#greynoise — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #greynoise, aggregated by home.social.
-
GreyNoise At The Edge — April 13–20, 2026. Four themes dominated activity on the GreyNoise sensor network this week — spanning reconnaissance, exploitation attempts, credential brute-forcing, and botnet recruitment.
1. A broad credential and configuration discovery campaign ran at ~6.2M sessions across hundreds of IPs — ENV files, .git/config, AWS metadata, path traversal, sensitive file access. The biggest real story, distributed rather than concentrated.
2. VNC scanning surged to the third-most-targeted port on the internet — port 5900 at 17.4M sessions. Not in prior briefs.
3. A new multi-cloud Masscan framework activated this week. Shared JA3 across a new Poland IP and an existing DigitalOcean Singapore cluster.
4. VPSVAULT IoT worm weaponized CVE-2025-54322 (Xspeeder SXZOS, CVSS 10.0). CVE-2026-24061 (GNU telnetd, CVSS 9.8, CISA KEV) also in payload.
Full Report: https://www.greynoise.io/resources/at-the-edge-clear-042026
-
See you in Glasgow for #CyberUK! 🇬🇧
Find GreyNoise at Booth D2 + catch our talks:
🗓 Apr 22, 12:20 – Nishawn Smagh
🗓 Apr 23, 14:30 – Glenn Thorpe III
Happy Hour @ Golf Fang on Apr 22 ⛳️
Book 1:1 time: https://info.greynoise.io/cyberuk-meet-with-us
-
NEW: GreyNoise At The Edge Intel Brief (March 23-30)
187,998,900 sessions from 100 top source IPs observed by GreyNoise sensors between March 23-30, 2026. Daily volumes surged 4x mid-week — from 8.5M to 36.6M in 72 hours.
1. VPSVAULT IoT botnet recruitment across 22 CVEs — 3,347,443 sessions from 4 Brazilian IPs targeting Hikvision, MikroTik, TP-Link, D-Link devices. Includes CVE-2026-24061, now on CISA KEV.
2. VisionHeight fleet of 6 AWS IPs generated 5,892,055 sessions mapping enterprise perimeters across Palo Alto, Sophos, Ivanti, Citrix, F5, and ConnectWise — probing CVE-2024-1709 (CVSS 10.0).
3. React/Next.js exploit chaining (CVE-2025-55182 + CVE-2025-29927) produced 1,338,336 sessions, with attackers spoofing GoogleBot user-agents to bypass detection.
4. At least 4 new scanning operations activated simultaneously mid-week, driving the sharp volume surge across the observation period.
Here's what we found: 🔗 https://www.greynoise.io/resources/at-the-edge-clear-033026
-
200,886,675 sessions. 101 unique source IPs. March 16–23, 2026.
GreyNoise At The Edge intelligence brief highlights:
1. The MEVSPACE RDP brute-force operator returned after a 99.8% infrastructure collapse — single IP generated 7,975,241 sessions before deliberately withdrawing after 4 days. GreyNoise has tracked a surge-withdraw-reconstitute cycle since January 2026, reinforcing that well-resourced operators can reconstitute capacity within days.
2. Two coordinated campaigns emerged: VPSVAULT.HOST (IoT worm weaponizing 21+ CVEs against 12+ manufacturers) and Omegatech (TLS fingerprint randomization with 5,854 unique JA3s per node).
3. Sophos CVE-2022-1040 exploitation stabilized at 638,654 sessions in its fifth consecutive week. Enterprise VPN credential pressure reached week 9 across five vendors with 2.9M+ combined sessions.
4. n8n CVE-2026-21858 (CVSS 10.0) reached 118,086 sessions with links to MuddyWater and ZeroBot. ICS/SCADA reconnaissance expanded with new HMI and PLC vulnerabilities trending.
🔗 https://www.greynoise.io/resources/at-the-edge-clear-032326
-
52% of RCE attempts came from IPs with no prior GreyNoise history. New research on where edge defenses fall short + what to do about it: https://www.greynoise.io/resources/2026-state-of-the-edge-report
-
This week's At the Edge: CLEAR is out — a preview of the intel brief GreyNoise customers get every week.
🔗 https://www.greynoise.io/resources/at-the-edge-clear-021626
That's just the preview. greynoise.io/contact
-
Three campaigns. One has Cobalt Strike ready.
RDP nearly quadrupled. A botnet picked up a new CVE. And someone built a Kubernetes cluster just to exploit n8n.
A preview of what GreyNoise customers get every week. Full brief has the IOCs, attribution, and analysis.
-
We observed a 65% drop in global telnet traffic in a single hour on Jan 14, settling into a sustained 59% reduction. 18 ASNs went silent, 5 countries disappeared, but cloud providers were unaffected.
Our analysis of 51.2M sessions points to backbone-level port 23 filtering by a North American Tier 1 transit provider.
🔗 https://www.labs.greynoise.io/grimoire/2026-02-10-telnet-falls-silent/
-
⚠️ Unlike typical exploits, no buffer overflow or memory corruption needed - just one manipulated environment variable grants root access
🛡️ Not all Telnet implementations affected - only #GNU inet utils; proprietary versions like #Cisco and #BusyBox are safe
📊 #GreyNoise threat intelligence reports multiple exploit attempts per hour already detected in the wild
🔄 Telnet's unencrypted nature makes attacks visible to defenders monitoring plaintext traffic for "-f root" patterns
-
🎙️ Python Bytes 467: Toads in my AI
with @mkennedy and @brianokken
https://pythonbytes.fm/467
#Python #GreyNoise #tprof #TOAD #FastAPI #Digg
-
New on the GreyNoise blog: We borrow from some unexpected fields, enzyme kinetics, species biodiversity models, astrophotography, to understand internet-wide scanning activity and measure what we might be missing.
-
GreyNoise analyzed activity targeting exposed Ollama and LLM infrastructure, identifying SSRF abuse attempts and large-scale probing of LLM model endpoints.
Analysis: https://www.greynoise.io/blog/threat-actors-actively-targeting-llms
#GreyNoise #ThreatIntelligence #LLMSecurity
-
Brute-force attacks hammer Fortinet devices worldwide https://www.helpnetsecurity.com/2025/08/14/brute-force-attacks-hammer-fortinet-devices-worldwide/ #brute-force #Don'tmiss #GreyNoise #Hotstuff #firewall #Fortinet #exploit #News
-
JA4T and JA4TS are the latest additions to the suite of JA4+ network fingerprints.
JA4T can identify intermediary proxies, VPNs, load balancers, tunneling, and fingerprint client/server OS, devices, applications and hosting/provider characteristics. When paired with additional JA4 hashes, this allows WAF tuning to focus on a set of hashes to limit false positives versus a constantly changing list of IPs. This will make a great addition to infrastructure hunting and DDoS attribution.
https://medium.com/foxio/ja4t-tcp-fingerprinting-12fb7ce9cb5a
-
React2Shell Update – 7 January 2026
Full update & analysis: https://www.greynoise.io/blog/cve-2025-55182-react2shell-opportunistic-exploitation-in-the-wild-what-the-greynoise-observation-grid-is-seeing-so-far
-
GreyNoise observed exploitation of CitrixBleed 2 (CVE-2025-5777) nearly two weeks before a public PoC was released. Full breakdown: https://www.greynoise.io/blog/exploitation-citrixbleed-2-cve-2025-5777-before-public-poc #GreyNoise #ThreatIntel #CitrixBleed #Citrix #NetScaler
-
Ransomware starts with reconnaissance: we observed a recent large-scale scanning campaign validating exploitable systems, data that feeds the initial access market and shows up later in real attacks. 🕵️‍♀️
https://www.greynoise.io/blog/christmas-scanning-campaign-fuel-2026-attacks
-
Zyxel CPE devices under attack via critical vulnerability without a patch (CVE-2024-40891) https://www.helpnetsecurity.com/2025/01/29/zyxel-cpe-devices-under-attack-vulnerability-cve-2024-40891/ #vulnerability #Don'tmiss #GreyNoise #VulnCheck #Hotstuff #Censys #Zyxel #News
-
New Zyxel Zero-Day Under Attack, No Patch Available https://www.securityweek.com/new-zyxel-zero-day-under-attack-no-patch-available/ #Malware&Threats #Vulnerabilities #CVE202440891 #GreyNoise #Censys #Zyxel
-
Decrypted: Hackers show off their exploits as Black Hat goes virtual - Every year hackers descend on Las Vegas in the sweltering August heat to break ground on security re... - http://feedproxy.google.com/~r/Techcrunch/~3/MsAVDqxhLOM/ #computersecurity #electionsecurity #electronicvoting #microsoftwindows #cryptography #cyberwarfare #searchengine #unitedstates #cybercrime #computing #decrypted #elections #greynoise #mattblaze #security #annarbor #lasvegas #michigan #privacy #seriesb #iran
-
New TeleMessage SGNL Flaw Is Actively Being Exploited by Attackers – Source:hackread.com https://ciso2ciso.com/new-telemessage-sgnl-flaw-is-actively-being-exploited-by-attackers-sourcehackread-com/ #1CyberSecurityNewsPost #CyberSecurityNews #TeleMessageSGNL #cybersecurity #Vulnerability #TeleMessage #0CISO2CISO #Encryption #GreyNoise #Hackread #security #Signal #CISA
-
New TeleMessage SGNL Flaw Is Actively Being Exploited by Attackers https://hackread.com/telemessage-sgnl-flaw-actively-exploited-by-attackers/ #TeleMessageSGNL #Cybersecurity #Vulnerability #TeleMessage #Encryption #GreyNoise #Security #Signal #CISA
-
New Threat Update from GreyNoise — Significant spike in exploitation attempts targeting Linksys E-Series routers, likely Mirai. Full analysis ⬇️
https://www.greynoise.io/blog/heightened-in-the-wild-activity-key-technologies
-
In-the-wild activity targeting SonicWall, Zyxel, F5, Linksys, Zoho, and Ivanti. Surge on March 28. Full analysis: https://www.greynoise.io/blog/heightened-in-the-wild-activity-key-technologies
#GreyNoise #F5 #Ivanti #SonicWall #Zoho #Linksys #CVE #Vulnerability
-
GreyNoise is tracking a coordinated credential-based campaign targeting Cisco SSL VPN and Palo Alto Networks GlobalProtect.
🔗 https://www.greynoise.io/blog/credential-based-campaign-cisco-palo-alto-networks-vpn-gateways
#Cisco #PaloAltoNetworks #GreyNoise #VPN #CiscoSSLVPN #GlobalProtect #ThreatIntel
-
🚨 Following reports of widespread DrayTek router reboots, GreyNoise is bringing awareness to in-the-wild activity against multiple known vulnerabilities in DrayTek devices. Read the analysis ⬇️
https://www.greynoise.io/blog/in-the-wild-activity-against-draytek-routers
-
GreyNoise observed a major spike in scanning against Ivanti products weeks before two zero-days were disclosed in Ivanti EPMM. Full update: https://www.greynoise.io/blog/surge-ivanti-connect-secure-scanning-activity
#Ivanti #GreyNoise #Cybersecurity #ZeroDays
-
Headed to BlackHat EU? 🇬🇧
Swing by the @corelight + GreyNoise booth for a chat and then grab drinks with the team after the con on Wednesday, Dec 10th. Sign up today to reserve your spot!
-
@briankrebs Hi Sir, sorry for the disturbance. A swift question: is it possible to detect such activity via https://check.labs.greynoise.io/ #greynoise #botnet
Or does one have to use dedicated scans via wireshark and #shodan and the likes?
-
GreyNoise IP Check – a tool for checking an IP address
GreyNoise, a company that collects information about ongoing network scans and attempts to exploit vulnerabilities, has created a tool that may be useful to anyone. TLDR: GreyNoise IP Check, the tool in question, lets you check whether the IP address you currently use to reach the Internet is seen as safe, or whether any links between it and scanning have been observed...
#WBiegu #Awareness #Greynoise #Internet #Ip
https://sekurak.pl/greynoise-ip-check-narzedzie-pozwalajace-sprawdzic-adres-ip/
-
Just in: Watch #React2Shell exploitation unfold over time in the map below (geo of source IPs attempting to exploit CVE-2025-55182).
#GreyNoise #ThreatIntel #CVE202555182 #Nextjs #Cybersecurity
-
👀 React2Shell attacker profiles fresh from GreyNoise telemetry: https://info.greynoise.io/hubfs/PDFs-Sales-Marketing/GreyNoise-React2Shell-Attacker-Profiles.png
Also, don't miss the latest contribution from GreyNoise Labs on React2Shell: https://www.labs.greynoise.io/grimoire/2025-12-09-react2shell-meshcentral/
-
React2Shell blog update 🚨 compromised Next.js nodes are rapidly being enlisted into botnets; threat actor activity reaches ~80 source countries; and more. https://www.greynoise.io/blog/cve-2025-55182-react2shell-opportunistic-exploitation-in-the-wild-what-the-greynoise-observation-grid-is-seeing-so-far
#React2Shell #Nextjs #GreyNoise #ThreatIntel
-
It's worth using this tool to check your local network for suspicious activity (botnets, malware, viruses, etc.) and then adding it to your bookmarks ✅
-
GreyNoise introduces IP Check: a new tool detects botnet activity right at your own internet connection! 🔍🛡️ Perfect for defending against cyber threats. More info: https://www.golem.de/news/greynoise-ip-check-neues-tool-erkennt-botnetz-aktivitaeten-am-eigenen-anschluss-2512-202764.html #Cybersecurity #Botnetz #GreyNoise #Newz
-
📢 GreyNoise launches a free scanner to check whether your IP is part of a botnet
📝 Source: BleepingComputer — GreyNoise Labs has announced "GreyNoise IP Check", a free tool...
📖 cyberveille : https://cyberveille.ch/posts/2025-11-29-greynoise-lance-un-scanner-gratuit-pour-verifier-si-votre-ip-participe-a-un-botnet/
🌐 source : https://www.bleepingcomputer.com/news/security/greynoise-launches-free-scanner-to-check-if-youre-part-of-a-botnet/
#GreyNoise #botnet #Cyberveille
-
We’ve launched At The Edge, a weekly brief for GreyNoise customers highlighting shifts in attacker behavior seen across the Global Observation Grid (GOG).
Human-led analysis that turns internet noise into insight defenders can act on.
-
We deployed MCP honeypots to understand how threat actors engage with AI middleware exposed to the internet. What we observed was unexpected. Full analysis: https://www.greynoise.io/blog/deploying-mcp-honeypots
#GreyNoise #AI #AISecurity #MCP #MCPSecurity #Cybersecurity #ThreatIntel
-
GreyNoise has observed a surge in PHP exploitation activity since late summer — now peaking as attackers deploy cryptominers at scale.
Full analysis → https://www.greynoise.io/blog/php-cryptomining-campaign
#GreyNoise #PHP #ThreatIntel
-
📬 Security vulnerability discovered in ownCloud: what you should know about it!
#Datenschutz #ITSicherheit #CVE202349103 #CVE202394104 #CVE202394105 #GlennThorpe #Graphapi #Greynoise #KevinBeaumont #ownCloud #ownCloudServer https://tarnkappe.info/artikel/it-sicherheit/sicherheitsluecke-in-owncloud-entdeckt-was-man-darueber-wissen-sollte-284041.html
-
ViciousTrap: Persistent SSH Backdoors Found in 9,000+ ASUS Routers
A sophisticated cyberattack campaign, dubbed ViciousTrap, has compromised over 9,000 ASUS routers, establishing persistent SSH backdoors that survive reboots and firmware updates.
https://forum.hashpwn.net/post/637
#backdoor #asus #cybersecurity #botnet #news #greynoise #ViciousTrap #hashpwn
-
Palo Alto firewalls: Public exploits, rising attacks, ineffective mitigation https://www.helpnetsecurity.com/2024/04/17/cve-2024-3400-attacks/ #PaloAltoNetworks #securityupdate #vulnerability #enterprise #TrustedSec #Don'tmiss #GreyNoise #WatchTowr #Hotstuff #firewall #Volexity #exploit #News #PoC