Threat Signals

During BlackHat 2021, security researcher Orange Tsai demonstrated a proof-of-concept exploit for Microsoft Exchange vulnerabilities, including a Pre-auth Path Confusion leading to Access-Control List (ACL) bypass (tracked as CVE-2021-34473, also called ProxyShell). Since Tsai’s talk, multiple researchers have published write-ups about the vulnerabilities [1, 2]. GreyNoise had not observed any mass scanning activity until Aug. 9, and has seen a significant uptick in scanning as of Thursday, Aug. 12. GreyNoise has created two tags to track activity related to these vulnerabilities.

Exchange ProxyShell Vuln Check: The vulnerability check for CVE-2021-34473 has several public variations. These include checking for access to /mapi/nspi which results in exposure of potentially sensitive information such as Version, User, UPN, SID, and Organization. Out of caution, GreyNoise tags this as malicious intent despite being a Vuln Check. [View In GreyNoise]

Exchange ProxyShell Vuln Attempt: Active attempts that leverage and chain the Pre-Auth Path Confusion for further exploitation through Elevation of Privilege on Exchange PowerShell Backend (CVE-2021-34523) or Post-auth Arbitrary-File-Write leading to remote code execution (CVE-2021-31207) are included in this tag. [View In GreyNoise]

Editor's Note: If either of these tags, or any tags for that matter, return "no results," this means that we have not observed any recent activity. You can be notified if this changes by using our Alerts feature.

New Tags

CVE-2009-0545, CVE-2019-12725, CVE-2020-29390

Tag: Zeroshell RCE Attempt [Intention: Malicious]

• This IP address has been observed attempting to exploit a remote command execution vulnerability in Zeroshell.
• Sources: NIST [1, 2, 3]
• See it on GreyNoise Viz

Tag: Cisco Smart Install RCE Attempt [Intention: Malicious]

• This IP address has been observed attempting to exploit Cisco Smart Install Protocol.
• Sources: Rapid7, GitHub [1, 2]
• See it on GreyNoise Viz

CVE-2021-35464

Tag: ForgeRock OpenAM Pre-Auth RCE Vuln Check [Intention: Unknown]

• This IP address has been observed checking for the existence of CVE-2021-35464, a path traversal vulnerability in ForgeRock OpenAM which can lead to RCE.
• Sources: PortSwigger, NIST
• See it on GreyNoise Viz

CVE-2021-35464

Tag: ForgeRock OpenAM Pre-Auth RCE Attempt [Intention: Malicious]

• This IP address has been observed attempting to exploit CVE-2021-35464, a path traversal vulnerability in ForgeRock OpenAM that can lead to RCE.
• Sources: PortSwigger, NIST
• See it on GreyNoise Viz

CVE-2021-33544 to CVE-2021-33544 (11 CVEs)

Tag: UDP Technology IP Camera Attempt [Intention: Malicious]

• This IP address has been observed attempting to exploit CVEs in UDP Technology camera firmware and has attempted exploitation.
• Sources: PortSwigger, Randorisec
• See it on GreyNoise Viz

CVE-2021-33544, CVE-2021-33548, CVE-2021-33550 to CVE-2021-33554

Tag: UDP Technology IP Camera Check [Intention: Unknown]

• This IP address has been observed attempting to exploit CVEs in UDP Technology camera firmware and has attempted exploitation.
• Sources: PortSwigger, Randorisec
• See it on GreyNoise Viz

CVE-2017-12149

Tag: Jboss Application Server RCE Attempt [Intention: Malicious]

• This IP address has been observed attempting to exploit CVE-2017-12149, a remote code execution vulnerability in JBoss Application Server.
• Sources: NIST, GitHub
• See it on GreyNoise Viz

CVE-2021-30497

Tag: Ivanti Avalanche Path Traversal [Intention: Malicious]

• This IP address has been observed attempting to use CVE-2021-30497, a path traversal vulnerability in Ivanti Avalanche that could lead to arbitrary file retrieval.
• Sources:  Ivanti, SSD Disclosure
• See it on GreyNoise Viz

Tag: Double URL Encoding [Intention: Malicious]

• This IP address has been observed requesting double encoded URLs, a method commonly used for bypassing defensive rules and directory traversal.
• Sources:  OWASP, Imperva
• See it on GreyNoise Viz

Tag: Apache OFBiz Deserialization RCE [Intention: Malicious]

• This IP address has been observed attempting to exploit CVE-2021-29200, a deserialization vulnerability in Apache OFBiz 17.12.07 and earlier that can lead to unauthenticated RCE.
• Sources:  NIST, xz.aliyun.com
• See it on GreyNoise Viz

Removed Tags

These tags have been removed because they no longer exist, scan, and/or can no longer be accurately identified

• RDP Bruteforcer
• Windows RDP Cookie Hijacker
• RDP Scanner

Multiple RDP tags have been deprecated in favor of RDP Crawler, which more accurately accounts for much of the behavior we see. We are currently working to create more accurate and narrowly scoped tags for RDP scanning and exploitation.

The RDP Bruteforcer tag was created around the same time as BlueKeep and aggressively assigned `malicious` intent to basic RDP connection attempts. After re-evaluating this, we feel this was incorrect and have taken actions to improve our RDP tags in general.

Tag Improvements

As part of our process, our research team continues to clean up and improve on existing tags as new information or better processes are introduced.

Tag: Cisco Smart Install Endpoint Scanner [Intention: Unknown]

• This IP address has been seen scanning for exposed Cisco Smart Install Protocol ports.
• Sources:  Rapid7, GitHub [1, 2]
• See it on GreyNoise Viz

Tag: Linksys E-Series TheMoon Worm [Intention: Malicious]

• This IP address has been observed attempting to leverage the Linksys E-Series TheMoon command injection exploit.
• Sources:  Computerworld, SANS, GitHub
• See it on GreyNoise Viz

Integrations

Anomali: Now supports RIOT and the Community API.

New Tags

CVE-2020-36289

Tag: Jira User Enumeration Attempt [Intention: Unknown]

• This IP address has been observed attempting to use CVE-2020-36289 vulnerability and enumerate Jira users.
• Sources: NIST, Twitter
• See it on GreyNoise Viz

CVE-2021-1497, CVE-2021-1498

Tag: Cisco HyperFlex HX RCE Attempt [Intention: Malicious]

• This IP has been observed attempting to exploit CVE-2021-1497 and CVE-2021-1498, remote code execution vulnerabilities in Cisco HyperFlex HX Data Platform.
• Sources: MITRE [1, 2], Packet Storm Security, Zero Day Initiative
• See it on GreyNoise Viz

CVE-2021-1497, CVE-2021-1498

Tag: Cisco HyperFlex HX RCE Vuln Check [Intention: Unknown]

• This IP has been observed checking for the existence of CVE-2021-1497 and CVE-2021-1498, remote code execution vulnerabilities in Cisco HyperFlex HX Data Platform.
• Sources: MITRE [1, 2], Packet Storm Security, Zero Day Initiative
• See it on GreyNoise Viz

CVE-2020-35846, CVE-2020-35847, CVE-2020-35848

Cockpit CMS Command Injection [Intention: Malicious]

• This IP address has been observed attempting to exploit NoSQL command injection in Cockpit CMS.
• Sources: PT SWARM, NIST [1, 2, 3]
• See it on GreyNoise Viz

Recent Actor Tag

• CISA [Intention: Benign]

• Sources: CISA [1, 2], GitHub
• See it on GreyNoise Viz

Removed Tags

These tags have been removed because they no longer exist, scan, and/or can no longer be accurately identified

• ZeroShell RCE CVE-2009-0545

New Tags

CVE-2020-25494

Tag: SCO OpenServer RCE Attempt [Intention: Malicious]

• This IP address has been observed attempting to exploit CVE-2020-25494, a remote command execution vulnerability in SCO OpenServer.
• Sources: NIST, Packet Storm Security
• See it on GreyNoise Viz

CVE-2021-22911

Tag: Rocket.Chat server RCE Attempt [Intention: Malicious]

• This IP address has been observed attempting to exploit CVE-2021-22911, a remote command execution vulnerability in Rocket.Chat server.
• Sources: NIST, @CsEnox (GitHub )
• See it on GreyNoise Viz

Tag: Vesta Control Panel RCE Attempt [Intention: Malicious]

• This IP address has been observed attempting to exploit a remote command execution vulnerability in Vesta Control Panel.
• Sources: ExploitDB, Cisco Talos
• See it on GreyNoise Viz

CVE-2021-27144/46 | CVE-2021-27148/55 | CVE-2021-27158/59 | CVE-2021-27162/66 | CVE-2021-27168/69 | CVE-2021-27172

Tag: FiberHome Telnet Backdoor [Intention: Malicious]

• This IP address has been observed attempting to authenticate via telnet using one of several known backdoor accounts in FiberHome routers.
• Sources: Pierre Kim
• See it on GreyNoise Viz

Tag: LokiBot C2 Crawler [Intention: Unknown]

• This IP address has been observed crawling the Internet and attempting to discover LokiBot C2 nodes.
• Sources: CISA
• See it on GreyNoise Viz

Tag: Aerospike Crawler [Intention: Unknown]

• This IP address has been observed crawling for insecure Aerospike databases.
• Sources: GitHub [1, 2]
• See it on GreyNoise Viz

Recent Actor Tag

• ESET  [Intention: Benign]

• Sources: ESET [1, 2]
• See it on GreyNoise Viz

Tag Improvements

As part of our process, our research team continues to clean up and improve on existing tags as new information or better processes are introduced.

Tag: Tomcat Manager Scanner [Intention: Unknown]

• This IP address has been observed scanning the Internet for exposed Tomcat Manager instances.
• Source: Ethicaltechsupport
• See it on GreyNoise Viz

New Tags

CVE-2021-21985

Tag: Vmware vSphere Client RCE Attempt [Intention: Malicious]

• This IP address has been observed sending requests that exploit CVE-2021-21985, a remote code execution vulnerability in VMware Sphere Client.
• Sources: VMware, NIST, AttackerKB, @alt3kx (GitHub PoC)
• See it on GreyNoise Viz

Tag: VMware vSphere Client RCE Vuln Check [Intention: Unknown]

• This IP has been observed checking for the existence of CVE-2021-21985, a remote code execution vulnerability in VMware Sphere Client.
• Sources: VMware, NIST, AttackerKB, @wvu (Twitter)
• See it on GreyNoise Viz

CVE-2021-28799

Tag: VMware ESXi OpenSLP RCE Attempt [Intention: Malicious]

• This IP address has been observed attempting to exploit CVE-2021-21974, a heap overflow vulnerability in VMware ESXi OpenSLP that can lead to remote code execution.
• Source: VMware, Zero Day Initiative, @straight_blast (Medium, GitHub PoC)
• See it on GreyNoise Viz

Tag Improvements

As part of our process, our research team continues to clean up and improve on existing tags as new information or better processes are introduced.

Tag: Elasticsearch RCE Attempt [Intention: Malicious]

• This IP address has been observed sending requests that exploit CVE-2015-1427, an Elasticsearch code injection vulnerability.
• Sources: NIST, PoC Blog, GitHub
• See it on GreyNoise Viz

Recent Actor Tag

• Cyber Casa [Intention: Benign]‍
• Sources: CyberCasa‍
• See it on GreyNoise Viz

Removed Tags

These tags have been removed because they no longer exist, scan, and/or can no longer be accurately identified

• Swedish Defense Research Agency (FOI)
• Elasticsearch Worm

New Tags

CVE-2021-26912 | CVE-2021-26913 | CVE-2021-26914 | CVE-2021-26915

Tag: NetMotion Mobility Server RCE Attempt [Intention: Malicious]

• This IP address has been observed attempting to exploit a deserialization vulnerability in NetMotion Mobility Server that can lead to remote code execution.
• Sources: NIST [1, 2 , 3, 4], SSD Disclosure
• See it on GreyNoise Viz

CVE-2021-21402

Tag: Jellyfin File Disclosure [Intention: Malicious]

• This IP address has been observed attempting to use CVE-2021-21402, an arbitrary file disclosure vulnerability in Jellyfin media server.
• Source: GitHub SecurityLab
• See it on GreyNoise Viz

CVE-2021-28799

Tag: QNAP walter SSH Backdoor Attempt [Intention: Malicious]

• This IP address has been observed attempting to connect using the username and password 'walter,' which are hardcoded backdoor SSH credentials that exist in some QNAP devices.
• Source: QNAP, QNAP Forum
• See it on GreyNoise Viz

CVE-2021-30461

Tag: VoIPmonitor Unauthenticated RCE Attempt  [Intention: Malicious]

• This IP address has been observed attempting to exploit CVE-2021-30461, an unauthenticated command execution vulnerability in VoIPmonitor software.
• Source: NIST, SSD Disclosure
• See it on GreyNoise Viz

Tag Improvements

As part of our process, our research team continues to clean up and improve on existing tags as new information or better processes are introduced.

Tag: RDP Bruteforcer [Intention: Malicious]

• This IP address has been observed attempting to brute-force Microsoft Remote Desktop credentials.
• Source: Microsoft [1, 2]
• See it on GreyNoise Viz

Recent Integrations

Rapid 7 InsightConnect: Supports Enterprise API and Community API access.

CORTEX XSOAR: Supports Enterprise API and Community API access.