Grey Noise

GreyNoise researcher Jacob Fisher discusses the importance of reactive honeypots/sensors for accurate and comprehensive packet captures, along with his methodology for exploring real-world service exploitation.

Through further investigation into CVE-2022-28958 revealed that the vulnerability did not actually exist. This case serves as a reminder of the importance of thorough and rigorous vulnerability verification.

While the 10/10 CVE-2023-49103 got all the attention last week, organizations should not quickly overlook CVE-2023-49105!

File server and collaboration platform ownCloud publicly disclosed a critical vulnerability with a CVSS severity rating of 10 out of 10. This vulnerability, tracked as CVE-2023-49103, affects the "graphapi" app used in ownCloud.

Learn more about our new integration for Microsoft Sentinel that enhances threat intelligence capabilities for business security.

The Cybersecurity and Infrastructure Security Agency (CISA) has added a field to their Known Exploited Vulnerabilities (KEV) catalog that denotes if a KEV CVE has been used in ransomware attacks. 35% of those have a corresponding GreyNoise tag. See how together CISA and GreyNoise can help you stay even further ahead of our combined adversaries

Explore the high-severity vulnerability CVE-2023-29552 in the Service Location Protocol (SLP) that enables potential attackers to launch powerful Denial-of-Service (DoS) attacks. Learn about the potential impacts, the affected organizations, and the steps to mitigate this vulnerability. Discover how GreyNoise's new tag helps identify sources scanning for internet accessible endpoints exposing the SLP and how their customers can gain proactive protection.

Despite each’s similar purpose of early threat detection, honeypots and honeytokens vastly differ in deployment, interaction, and scope. Let's delve into the various aspects that contribute to the misunderstanding and clarify the distinctive features of each.

The GreyNoise Labs team shares one way to dig into HTTP content in PCAPs generated by our Early Access Program sensors.

Citrix's NetScaler ADC and NetScaler Gateway have, once more, been found to have multiple vulnerabilities, tracked as CVE-2023-4966 and CVE-2023-4967. Read this blog to get all the details.

Explore an in-depth analysis of the critical software Web UI Privilege Escalation Vulnerability, CVE-2023-20198, in Cisco IOS XE. Learn about its exploitation in the wild, the threat it poses, and the current lack of a patch. Understand how it's leveraged for initial access and the subsequent delivery of an implant through an undetermined mechanism. Also discover how GreyNoise can help provide timely intelligence surrounding activity related to these Cisco IOS XE systems.‍

Discover Precursor, a revolutionary tool for payload similarity analysis in data science and cybersecurity. Dive deep into its features, potential applications, and how it can enhance your work in threat intelligence, malware detection, and network traffic analysis. Learn more now!"

On October 11th, 2023, a heap-based buffer overflow in curl was disclosed under the identifier CVE-2023-38545. The vulnerability affects libcurl 7.69.0 to and including 8.3.0. Vulnerable versions of libcurl may be embedded in existing applications. However, to reach the vulnerable code path, the application must be configured to utilize one of the SOCKS5 proxy modes and attempt to resolve a hostname with extraneous length.

A critical zero-day vulnerability has recently been discovered in the Confluence Data Center and Server. The vulnerability, known as CVE-2023-22515 and scored a CVSS 10 out of 10, is a privilege escalation vulnerability that allows external attackers to exploit the system and create administrator accounts that can be used to access Confluence instances. Check out this blog for all the details GreyNoise has compiled on this vulnerability.

The blog post introduces Sift, a new tool from GreyNoise that helps threat hunters filter out noise and prioritize investigation of potentially malicious web traffic. Sift uses AI techniques like large language models to analyze HTTP requests seen across GreyNoise's sensor network and generate reports on new and relevant threats. The reports describe and analyze suspicious payloads, estimate the threat level, provide contextual tags/information on associated IPs, and suggest Suricata rules to detect similar traffic. This allows analysts to focus only on the most critical potential threats instead of sifting through millions of requests manually. Sift is currently limited to HTTP traffic but will expand to other protocols soon. The post invites readers to provide feedback on how to further develop Sift's capabilities, such as expanding historical reports, customizing for specific organizations, analyzing submitted PCAPs, and integrating additional GreyNoise data/tools.

GreyNoise is excited to officially announce the emergence of GreyNoise Labs and Labs API. Check out this post to learn more.

This post recaps our recent webinar "How MSSPs Can Leverage Automation to Reduce Alerts & Maximize their Analysts." Check it out to see key takeaways related to their automation journey.

GreyNoise Labs introduces their new greynoiselabs CLI tool to work with cutting edge, experimental APIs that expose planetary scale internet honeypot and scan data to help defenders stay one step ahead of adversaries.

GreyNoise tags come from extremely talented humans who painstakingly craft detection rules for emergent threats that pass our “100%” test every time. Last week was bonkers when it comes to the number of tags (7) our team cranked out. Check out this blog to see why.

Many traditional threat intelligence solutions used by MSSPs can have an unintended consequence of creating more noise for your security operations center (SOC) – GreyNoise changes that. In this post, we will take a deeper look at exactly HOW existing GreyNoise MSSP customers are realizing these benefits.