Threat Signals

Path Traversal and Remote Code Execution in Apache HTTP Server, CVE-2021-41773

On October 4th, 2021, Apache disclosed a path traversal vulnerability CVE-2021-41773 that affects HTTP Server version 2.4.49. The vulnerability was introduced in this version (2.4.49) and is patched in version 2.4.50.

This path traversal vulnerability allows sensitive files outside of the expected document root to be accessed, such as configuration files and Common Gateway Interface (CGI) scripts. This allows for specially crafted requests to read arbitrary files as well as perform Remote Code Execution (RCE) on systems that have the Apache “mod_cgi” module enabled.

On October 3rd, 2021, at 08:44 UTC, GreyNoise observed the first scan for this vulnerability from 36.68.53.196. This predates the mailing list announcement from Apache on October 5th as well as the release of 2.4.50 on October 4th, but after the patch was committed on September 29th. [View 36.68.53.196 in GreyNoise]

As of October 5th, 2021, the first Proof of Concept (POC) code became available which demonstrated arbitrary file read. It was closely followed by a POC demonstrating RCE.

GreyNoise Tag for CVE-2021-41773

GreyNoise has released the following tag to enable monitoring of relevant activity:

• Apache HTTP Server Path Traversal Attempt: The vulnerability attempt tag for CVE-2021-41773, path traversal vulnerability in Apache HTTP Server v2.4.49 which can lead to arbitrary file read and remote code execution. [View In GreyNoise]*

As of 7-Oct-21, GreyNoise is seeing 47 unique IP addresses that have scanned for this vulnerability, 39 of which are “malicious” and 8 of which are “benign."

* Editor’s Note: If this tag returns “No results found’,' this means that GreyNoise has not observed any IP addresses scanning the internet for this CVE in the past 90 days. You can use GreyNoise to notify you if this changes by using our Alerts feature.

10/15/21: This blog has been updated with Figure 1 to depict the timeline of events.

New Tags

Azure OMI RCE Attempt  [Intention: Malicious]

• CVE-2021-38647, CVE-2021-38648, CVE-2021-38645, CVE-2021-38649
• This IP address has been observed scanning the internet for WSMan Powershell providers without an Authorization header, a root RCE in Azure Open Management Infrastructure.
• Sources: Wiz, Microsoft Security Response Center [1, 2, 3, 4]
• See it on GreyNoise Viz

Azure OMI RCE Check [Intention: Unknown]

• CVE-2021-38647, CVE-2021-38648, CVE-2021-38645, CVE-2021-38649
• This IP address has been observed scanning the internet for WSMan Powershell providers without an Authorization header, but has not provided a valid SOAP XML Envelope payload.
• Sources: Wiz, Microsoft Security Response Center [1, 2, 3, 4]
• See it on GreyNoise Viz

VMWare VCSA File Upload Attempt  [Intention: Malicious]

• CVE-2021-22005, CVE-2021-22017
• This IP address has been observed attempting to exploit a remote file upload vulnerability in VMWare vCenter Server Appliance.
• Sources: VMware [1, 2], MITRE [1, 2]
• See it on GreyNoise Viz

VMWare VCSA File Upload Check [Intention: Unknown]

• CVE-2021-22005, CVE-2021-22017
• This IP address has been observed checking for the presence of a remote file upload vulnerability in VMWare vCenter Server Appliance.
• Sources: VMware [1, 2], MITRE [1, 2]
• See it on GreyNoise Viz

LDAP Crawler [Intention: Unknown]

• This IP address has been observed crawling the internet and attempting to discover hosts that respond to LDAP SearchRequest messages.
• Sources: IETF, ldap.com, LDAP Wiki
• See it on GreyNoise Viz

Veeder-Root ATGs Crawler [Intention: Unknown]

• This IP address has been observed attempting to discover Veeder-Root Automatic Oil Tank Gauges.
• Sources: Rapid7 [1, 2], Veeder
• See it on GreyNoise Viz

VMware vCenter File Disclosure [Intention: Malicious]

• This IP address has been observed attempting to exploit an arbitrary file disclosure vulnerability in VMware vCenter.
• Sources: GitHub, PT Swarm
• See it on GreyNoise Viz

PJL Crawler [Intention: Unknown]

• This IP address has been observed sending Printer Job Language commands.
• Sources: Tenable, HP Developers Portal
• See it on GreyNoise Viz

PowerShell Generic Shell Attempt [Intention: Malicious]

• This IP address has been observed attempting to spawn a generic PowerShell reverse or bind shell using the web request.
• Sources: GitHub
• See it on GreyNoise Viz

Cisco IMC Supervisor and UCS Director Backdoor [Intention: Malicious]

• CVE-2019-1935
• This IP address has been observed attempting to authenticate via SSH using default credentials for Cisco IMC Supervisor and Cisco UCS Director products.
• Sources: NIST
• See it on GreyNoise Viz

On September 21, 2021, VMWare published an advisory for several vulnerabilities. This included, most notably, CVE-2021-22005, which affects their vCenter Server product. This vulnerability is an arbitrary file upload vulnerability that can lead to remote code execution (RCE) via upload of a specially crafted file. This works regardless of the configuration settings of vCenter Server.

Due to the severity of this vulnerability, VMWare published workaround instructions detailing how to manually or automatically patch the affected products. The automated patching script (available in the right-hand panel in the link above) includes logic to validate if your product is vulnerable to CVE-2021-22005, as well as confirm the patch has worked as expected.

As of September 23, 2021, there is no known publicly available proof-of-concept (PoC) code for the CVE that enables arbitrary file upload or RCE. However, GreyNoise is observing a significant number of checks for vulnerable instances of vCenter Server based off of the automated patching script provided by VMWare, most of these egressing via Tor.

The following tags have been released to enable monitoring of relevant activity:

• VMWare VCSA File Upload Check: The vulnerability check tag for CVE-2021-22005 matches on actively utilized variations based off of VMWare’s patching script, typically sending invalid JSON or an empty JSON object to vulnerable endpoints. [View In GreyNoise]
• VMWare VCSA File Upload Attempt: The vulnerability attempt tag for CVE-2021-22005 matches on activity to vulnerable endpoints containing valid, parsable, or non-empty payloads. [View In GreyNoise]

Editor's Note: If either of these tags return "no results," this means that we have not observed any recent activity. You can be notified if this changes by using our Alerts feature.

‍

New Tags

MongoDB Crawler  [Intention: Unknown]

• This IP address has been observed crawling the Internet and attempting to discover MongoDB instances.
• Sources: MongoDB Docs, RAPID7
• See it on GreyNoise Viz

Apple iOS Lockdownd Crawler [Intention: Unknown]

• This IP address has been observed attempting to discover legacy Apple iOS devices with remotely accessible lockdownd service.
• Sources: iPhone Wiki, Zdziarski's Blog, GitHub, Apple Support
• See it on GreyNoise Viz

HTTP Request Smuggling [Intention: Malicious]

• This IP address has been observed attempting to smuggle HTTP requests, a method commonly used to bypass load balancer or proxy security restrictions.
• Sources: PortSwigger, JFrog
• See it on GreyNoise Viz

Gh0st RAT Crawler  [Intention: Malicious]

• This IP address has been observed checking for the existence of hosts infected with Gh0st trojan.
• Sources: RSA Community, norman.no
• See it on GreyNoise Viz

nJRAT Crawler  [Intention: Malicious]

• This IP address has been observed sending unobfuscated njRAT traffic.
• Sources: RSA Community, Krebs On Security
• See it on GreyNoise Viz

Supervisor XML-RCE Attempt  [Intention: Malicious]

• This IP address has been observed attempting to exploit CVE-2017-11610, a remote command execution vulnerability in Supervisor client/server.
• Sources: NIST, Supervisor
• See it on GreyNoise Viz

New Actor Tag

BLEXbot [Intention: Benign]

• Sources: WebMeUp
• See it on GreyNoise Viz

New Tags

Atlassian Confluence Server OGNL Injection Attempt [Intention: Malicious]

• CVE-2021-26084
• This IP address has been observed attempting to exploit CVE-2021-26084, an OGNL injection vulnerability in Confluence Server and Data Center.
• Sources: GitHub (1, 2), MITRE
• See it on GreyNoise Viz

Atlassian Confluence Server OGNL Injection Vuln Check [Intention: Unknown]

• CVE-2021-26084
• This IP address has been observed checking for the existence of CVE-2021-26084, an OGNL injection vulnerability in Confluence Server and Data Center.
• Sources: GitHub (1, 2), MITRE
• See it on GreyNoise Viz

Oracle WebLogic RCE CVE-2021-2109 [Intention: Malicious]

• CVE-2021-2109
• This IP address has been observed exploiting Oracle WebLogic CVE-2021-2109.
• Sources: Mitre, PacketStorm Security, GitHub
• See it on GreyNoise Viz

Seagate BlackArmor RCE Attempt [Intention: Malicious]

• CVE-2014-3206
• This IP address has been observed exploiting CVE-2014-3206, a remote code execution vulnerability in Seagate BlackArmor NAS.
• Sources: NIST, VulDB, ExploitDB
• See it on GreyNoise Viz

ASUS GT-AC2900 Auth Bypass Attempt [Intention: Malicious]

• CVE-2021-32030
• This IP address has been observed attempting to exploit CVE-2021-32030, an authentication bypass in ASUS GT-AC2900 routers.
• Sources: MITRE, Atredis
• See it on GreyNoise Viz

Apache SkyWalking GraphQL SQL Injection  [Intention: Malicious]

• CVE-2020-9483
• This IP address has been observed attempting to exploit CVE-2020-9483, a SQL injection vulnerability in Apache SkyWalking via GraphQL.
• Sources: GitHub, NVD
• See it on GreyNoise Viz

Carries HTTP Referer [Intention: Unknown]

• This IP address has been observed scanning the internet with an HTTP client that includes the Referer header in its requests.
• Sources: Firefox
• See it on GreyNoise Viz

Stores HTTP Cookies  [Intention: Unknown]

• This IP address has been observed scanning the internet with an HTTP client that supports storing Cookies.
• Sources: Firefox (1, 2)
• See it on GreyNoise Viz

Follows HTTP Redirects  [Intention: Unknown]

• This IP address has been observed scanning the internet with an HTTP client that follows redirects defined in a Location header.
• Sources: Firefox
• See it on GreyNoise Viz

RSYNC Crawler  [Intention: Unknown]

• This IP address has been observed scanning the internet and attempting to discover rsync server instances.
• Sources: Red Hat, Hacktricks.xyz
• See it on GreyNoise Viz

New Actor Tag

University of Michigan [Intention: Benign]

• Sources: Department of Electrical Engineering and Computer Science
• See it on GreyNoise Viz

Tag Improvements

As part of our process, our research team continues to clean up and improve on existing tags as new information or better processes are introduced.

ADB Check [Intention: Unknown]

• This IP address has been observed checking for the existence of the Android Debug Bridge protocol.
• See it on GreyNoise Viz

ADB Attempt [Intention: Malicious]

• This IP address has been observed checking for the existence of the Android Debug Bridge protocol and has requested interactivity.
• See it on GreyNoise Viz

EDITORS NOTE: This blog post has been updated as of Sep. 2 to reflect edits to the Atlassian Confluence Server OGNL Injection tags.

New Tags

Tag: Exchange ProxyShell Vuln Attempt [Intention: Malicious]

• CVE-2021-34473, CVE-2021-34523, CVE-2021-31207
• This IP address has been observed attempting to exploit the ProxyShell vulnerability in Microsoft Exchange.
• Sources: Medium, BlackHat, y4y.space
• See it on GreyNoise Viz

Tag: Exchange ProxyShell Vuln Check [Intention: Unknown]

• CVE-2021-34473, CVE-2021-34523, CVE-2021-31207
• This IP address has been observed checking for the existence of the ProxyShell vulnerability in Microsoft Exchange, an activity which commonly leaks sensitive information.
• Sources: Medium, BlackHat, y4y.space
• See it on GreyNoise Viz

Tag: Javascript Enabled [Intention: Unknown]

• This IP address has been observed scanning the internet with a client that supports javascript, such as a web browser controlled through automation.
• See it on GreyNoise Viz

Tag: Aerospike RCE Attempt [Intention: Malicious]

• CVE-2020-13151
• This IP address has been observed attempting to exploit CVE-2020-13151, a remote command execution in Aerospike databases.
• Sources: NIST, GitHub [1, 2]
• See it on GreyNoise Viz

Tag: Docker API Container Creation Attempt [Intention: Malicious]

• This IP address has been observed attempting to provision a container using the Docker API.
• Sources: Docker Docs
• See it on GreyNoise Viz

Tag: Buffalo Router RCE Check [Intention: Unknown]

• CVE-2021-20091
• This IP address has been observed attempting to discover Buffalo routers susceptible to remote command injection through path traversal.
• Sources: Tenable, MITRE
• See it on GreyNoise Viz

Tag: Buffalo Router RCE Attempt [Intention: Malicious]

• CVE-2021-20091
• This IP address has been observed attempting to exploit Buffalo routers susceptible to remote command injection through path traversal.
• Sources: Tenable, MITRE
• See it on GreyNoise Viz

Tag: FirebirdSQL Crawler [Intention: Unknown]

• This IP address has been observed crawling the Internet and attempting to discover FirebirdSQL instances.
• Sources: GitHub, Nmap Service Probes
• See it on GreyNoise Viz

Tag: Ruijie EG Command Injection Attempt [Intention: Malicious]

• This IP address has been observed attempting command injection on Ruijie network devices with Easy Gateway support.
• Sources: peiqi.tech [1, 2]
• See it on GreyNoise Viz

Recent Actor Tag

• Cortex® Xpanse™ [Intention: Benign]

• Sources: Palo Alto Networks, Expanse, ARIN
• See it on GreyNoise Viz

Tag Improvements

As part of our process, our research team continues to clean up and improve on existing tags as new information or better processes are introduced.

Tag: X Server Connection Attempt [Intention: Malicious]

• This IP address has been observed scanning the Internet for X11 servers with access control disabled, which allows for unauthenticated connections.
• See it on GreyNoise Viz

Tag: ADB Worm [Intention: Malicious]

• This IP address has been observed exploiting the Android Debug Bridge vulnerability.
• See it on GreyNoise Viz

Removed Tags

• Stretchoid
• Security Scorecard

During BlackHat 2021, security researcher Orange Tsai demonstrated a proof-of-concept exploit for Microsoft Exchange vulnerabilities, including a Pre-auth Path Confusion leading to Access-Control List (ACL) bypass (tracked as CVE-2021-34473, also called ProxyShell). Since Tsai’s talk, multiple researchers have published write-ups about the vulnerabilities [1, 2]. GreyNoise had not observed any mass scanning activity until Aug. 9, and has seen a significant uptick in scanning as of Thursday, Aug. 12. GreyNoise has created two tags to track activity related to these vulnerabilities.

Exchange ProxyShell Vuln Check: The vulnerability check for CVE-2021-34473 has several public variations. These include checking for access to /mapi/nspi which results in exposure of potentially sensitive information such as Version, User, UPN, SID, and Organization. Out of caution, GreyNoise tags this as malicious intent despite being a Vuln Check. [View In GreyNoise]

Exchange ProxyShell Vuln Attempt: Active attempts that leverage and chain the Pre-Auth Path Confusion for further exploitation through Elevation of Privilege on Exchange PowerShell Backend (CVE-2021-34523) or Post-auth Arbitrary-File-Write leading to remote code execution (CVE-2021-31207) are included in this tag. [View In GreyNoise]

Editor's Note: If either of these tags, or any tags for that matter, return "no results," this means that we have not observed any recent activity. You can be notified if this changes by using our Alerts feature.

New Tags

CVE-2009-0545, CVE-2019-12725, CVE-2020-29390

Tag: Zeroshell RCE Attempt [Intention: Malicious]

• This IP address has been observed attempting to exploit a remote command execution vulnerability in Zeroshell.
• Sources: NIST [1, 2, 3]
• See it on GreyNoise Viz

Tag: Cisco Smart Install RCE Attempt [Intention: Malicious]

• This IP address has been observed attempting to exploit Cisco Smart Install Protocol.
• Sources: Rapid7, GitHub [1, 2]
• See it on GreyNoise Viz

CVE-2021-35464

Tag: ForgeRock OpenAM Pre-Auth RCE Vuln Check [Intention: Unknown]

• This IP address has been observed checking for the existence of CVE-2021-35464, a path traversal vulnerability in ForgeRock OpenAM which can lead to RCE.
• Sources: PortSwigger, NIST
• See it on GreyNoise Viz

CVE-2021-35464

Tag: ForgeRock OpenAM Pre-Auth RCE Attempt [Intention: Malicious]

• This IP address has been observed attempting to exploit CVE-2021-35464, a path traversal vulnerability in ForgeRock OpenAM that can lead to RCE.
• Sources: PortSwigger, NIST
• See it on GreyNoise Viz

CVE-2021-33544 to CVE-2021-33544 (11 CVEs)

Tag: UDP Technology IP Camera Attempt [Intention: Malicious]

• This IP address has been observed attempting to exploit CVEs in UDP Technology camera firmware and has attempted exploitation.
• Sources: PortSwigger, Randorisec
• See it on GreyNoise Viz

CVE-2021-33544, CVE-2021-33548, CVE-2021-33550 to CVE-2021-33554

Tag: UDP Technology IP Camera Check [Intention: Unknown]

• This IP address has been observed attempting to exploit CVEs in UDP Technology camera firmware and has attempted exploitation.
• Sources: PortSwigger, Randorisec
• See it on GreyNoise Viz

CVE-2017-12149

Tag: Jboss Application Server RCE Attempt [Intention: Malicious]

• This IP address has been observed attempting to exploit CVE-2017-12149, a remote code execution vulnerability in JBoss Application Server.
• Sources: NIST, GitHub
• See it on GreyNoise Viz

CVE-2021-30497

Tag: Ivanti Avalanche Path Traversal [Intention: Malicious]

• This IP address has been observed attempting to use CVE-2021-30497, a path traversal vulnerability in Ivanti Avalanche that could lead to arbitrary file retrieval.
• Sources:  Ivanti, SSD Disclosure
• See it on GreyNoise Viz

Tag: Double URL Encoding [Intention: Malicious]

• This IP address has been observed requesting double encoded URLs, a method commonly used for bypassing defensive rules and directory traversal.
• Sources:  OWASP, Imperva
• See it on GreyNoise Viz

Tag: Apache OFBiz Deserialization RCE [Intention: Malicious]

• This IP address has been observed attempting to exploit CVE-2021-29200, a deserialization vulnerability in Apache OFBiz 17.12.07 and earlier that can lead to unauthenticated RCE.
• Sources:  NIST, xz.aliyun.com
• See it on GreyNoise Viz

Removed Tags

These tags have been removed because they no longer exist, scan, and/or can no longer be accurately identified

• RDP Bruteforcer
• Windows RDP Cookie Hijacker
• RDP Scanner

Multiple RDP tags have been deprecated in favor of RDP Crawler, which more accurately accounts for much of the behavior we see. We are currently working to create more accurate and narrowly scoped tags for RDP scanning and exploitation.

The RDP Bruteforcer tag was created around the same time as BlueKeep and aggressively assigned `malicious` intent to basic RDP connection attempts. After re-evaluating this, we feel this was incorrect and have taken actions to improve our RDP tags in general.

Tag Improvements

As part of our process, our research team continues to clean up and improve on existing tags as new information or better processes are introduced.

Tag: Cisco Smart Install Endpoint Scanner [Intention: Unknown]

• This IP address has been seen scanning for exposed Cisco Smart Install Protocol ports.
• Sources:  Rapid7, GitHub [1, 2]
• See it on GreyNoise Viz

Tag: Linksys E-Series TheMoon Worm [Intention: Malicious]

• This IP address has been observed attempting to leverage the Linksys E-Series TheMoon command injection exploit.
• Sources:  Computerworld, SANS, GitHub
• See it on GreyNoise Viz

Integrations

Anomali: Now supports RIOT and the Community API.

New Tags

CVE-2020-36289

Tag: Jira User Enumeration Attempt [Intention: Unknown]

• This IP address has been observed attempting to use CVE-2020-36289 vulnerability and enumerate Jira users.
• Sources: NIST, Twitter
• See it on GreyNoise Viz

CVE-2021-1497, CVE-2021-1498

Tag: Cisco HyperFlex HX RCE Attempt [Intention: Malicious]

• This IP has been observed attempting to exploit CVE-2021-1497 and CVE-2021-1498, remote code execution vulnerabilities in Cisco HyperFlex HX Data Platform.
• Sources: MITRE [1, 2], Packet Storm Security, Zero Day Initiative
• See it on GreyNoise Viz

CVE-2021-1497, CVE-2021-1498

Tag: Cisco HyperFlex HX RCE Vuln Check [Intention: Unknown]

• This IP has been observed checking for the existence of CVE-2021-1497 and CVE-2021-1498, remote code execution vulnerabilities in Cisco HyperFlex HX Data Platform.
• Sources: MITRE [1, 2], Packet Storm Security, Zero Day Initiative
• See it on GreyNoise Viz

CVE-2020-35846, CVE-2020-35847, CVE-2020-35848

Cockpit CMS Command Injection [Intention: Malicious]

• This IP address has been observed attempting to exploit NoSQL command injection in Cockpit CMS.
• Sources: PT SWARM, NIST [1, 2, 3]
• See it on GreyNoise Viz

Recent Actor Tag

• CISA [Intention: Benign]

• Sources: CISA [1, 2], GitHub
• See it on GreyNoise Viz

Removed Tags

These tags have been removed because they no longer exist, scan, and/or can no longer be accurately identified

• ZeroShell RCE CVE-2009-0545

New Tags

CVE-2020-25494

Tag: SCO OpenServer RCE Attempt [Intention: Malicious]

• This IP address has been observed attempting to exploit CVE-2020-25494, a remote command execution vulnerability in SCO OpenServer.
• Sources: NIST, Packet Storm Security
• See it on GreyNoise Viz

CVE-2021-22911

Tag: Rocket.Chat server RCE Attempt [Intention: Malicious]

• This IP address has been observed attempting to exploit CVE-2021-22911, a remote command execution vulnerability in Rocket.Chat server.
• Sources: NIST, @CsEnox (GitHub )
• See it on GreyNoise Viz

Tag: Vesta Control Panel RCE Attempt [Intention: Malicious]

• This IP address has been observed attempting to exploit a remote command execution vulnerability in Vesta Control Panel.
• Sources: ExploitDB, Cisco Talos
• See it on GreyNoise Viz

CVE-2021-27144/46 | CVE-2021-27148/55 | CVE-2021-27158/59 | CVE-2021-27162/66 | CVE-2021-27168/69 | CVE-2021-27172

Tag: FiberHome Telnet Backdoor [Intention: Malicious]

• This IP address has been observed attempting to authenticate via telnet using one of several known backdoor accounts in FiberHome routers.
• Sources: Pierre Kim
• See it on GreyNoise Viz

Tag: LokiBot C2 Crawler [Intention: Unknown]

• This IP address has been observed crawling the Internet and attempting to discover LokiBot C2 nodes.
• Sources: CISA
• See it on GreyNoise Viz

Tag: Aerospike Crawler [Intention: Unknown]

• This IP address has been observed crawling for insecure Aerospike databases.
• Sources: GitHub [1, 2]
• See it on GreyNoise Viz

Recent Actor Tag

• ESET  [Intention: Benign]

• Sources: ESET [1, 2]
• See it on GreyNoise Viz

Tag Improvements

As part of our process, our research team continues to clean up and improve on existing tags as new information or better processes are introduced.

Tag: Tomcat Manager Scanner [Intention: Unknown]

• This IP address has been observed scanning the Internet for exposed Tomcat Manager instances.
• Source: Ethicaltechsupport
• See it on GreyNoise Viz

New Tags

CVE-2021-21985

Tag: Vmware vSphere Client RCE Attempt [Intention: Malicious]

• This IP address has been observed sending requests that exploit CVE-2021-21985, a remote code execution vulnerability in VMware Sphere Client.
• Sources: VMware, NIST, AttackerKB, @alt3kx (GitHub PoC)
• See it on GreyNoise Viz

Tag: VMware vSphere Client RCE Vuln Check [Intention: Unknown]

• This IP has been observed checking for the existence of CVE-2021-21985, a remote code execution vulnerability in VMware Sphere Client.
• Sources: VMware, NIST, AttackerKB, @wvu (Twitter)
• See it on GreyNoise Viz

CVE-2021-28799

Tag: VMware ESXi OpenSLP RCE Attempt [Intention: Malicious]

• This IP address has been observed attempting to exploit CVE-2021-21974, a heap overflow vulnerability in VMware ESXi OpenSLP that can lead to remote code execution.
• Source: VMware, Zero Day Initiative, @straight_blast (Medium, GitHub PoC)
• See it on GreyNoise Viz

Tag Improvements

As part of our process, our research team continues to clean up and improve on existing tags as new information or better processes are introduced.

Tag: Elasticsearch RCE Attempt [Intention: Malicious]

• This IP address has been observed sending requests that exploit CVE-2015-1427, an Elasticsearch code injection vulnerability.
• Sources: NIST, PoC Blog, GitHub
• See it on GreyNoise Viz

Recent Actor Tag

• Cyber Casa [Intention: Benign]‍
• Sources: CyberCasa‍
• See it on GreyNoise Viz

Removed Tags

These tags have been removed because they no longer exist, scan, and/or can no longer be accurately identified

• Swedish Defense Research Agency (FOI)
• Elasticsearch Worm

New Tags

CVE-2021-26912 | CVE-2021-26913 | CVE-2021-26914 | CVE-2021-26915

Tag: NetMotion Mobility Server RCE Attempt [Intention: Malicious]

• This IP address has been observed attempting to exploit a deserialization vulnerability in NetMotion Mobility Server that can lead to remote code execution.
• Sources: NIST [1, 2 , 3, 4], SSD Disclosure
• See it on GreyNoise Viz

CVE-2021-21402

Tag: Jellyfin File Disclosure [Intention: Malicious]

• This IP address has been observed attempting to use CVE-2021-21402, an arbitrary file disclosure vulnerability in Jellyfin media server.
• Source: GitHub SecurityLab
• See it on GreyNoise Viz

CVE-2021-28799

Tag: QNAP walter SSH Backdoor Attempt [Intention: Malicious]

• This IP address has been observed attempting to connect using the username and password 'walter,' which are hardcoded backdoor SSH credentials that exist in some QNAP devices.
• Source: QNAP, QNAP Forum
• See it on GreyNoise Viz

CVE-2021-30461

Tag: VoIPmonitor Unauthenticated RCE Attempt  [Intention: Malicious]

• This IP address has been observed attempting to exploit CVE-2021-30461, an unauthenticated command execution vulnerability in VoIPmonitor software.
• Source: NIST, SSD Disclosure
• See it on GreyNoise Viz

Tag Improvements

As part of our process, our research team continues to clean up and improve on existing tags as new information or better processes are introduced.

Tag: RDP Bruteforcer [Intention: Malicious]

• This IP address has been observed attempting to brute-force Microsoft Remote Desktop credentials.
• Source: Microsoft [1, 2]
• See it on GreyNoise Viz

Recent Integrations

Rapid 7 InsightConnect: Supports Enterprise API and Community API access.

CORTEX XSOAR: Supports Enterprise API and Community API access.