Glenn

It’s time for many folks’ annual cultural learning session. 🤣

Coordinated Grafana Exploitation Attempts on 28 September GreyNoise observed a sharp one-day surge of exploitation attempts targeting CVE-2021-43798 — a Grafana path traversal vulnerability that enables arbitrary file reads. All observed IPs are classified a...

On 28 September, GreyNoise observed a sharp one-day surge in attempts to exploit Grafana CVE-2021-43798. Full analysis & malicious IPs ⬇️
#Grafana #GreyNoise #ThreatIntel

We all know that @hrbrmstr.dev is a mad scientist, and when you give him the amazing telemetry our new fleet has been collecting lately, you get knowledge drops like this! Super proud of our @greynoise.io team’s work on the deception capabilities we now have! hashtag#threatintel

A Spike in the Desert: How GreyNoise Uncovered a Global Pattern of VOIP-Based Telnet Attacks A spike in botnet traffic from a single utility in a rural part of New Mexico led to the discovery of a global botnet. Explore how human-led, AI-powered analysis exposed compromised devices, uncovered...

An unexpected cluster of malicious IPs in a remote U.S. town led GreyNoise researchers to uncover a 500+ device botnet. Full analysis ⬇️
#Cybersecurity #ThreatIntel #Botnet #VoIP #GreyNoise #Cyber #Tech

📝 CVE-2017-18370 (Zyxel P660HN)

Oldie but goodie.

viz.greynoise.io/tag...
4/4

⚡ CVE-2024-20439 (Cisco Smart Licensing Utility) (9.8/10, KEV)

Hardcoded credentials have been known since late last year.

viz.greynoise.io/tag...
3/4

🔥 CVE-2025-49132 (Pterodactyl Panel RCE) (10/10 RCE)

Active exploitation observed within days of disclosure.

viz.greynoise.io/tag...
2/4

🫖 & #threatintel - noticing a few other spikes orgs should be mindful of:
🔥 CVE-2025-49132 (Pterodactyl Panel RCE) (10/10 RCE)
⚡ CVE-2024-20439 (Cisco Smart Licensing Utility) (9.8/10, KEV)
📝 CVE-2017-18370 (Zyxel P660HN)
1/4

The main takeaway is we, first hand, observed exploitation almost two weeks before the POC was released, so ensure all retro threat hunting goes back at LEAST a month, but ideally further.
2/2

Exploitation of CitrixBleed 2 (CVE-2025-5777) Began Before PoC Was Public GreyNoise has observed active exploitation attempts against CVE-2025-5777 (CitrixBleed 2), a memory overread vulnerability in Citrix NetScaler. Exploitation began on June 23 — nearly two weeks before a public proof-of-concept was released on July 4.

🩸& #threatintel | We (GreyNoise) just published a quick note (www.greynoise.io/blo...) regarding CVE-2025-5777 - CitrixBleed 2
1/2

...here: viz.greynoise.io/tag...
2/2

🥜 & #threatintel - Thanks to @horizon3ai.bsky.social, we pushed a tag out today for CitrixBleed 2 CVE-2025-5777 and are backfilling. Currently, we see 233 hits starting on July 1 from:
64.176.50[.]109
38.154.237[.]100
102.129.235[.]108
121.237.80[.]241
45.135.232[.]2
Follow along...

1/2

Just a totally normal trip home from the airport last night… passing the national guard rolling down the highway as they prepare for NO KINGS DAY protests. F this administration. About 3 more months before they start trying to censor social media via tech controls.

Paleoproteomic profiling recovers diverse proteins from 200-year-old human brains A new method developed by researchers at the Nuffield Department of Medicine, University of Oxford, could soon unlock the vast repository of biological information held in the proteins of ancient soft ...

Seems like a lot of work when you could have found 200 year old brain proteins in the US Congress rn.

phys.org/news/2025-0...

It's hard to beat good deception. :)

If you're ever feeling lonely, just close Zoom.
This works because a funny thing always happens: a random last-minute Zoom will appear if you close it completely.

🥤& #threat-intel: CISA added Langflow Code Injection CVE-2025-3248 to the KEV on May 5. Recently, it has garnered considerable attention, with South Korea leading the pack. This vuln enables unauthenticated attackers to execute arbitrary code via /api/v1/validate/code

viz.greynoise.io/tag...

The number of times I've murmured, "This wouldn't have happened with a PM," is too damn high.

Good news everyone! www.cisa.gov/news-events/...

"Update May 13: (...) As such, we have paused immediate changes while we re-assess the best approach to sharing with our stakeholders."

www.cisa.gov/news-ev...

The only beneficiary here is, checks notes, X.
2/2

This change legitimately pisses me off.

TL;DR—They appear to be removing RSS for KEV alerts and moving them to email or X.
They gave orgs 0 days to prepare. RSS is already a thing. The emails arrive many hours later. X is NOT a gov website(!); it even warns you when you click their link!
1/2

Join us live! Or later? Looking forward to chatting with Tracy!

Hi yes. Help your local cybersecurity researchers. If you blog a thing, please date the blog. kthx.

🚨 New GreyNoise Tag Alert: We've added a fresh tag tracking CrushFTP Authentication Bypass (CVE-2025-2825) exploitation attempts. Thanks to @horizon3ai.bsky.social for the intel! Dive into the details: viz.greynoise.io/tags/crushft...

🔮 clearly! 🙃

Today is Opening Day for baseball season in the US. At least now I have my fav sport to put on when I want to watch something but avoid TV news.

Dammit

GreyNoise - NoiseFest at RSAC 2025 Join us for NoiseFest at RSAC 2025 on April 30th, At the House of Shields. Enjoy drinks, snacks, and engaging conversations with your peers. RSVP now!

Headed to RSAC next month? 👀 NoiseFest will be just a few blocks away...no nonsense (well maybe a little 😈), just drinks, good people, and real security talk.

House of Shields | April 30 | 7–10PM

Spots are limited. RSVP now.
info.greynoise.io/events/noise...

this morning was quite the haul

And another one. Two in one day.