
Glenn

@ntkramer.bsky.social

Experienced InfoSec | Elder Millennial | 💼 @GreyNoiseIO | I ask 'why?' a lot | Pro Oxford Comma | Fix it! | He/Him | #BLM | Views are my own. https://linktr.ee/glennthorpe

2,625 Followers  |  259 Following  |  150 Posts  |  Joined: 26.04.2023  |  1.803

Latest posts by ntkramer.bsky.social on Bluesky

If you’re passionate about broadening who gets seen, heard, and valued in this field, attend and let’s continue the conversation in person. www.mincybsec.org/an...

12.02.2026 12:46 — 👍 0    🔁 0    💬 0    📌 0

(beyond job titles, traditional career paths, and gatekeeping checklists)

12.02.2026 12:46 — 👍 0    🔁 0    💬 1    📌 0

Excited to share that I've been asked to speak at the Minorities in Cybersecurity Conference this March!

I’ll be on a panel “How Do You Define Cybersecurity Experience? A Change in Perspective” where we’ll dig into what really counts as cybersecurity experience

12.02.2026 12:45 — 👍 0    🔁 0    💬 1    📌 0

My latest pet project, an RSS feed to alert you to the silent KEV knownRansomwareCampaignUse flips!

(Did you know there were four CVEs flipped last week?) #threatintel

02.02.2026 19:54 — 👍 2    🔁 0    💬 0    📌 0
GreyNoise Visualizer
At GreyNoise, we collect and analyze untargeted, widespread, and opportunistic scan and attack activity that reaches every server directly connected to the Internet.

We're tracking it here: viz.greynoise.io/tag...

Appears to be from github.com/Ashwesker...
2/2

31.01.2026 16:52 — 👍 0    🔁 0    💬 0    📌 0

🍩 & #threatintel - 95% of exploitation attempts targeting CVE-2026-20045, a critical vulnerability in Cisco Unified Communications Manager, have used a distinctive user-agent: Mozilla/5.0 (compatible; CiscoExploit/1.0) and are heavily targeting our Cisco Unified Communications Manager sensors.
1/2

31.01.2026 16:52 — 👍 0    🔁 0    💬 2    📌 0
Inside the Infrastructure: Who’s Scanning for Ivanti Connect Secure? – GreyNoise Labs
GreyNoise detected a 100x surge in Ivanti Connect Secure reconnaissance targeting CVE-2025-0282 (EPSS 93%). Analysis reveals two distinct campaigns: an aggressive AS213790-based operation generating 34K+ sessions and a stealthier distributed botnet approach across 6K IPs. Infrastructure analysis and defender recommendations included.

☕ & #threatintel - Two campaigns (100x spike!) are hitting Ivanti Connect Secure; one loud (34K sessions from Romania/Moldova), one stealthy (~6K distributed IPs). Both target a pre-exploitation endpoint for CVE-2025-0282.

29.01.2026 17:20 — 👍 1    🔁 0    💬 0    📌 0

CISA's KEV hit 1,500 yesterday. I'm working on a cool #threatintel blog (yes, I'm biased) about additional hidden intel in KEV that should be published soon, along with a helpful tool hosted by GreyNoise! :)

28.01.2026 17:33 — 👍 1    🔁 0    💬 0    📌 0

If I recall correctly, this is the first time the due date has been modified.

In all honesty, if you haven't already patched this vulnerability, it's likely too late. As a reminder, patching does not boot attackers, so you should check for indicators of compromise.
2/2

10.12.2025 14:04 — 👍 0    🔁 0    💬 0    📌 0

☕ & #threatintel: CISA has moved the due date for mitigating CVE-2025-55182 (Meta React Server Components Remote Code Execution Vulnerability) up by two weeks. It was initially set for December 26, but it is now due on December 12.
1/2

10.12.2025 14:04 — 👍 3    🔁 1    💬 1    📌 0
SuriCon 2025 | Abusing HTTP Quirks to Evade Detection
Presented at SuriCon 2025 by Ron Bowes and Glenn Thorpe. Network protocols are messy! Sure, there are standards — RFCs, IEEEs, you name it — but there are also multiple ways to do basically everything. If you’re relying on network IDS/IPS tools like Suricata, I have bad news — a sufficiently cl

Ron & my talk from SuriCon 2025 | Abusing HTTP Quirks to Evade Detection
I think it turned out pretty well; pardon the disco effect where a stage light was failing :)

www.youtube.com/watc...

CC: @iagox86.bsky.social @greynoise.io

09.12.2025 22:41 — 👍 6    🔁 3    💬 0    📌 0
Noise from crypto mine pushes Texas neighbors to start a town
Leaders of the effort say they moved to rural Hood County for its quiet country charm, which was shattered by what locals call “that roar” from the facility.

I hate everything.

http://www.texastrib...

23.10.2025 22:49 — 👍 5    🔁 2    💬 0    📌 0
Network protocols are messy! Sure, there are standards — RFCs, IEEEs, you name it — but there are also multiple ways to do basically everything. If you’re relying on network IDS/IPS tools like Suricata, I have bad news — a sufficiently clever attacker can bypass *a lot* of your signatures, leaving you completely blind.

The cool part about HTTP is that, at every level of the stack, your software tries to make sense of the user’s (aka: the attacker’s) requests. From the web server (Apache, IIS, etc) to the language parser (PHP, .NET, etc) — everything just wants your requests to work, often at the expense of security! That’s great for ensuring the internet keeps working, but makes it *really* hard to write signatures!

This talk will start with the basics: we’ll look at HTTP requests and learn the in-depth quirks of how the protocol works. Then we’ll look at a variety of different HTTP-based exploits (path traversal, SQL injection, shell command injection, and more!). We’ll exam


Ron (@iagox86.bsky.social) and I are presenting at #Suricon (Montreal) next month! If you're around, you'll definitely want to find us for some sweet swag (oh, and our talk is pretty cool too!).

suricon.net/agenda-m...

21.10.2025 14:37 — 👍 3    🔁 1    💬 0    📌 0

It’s time for many folks’ annual cultural learning session. 🀣

03.10.2025 12:22 — 👍 1    🔁 0    💬 0    📌 0
Coordinated Grafana Exploitation Attempts on 28 September
GreyNoise observed a sharp one-day surge of exploitation attempts targeting CVE-2021-43798 — a Grafana path traversal vulnerability that enables arbitrary file reads. All observed IPs are classified a...

On 28 September, GreyNoise observed a sharp one-day surge in attempts to exploit Grafana CVE-2021-43798. Full analysis & malicious IPs ⬇️
#Grafana #GreyNoise #ThreatIntel

02.10.2025 21:32 — 👍 7    🔁 4    💬 0    📌 0

We all know that @hrbrmstr.dev is a mad scientist, and when you give him the amazing telemetry our new fleet has been collecting lately, you get knowledge drops like this! Super proud of our @greynoise.io team’s work on the deception capabilities we now have! #threatintel

01.08.2025 15:24 — 👍 1    🔁 2    💬 0    📌 0
A Spike in the Desert: How GreyNoise Uncovered a Global Pattern of VOIP-Based Telnet Attacks
A spike in botnet traffic from a single utility in a rural part of New Mexico led to the discovery of a global botnet. Explore how human-led, AI-powered analysis exposed compromised devices, uncovered...

An unexpected cluster of malicious IPs in a remote U.S. town led GreyNoise researchers to uncover a 500+ device botnet. Full analysis ⬇️
#Cybersecurity #ThreatIntel #Botnet #VoIP #GreyNoise #Cyber #Tech

24.07.2025 13:05 — 👍 12    🔁 8    💬 0    📌 0

CVE-2017-18370 (Zyxel P660HN)

Oldie but goodie.

viz.greynoise.io/tag...
4/4

16.07.2025 21:46 — 👍 0    🔁 0    💬 0    📌 0

⚑ CVE-2024-20439 (Cisco Smart Licensing Utility) (9.8/10, KEV)

Hardcoded credentials have been known since late last year.

viz.greynoise.io/tag...
3/4

16.07.2025 21:46 — 👍 0    🔁 0    💬 1    📌 0

🔥 CVE-2025-49132 (Pterodactyl Panel RCE) (10/10 RCE)

Active exploitation observed within days of disclosure.

viz.greynoise.io/tag...
2/4

16.07.2025 21:46 — 👍 0    🔁 0    💬 1    📌 0

🫖 & #threatintel - noticing a few other spikes orgs should be mindful of:
🔥 CVE-2025-49132 (Pterodactyl Panel RCE) (10/10 RCE)
⚑ CVE-2024-20439 (Cisco Smart Licensing Utility) (9.8/10, KEV)
CVE-2017-18370 (Zyxel P660HN)
1/4

16.07.2025 21:45 — 👍 0    🔁 0    💬 1    📌 0

The main takeaway is we, first hand, observed exploitation almost two weeks before the POC was released, so ensure all retro threat hunting goes back at LEAST a month, but ideally further.
2/2

16.07.2025 21:05 — 👍 2    🔁 0    💬 0    📌 0
Exploitation of CitrixBleed 2 (CVE-2025-5777) Began Before PoC Was Public
GreyNoise has observed active exploitation attempts against CVE-2025-5777 (CitrixBleed 2), a memory overread vulnerability in Citrix NetScaler. Exploitation began on June 23 — nearly two weeks before a public proof-of-concept was released on July 4.

🩸& #threatintel | We (GreyNoise) just published a quick note (www.greynoise.io/blo...) regarding CVE-2025-5777 - CitrixBleed 2
1/2

16.07.2025 21:05 — 👍 12    🔁 9    💬 1    📌 0

...here: viz.greynoise.io/tag...
2/2

07.07.2025 21:56 — 👍 0    🔁 0    💬 0    📌 0

🥜 & #threatintel - Thanks to @horizon3ai.bsky.social, we pushed a tag out today for CitrixBleed 2 CVE-2025-5777 and are backfilling. Currently, we see 233 hits starting on July 1 from:
64.176.50[.]109
38.154.237[.]100
102.129.235[.]108
121.237.80[.]241
45.135.232[.]2
Follow along...

1/2

07.07.2025 21:56 — 👍 2    🔁 0    💬 1    📌 0

Just a totally normal trip home from the airport last night… passing the national guard rolling down the highway as they prepare for NO KINGS DAY protests. F this administration. About 3 more months before they start trying to censor social media via tech controls.

12.06.2025 14:37 — 👍 3    🔁 0    💬 0    📌 0
Paleoproteomic profiling recovers diverse proteins from 200-year-old human brains
A new method developed by researchers at the Nuffield Department of Medicine, University of Oxford, could soon unlock the vast repository of biological information held in the proteins of ancient soft ...

Seems like a lot of work when you could have found 200 year old brain proteins in the US Congress rn.

phys.org/news/2025-0...

29.05.2025 11:45 — 👍 2    🔁 0    💬 0    📌 0

It's hard to beat good deception. :)

28.05.2025 15:38 — 👍 7    🔁 0    💬 0    📌 0

If you're ever feeling lonely, just close Zoom.
This works because a funny thing always happens: a random last-minute Zoom will appear if you close it completely.

27.05.2025 21:21 — 👍 1    🔁 0    💬 0    📌 0

🥤& #threat-intel: CISA added Langflow Code Injection CVE-2025-3248 to the KEV on May 5. Recently, it has garnered considerable attention, with South Korea leading the pack. This vuln enables unauthenticated attackers to execute arbitrary code via /api/v1/validate/code

viz.greynoise.io/tag...

15.05.2025 22:06 — 👍 5    🔁 2    💬 0    📌 0
