GreyNoise detects 500% surge in scans targeting Palo Alto Networks portals
securityaffairs.com, October 04, 2025, Pierluigi Paganini

GreyNoise saw a 500% spike in scans on Palo Alto Networks login portals on October 3, 2025, the highest in three months.

Cybersecurity firm GreyNoise reported a 500% surge in scans targeting Palo Alto Networks login portals on October 3, 2025, marking the highest activity in three months. On October 3, the researchers observed that over 1,285 IPs scanned Palo Alto portals, up from a usual 200. The experts reported that 93% of the IPs were suspicious and 7% malicious. Most originated from the U.S., with smaller clusters in the U.K., Netherlands, Canada, and Russia.

GreyNoise described the traffic as targeted and structured: aimed at Palo Alto login portals and split across distinct scanning clusters. The scans targeted emulated Palo Alto profiles, focusing mainly on U.S. and Pakistan systems, indicating coordinated, targeted reconnaissance.

GreyNoise found that the recent Palo Alto scanning mirrors Cisco ASA activity, showing regional clustering and shared TLS fingerprints linked to infrastructure in the Netherlands. Both used similar tools, suggesting possible shared infrastructure or operators. The overlap follows a Cisco ASA scanning surge that preceded the disclosure of two zero-day vulnerabilities.

“Both Cisco ASA and Palo Alto login scanning traffic in the past 48 hours share a dominant TLS fingerprint tied to infrastructure in the Netherlands. This comes after GreyNoise initially reported an ASA scanning surge before Cisco’s disclosure of two ASA zero-days.” reads the report published by GreyNoise. “In addition to a possible connection to ongoing Cisco ASA scanning, GreyNoise identified concurrent surges across remote access services. While suspicious, we are unsure if this activity is related.”

GreyNoise noted in July that spikes in Palo Alto scans sometimes preceded new flaws within six weeks; the experts are monitoring whether the latest surge signals another disclosure.

“GreyNoise is developing an enhanced dynamic IP blocklist to help defenders take faster action on emerging threats.” concludes the report.
·securityaffairs.com·
Surge in MOVEit Transfer Scanning Activity Could Signal Emerging Threat Activity
GreyNoise has identified a notable surge in scanning activity targeting MOVEit Transfer systems, beginning on May 27, 2025. Prior to this date, scanning was minimal — typically fewer than 10 IPs observed per day.

* 682 unique IPs have triggered GreyNoise’s MOVEit Transfer Scanner tag over the past 90 days.
* The surge began on May 27 — prior activity was near-zero.
* 303 IPs (44%) originate from Tencent Cloud (ASN 132203) — by far the most active infrastructure.
* Other source providers include Cloudflare (113 IPs), Amazon (94), and Google (34).
* Top destination countries include the United Kingdom, United States, Germany, France, and Mexico.
* The overwhelming majority of scanner IPs geolocate to the United States.
·greynoise.io·
GreyNoise Observes Exploit Attempts Targeting Zyxel CVE-2023-28771
On June 16, GreyNoise observed exploit attempts targeting CVE-2023-28771 — a remote code execution vulnerability affecting Zyxel Internet Key Exchange (IKE) packet decoders over UDP port 500.

* CVE: CVE-2023-28771
* Exploit method: UDP port 500 (IKE packet decoder)
* Date observed: June 16, 2025
* Duration of activity: One day (June 16, 2025)
* Unique IPs: 244
* Top destination countries: U.S., U.K., Spain, Germany, India
* IP classification: All malicious per GreyNoise
* Infrastructure: Verizon Business (all IPs geolocated to U.S.)
* Spoofable traffic: Yes (UDP-based)

Observed Activity

Exploitation attempts against CVE-2023-28771 were minimal throughout recent weeks. On June 16, GreyNoise observed a concentrated burst of exploit attempts within a short time window, with 244 unique IPs observed attempting exploitation. The top destination countries were the U.S., U.K., Spain, Germany, and India. Historical analysis indicates that in the two weeks preceding June 16, these IPs were not observed engaging in any other scanning or exploit behavior — only targeting CVE-2023-28771.
·greynoise.io·
Surge in Palo Alto Networks Scanner Activity Indicates Possible Upcoming Threats
GreyNoise has observed a significant surge in login scanning activity targeting Palo Alto Networks PAN-OS GlobalProtect portals. Over the last 30 days, nearly 24,000 unique IP addresses have attempted to access these portals. The pattern suggests a coordinated effort to probe network defenses and identify exposed or vulnerable systems, potentially as a precursor to targeted exploitation. Recent patterns observed by GreyNoise suggest that this activity may signal the emergence of new vulnerabilities in the near future: “Over the past 18 to 24 months, we’ve observed a consistent pattern of deliberate targeting of older vulnerabilities or well-worn attack and reconnaissance attempts against specific technologies,” said Bob Rudis, VP of Data Science at GreyNoise. “These patterns often coincide with new vulnerabilities emerging 2 to 4 weeks later.”
·greynoise.io·
Resurgence of In-The-Wild Activity Targeting Critical ServiceNow Vulnerabilities
GreyNoise has identified a notable resurgence of in-the-wild activity targeting three ServiceNow vulnerabilities: CVE-2024-4879 (Critical), CVE-2024-5217 (Critical), and CVE-2024-5178 (Medium). These vulnerabilities reportedly may be chained together for full database access.
·greynoise.io·
GreyNoise Detects Mass Exploitation of Critical PHP-CGI Vulnerability (CVE-2024-4577)
GreyNoise data confirms that exploitation of CVE-2024-4577 extends far beyond initial reports. Attack attempts have been observed across multiple regions, with notable spikes in the United States, Singapore, Japan, and other countries throughout January 2025.
·greynoise.io·
New Exploitation Surge: Attackers Target ThinkPHP and ownCloud Flaws at Scale | GreyNoise Blog
GreyNoise has detected a surge in exploitation attempts for two vulnerabilities—one flagged as a top target by government agencies and another flying under the radar despite real-world attacks. See the latest exploitation trends and why real-time intelligence is essential for risk management.
·greynoise.io·
Active Exploitation of Zero-day Zyxel CPE Vulnerability (CVE-2024-40891)
After identifying a significant overlap between IPs exploiting CVE-2024-40891 and those classified as Mirai, the team investigated a recent variant of Mirai and confirmed that the ability to exploit CVE-2024-40891 has been incorporated into some Mirai strains.

GreyNoise is observing active exploitation attempts targeting a zero-day critical command injection vulnerability in Zyxel CPE Series devices tracked as CVE-2024-40891. At this time, the vulnerability is not patched, nor has it been publicly disclosed. Attackers can leverage this vulnerability to execute arbitrary commands on affected devices, leading to complete system compromise, data exfiltration, or network infiltration. At publication, Censys is reporting over 1,500 vulnerable devices online.
·greynoise.io·