks. 

This wasn’t an operation focused on one exploit or tech stack. It reflected a broad-spectrum search for any exposed system — particularly older edge infrastructure that may be overlooked in patch cycles. 

The 2025 Verizon DBIR revealed the edge as a critical risk, reporting concerning trends across time-to-mass-exploit and remediation lags in edge technologies. 

Infrastructure Overlap Suggests Central Control

GreyNoise analysis revealed the following: 

  • 295 IPs scanned for ColdFusion (CVE-2018-15961).
  • 265 IPs scanned for Apache Struts (CVE-2017-5638).
  • 260 IPs scanned for Elasticsearch Groovy (CVE-2015-1427).
  • 262 IPs overlapped between ColdFusion and Struts.
  • 251 IPs overlapped across all three — and triggered 75 GreyNoise tags. 

This level of overlap points to a single operator or toolset deployed across many temporary IPs — an increasingly common pattern in opportunistic but orchestrated scanning. 
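The overlap reasoning above (how many IPs hit each tag, how many hit all of them, and whether those IPs were active only on the scan day) is a set-intersection and lifespan check that can be run over any tag-hit export. The block below is an added example, not GreyNoise code: the hit records are constructed, a handful of RFC 5737 addresses stand in for the 251 IPs, and the tag names are shorthand rather than GreyNoise tag identifiers.

```python
"""Overlap and lifespan analysis for a burst of scanning IPs.

Added example, not GreyNoise code. The hit records are constructed: a
handful of RFC 5737 addresses stand in for the 251 IPs, and the tag names
are shorthand, not GreyNoise tag identifiers.
"""
from collections import defaultdict

SCAN_DAY = "2025-05-08"
CORE_TAGS = ("coldfusion_cve_2018_15961", "struts_cve_2017_5638", "elasticsearch_cve_2015_1427")

# (day, src_ip, tag), constructed
HITS = []
# Four IPs that hit all three tags on the scan day and nothing else: the coordinated core
for i in range(1, 5):
    HITS += [(SCAN_DAY, f"192.0.2.{i}", tag) for tag in CORE_TAGS]
# One IP that hit all three but was already active the day before
HITS += [(SCAN_DAY, "192.0.2.5", CORE_TAGS[0]), (SCAN_DAY, "192.0.2.5", CORE_TAGS[1]),
         ("2025-05-07", "192.0.2.5", CORE_TAGS[2])]
# A long-lived scanner that only shares one tag with the burst
HITS += [(SCAN_DAY, "192.0.2.6", CORE_TAGS[0]), ("2025-05-01", "192.0.2.6", "wordpress_author_enum")]


def ips_by_tag(hits):
    """{tag: set of IPs that triggered it}."""
    out = defaultdict(set)
    for _day, ip, tag in hits:
        out[tag].add(ip)
    return dict(out)


def overlap(tagsets, *tags):
    """IPs that triggered every one of `tags`."""
    return set.intersection(*(tagsets[t] for t in tags))


def jaccard(a, b):
    """Similarity of two IP sets; 1.0 means the same infrastructure hit both tags."""
    return len(a & b) / len(a | b) if a | b else 0.0


def active_days(hits):
    """{ip: set of days it was seen on any tag}."""
    out = defaultdict(set)
    for day, ip, _tag in hits:
        out[ip].add(day)
    return dict(out)


def coordinated_core(hits, tags, day):
    """IPs in the overlap of `tags` that were active only on `day`: rented-for-the-job infrastructure."""
    lifespans = active_days(hits)
    return {ip for ip in overlap(ips_by_tag(hits), *tags) if lifespans[ip] == {day}}


if __name__ == "__main__":
    sets = ips_by_tag(HITS)
    print({t: len(s) for t, s in sets.items()})
    print("overlap all three:", len(overlap(sets, *CORE_TAGS)))
    print("one-day core:", sorted(coordinated_core(HITS, CORE_TAGS, SCAN_DAY)))
```

The `coordinated_core` set is the one worth exporting to a blocklist and searching for in May 8 logs; `jaccard` near 1.0 across tags is the signal for "one operator, many IPs" rather than independent scanners that happen to share a CVE.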

Block These Malicious IPs

GreyNoise has compiled the full list of all 251 malicious IPs observed in this operation. 

13.112.127.102,13.112.137.152,13.112.240.11,13.112.5.89,13.112.69.56,13.113.0.143,13.113.184.40,13.113.217.149,13.114.127.223,13.114.149.129,13.114.218.63,13.114.31.226,13.114.60.193,13.114.98.0,13.115.180.180,13.115.202.46,13.115.229.240,13.115.2.3,13.115.69.54,13.115.71.29,13.230.129.147,13.230.147.105,13.230.225.215,13.230.233.152,13.230.5.184,13.230.8.99,13.230.96.118,13.231.106.81,13.231.146.138,13.231.146.225,13.231.146.246,13.231.153.70,13.231.174.40,13.231.179.96,13.231.184.66,13.231.185.166,13.231.189.33,13.231.191.131,13.231.212.197,13.231.213.253,13.231.214.67,13.231.224.0,13.231.232.177,13.231.232.45,13.231.41.82,13.231.5.78,175.41.228.130,18.176.55.146,18.176.59.175,18.177.143.78,18.177.146.44,18.179.142.39,18.179.197.80,18.179.198.67,18.179.206.138,18.179.30.23,18.179.45.108,18.179.45.73,18.179.46.150,18.179.46.189,18.179.61.223,18.181.212.31,18.182.15.49,18.182.26.23,18.182.9.108,18.182.9.65,18.183.102.143,18.183.102.157,18.183.105.164,18.183.131.125,18.183.165.137,18.183.168.179,18.183.168.64,18.183.176.53,18.183.186.98,18.183.208.224,18.183.213.115,18.183.221.123,18.183.225.18,18.183.229.102,18.183.233.113,18.183.245.235,18.183.248.39,18.183.75.21,18.183.80.208,3.112.124.171,3.112.131.166,3.112.14.18,3.112.150.85,3.112.18.153,3.112.18.248,3.112.203.162,3.112.208.32,3.112.211.126,3.112.218.237,3.112.227.46,3.112.231.205,3.112.233.225,3.112.235.102,3.112.238.114,3.112.253.75,3.112.26.102,3.112.28.119,3.112.32.198,3.112.32.225,3.112.5.87,3.113.0.228,3.113.0.28,3.113.15.97,3.113.25.14,3.113.32.74,35.72.14.113,35.72.14.164,35.72.4.135,35.72.9.173,35.77.105.104,35.77.90.69,35.77.93.26,43.206.215.21,43.206.231.122,43.206.234.13,43.206.235.211,43.206.253.231,43.207.0.130,43.207.103.240,43.207.105.145,43.207.115.43,43.207.118.103,43.207.1.24,43.207.139.186,43.207.150.212,43.207.155.29,43.207.155.87,43.207.166.102,43.207.170.51,43.207.191.167,43.207.198.203,43.207.201.71,43.207.202.54,43.207.203.44,43.207.225.86,43.207.232.1,43.207.232.100,43.207.3.58,43.207.74.241,43.207.79.249,43.207.81.76,52.192.111.156,52.192.125.55,52.192.14.49,52.192.27.19,52.192.56.196,52.192.99.140,52.194.205.49,52.194.220.244,52.194.248.125,52.194.250.54,52.194.254.213,52.195.11.174,52.195.12.82,52.195.171.70,52.195.177.128,52.195.181.143,52.195.183.23,52.195.189.155,52.195.189.78,52.195.194.167,52.195.207.5,52.195.208.52,52.195.209.222,52.195.211.238,52.195.218.94,52.195.221.157,52.195.3.244,52.195.8.164,52.197.210.229,52.199.10.181,52.199.149.12,52.199.199.160,52.199.253.240,52.199.8.84,52.68.188.9,52.68.94.94,52.69.157.91,52.69.46.191,54.150.219.131,54.168.241.135,54.168.247.234,54.168.71.21,54.178.0.190,54.178.114.236,54.178.4.74,54.178.5.144,54.199.101.111,54.199.161.31,54.199.176.59,54.199.40.192,54.199.77.18,54.199.94.62,54.238.101.236,54.238.147.176,54.238.179.56,54.238.189.57,54.238.237.183,54.238.237.9,54.238.4.12,54.238.80.76,54.248.152.214,54.248.156.216,54.248.201.195,54.248.36.134,54.249.121.50,54.249.133.28,54.249.155.117,54.249.219.65,54.249.26.220,54.250.153.158,54.250.161.184,54.250.16.51,54.250.188.209,54.250.237.20,54.250.241.63,54.250.244.142,54.250.244.229,54.250.33.160,54.250.33.94,54.65.130.227,54.65.45.54,54.95.18.182,54.95.193.225,54.95.23.202,54.95.23.87,54.95.36.237,57.180.10.227,57.180.18.215,57.180.242.12,57.180.246.9,57.180.248.217,57.180.27.121,57.180.35.101,57.180.38.232,57.180.40.26,57.180.41.47,57.180.42.39,57.180.47.171,57.180.47.190,57.180.48.122,57.180.56.170,57.180.9.137,57.181.30.246,57.181.37.146

Defenders should block these IPs immediately. While follow-up exploitation may come from different infrastructure, GreyNoise classified all 251 IPs as malicious in real time. Dynamic IP blocking using GreyNoise allows defenses to respond instantly to new scanning infrastructure as it appears, removing guesswork and reducing exposure windows. 

Dynamically Block IPs Targeting These 75 Tags

Identify which of the 75 GreyNoise tags apply to your environment and dynamically block IPs engaging in that activity. 

Edge & Middleware RCEs

CMS & Web App Exploits

IoT & Hardware Targets

Reconnaissance & Crawlers

File Uploads & Web Shells

SQLi & Path Traversal

Legacy & Resurgent CVEs

Authentication & Config Scans

Miscellaneous or Unclassified

GreyNoise will continue to monitor this situation and provide updates as necessary. 

Ivanti EPMM Zero-Days: Reconnaissance to Exploitation

The bottom line: Two critical Ivanti zero-days (CVE-2025-4427 and CVE-2025-4428) are now being actively exploited after GreyNoise reported a surge in scanning activity against other Ivanti technologies last month. Immediate patching is required.

Why It Matters

When chained together, these vulnerabilities enable unauthenticated remote code execution on Ivanti Endpoint Manager Mobile (EPMM) systems. In April, GreyNoise warned about a 9X surge in scanning against Ivanti products — that reconnaissance has now transitioned to exploitation.

The Vulnerabilities

  • CVE-2025-4427 (CVSS: 5.3): Authentication bypass via improper validation sequence
  • CVE-2025-4428 (CVSS: 7.2): Remote code execution through Expression Language injection

How they work: The flaws target the /api/v2/featureusage and /api/v2/featureusage_history endpoints. Input validation occurs before authentication checks, allowing attackers to inject malicious code without credentials.

What We're Seeing

  • We initially observed a small number of attempts to exploit CVE-2025-4427 from one IP address — 212.102.51.249 — on 2025-05-16 (~02:30 GMT), but only attacking our Ivanti sensors, so the attacks are unlikely to be random/opportunistic in nature.
  • The IP count has since risen to three — all non-spoofable and malicious, originating from Indonesia, United States, and India.
  • Pattern follows predicted reconnaissance → exploitation lifecycle
  • Activity tracked via our CVE-2025-4427 tag

Who Discovered It

Credit to Project Discovery and WatchTowr for their excellent technical analysis:

  • Project Discovery revealed validation precedes authorization in Spring MVC's workflow.
  • WatchTowr provided detailed proof-of-concept exploits showing the order-of-operations issue.

Affected Versions & Patches

Vulnerable:

  • 11.12.0.4 and earlier
  • 12.3.0.1, 12.4.0.1, 12.5.0.0

Patched:

  • 11.12.0.5, 12.3.0.2, 12.4.0.2, 12.5.0.1

Take Action Now

  1. Patch immediately to fixed versions.
  2. Review logs for suspicious API activity.
  3. Block malicious IPs using GreyNoise Intelligence tag-focused block lists.
  4. Implement WAF rules if patching is delayed.
  5. Hunt for IOCs focusing on unusual API access patterns.

The Big Picture

This case demonstrates why monitoring scanning trends provides early warning of attacks. The exploitation activity is currently limited, but will likely accelerate as more threat actors incorporate these vulnerabilities into their toolkits.

Organizations with Portal ACLs or WAF restrictions have reduced exposure, but patching remains the only complete solution.

Spike in Git Config Crawling Highlights Risk of Codebase Exposure

GreyNoise observed a significant increase in crawling activity targeting Git configuration files on April 20-21, 2025. While the crawling itself is reconnaissance, successful discovery of exposed Git configuration files can lead to exposure of internal codebases, developer workflows, and potentially sensitive credentials. This activity is tracked under the GreyNoise Git Config Crawler tag, which identifies IPs crawling the internet for sensitive Git configuration files. 

Majority of IPs are Malicious — Potential Regional Targeting

GreyNoise observed nearly 4,800 unique IP addresses daily from April 20-21, marking a substantial increase compared to typical levels. Although activity was globally distributed, Singapore ranked as both the top source and destination for sessions during this period, followed by the U.S. and Germany as the next most common destinations. 

Likewise, in the past 90 days by unique IP count, Singapore remains the top source and destination country for this activity. None of the IPs are spoofed, indicating the traffic originated from the IPs observed. GreyNoise can confirm that 95% of all IPs engaged in this behavior in the past 90 days are malicious.  

Top Source Countries:

  • Singapore (4,933 unique IPs)
  • U.S. (3,807 unique IPs)
  • Germany (473 unique IPs)
  • U.K. (395 unique IPs)
  • Netherlands (321 unique IPs)

Top Destination Countries: 

  • Singapore (8,265 unique IPs)
  • U.S. (5,143 unique IPs)
  • Germany (4,138 unique IPs)
  • U.K. (3,417 unique IPs)
  • India (3,373 unique IPs)

The IPs are linked to cloud infrastructure providers such as Cloudflare, Amazon, and DigitalOcean.

Four Spikes Since September — April the Largest Yet

Since September 2024, GreyNoise has observed four distinct spikes in Git configuration crawling activity, each involving approximately 3,000 unique IPs — with the April 20-21, 2025 spike marking the largest to date. 

The late February spike tells somewhat of a different story in terms of source and destination session traffic:

Top Source Countries:

  • Netherlands 
  • U.S. 
  • Germany

Top Destination Countries:

  • U.S.
  • U.K. 
  • Spain

Why It Matters

Git configuration files can reveal: 

  • Remote repository URLs (GitHub, GitLab)
  • Branch structures and naming conventions 
  • Metadata that provides insight into internal development processes

In some cases, if the full .git directory is also exposed, attackers may be able to reconstruct the entire codebase — including commit history, which may contain confidential information, credentials, or sensitive logic. 

In 2024, a Git configuration breach exposed 15,000 credentials and resulted in 10,000 cloned private repositories. 

Recommendations

To prevent this type of exposure: 

  • Ensure .git/ directories are not accessible via public web servers
  • Block access to hidden files and folders in web server configurations
  • Monitor logs for repeated requests to .git/config and similar paths
  • Rotate any credentials exposed in version control history
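The "monitor logs for repeated requests to .git/config and similar paths" recommendation can be implemented as a small log scanner that also distinguishes the two outcomes that matter: a 404 storm is crawler noise to block, while a 2xx on a hidden path means the repository or environment file really is exposed. The block below is an added example, not GreyNoise code; the log lines are constructed in the Apache/nginx "combined" format with RFC 5737 addresses, and the paths and user agents are made up.

```python
"""Detect hidden-file crawling (.git/config, .env, ...) in web server access logs.

Added example, not GreyNoise code. The log lines are constructed in the
Apache/nginx "combined" format with RFC 5737 addresses; paths and user
agents are made up.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: one crawler getting 404s, one request that actually found
# an exposed .git/config (200), a normal visitor, and an ACME challenge fetch.
SAMPLE_LOG = """\
203.0.113.5 - - [20/Apr/2025:10:01:12 +0000] "GET /.git/config HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.5 - - [20/Apr/2025:10:01:13 +0000] "GET /.git/HEAD HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.5 - - [20/Apr/2025:10:01:14 +0000] "GET /.env HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.9 - - [20/Apr/2025:10:05:00 +0000] "GET /.git/config HTTP/1.1" 200 312 "-" "curl/8.4.0"
192.0.2.44 - - [20/Apr/2025:10:06:30 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.44 - - [20/Apr/2025:10:06:31 +0000] "GET /static/app.js?v=.git HTTP/1.1" 200 900 "-" "Mozilla/5.0"
192.0.2.44 - - [20/Apr/2025:10:07:00 +0000] "GET /.well-known/acme-challenge/abc123 HTTP/1.1" 200 87 "-" "acme-client/1.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
ALLOWED_DOTDIRS = {".well-known"}  # RFC 8615; ACME challenges live here, so it must stay reachable


def parse_line(line):
    """Return {ip, ts, method, path, status} or None for lines that are not combined-format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = urlsplit(m.group("target")).path  # drop the query string: "?v=.git" is not a hidden path
    return {"ip": m.group("ip"), "ts": m.group("ts"), "method": m.group("method"),
            "path": path, "status": int(m.group("status"))}


def is_hidden_path(path):
    """True if any path segment is a dotfile/dotdir other than the allow-listed ones."""
    for seg in path.split("/"):
        if seg.startswith(".") and seg not in (".", "..") and seg not in ALLOWED_DOTDIRS:
            return True
    return False


def scan(lines):
    """Per source IP: hidden-path request count, the paths tried, and which ones got a 2xx.

    A 404 storm is reconnaissance noise to block; a 2xx on /.git/config means
    the repository is exposed and any credentials in its history must be rotated.
    """
    report = defaultdict(lambda: {"requests": 0, "paths": set(), "exposed": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_hidden_path(rec["path"]):
            continue
        entry = report[rec["ip"]]
        entry["requests"] += 1
        entry["paths"].add(rec["path"])
        if 200 <= rec["status"] < 300:
            entry["exposed"].add(rec["path"])
    return {ip: {"requests": e["requests"], "paths": sorted(e["paths"]), "exposed": sorted(e["exposed"])}
            for ip, e in report.items()}


if __name__ == "__main__":
    for ip, info in scan(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
```

On the server side the same allow-list logic is the usual nginx deny rule for dotfiles, `location ~ /\.(?!well-known) { deny all; }`, which turns every crawler probe into a 403 while leaving ACME validation working; the scanner above is what tells you whether anything slipped through before that rule was in place.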

Related CVE:

CVE-2021-23263

GreyNoise will continue to monitor the situation and provide updates as necessary. To stay abreast of the latest developments, please navigate to the top of this page and subscribe to our blog. 

9X Surge in Ivanti Connect Secure Scanning Activity

May 20, 2025 Update:

Our April 23 report highlighted a sharp surge in scanning activity targeting Ivanti Connect Secure and Pulse Secure products. Just weeks later, two zero-day vulnerabilities were disclosed in Ivanti EPMM, a separate but related technology.

While the scanning we observed was not directly tied to EPMM, the timeline underscores a critical reality: scanning activity often precedes the public emergence of zero-day vulnerabilities. It’s a leading indicator — a signal that attackers are probing critical systems, potentially in preparation for future exploitation. 

For defenders, this reinforces the value of watching real-time reconnaissance trends. Scanning patterns offer a rare opportunity to anticipate zero-days before they surface and to proactively harden exposed systems.

End of Update

-----

On April 18, 2025, GreyNoise observed a 9X spike in suspicious scanning activity targeting Ivanti Connect Secure (ICS) or Ivanti Pulse Secure (IPS) VPN systems. 

More than 230 unique IPs probed ICS/IPS endpoints — a sharp rise from the usual daily baseline of fewer than 30. This surge may indicate coordinated reconnaissance and possible preparation for future exploitation. 

What We’re Seeing

GreyNoise has a tag tracking suspicious scanning activity for Ivanti Connect Secure systems. This tag includes IPs observed attempting to identify internet-accessible ICS/IPS systems.

Observed Spike: 234 Unique IPs on April 18, 2025

Observed Activity in Past 90 Days: 1,004 Unique IPs 

Spoofable IPs: 0% (none of the observed IPs are spoofable)

IP Classifications: 

  • 634 Suspicious
  • 244 Malicious
  • 126 Benign

Top 3 Source Countries:

  • U.S. 
  • Germany 
  • Netherlands

Top 3 Destination Countries:

  • U.S. 
  • Germany 
  • U.K.

Infrastructure Insights

A closer look at the source infrastructure reveals a notable split in behavior:

  • Malicious IPs (those also observed in other known malicious activity) are primarily using:
    • Tor exit nodes
    • Common cloud and VPS providers with familiar names
  • Suspicious IPs are linked to:
    • Lesser-known or niche hosting providers
    • Less mainstream cloud infrastructure

Why This Matters

Ivanti Connect Secure has been targeted repeatedly in recent years due to its role in enterprise remote access. 

While no specific CVEs have been tied to this scanning activity yet, spikes like this often precede active exploitation. GreyNoise has previously observed similar patterns in the lead-up to the public discovery of new vulnerabilities. 

Recommended Defensive Actions

Security teams should: 

  • Review logs for suspicious probes of ICS/IPS.
  • Monitor login activity from new or suspicious IPs. 
  • Block known malicious or suspicious IPs using GreyNoise. 
  • Patch all ICS/IPS systems with the latest updates. 

GreyNoise will continue tracking this activity and will publish updates as necessary. 

GreyNoise Observes 3X Surge in Exploitation Attempts Against TVT DVRs — Likely Mirai

GreyNoise has observed a significant spike — 3 times that of typical activity — in exploitation attempts against TVT NVMS9000 DVRs, peaking on April 3 at over 2,500 unique IPs. This information disclosure vulnerability can be used to gain administrative control over affected systems. 

GreyNoise has identified sufficient overlap with Mirai to assess that this activity is associated with the botnet. Numerous past reports have named the TVT NVMS9000 DVR as a target for botnet enlistment, including a GreyNoise update reporting Mirai targeting in early March.

Manufactured by TVT Digital Technology Co., Ltd., a Shenzhen-based company, NVMS9000 DVRs are reportedly used in security and surveillance systems. The DVRs are used for recording, storing, and managing video footage from security cameras. A company report mentions TVT has “served customers in more than 120 countries.” 

Most malicious IP addresses are targeting systems based in the United States, United Kingdom, and Germany. 

GreyNoise Observations 

On March 31, 2025, GreyNoise observed the beginning of a surge in unique IP addresses attempting to exploit the NVMS9000 DVR. The number of IPs peaked at over 2,500 on April 3, with over 6,600 IPs attempting to exploit the flaw in the past 30 days. 

GreyNoise can confirm that all IPs targeting the flaw in the past 30 days are malicious, and none of them are spoofable. 

Attackers could potentially use this flaw to gain full control of the DVR. 

Source and Destination Countries

The majority of IPs in the past 30 days have originated from the Asia-Pacific (APAC) region, while the U.S., U.K., and Germany are the top target countries.  

Top Source Countries

  • Taiwan (3,637 IPs)
  • Japan (809 IPs)
  • South Korea (542 IPs)

Top Destination Countries (an IP that hits sensors in several countries is counted once per country, which is why these figures add up to more than the 6,600 unique IPs observed)

  • United States (6,471 IPs)
  • United Kingdom (5,738 IPs)
  • Germany (5,713 IPs)

Mitigations 

Organizations using the NVMS9000 DVR or similar systems should ensure that they are properly secured. Recommended actions include: 

  • Use GreyNoise to block known malicious IP addresses attempting to exploit this vulnerability. 
  • Apply all available patches.
  • Restrict public internet access to DVR interfaces. 
  • Monitor network traffic for signs of unusual scanning or exploitation attempts. 

Stay updated by visiting the GreyNoise tag for this activity. 

Heightened In-The-Wild Activity On Key Technologies Observed On March 28

April 7, 2025 Update

After GreyNoise’s reporting of heightened activity targeting key technologies on March 28, we now observe on April 7 a significant rise in exploitation attempts against Linksys E-Series routers. 

GreyNoise assesses the activity is linked to Mirai. 

The associated GreyNoise tag is:

  • Linksys E-Series TheMoon Remote Command Injection Attempt

These updates come at a time when routers and other edge technologies are reportedly attracting significant interest from advanced, well-resourced attackers.

End of Update

-----

On March 28, GreyNoise observed a significant spike in activity targeting multiple edge technologies, including SonicWall, Zoho, Zyxel, F5, Linksys, and Ivanti systems. While some of these technologies are edge systems, others are primarily internal management tools. 

This uptick suggests increased reconnaissance or exploitation attempts, indicating that threat actors may be probing for vulnerabilities or unpatched systems. Security teams should be aware of this trend and assess potential risks. 

Observed Activity 

GreyNoise telemetry indicates a marked increase in in-the-wild activity targeting these systems.

View real-time activity and block malicious IPs by navigating to the GreyNoise Visualizer’s CVE Search feature and pasting CVEs of interest. 

  • Ivanti
  • SonicWall
  • Zoho
  • Zyxel
  • F5
  • Linksys

Recommended Actions

  1. Patch Management: Ensure that all systems are up to date with the latest security patches to mitigate known vulnerabilities. 
  2. Network Monitoring: Closely monitor traffic — retroactively analyzing March 28 logs — for unusual patterns or activity targeting these systems. 
  3. Threat Intelligence & Dynamic Blocking: Use GreyNoise to view real-time activity targeting these systems, and to block malicious IPs. 

Surge in Palo Alto Networks Scanner Activity Indicates Possible Upcoming Threats

May 2, 2025 Update:  

GreyNoise has observed a sharp and sustained decline in suspicious opportunistic scanning activity targeting Palo Alto Networks PAN-OS GlobalProtect portals — dropping by more than 99 percent within 48 hours of our March 31 report. 

Opportunistic scanning activity fell from a peak of 20,000 unique IPs per day to just over 100 per day, and remained low through April until now.

3xK Tech GmbH IP Infrastructure Abused

The majority of IPs involved in this activity are associated with the provider, 3xK Tech GmbH — accounting for nearly 20,000 of the 25,000+ IPs observed in the past 90 days. Of the physical subnets in which these IPs exist, 80 to 90 percent were involved in this activity. 

Similar to recent GreyNoise reporting on Git Config scanning, where actors abused Cloudflare infrastructure, actors are now relying heavily on infrastructure provided by 3xK Tech GmbH.

Threat actors are increasingly rotating between infrastructure providers, making provider-based blocking both ineffective and unsustainable. Dynamic IP blocking is essential to defend against these threats and future ones alike.

End of Update

-----

GreyNoise has observed a significant surge in login scanning activity targeting Palo Alto Networks PAN-OS GlobalProtect portals. Over the last 30 days, nearly 24,000 unique IP addresses have attempted to access these portals. The pattern suggests a coordinated effort to probe network defenses and identify exposed or vulnerable systems, potentially as a precursor to targeted exploitation. 

Recent patterns observed by GreyNoise suggest that this activity may signal the emergence of new vulnerabilities in the near future: 

“Over the past 18 to 24 months, we’ve observed a consistent pattern of deliberate targeting of older vulnerabilities or well-worn attack and reconnaissance attempts against specific technologies,” said Bob Rudis, VP of Data Science at GreyNoise. “These patterns often coincide with new vulnerabilities emerging 2 to 4 weeks later.” 

Key Observations 

  • The spike began on March 17, 2025, with activity peaking at nearly 20,000 unique IPs per day and remaining steady until March 26 before tapering off. 
  • Most of the observed activity is classified as suspicious (23,800 IPs), with a smaller subset flagged as malicious (154 IPs). 

The consistency of this activity suggests a planned approach to testing network defenses, potentially paving the way for exploitation. Organizations using Palo Alto Networks products should take steps to secure their login portals. 

A significant portion of the traffic is associated with 3xK Tech GmbH (20,010 IPs) under AS200373. Other notable contributors include PureVoltage Hosting Inc., Fast Servers Pty Ltd., and Oy Crea Nova Hosting Solution Ltd.

Additionally, GreyNoise has identified three JA4h hashes linked to the login scanner tool: 

  • po11nn11enus_967778c7bec7_000000000000_000000000000
  • po11nn09enus_fb8b2e7e6287_000000000000_000000000000
  • po11nn060000_c4f66731b00d_000000000000_000000000000

These are JA4H fingerprints, which describe the shape of an HTTP request rather than any single header value. The first field is human-readable: po11nn11enus is a POST over HTTP/1.1 with no Cookie and no Referer header, 11 headers, and an Accept-Language of en-US; po11nn060000 is a POST with only 6 headers and no Accept-Language at all. The remaining fields hash the header names in the order sent and the cookie names and values, and the all-zero cookie fields show the requests carried no cookies. Because these patterns are characteristic of the login scanner tool used by the attackers in question, GreyNoise can correlate separate login attempts as originating from the same toolkit, and defenders who log request headers at a proxy or WAF can compute the same fingerprint to match against these values.
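The fingerprint can be computed from headers logged at a reverse proxy or WAF. The following is an added example, not GreyNoise's or FoxIO's code: it implements the JA4H algorithm as published by FoxIO as I read it (Cookie and Referer excluded from the header count and from the header-order hash; assumption, so confirm against the FoxIO reference implementation before using it to match the hashes above), plus a decoder for the readable first section. The request, hostnames and cookie values are constructed; the GlobalProtect login path is only there to make the sample look like the traffic discussed here.

```python
import hashlib
import re

# Constructed sample POST: 11 headers, no Cookie, no Referer, Accept-Language en-US.
# Not a capture of the scanner described above.
SAMPLE_REQUEST = (
    "POST /global-protect/login.esp HTTP/1.1\r\n"
    "Host: vpn.example.com\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Accept: */*\r\n"
    "Accept-Language: en-US,en;q=0.9\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 0\r\n"
    "Connection: keep-alive\r\n"
    "Origin: https://vpn.example.com\r\n"
    "Cache-Control: no-cache\r\n"
    "Pragma: no-cache\r\n"
    "\r\n"
)

# The same request with a Referer and a Cookie added (also constructed).
SAMPLE_REQUEST_WITH_COOKIE = SAMPLE_REQUEST.replace(
    "Pragma: no-cache\r\n",
    "Pragma: no-cache\r\nReferer: https://vpn.example.com/global-protect/login.esp\r\n"
    "Cookie: PHPSESSID=abc123; lang=en\r\n",
)


def _h12(text):
    """Truncated sha256, the hash form JA4H uses for its b/c/d sections."""
    return hashlib.sha256(text.encode()).hexdigest()[:12]


def _parse(raw):
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, _target, version = request_line.split(" ", 2)
    headers = []
    for line in header_lines:
        if line:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return method, version, headers


def ja4h(raw):
    """JA4H = a (request shape) _ b (header order) _ c (cookie names) _ d (cookie values)."""
    method, version, headers = _parse(raw)
    lower = [(n.lower(), v) for n, v in headers]
    has_cookie = any(n == "cookie" for n, _ in lower)
    has_referer = any(n == "referer" for n, _ in lower)
    # Assumption: Cookie and Referer are excluded from the count and from JA4H_b.
    counted = [n for n, _ in headers if n.lower() not in ("cookie", "referer")]
    ver = version.split("/", 1)[1].replace(".", "")   # HTTP/1.1 -> 11, HTTP/2 -> 2
    ver = (ver + "0")[:2]                              # HTTP/2 -> 20
    lang = "0000"                                      # no Accept-Language at all
    for n, v in lower:
        if n == "accept-language":
            primary = re.sub(r"[^a-z0-9]", "", v.split(",")[0].split(";")[0].lower())
            lang = (primary + "0000")[:4]              # en-US -> enus, en -> en00
            break
    ja4h_a = (f"{method.lower()[:2]}{ver}{'c' if has_cookie else 'n'}"
              f"{'r' if has_referer else 'n'}{min(len(counted), 99):02d}{lang}")
    ja4h_b = _h12(",".join(counted))
    cookies = []
    for n, v in lower:
        if n == "cookie":
            cookies += [c.strip() for c in v.split(";") if c.strip()]
    if cookies:
        ja4h_c = _h12(",".join(sorted(c.split("=", 1)[0] for c in cookies)))
        ja4h_d = _h12(",".join(sorted(cookies)))
    else:
        ja4h_c = ja4h_d = "000000000000"
    return "_".join((ja4h_a, ja4h_b, ja4h_c, ja4h_d))


def decode_ja4h_a(fingerprint):
    """Unpack the human-readable first section of a JA4H string."""
    a = fingerprint.split("_", 1)[0]
    return {
        "method": a[0:2],
        "http_version": a[2:4],
        "cookie": a[4] == "c",
        "referer": a[5] == "r",
        "header_count": int(a[6:8]),
        "accept_language": None if a[8:12] == "0000" else a[8:12],
    }


if __name__ == "__main__":
    print(ja4h(SAMPLE_REQUEST))
    print(ja4h(SAMPLE_REQUEST_WITH_COOKIE))
    print(decode_ja4h_a("po11nn060000_c4f66731b00d_000000000000_000000000000"))
```

Two properties matter when hunting with these values: adding a Cookie or Referer only flips the c/r flags and fills the cookie hashes, leaving the header-order hash untouched, so the b section is the stable part to pivot on; and a scanner that randomises the User-Agent value is still caught, because JA4H hashes header names, not values.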

Source and Destination Analysis 

  • Source Countries: Predominantly originating from the United States (16,249) and Canada (5,823), followed by Finland, Netherlands, and Russia.  
  • Destination Countries: The overwhelming majority of traffic targeted systems in the United States (23,768), with smaller volumes directed toward the United Kingdom, Ireland, Russia, and Singapore. 

These patterns reflect the global nature of the activity, indicating that multiple regions are being targeted.

Concurrent Crawler Activity Detected

The activity appears to be linked to other PAN-OS reconnaissance-related tags such as PAN-OS Crawler, where a single spike was observed on March 26, 2025 involving 2,580 unique source IPs. 

Reminiscent of 2024 Espionage Campaign

This surge in activity is reminiscent of a 2024 espionage campaign targeting perimeter network devices, reported by Cisco Talos. While the specific methods differ, both incidents highlight the importance of monitoring and securing critical edge devices against unauthorized access. 

Recommendations

Given the unusual nature of this activity, organizations with exposed Palo Alto Networks systems should review their March logs and consider performing a detailed threat hunt on running systems to identify any signs of compromise.

View Attacker Activity & Block Malicious IPs

GreyNoise will continue to monitor the situation and provide updates if material developments arise. 
