#greynoise — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #greynoise, aggregated by home.social.
-
GreyNoise At The Edge — April 13–20, 2026. Four themes dominated activity on the GreyNoise sensor network this week — spanning reconnaissance, exploitation attempts, credential brute-forcing, and botnet recruitment.
1. A broad credential and configuration discovery campaign ran at ~6.2M sessions across hundreds of IPs — ENV files, .git/config, AWS metadata, path traversal, sensitive file access. The biggest real story, distributed rather than concentrated.
2. VNC scanning surged to the third-most-targeted port on the internet — port 5900 at 17.4M sessions. Not in prior briefs.
3. A new multi-cloud Masscan framework activated this week. Shared JA3 across a new Poland IP and an existing DigitalOcean Singapore cluster.
4. VPSVAULT IoT worm weaponized CVE-2025-54322 (Xspeeder SXZOS, CVSS 10.0). CVE-2026-24061 (GNU telnetd, CVSS 9.8, CISA KEV) also in payload.
Full Report: https://www.greynoise.io/resources/at-the-edge-clear-042026
-
See you in Glasgow for #CyberUK! 🇬🇧
Find GreyNoise at Booth D2 + catch our talks:
🗓 Apr 22, 12:20 – Nishawn Smagh
🗓 Apr 23, 14:30 – Glenn Thorpe III
Happy Hour @ Golf Fang on Apr 22 ⛳️
Book 1:1 time: https://info.greynoise.io/cyberuk-meet-with-us
-
NEW: GreyNoise At The Edge Intel Brief (March 23-30)
187,998,900 sessions from 100 top source IPs observed by GreyNoise sensors between March 23-30, 2026. Daily volumes surged 4x mid-week — from 8.5M to 36.6M in 72 hours.
1. VPSVAULT IoT botnet recruitment across 22 CVEs — 3,347,443 sessions from 4 Brazilian IPs targeting Hikvision, MikroTik, TP-Link, D-Link devices. Includes CVE-2026-24061, now on CISA KEV.
2. VisionHeight fleet of 6 AWS IPs generated 5,892,055 sessions mapping enterprise perimeters across Palo Alto, Sophos, Ivanti, Citrix, F5, and ConnectWise — probing CVE-2024-1709 (CVSS 10.0).
3. React/Next.js exploit chaining (CVE-2025-55182 + CVE-2025-29927) produced 1,338,336 sessions, with attackers spoofing GoogleBot user-agents to bypass detection.
4. At least 4 new scanning operations activated simultaneously mid-week, driving the sharp volume surge across the observation period.
Here's what we found: 🔗 https://www.greynoise.io/resources/at-the-edge-clear-033026
-
200,886,675 sessions. 101 unique source IPs. March 16–23, 2026.
GreyNoise At The Edge intelligence brief highlights:
1. The MEVSPACE RDP brute-force operator returned after a 99.8% infrastructure collapse — single IP generated 7,975,241 sessions before deliberately withdrawing after 4 days. GreyNoise has tracked a surge-withdraw-reconstitute cycle since January 2026, reinforcing that well-resourced operators can reconstitute capacity within days.
2. Two coordinated campaigns emerged: VPSVAULT.HOST (IoT worm weaponizing 21+ CVEs against 12+ manufacturers) and Omegatech (TLS fingerprint randomization with 5,854 unique JA3s per node).
3. Sophos CVE-2022-1040 exploitation stabilized at 638,654 sessions in its fifth consecutive week. Enterprise VPN credential pressure reached week 9 across five vendors with 2.9M+ combined sessions.
4. n8n CVE-2026-21858 (CVSS 10.0) reached 118,086 sessions with links to MuddyWater and ZeroBot. ICS/SCADA reconnaissance expanded with new HMI and PLC vulnerabilities trending.
🔗 https://www.greynoise.io/resources/at-the-edge-clear-032326
-
52% of RCE attempts came from IPs with no prior GreyNoise history. New research on where edge defenses fall short + what to do about it: https://www.greynoise.io/resources/2026-state-of-the-edge-report
-
This week's At the Edge: CLEAR is out — a preview of the intel brief GreyNoise customers get every week.
🔗 https://www.greynoise.io/resources/at-the-edge-clear-021626
That's just the preview. greynoise.io/contact
-
Three campaigns. One has Cobalt Strike ready.
RDP nearly quadrupled. A botnet picked up a new CVE. And someone built a Kubernetes cluster just to exploit n8n.
A preview of what GreyNoise customers get every week. Full brief has the IOCs, attribution, and analysis.
-
We observed a 65% drop in global telnet traffic in a single hour on Jan 14, settling into a sustained 59% reduction. 18 ASNs went silent, 5 countries disappeared, but cloud providers were unaffected.
Our analysis of 51.2M sessions points to backbone-level port 23 filtering by a North American Tier 1 transit provider.
🔗 https://www.labs.greynoise.io/grimoire/2026-02-10-telnet-falls-silent/
-
⚠️ Unlike typical exploits, no buffer overflow or memory corruption needed - just one manipulated environment variable grants root access
🛡️ Not all Telnet implementations affected - only #GNU inet utils; proprietary versions like #Cisco and #BusyBox are safe
📊 #GreyNoise threat intelligence reports multiple exploit attempts per hour already detected in the wild
🔄 Telnet's unencrypted nature makes attacks visible to defenders monitoring plaintext traffic for "-f root" patterns
-
🎙️ Python Bytes 467: Toads in my AI
with @mkennedy and @brianokken
https://pythonbytes.fm/467
#Python #GreyNoise #tprof #TOAD #FastAPI #Digg -
New on the GreyNoise blog: We borrow from some unexpected fields, enzyme kinetics, species biodiversity models, astrophotography, to understand internet-wide scanning activity and measure what we might be missing.
-
GreyNoise analyzed activity targeting exposed Ollama and LLM infrastructure, identifying SSRF abuse attempts and large-scale probing of LLM model endpoints.
Analysis: https://www.greynoise.io/blog/threat-actors-actively-targeting-llms
#GreyNoise #ThreatIntelligence #LLMSecurity -
Ransomware starts with reconnaissance: we observed a recent large-scale scanning campaign validating exploitable systems, data that feeds the initial access market and shows up later in real attacks. 🕵️‍♀️
https://www.greynoise.io/blog/christmas-scanning-campaign-fuel-2026-attacks
-
React2Shell Update – 7 January 2026
Full update & analysis: https://www.greynoise.io/blog/cve-2025-55182-react2shell-opportunistic-exploitation-in-the-wild-what-the-greynoise-observation-grid-is-seeing-so-far -
@briankrebs Hi Sir, sorry for the disturbance. A swift question: is it possible to detect such activity via https://check.labs.greynoise.io/ #greynoise #botnet
Or does one have to use dedicated scans via Wireshark and #shodan and the like?
-
GreyNoise IP Check – a tool for checking an IP address
GreyNoise, a company that collects information about ongoing network scans and vulnerability exploitation attempts, has created a tool that may be useful to everyone. TLDR: GreyNoise IP Check, the tool in question, lets you check whether the IP address you are currently using to reach the Internet is seen as safe, or whether any links to scanning have been observed...
#WBiegu #Awareness #Greynoise #Internet #Ip
https://sekurak.pl/greynoise-ip-check-narzedzie-pozwalajace-sprawdzic-adres-ip/
-
GreyNoise is tracking a coordinated credential-based campaign targeting Cisco SSL VPN and Palo Alto Networks GlobalProtect.
🔗 https://www.greynoise.io/blog/credential-based-campaign-cisco-palo-alto-networks-vpn-gateways
#Cisco #PaloAltoNetworks #GreyNoise #VPN #CiscoSSLVPN #GlobalProtect #ThreatIntel
-
Just in: Watch #React2Shell exploitation unfold over time in the map below (geo of source IPs attempting to exploit CVE-2025-55182).
#GreyNoise #ThreatIntel #CVE202555182 #Nextjs #Cybersecurity
-
👀 React2Shell attacker profiles fresh from GreyNoise telemetry: https://info.greynoise.io/hubfs/PDFs-Sales-Marketing/GreyNoise-React2Shell-Attacker-Profiles.png
Also, don't miss the latest contribution from GreyNoise Labs on React2Shell: https://www.labs.greynoise.io/grimoire/2025-12-09-react2shell-meshcentral/
-
React2Shell blog update 🚨 compromised Next.js nodes are rapidly being enlisted into botnets; threat actor activity reaches ~80 source countries; and more. https://www.greynoise.io/blog/cve-2025-55182-react2shell-opportunistic-exploitation-in-the-wild-what-the-greynoise-observation-grid-is-seeing-so-far
#React2Shell #Nextjs #GreyNoise #ThreatIntel -
It is worth using this tool to check your local network for suspicious activity (botnets, malware, viruses, etc.) and then adding it to your bookmarks ✅
-
Headed to BlackHat EU? 🇬🇧
Swing by the @corelight + GreyNoise booth for a chat and then grab drinks with the team after the con on Wednesday, Dec 10th. Sign up today to reserve your spot! -
GreyNoise introduces IP Check: a new tool detects botnet activity directly on your own internet connection! 🔍🛡️ Perfect for defending against cyber threats. More info: https://www.golem.de/news/greynoise-ip-check-neues-tool-erkennt-botnetz-aktivitaeten-am-eigenen-anschluss-2512-202764.html #Cybersecurity #Botnetz #GreyNoise #Newz
-
📢 GreyNoise launches a free scanner to check whether your IP is part of a botnet
📝 Source: BleepingComputer — GreyNoise Labs announced "GreyNoise IP Check", a free tool...
📖 cyberveille: https://cyberveille.ch/posts/2025-11-29-greynoise-lance-un-scanner-gratuit-pour-verifier-si-votre-ip-participe-a-un-botnet/
🌐 source: https://www.bleepingcomputer.com/news/security/greynoise-launches-free-scanner-to-check-if-youre-part-of-a-botnet/
#GreyNoise #botnet #Cyberveille -
We’ve launched At The Edge, a weekly brief for GreyNoise customers highlighting shifts in attacker behavior seen across the Global Observation Grid (GOG).
Human-led analysis that turns internet noise into insight defenders can act on.
-
We deployed MCP honeypots to understand how threat actors engage with AI middleware exposed to the internet. What we observed was unexpected. Full analysis: https://www.greynoise.io/blog/deploying-mcp-honeypots
#GreyNoise #AI #AISecurity #MCP #MCPSecurity #Cybersecurity #ThreatIntel
-
GreyNoise has observed a surge in PHP exploitation activity since late summer — now peaking as attackers deploy cryptominers at scale.
Full analysis → https://www.greynoise.io/blog/php-cryptomining-campaign
#GreyNoise #PHP #ThreatIntel -
GreyNoise observed a ~500% surge in IPs scanning Palo Alto Networks login portals on October 3, 2025 — the highest level we’ve seen in 90 days. Read our full analysis here 👉 https://www.greynoise.io/blog/palo-alto-scanning-surges
#PaloAltoNetworks #PaloAlto #GreyNoise #ThreatIntel #PANOS -
GreyNoise now has coverage for Cisco zero-days CVE-2025-20333 and CVE-2025-20362. Watch for exploit attempts in real-time:
CVE-2025-20333 (Net new): https://viz.greynoise.io/tags/cisco-asa-vpn-input-validation-cve-2025-20333-rce-attempt?days=1
CVE-2025-20362 (Updated tag): https://viz.greynoise.io/tags/cisco-asa-directory-traversal-cve-2018-0296-and-cve-2025-20362-attempt
#CiscoASA #Cisco #ZeroDay #CiscoZeroDays #CVE202520333 #CVE202520362 #GreyNoise #ThreatIntel
-
🚨GreyNoise has published a new Situation Report on Cisco ASA reconnaissance activity we observed before the new zero-days were disclosed.
Read the full report: https://info.greynoise.io/hubfs/Situation-Reports/SITREP-Cisco-Zero-Days.pdf
#Cisco #ASA #CiscoASA #GreyNoise #ThreatIntel #CVE202520333 #CVE202520362
-