
Storm Watch by GreyNoise Intelligence

Exploring CrushFTP Vulnerabilities & Autonomous AI Cyber Threats
In this episode of Storm⚡️Watch, we discuss a wide range of intriguing cybersecurity topics. A significant highlight of this episode is our discussion on the recent vulnerabilities discovered in CrushFTP. This popular file transfer software was found to have a critical remote code execution vulnerability, which has been actively exploited. The vulnerability, identified as CVE-2023-43177, allows unauthenticated attackers to execute arbitrary code and access sensitive data. Despite patches being released, the software remains a target for opportunistic attacks, emphasizing the need for users to update and secure their systems promptly. We also explore the cutting-edge realm of LLM (Large Language Model) agents with the capability to autonomously exploit and hack websites. Recent studies have shown that these agents can autonomously perform complex tasks like SQL injections and database schema extractions without prior knowledge of the vulnerabilities. This development poses new challenges and opportunities in cybersecurity, highlighting the dual-use nature of AI technologies in cyber offense and defense. Our "Tool Time" segment introduces listeners to the CPE Guesser tools, which aid in predicting Common Platform Enumeration names, helping cybersecurity professionals streamline their vulnerability management processes. In a lighter segment, "Shameless Self-Promotion," we celebrate GreyNoise's achievement of reaching '1337' status with their tagging system. We also provide updates on the latest cybersecurity trends with our "Tag Roundup," discussing recent and active campaigns, and conclude with a "KEV Roundup" where we discuss the Known Exploited Vulnerabilities catalog by CISA, providing listeners with crucial information on vulnerabilities that require immediate attention. As we wrap up the episode, we reflect on the discussions and insights shared, encouraging our listeners to stay proactive in managing cybersecurity risks. 
Forecast = The KEV drought continues well into its second week, but a vulnerable frontal system could bring some much-needed exploit rain.
Storm Watch Homepage >> Learn more about GreyNoise >>

AI Storms the Cybersecurity Front: Deepfakes & Attacks
Forecast = Scattered AI showers with a chance of phishing breezes.
In this episode of Storm⚡Watch, listeners delve into the latest AI technology and its impact on cybersecurity. Featuring Erick Galinkin, an esteemed AI expert, the discussion covers various topics, from Erick's AI security work at NVIDIA to recent AI-assisted threats affecting LastPass and healthcare facilities. Additionally, insights from Check Point's President on AI's evolving role in cybersecurity, as discussed in a December 2023 Fortune article, are shared. In the cyber spotlight, the team examines an XZ-style attack attempt on OpenJS, signaling a concerning development for the JavaScript community. The episode also includes a tool time segment featuring Malpedia, an extensive library of malware profiles, and a captivating data visualization project mapping out malware relationships. As usual, the show embraces a touch of self-promotion, providing updates on Censys' research into vulnerabilities affecting D-Link and Sisense. GreyNoise shares highlights from the recent NetNoiseCon event and discusses a command injection vulnerability in Palo Alto Networks' PAN-OS. We close it out with a tag roundup, spotlighting recent tags and active campaigns from GreyNoise's visualization tools. In addition, the episode offers a KEV roundup, summarizing the Known Exploited Vulnerabilities catalog from CISA, ensuring listeners are well-informed on current cybersecurity challenges.

Ivanti's Security Revamp, Dodging the XZ Bullet & D-Link's NAS Crisis
Forecast = Hazy, with a 60% chance of KEV squalls towards the end of the week.
In this episode of Storm⚡Watch, we start by discussing Ivanti CEO Jeff Abbott's pledge for a comprehensive security overhaul following a series of breaches linked to vulnerabilities, including CVE-2024-21894. We also explore Andres Freund's accidental heroism in uncovering a backdoor in Linux software, and delve into the vulnerability of D-Link NAS devices to remote code execution.

Cybersecurity Frontlines: Ivanti's Pledge and Vulnerabilities
Ivanti CEO Jeff Abbott has publicly committed to a comprehensive security overhaul following a series of breaches linked to vulnerabilities in Ivanti's products. This episode will explore the implications of Ivanti's new security initiatives and the recent discovery of critical vulnerabilities, including CVE-2024-21894, a heap overflow vulnerability in Ivanti Connect Secure and Policy Secure. We'll discuss the company's promise to adopt a Secure-By-Design ethos and the potential impact on the cybersecurity community.

Andres Freund: The Accidental Hero
Our Cyber Spotlight shines on Andres Freund, a software engineer whose routine maintenance work led to the inadvertent discovery of a backdoor in a piece of Linux software (XZ). This discovery potentially thwarted a major cyberattack, earning Freund accolades from the tech community and a feature in The New York Times. We'll discuss the critical role of open-source software maintainers in cybersecurity and the importance of vigilance in the industry.

D-Link NAS Devices Under Siege
A significant threat looms over users of D-Link NAS devices as CVE-2024-3273, a remote code execution vulnerability, is actively being exploited in the wild. With, perhaps, 92,000 devices at risk, we'll dissect the nature of the vulnerability, the hardcoded backdoor account, and the command injection flaw that leaves these devices open to attack. We'll also cover the steps D-Link has taken to address the issue and the importance of securing legacy devices.

Shameless Self-Promotion: GreyNoise and Censys
Don't miss our segment on GreyNoise and Censys, where we'll highlight their contributions to the cybersecurity field. GreyNoise's analysis of the D-Link NAS vulnerability and their upcoming NetNoiseCon event are on the agenda, as well as Censys' Threat Hunting Workshop in Philadelphia.

Tag Round-Up: Vulnerability Alerts
We'll wrap up with a rapid-fire rundown of recent vulnerability alerts, including a variety of CVEs that have been identified and tagged for tracking. This segment will provide listeners with a concise overview of the threats they should be aware of and the actions they can take to protect their systems.

Honoring Ross J. Anderson, Interview With Horizon3AI's Zach Hanley & China's APT31 Sanctions
In this episode of Storm⚡️Watch, we cover a variety of cybersecurity topics, opening with a poignant tribute to Ross J. Anderson. Anderson's legacy is vast, with contributions spanning machine learning, cryptographic protocols, and digital rights advocacy. His seminal textbook, "Security Engineering," has been a cornerstone in the education of many in the field. His passing is a significant loss to the academic and security communities, leaving behind a legacy that will continue to influence for years to come. This week we are also joined by special guest Zach Hanley of Horizon3AI. Hanley shares his journey into cybersecurity and the founding of Horizon3AI, as well as insights into the innovative NodeZero platform. This platform aids organizations in focusing on safety and resilience, a crucial aspect in today's digital landscape. Hanley also discusses the three key challenges outlined in Horizon3AI's 2023 report, "Proactive Cybersecurity Unleashed," providing listeners with a glimpse into the ongoing struggles organizations face in cybersecurity. In the segment "Cyberside Chat: Big (Tech) Trouble In Little China," we cover recent sanctions by the United States Treasury Department on individuals linked to the Chinese hacking group APT31, known for targeting critical U.S. infrastructure. Additionally, we discuss the formation of a Water Sector Cybersecurity Task Force in response to threats from the Chinese hacking group Volt Typhoon, and the implications of China's revised state secrets law for U.S. tech firms operating in China. For those interested in the technical side of cybersecurity, we introduce "vulnerability lookup," a tool for fast vulnerability lookup correlation from different sources. This tool is a rewrite of cve-search and supports independent vulnerability ID management and coordinated vulnerability disclosure (CVD). 
As usual we wrap up with a roundup of recent tags and active campaigns and discuss the Known Exploited Vulnerabilities (KEV) catalog from CISA.

Supply Chain Storms, Firmware Flurries and Big Tech Trouble In Little China
Forecast = Expect a whirlwind of patches with a strong chance of phishing fronts moving in.
In this episode of Storm⚡️Watch, we're exploring a plethora of cybersecurity topics that are as turbulent as the weather itself. First is a lively discussion with Nate Warfield from Eclypsium, where we dive into the intricacies of supply chain and firmware safety. Eclypsium's research is pivotal in highlighting critical areas listeners should be aware of, especially concerning supply chain vulnerabilities and firmware-level threats. We're also taking a deep dive into their approach to analyzing CISA's KEV data to understand the dangers lurking within. This week's Cyberside Chat is equally stormy as we pull out the popcorn and preview the Big (Tech) Trouble In Little China, discussing the recent sanctions on APT31 hackers, and the implications of China's newly expanded "Work Secrets" Law. We're also touching upon China's attacks on British MPs and the ongoing U.S. vs. TikTok saga and its broader cybersecurity implications. Tool Time features a look at VulnCheck KEV & Community Extended KEV + NVD APIs, providing listeners with valuable resources for vulnerability management. And in a segment of Shameless Self-Promotion, we're highlighting GreyNoise's innovative approach to the future of honeypots. Our Tag Roundup offers insights into recent tags, active campaigns, and a sneak peek at IP Intention Analysis, ensuring you're up-to-date with the latest cybersecurity trends. The KEV Roundup discusses the latest entries in CISA's Known Exploited Vulnerabilities Catalog, a crucial resource for cybersecurity professionals. Closing the episode, we ponder the possibilities of other dimensions, asking our guests and listeners what they hope to see on the other side.

AI Crime Warnings & The National Vulnerability Database (NVD) Slowdown
In this episode of Storm⚡️Watch we're bracing for a tempest of cybersecurity insights. The Cyberside Chat segment takes a deep dive into the Department of Justice's recent announcement regarding AI in crimes, signaling harsher sentences akin to weapon-enhanced offenses. We explore the implications of AI's double-edged sword in criminal justice, the DOJ's Justice AI initiative, and the broader Artificial Intelligence Strategy. We also discuss federal actions to regulate AI, including the Algorithmic Accountability Act of 2022, and the Executive Order on Promoting the Use of Trustworthy Artificial Intelligence in the Federal Government. A study on AI-modified content in peer reviews at AI conferences is examined, highlighting the challenges of distinguishing AI-generated text from human-written content. In the Cyber Spotlight, we shine a light on the National Vulnerability Database (NVD) and its recent slowdown in updates. We discuss the implications for vulnerability management and the cybersecurity community's response, including NIST's efforts to form a consortium to address these issues. Tool Time introduces the Sunlight Certificate Transparency Log, a project aimed at enhancing the scalability and reliability of Certificate Transparency logs. We delve into the new tile-based architecture and its benefits for various stakeholders, including Certificate Authorities, CT monitors and auditors, web browsers, and security researchers. We also engage in some Shameless Self-Promotion, highlighting key insights from the 2024 State of Threat Hunting Report by Censys and tracking the aftermath of Atlassian's Confluence CVE-2023-22527 with GreyNoise. Our Tag Roundup covers recent tags and active campaigns, providing a snapshot of the current threat landscape. Finally, we wrap up the episode with our KEV Roundup, discussing the latest entries in CISA's Known Exploited Vulnerabilities Catalog, and close with a fun question about our dream fictional vehicles. 
Forecast = Expect a downpour of DDoS with a chance of ransomware gusts, and keep an umbrella handy for data breach drizzles.

The Patches & Perils Of Coordinated Vulnerability Disclosure | Lessons To Learn From The Rapid7/JetBrains Kerfuffle
In the latest episode of GreyNoise Labs Storm⚡️Watch, we delve into a meta-discussion that stems from an escalating feud between cybersecurity firm Rapid7 and software development company JetBrains over the disclosure of two critical vulnerabilities in JetBrains' TeamCity CI/CD platform. The contention stems from differing approaches to vulnerability disclosure, leading to public disagreements and a series of attacks exploiting these vulnerabilities, identified as CVE-2024-27198 and CVE-2024-27199. On February 20, 2024, Rapid7 disclosed these vulnerabilities to JetBrains, highlighting the severity of CVE-2024-27198, which allows for a complete authentication bypass, potentially enabling attackers to perform administrative actions on the server and its host environment. JetBrains criticized Rapid7 for what it perceived as an uncoordinated disclosure, arguing that Rapid7's immediate release of exploit examples enabled attackers of any skill level to quickly exploit the vulnerabilities. This dispute has led to a "land-rush like assault" from threat groups, with ransomware attacks exploiting these flaws for initial access. Despite the contention, JetBrains remains committed to its Coordinated Disclosure Policy, emphasizing the importance of collaboration and ethical responsibility in addressing vulnerabilities. Meanwhile, Rapid7 insists on following its disclosure policy, emphasizing the importance of public disclosure to prevent silent patching and ensure that patches are thoroughly vetted. Joining us for a cyberside chat is GreyNoise's own Matthew Remacle, who shifts the focus from the feud to discuss silent patching, patch diffing, coordinated disclosure, and offers advice for budding cybersecurity professionals. 
For a comprehensive understanding of this issue, we reference discussions and analyses from various sources, including The Register, TechTarget, JetBrains' official blog, and Rapid7's blog, which provide insights into the vulnerabilities, the dispute, and the broader implications for cybersecurity practices and policies.

Citations:
https://www.techtarget.com/searchsecurity/news/366572432/Critical-JetBrains-TeamCity-vulnerabilities-under-attack
https://blog.jetbrains.com/teamcity/2024/03/preventing-exploits-jetbrains-ethical-approach-to-vulnerability-disclosure/
https://blog.jetbrains.com/teamcity/2024/03/additional-critical-security-issues-affecting-teamcity-on-premises-cve-2024-27198-and-cve-2024-27199-update-to-2023-11-4-now/
https://www.rapid7.com/blog/post/2024/03/04/etr-cve-2024-27198-and-cve-2024-27199-jetbrains-teamcity-multiple-authentication-bypass-vulnerabilities-fixed/
https://news.ycombinator.com/item?id=39603074
https://www.splunk.com/en_us/blog/security/security-insights-jetbrains-teamcity-cve-2024-27198-and-cve-2024-27199.html
https://therecord.media/jet-brains-advisory-teamcity-vulnerabilities
https://forums.theregister.com/forum/all/2024/03/12/jetbrains_is_still_mad_at/
https://www.tenable.com/blog/cve-2024-27198-cve-2024-27199-two-authentication-bypass-vulnerabilities-in-jetbrains-teamcity
https://www.theregister.com/2024/03/05/rapid7_jetbrains_vuln_disclosure_dispute/
https://thecyberexpress.com/jetbrains-vs-rapid7-vulnerability-disclosure/amp/
https://arcticwolf.com/resources/blog/2024-27198-and-cve-2024-27199/
https://securityaffairs.com/159995/security/jetbrains-teamcity-flaws.html
https://securityboulevard.com/2024/03/jetbrains-says-rapid7s-fast-release-of-flaw-details-harmed-users/
https://socprime.com/blog/cve-2024-27198-and-cve-2024-27199-detection-critical-vulnerabilities-in-jetbrains-teamcity-pose-escalating-risks-with-exploits-underway/
https://www.cybersecuritydive.com/news/jetbrains-teamcity-vulnerabilities/709329/
https://www.cybersecuritydive.com/news/jetbrains-teamcity-exploited-disclosure/710017/
https://www.bankinfosecurity.com/jetbrains-teamcity-bugs-could-lead-to-server-takeover-a-24520
https://vulnera.com/newswire/critical-vulnerabilities-in-teamcity-pose-threat-to-software-supply-chain/

VMware Vulnerabilities, Microsoft's Russia Breach, and USB Hacks by Nation States
Forecast = Areal Cyber Flood Warning
In this episode of Storm⚡️Watch we delve into a variety of cybersecurity topics that are essential for professionals in the field. The episode kicks off with a roundtable discussion, setting the stage for a deep dive into recent critical vulnerabilities in VMware's ESXi, as reported by SecurityWeek. We explore the history of VMware vulnerabilities, including the infamous log4j, and speculate on the company's future trajectory. The spotlight then shifts to Microsoft and the implications of Russia's breach of their systems, as well as the impact of the SEC's disclosure policies on Microsoft's transparency. This discussion is informed by reports from The Record and the SEC's official documentation. Our tool segment introduces listeners to aiocrioc, a project available on GitHub, and the work of James Brine, which can be found on his personal website. This tool represents the cutting edge of cybersecurity technology and is a must-know for industry professionals. We also touch on the resurgence of USB hacks by nation-states, a trend highlighted by Dark Reading, and discuss the implications of such low-tech yet effective attack vectors. In our self-promotion segment, we discuss Censys' insights on ConnectWise exposure and GreyNoise's own research on hunting for Fortinet's CVE-2024-21762. These resources are invaluable for cybersecurity practitioners looking to enhance their defensive strategies. The episode wraps up with a roundup of recent and active campaigns, as seen on GreyNoise's visualization trends, and a discussion on the Known Exploited Vulnerabilities (KEV) catalog from CISA, including the new KEV submission form available on the Federal Register.

NSA Tracks Chinese Hackers, AI Threats, and 3D Printers Gone Wild
Forecast = Partly Sunny With A Chance Of Catastrophic Haboobs
In this episode of Storm⚡️Watch, we open with a critical discussion on the NSA's recent tracking of Chinese groups targeting Ivanti kit within the defense sector, as reported by TechCrunch. We also feature an in-depth analysis of JFrog's investigation into malicious AI/ML models on Huggingface, highlighting the silent backdoors that pose a threat to data scientists. We delve into the White House's "Back to the Building Blocks" technical report, shedding light on the administration's approach to cybersecurity. The conversation then shifts to the startling revelations of MQTT-based 3D printer hacks, specifically targeting Anycubic printers, as uncovered by Bitdefender. This segment underscores the importance of security in the rapidly growing field of 3D printing. We also explore the latest trends and active campaigns in cybersecurity, utilizing resources like GreyNoise's visualization tools and CISA's known exploited vulnerabilities catalog. Our episode concludes with a roundup of the most recent KEV updates and a discussion on the new submission form for actively exploited vulnerabilities, emphasizing the ongoing efforts to enhance cybersecurity response and reporting.

LockBit Resurgence, Azure Hack Unraveled, and UnitedHealth Breach
Forecast = Scattered Graupel Showers
In this episode of Storm⚡️Watch, we delve into a series of critical cybersecurity events that have shaped the digital landscape recently. We kick off by seeing which Disney Princess each co-host identifies with. This light-hearted opener transitions into a deep dive into the resurgence of the LockBit ransomware group, following significant arrests in Ukraine. The episode further explores the audacious claims and trolling by LockBitSupp, alongside a comprehensive summary by Brian Krebs and the response from Fulton County to the incident. The conversation then shifts to a massive Azure hack, dissecting the ongoing malicious campaign impacting Azure cloud environments. We scrutinize Senator Wyden's critical letter to CISA, DOJ, and FTC regarding Microsoft's handling of a breach in 2023, and Amit Yoran's scathing critique on LinkedIn, highlighting the severity of Microsoft's security practices. Additionally, we discuss Microsoft's decision to expand free logging capabilities post-breach, a move that has sparked widespread discussion within the cybersecurity community. UnitedHealth's recent hack, linked to the BlackCat ransomware, is another focal point, emphasizing the dire consequences for healthcare and the urgent calls for hospitals to disconnect from UnitedHealth's compromised pharmacy unit. This incident underscores the growing threats to the healthcare sector and the importance of robust cybersecurity measures. The episode also touches on the ominous implications of the I-SOON initiative, suggesting a bleak outlook for global cybersecurity. We wrap up with insights into the latest cybersecurity trends, active campaigns, and a roundup of known exploited vulnerabilities, courtesy of CISA.

2024 Cybersecurity Update: Lockbit Takedown, GRU Botnet Disruption & Essential Security Practices
Forecast = Advanced Persistent Thunderstorms
In this episode of Storm⚡️Watch, we dive deep into the evolving landscape of cybersecurity in 2024. The episode kicks off with a thought-provoking roundtable discussion, pondering the potential theme song of 2024, setting the tone for a year that's already shaping up to be full of significant cybersecurity developments. We then transition into a comprehensive analysis of recent cybersecurity events and trends that are shaping the digital world. First on the agenda is the international police operation that successfully disrupted the notorious Lockbit cybercrime gang, a significant victory in the ongoing battle against cybercrime. This is followed by an exploration of the Justice Department's court-authorized disruption of a botnet controlled by the Russian GRU, highlighting the global efforts to combat state-sponsored cyberthreats. The episode also delves into the discovery of new vulnerabilities within SolarWinds' software, some of which are unauthorized, underscoring the persistent challenges in securing widely used software platforms. The discussion then shifts to a series of high-profile hacks and leaks, including the Shanghai Anxun/I-SOON hack/leak and a significant state government leak and hack, illustrating the diverse nature of cyber threats facing organizations today. The episode emphasizes the critical need for security vendors to adopt Software Bill of Materials (SBOMs) and a resilient Software Development Life Cycle (SDLC), through the lens of Eclypsium's teardown of Ivanti. Additionally, the episode features Rezonate's guide to hardening Okta's security posture, offering practical advice for enhancing cybersecurity defenses. In company news, GreyNoise celebrates the appointment of a new CEO and shares insights from the Grimoire blog on CVE-2021-44529, further demonstrating the company's commitment to advancing cybersecurity knowledge.
The episode concludes with a roundup of recent tags, active campaigns, and a discussion on the Known Exploited Vulnerabilities (KEV) catalog from CISA, providing listeners with a comprehensive overview of the current cybersecurity landscape and actionable insights for enhancing their security posture.

Malware Infected Toothbrushes, Spyware Crackdown, and LOLBins
In this episode of Storm⚡️Watch, we explore the captivating toothbrush scandal that's been stirring discussion within the infosec community. We dissect the narrative surrounding three million malware-infected smart toothbrushes allegedly manipulated into orchestrating a Swiss DDoS attack, an incident that has gained traction on platforms like InfoSec Exchange and Tom's Hardware. We then delve into the serious implications of Google's latest Spyware Report and the subsequent joint statement from various governments on the efforts to counter the proliferation and misuse of commercial spyware. These documents shed light on the alarming state of surveillance and the actions being taken at the highest levels to address these concerns. The episode continues with an analysis of the Volt Typhoon and a critical infrastructure blog post by Censys, highlighting the vulnerabilities in critical infrastructure security. This discussion is particularly timely given the recent compromise of U.S. critical infrastructure by state-sponsored actors, as reported by CISA and Lawfare Media. Canon's recent security update is also on our radar, with the company patching seven critical vulnerabilities in small office printers. This serves as a reminder of the ever-present need for vigilance in the realm of cybersecurity. We also cover CISA's guidance on 'Living Off The Land' tactics and the innovative 'Living Off The False Positives' project, which offers a fresh perspective on managing false positives in security monitoring. For those interested in malware tracking, we discuss Censys' Beginner's Guide to Tracking Malware Infrastructure, a valuable resource for anyone looking to enhance their threat intelligence capabilities. GreyNoise's contributions to the fight against ransomware are highlighted through their blog post detailing the tagging system used to battle these threats. 
Additionally, we touch upon the Flipper Zero controversy in Canada and the open-source SDR tech debate, as well as the latest happenings in the GreyNoise Community Forum and the Centripetal webcast. We wrap up the episode with a look at the recent tags and active campaigns visualized on GreyNoise's platform and a roundup of the Known Exploited Vulnerabilities (KEV) catalog by CISA.

From Cloudflare's Swift Breach Response to Deepfake Scams
In this episode of Storm⚡️Watch, we delve into a variety of pressing cybersecurity topics, starting with a light-hearted roundtable discussion on our dream locations for the next DEFCON conference. We then move on to applaud Cloudflare for their exemplary response to a recent security breach, highlighting the importance of transparency and swift action in the face of cyber threats. The episode also covers the AnyDesk breach, shedding light on the incident and the company's response, underscoring the ever-present need for robust security measures. The conversation takes a serious turn as we discuss the CISA directive for Ivanti, mandating the shutdown of systems to mitigate vulnerabilities, a move that emphasizes the critical nature of software security in maintaining national cybersecurity. The episode also explores the alarming rise of deepfake technology, illustrated by a recent scam that defrauded a company of $25 million, and the clandestine world of fake ID creation by AI neural networks on the site OnlyFake. We delve into the technical with a look at the ICANN .internal proposal, a significant development that could impact the structure of the internet's domain name system. The episode also highlights recent vulnerabilities in Jenkins reported by Censys, providing listeners with crucial information to protect their systems. GreyNoise's contributions to the cybersecurity community are showcased through discussions on our latest blog posts, an open forum event, and a joint webcast with Centripetal, offering insights and opportunities for engagement with cybersecurity experts. The episode wraps up with a look at recent tags and active campaigns on the GreyNoise platform, providing a snapshot of the current cybersecurity landscape.

Declining Ransomware Payments & Rising Cyber Threats
In the latest episode of Storm⚡️Watch, we delve into the pressing issue of ransomware payments, which are on a notable decline as victims increasingly choose not to pay. The conversation then turns to the alarming frequency of cyberattacks that often go unnoticed by the public, and highlights one recent breach in the municipality where a major U.S. court case is occurring. We highlight several incidents at organizations across the globe, emphasizing the pervasive nature of these security breaches. We also dissect the sobering findings from the Dragos Industrial Ransomware Report for Q4, which reveals the increasing number of groups involved in ransomware attacks. This report underscores the challenges faced by industries in safeguarding their operations against such threats. A surprising revelation comes from Germany, where a job posting for a Windows 3.11 administrator for a rail line brings to light the outdated and insecure systems still in use, which pose significant security risks. The episode doesn't shy away from discussing major breaches, including the recent attacks on HPE and Microsoft, and the potential spillover effects these could have on the broader tech ecosystem. We also explore Cert Spotter, a Certificate Transparency log monitor from SSLMate that alerts you when an SSL/TLS certificate is issued for one of your domains. The team covers two recent blogs by Censys researchers, and takes a look at GreyNoise tags that are linked to ransomware gang activity. Lastly, we briefly note CISA's new Water and Wastewater Sector Incident Response Guide, and touch upon the latest trends and active campaigns in the cybersecurity landscape, as well as a roundup of known exploited vulnerabilities, providing listeners with a comprehensive overview of the current state of cyber threats.

WEF Outlook & Emerging Threats
In the latest episode of GreyNoise Labs Storm⚡️Watch, we delve into a variety of cybersecurity topics that are crucial for professionals to stay abreast of. We kick off with a discussion on the World Economic Forum's Cybersecurity Outlook for 2024, providing insights into the anticipated challenges and strategies for the coming year. This is followed by an analysis of the Allianz Global Risk Barometer Redux 2024, which highlights the evolving landscape of cyber threats and their implications for global risk management. The episode also introduces LogBoost, a tool designed to enhance log analysis, which is essential for identifying and mitigating security incidents. We then shift our focus to a recent vulnerability in VMware's vCenter, as reported by Censys, and discuss its potential impact on virtual infrastructure security. GreyNoise's own research is featured prominently, with a deep dive into the F5 BIG-IP Remote Code Execution (RCE) vulnerabilities. We also revisit the last GreyNoise Tag Webinar, which offers a comprehensive understanding of GreyNoise tags and their application in cybersecurity. Additionally, we review the 2023 GreyNoise Retrospective Internet Exploitation Report, which provides a retrospective look at the past year's internet exploitation trends. To keep our listeners informed on the latest cyber threats, we cover the most recent tags and active campaigns as observed by GreyNoise, offering a real-time perspective on the threat landscape. Lastly, we round up the episode with a discussion on the Known Exploited Vulnerabilities (KEV) catalog from CISA, which is an essential resource for cybersecurity professionals to prioritize their defensive efforts.

MFA & Cybersecurity: Crypto-Miner Takedown, Ivanti Debacle, and AI-Enhanced Phishing
In this episode of Storm⚡️Watch, we delve into a variety of cybersecurity topics, with a running theme of the vital need for Multi-Factor Authentication (MFA). We kick off with introductions and a roundtable discussion, followed by an exploration of a mass crypto-miner takedown, with insights drawn from reports by the Ukrainian Cyber Police and Bleeping Computer. We then discuss the Ivanti debacle, referencing a blog post by Volexity. This is followed by a note on two X account hacking events (SEC & Mandiant), as reported by The Register and Security Affairs. The NSA's warning about AI-enhanced phishing is also on our agenda, with sources from NBC News and Infosec Exchange. We tap back to ancient Stuxnet news, the malware that cost a billion dollars, based on an article by Graham Cluley (there are some new twists to this tale). We also delve into the broad implications of the Orrick breach, as reported by Security Week. In our tool spotlight, we feature Cyberwatch, a GitHub project by Casualtek. We also discuss a blog post from Censys about a Juniper vulnerability and encourage folks to attend the "Stop Predicting, Start Protecting" lunch-and-learn. From GreyNoise, we highlight the second 2024 Tag Webinar and the 2023 GreyNoise Internet Exploitation Retrospective Report. We wrap up with a roundup of known exploited vulnerabilities from CISA.

Into the Mind of Morris: Trajectory of Internet Mass Exploitation
In this episode of the Storm⚡️Watch podcast, we kick off the new year with a lively roundtable discussion. Our special guest for this episode is Andrew Morris, who brings a unique perspective to our conversation (given that he's, like, our CEO & Founder). Given Morris' propensity for "hot takes", this should be a doozy of an interview. A significant part of our post-interview discussion revolves around the loanDepot breaches that occurred in 2023 and the start of 2024. We delve into the details of these incidents, providing insights into the cybersecurity implications and the broader impact on the industry. We also discuss the odds that little Suzie is homeless at this point. As we look ahead to the rest of 2024, we discuss several key topics. We examine the controversial stance of 23andMe, who blamed negligent breach victims for their own misfortune. We also discuss a thought-provoking article from The Economist, which suggests that ransomware could cripple entire countries, not just companies. Furthermore, we explore the disinformation landscape in the US political sphere for 2024, highlighting the potential for global disinformation and misinformation campaigns. Tool Time shows how you, too, can be a cyber reporter by surfing the SEC EDGAR website for required breach reporting. We engage in our usual shameless self-promotion as we discuss the latest blog posts from Censys and GreyNoise, including a deep dive into the SnakeYAML deserialization vulnerability. We also discuss our first 2024 Tag Webinar, which offers a detailed exploration of GreyNoise tags. We wrap up the episode by discussing recent tags, active campaigns, and anomalies. We also highlight the wealth of information available on the CISA website, particularly focusing on the catalog of known exploited vulnerabilities and the massive KEV Drop this week.

New SEC Rules, Threat Predictions, and Vulnerability Impact Scoring
In this episode of Storm⚡️Watch, we kick off with our usual intros and roundtable discussion between co-hosts Kimber Duke, Emily Austin, Glenn Thorpe, and boB Rudis. The show continues with a celebration of the FBI's confirmation that ALPHV has, indeed, been taken down. Moving on, a significant development this week is the effective implementation date of new SEC cyber reporting rules. These rules mandate that companies report "material cybersecurity incidents" to their investors. The rules went into effect this week, and VF Corporation was one of the first to report under these new guidelines. VF Corporation suffered a significant cyberattack on December 13, 2023, which has had a major impact on its operations, particularly its ability to fulfill orders during the holiday rush. We also discuss the hot-off-the-presses Xfinity breach announcement. Looking ahead, we delve into our predictions for the cybersecurity landscape in 2024 (make sure to check out our companion blog post, "Weathering 2024: Storm Watch Predictions for the Year Ahead"). In Tool Time, we also discuss Zoom's Vulnerability Impact Scoring System (VISS), a resource that helps organizations assess their vulnerability to cyber threats. In the realm of recent vulnerabilities, we review Censys's blog post about the JetBrains TeamCity Remote Code Execution (RCE) vulnerability (CVE-2023-42793). We also showcase a deep dive into the Apache Struts2 RCE vulnerability (CVE-2023-50164) in our blog post, "A Day in the Life of a GreyNoise Researcher." In another deep dive, Ron Bowes of GreyNoise Labs digs deep into F5 BIG-IP systems, where he explored how threat actors are baiting these systems. You can read all about those findings in our blog post, "Mining the Undiscovered Country with GreyNoise EAP Sensors: F5 BIG-IP Edition." We note three new tags, including a WordPress Backup Migration RCE (CVE-2023-6553), the 3CX CRM SQL Injection (CVE-2023-49954), and the WuzhiCMS SQL Injection (CVE-2018-11528). Finally, we wrap up with a discussion on CISA's recent advisories. The first is a design alert urging manufacturers to eliminate default passwords, aptly titled "NO KEV!" The second is a joint advisory on Play Ransomware, providing crucial information to help organizations protect themselves against this threat.

ALPHV/BlackCat: BUSTED!?, Lazarus' Log4j Larks, Stopping Cloud Attackers Cold With The "AWS Kill Switch"
In this episode of Storm⚡️Watch by GreyNoise Intelligence, we discuss the rumored takedown of the ALPHV/BlackCat ransomware site, which has been offline for days, fueling speculation that law enforcement may have finally caught up with the prolific ransomware group. We then delve into the North Korea-linked Lazarus Group's exploitation of the Log4j vulnerability in a global campaign targeting companies in the manufacturing, agriculture, and physical security sectors. This deep-dive Breaking News segment will shed some light on why attackers are still going after this two-year-old weakness, and also discuss how attackers are using modern programming languages to gain efficiencies and thwart detections. In our Tool Time segment, we explore the AWS Kill Switch, an open-source incident response tool for quickly locking down AWS accounts and IAM roles during a security incident. Our Shameless Self-Promotion segment drops details on upcoming GreyNoise webinars, Censys' new service tier, and a GreyNoise Labs blog on the use of GreyNoise EAP sensors for novel exploitation discovery for CVE-2023-47246. Along with our CISA KEV roundup, we provide a short readout on their Fourth Quarter Cybersecurity Advisory Committee Meeting and the new jointly published CISA guide, "The Case for Memory Safe Roadmaps".
Storm⚡️Watch - 12/5/23
Welcome to the latest episode of Storm⚡️Watch, where we delve into the most recent cybersecurity events and trends. We are also joined by our friends at Trinity Cyber. In this episode, we're excited to announce the arrival of TAGSMAS! This is a special event where we celebrate the power of tags in cybersecurity and how they can help us better understand and respond to threats. We start the show with the team over at Trinity Cyber, with an in-depth discussion about what they do and how they and GreyNoise partner to keep organizations (and humans) safe. The episode continues with a security bulletin from New Relic, who recently identified unauthorized access to their staging environment. This environment provides insights into customer usage and certain logs, but does not store customer telemetry and application data. The unauthorized access was due to stolen credentials and social engineering related to a New Relic employee account. The unauthorized actor used the stolen credentials to view certain customer data within the staging environment. Customers confirmed to be affected by this incident have been notified and given recommended next steps. Importantly, there is no evidence of lateral movement from the staging environment to customer accounts in the separate production environment or to New Relic's production infrastructure. Next, we discuss a phishing campaign targeting WordPress users. The campaign tricks victims into installing a malicious backdoor plugin on their site. The phishing email claims to be from the WordPress team and warns of a Remote Code Execution vulnerability on the user's site with an identifier of CVE-2023-45124, which is not currently a valid CVE. The email prompts the victim to download a "Patch" plugin and install it. If the victim downloads the plugin and installs it on their WordPress site, the plugin is installed with a slug of wpress-security-wordpress and adds a malicious administrator user with the username wpsecuritypatch. The malicious plugin also includes functionality to ensure that this user remains hidden. In our shameless self-promotion segment, we highlight some of our recent work at GreyNoise Labs. We've been busy analyzing and documenting various cybersecurity threats and trends, and we're excited to share our findings with you. Be sure to check out our latest posts on the GreyNoise blog and sign up for our Noiseletter to stay up-to-date with our latest research. We also discuss some recent vulnerabilities, including a Google Skia Integer Overflow Vulnerability (CVE-2023-6345), an ownCloud graphapi Information Disclosure Vulnerability (CVE-2023-49103), and two Apple Multiple Products WebKit vulnerabilities (CVE-2023-42917 and CVE-2023-42916). These vulnerabilities highlight the ongoing need for robust cybersecurity measures and the importance of staying informed about the latest threats. Finally, we discuss a recent CISA alert about the Iranian military organization IRGC. IRGC-affiliated cyber actors using the persona "CyberAv3ngers" are actively targeting and compromising Israeli-made Unitronics Vision Series programmable logic controllers (PLCs). These PLCs are commonly used in the Water and Wastewater Systems (WWS) Sector and are additionally used in other industries including, but not limited to, energy, food and beverage manufacturing, and healthcare. The PLCs may be rebranded and appear as different manufacturers and companies. The authoring agencies urge all organizations, especially critical infrastructure organizations, to apply the recommendations listed in the Mitigations section of this advisory to mitigate risk of compromise from these IRGC-affiliated cyber actors. Thank you for joining us for this episode of Storm⚡️Watch. We look forward to bringing you more insights into the world of cybersecurity in our next episode.

Storm⚡️Watch - 11/28/23
In this episode of Storm Watch, we delve into a range of cybersecurity topics that have made headlines recently. We kick off with a discussion on the recent agreement inked by the US, Britain, and other countries to make AI 'secure by design'. This landmark decision underscores the growing importance of cybersecurity in the era of artificial intelligence and the collective effort to ensure its safe implementation. Next, we turn our attention to the disruption of a Cyber Scam Organization through the seizure of nearly $9M in cryptocurrency. This case highlights the increasing use of digital currencies in cybercrime and the efforts by law enforcement to curb such activities. We then discuss a critical vulnerability in ownCloud, a top file-sharing service. The security bug, which reveals admin passwords, was quickly exploited in the wild, underscoring the need for swift action in addressing such vulnerabilities. The episode also covers the spread of the InfectedSlurs Botnet, which is disseminating Mirai via zero-days. This development is a stark reminder of the persistent threat posed by botnets and the importance of staying abreast of the latest cybersecurity threats. We also delve into the recent ransomware 'catastrophe' at Fidelity National Financial that caused panic among homeowners and buyers. This incident underscores the far-reaching implications of ransomware attacks and the urgent need for robust cybersecurity measures. In the automotive sector, we discuss the warning issued by auto parts giant AutoZone about a MOVEit data breach. This incident serves as a reminder of the pervasive nature of cyber threats across various industries. Celebrating its 10th anniversary, Microsoft's bug bounty program is another topic of discussion. Over the past decade, the program has awarded more than $60M, highlighting the tech giant's commitment to cybersecurity. We also touch on the intriguing topic of the 'Internet of Insecure Cows', a study that explores the vulnerabilities of IoT devices in the agricultural sector. The episode also includes discussions on Vidar tracking, a technique used to monitor the infrastructure of this notorious malware, and the concept of 'Living off the land', a stealthy cyberattack strategy. We wrap up with a look at the 'Have I Been Squatted?' service, an overview of the latest GreyNoise Tags, a roundup of Known Exploited Vulnerabilities (KEV), and a review of CISA's Ransomware Response Checklist. These resources provide valuable insights and tools for cybersecurity professionals and enthusiasts alike.

Storm⚡️Watch - 11/21/23
Welcome to the latest episode of Storm Watch by GreyNoise Intelligence, hosted by Emily Austin, Kimber Duke, Glenn Thorpe, and boB Rudis. In this episode, we're excited to share some good news about the takedown of the IPStorm Botnet, a significant victory in the fight against cybercrime. The Russian and Moldovan national behind the illegal botnet proxy service has pleaded guilty, marking a significant step forward in international cybersecurity efforts. In breaking news, we discuss the recent SEC complaint filed by ALPHV against MeridianLink for not disclosing a breach to the SEC. The breach was linked to Confluence, and we delve into the details of this incident and its implications. We also focus on the CrushFTP RCE. In our regular programming segment, we discuss how Clorox is cleaning house after a cyberattack, with the company's cyber chief leaving as recovery efforts continue. We also talk about Rackspace's hefty $11M ransomware recovery bill, which was linked to an OWASSRF vulnerability. Toyota also makes headlines with a breach confirmed after the Medusa ransomware group threatened to leak data, an incident tied to the CitrixBleed vulnerability. We also discuss the upcoming IRISSCON cybersecurity conference, where Russian cybersecurity experts are expected to present. We reflect on the 20th anniversary of Patch Tuesday, a monthly event that has become a staple in the cybersecurity world. We also give a nod to the upcoming CAMLIS conference, which we'll cover in more detail next week. In our tool time segment, we introduce MaxCVE, a useful tool for cybersecurity professionals, and discuss the importance of container vulnerability scanning awareness. In our self-promotion segment, we share some of the latest updates and discoveries from Censys and GreyNoise, including the introduction of Censys Search Teams, the discovery of NTC Vulkan infrastructure, and how to get a leg up on initial access ransomware with CISA KEV and GreyNoise tags. We also showcase UX and feature improvements in Sift. Finally, we discuss the latest trends in GreyNoise tags and the importance of the Known Exploited Vulnerabilities Catalog from CISA. We also cover CISA's new initiative to expand scalable cybersecurity services to protect broader critical infrastructure and their recently released Health Sector Guidance Document.

Storm⚡️Watch - 11/14/23
Before we got the podcast going, we sent some love to Iceland, which is currently experiencing significant seismic activity. The Icelandic Meteorological Office has detected about 900 earthquakes in the region between Grindavík and Sundhnúkur, leading to the evacuation of the coastal town of Grindavík. The likelihood of a volcanic eruption is deemed considerable. In good news, an international syndicate involved in cybercrime has been busted with the arrest of eight people. This is a significant step in the fight against cybercrime and a testament to the hard work of law enforcement agencies worldwide. Breaking news from Maine involves a rant about MOVEit, a global data security incident that has raised concerns about data protection and privacy. We'll delve into this topic and discuss its implications. In tech news, a new cutting-edge attack has been discovered that can steal SSH cryptographic keys. This vulnerability occurs during signature generation when a client and server are establishing a connection, and affects keys using the RSA cryptographic algorithm. This discovery underscores the importance of constant vigilance and innovation in cybersecurity. In regular news, Sumo Logic has disclosed a security breach after discovering unauthorized access to its AWS account. The company has advised customers to rotate their API access keys and other credentials as a precautionary measure. Hive ransomware is back, and a new offspring, Hunters International, has taken the stage. We'll discuss this development and its potential impact on cybersecurity. We also talked about NotCVE, a new initiative in the cybersecurity world, and introduced you to a useful tool, the CVE Half Day Watcher. In our shameless self-promotion segment, we discussed the SLP Tag Blog and the new addition of PCAPs in Analysis. We also did the usual roundup of the latest tags on GreyNoise. Finally, we discussed the latest updates from KEV, including the ACSC BCiB and the CISA Software Supply Chain Guide.

Storm⚡️Watch - 11/7/23
In this episode of Storm Watch our hosts discuss a variety of topics, including the top cyber conflicts, vulnerability remediation, and the latest issues with Confluence, F5, ActiveMQ, and VMware. The episode began with a brief introduction and some casual banter among the hosts. They discussed their Halloween experiences and Glenn's obsession with Wordle. They also mentioned a movie called "Clown" that Kimber recommended for those with a fear of clowns. The hosts then moved on to discuss cybersecurity topics including:
- Interview with Konstantin of CVECrowd.com
- Good News: UK CVD legislation
- Confluence Viz Activity
- ActiveMQ Viz Activity
- F5 Viz Activity
- Okta breach update
- QNAP vulns
- Myth of the long-tail vulnerability
- The release of CVSS4
- Quick FYI for the Microsoft/Foreign Policy "Digital Front Lines" magazine
- Quick FYI on a Wiz blog
- News about the joint Censys/GreyNoise workshop
- Mention of the new GreyNoise Honeypots/honeytokens blog
- Mention of the new GreyNoise Summary Stats Observable notebook
- GreyNoise Tag roundup
- KEV roundup
- Notes that November is Critical Infra Security & Resilience Month
The episode concluded with a discussion on the myth of the long tail vulnerability, a topic covered in a blog post by Ben from Cisco. The hosts agreed that the hype cycle for vulnerabilities is real and predictable, and there is no long tail vulnerability.

Storm 🎃 Watch - 10/31/23
The Storm Watch podcast episode from October 31, 2023, began with the hosts in a light-hearted mood, donning costumes for Halloween. The hosts discussed the latest happenings in the cybersecurity world, focusing on the latest phones, developments at Censys and GreyNoise, and important cybersecurity news. They also touched on conspiracy theories. The hosts were in costumes, with one host dressed as the Invisible Man, another as Louise Belcher from Bob's Burgers, and another as Cozy Bear, a reference to APT 29, a cyber espionage group. They also discussed their "scariest vulnerabilities," with one host mentioning mercenary spyware like Pegasus as a significant concern. The hosts then discussed the recent security breaches involving Okta, BeyondTrust, and 1Password. They praised 1Password for their transparent and detailed response to the incident. They also discussed the recent vulnerabilities found in SolarWinds and the subsequent charges filed by the SEC against SolarWinds and their Chief Information Security Officer for fraud and internal control failures. The hosts also discussed a tool called cvecrowd.com, which tracks CVE mentions on Mastodon, a social network. They praised the tool for its usefulness in tracking cybersecurity vulnerabilities and incidents. They also mentioned an upcoming event at a brewery where they would discuss threat hunting techniques and tips. The hosts then discussed the recent vulnerabilities found in Cisco IOS, with one host sharing her findings from her investigation into the vulnerabilities. They also discussed the importance of patching and updating systems to protect against these vulnerabilities.

Storm⚡️Watch - 10/24/23
This episode of Storm Watch begins with introductions of the hosts - Bob, Emily (Censys), Glenn, Remy, and guest Jake Baines (VulnCheck). The hosts discuss two ransomware groups being taken down - the Ukrainian Cyber Alliance taking down Trigona, and RagnarLocker ceasing operations. However, they note ransomware attacks often continue in new forms. The increase in Bitcoin value is also concerning, as it tends to correlate with more ransomware attacks. A significant portion of the podcast focuses on the vulnerabilities in Cisco routers and Citrix systems. The hosts explain the vulnerabilities, provide background, and detail the work done by their teams to analyze the issues. They are critical of Cisco's disclosure and patching process. The hosts discuss the recent Okta breach, criticizing their response time and communication process. They explain how the breach occurred via access to support systems, and compromised session tokens and HAR files. The hosts emphasize the sensitivity of HAR files. Other topics covered include:
- Recent Citrix vulnerability
- Attackers targeting exposed Jupyter notebooks
- MGM Resorts data breach notification letters finally reaching Maine residents
- New open source tool Precursor for payload analysis
The hosts close out with recommendations for tabletop incident response exercises, favorite Halloween candies, and a plea for better security awareness and coordination across the industry.

Storm⚡️Watch - BREAKING NEWS - 10/18/23
This "Breaking News" edition of the Storm Watch podcast begins with the hosts introducing themselves and their guest, Mark from Censys. The hosts discuss the recent surge in activity around a new Cisco IOS vulnerability and the subsequent system implants. Censys has published a blog post on the topic and discovered that approximately 41,983 hosts had this implant installed, an increase of about 5,000 to 6,000 from the previous day. The hosts discuss the unique nature of this implant, noting that it does not persist through reboots or maintenance. However, attackers can establish a more permanent threshold or entry point post-implant, pre-reboot. The hosts also discuss the development of a scan profile for this vulnerability, which was facilitated by information provided by Talos in their blog post. Then they discuss the distribution of the affected hosts, noting that they are spread across many different autonomous system organizations. They speculate that many of the affected systems are likely small businesses or residential users who received their devices from their Internet Service Providers (ISPs). The hosts also note that many different entities are scanning for this vulnerability, some of which are unknown, indicating that many people are opportunistically jumping on this issue. The hosts conclude the podcast by discussing the severity of this vulnerability, noting that it provides top-tier, or "God mode," access to people's networks. They encourage listeners to stay informed and safe, and they express hope that they won't have to report on another breaking news issue before their next scheduled episode. Be sure to check out the GreyNoise blog for more details and updates on this active vulnerability.

Storm⚡️Watch - 10/17/23
On this episode of Storm Watch the hosts discuss a recent vulnerability in the Cisco IOS software, which they describe as a "legit terrible vulnerability". This vulnerability can be triggered to place an implant on a Cisco device, granting the attacker full access to the device. They emphasize that this is a serious issue and encourage listeners to look into it further. They also discuss a vulnerability in WordPad, which they find surprising given that WordPad is often forgotten about. They note that Microsoft has claimed to have updated WordPad to address this vulnerability and also that Microsoft is abandoning WordPad (though they made an update for this vuln). The hosts also discuss the importance of blocking outbound NTLM over SMB in Windows, with Glenn emphasizing that organizations should not allow SMB outbound from their perimeter. They discuss the challenges of restricting outbound internet access for the general user base, noting that it would require an application firewall and could potentially lead to a large number of help desk tickets. Another topic of discussion is a recent blog post by VulnCheck, which reveals that many devices have already been compromised due to the Cisco IOS software vulnerability. They note that the compromised devices were found in Digital Ocean, which they find amusing. Finally, the team reviews recent GreyNoise Tags, additions to CISA KEV, a new "KEV API" open-source tool, and the new KEV "ransomware" field, with a daily-updated visualization by GreyNoise.
Storm⚡️Watch - 10/10/23
In this episode of Storm Watch, the hosts were joined again by Emily Austin, a senior researcher from Censys, and Daniel Grant, a principal data scientist at GreyNoise. They discussed the Sift tool, a new product from GreyNoise, and its potential applications in the field of cybersecurity. The hosts began by discussing a recent Microsoft report that suggested basic security hygiene could protect against 99% of attacks. They highlighted the importance of multi-factor authentication, zero trust, and patching as key elements of this basic security. The hosts also noted that 80% of ransomware compromises occur via unmanaged devices, emphasizing the need for organizations to prioritize their security efforts. Next, they discussed a recent vulnerability in Confluence, a popular team collaboration software. The vulnerability, which was exploited as a zero-day, allowed remote attackers to create new users. The hosts stressed the importance of auditing user accounts, even after patching, to ensure that no unauthorized users were created during the exploit. The hosts then turned their attention to the impact of a cyber attack on Clorox. The company has predicted a significant drop in sales due to the attack, which the hosts speculated might have been timed to coincide with flu season, a high-demand period for Clorox products. The episode also covered a new vulnerability in the HTTP/2 protocol, which could potentially be exploited for a denial-of-service (DoS) attack. The hosts noted that currently, the best protection against this type of attack is a DDoS mitigation service. Finally, the hosts discussed the addition and removal of certain devices from the Known Exploited Vulnerabilities (KEV) list. They noted that the MeetingOwl, a device they had previously discussed, had been removed from the list. The hosts concluded the episode by emphasizing the importance of basic security measures and the role of cybersecurity professionals in protecting against threats.
Storm⚡️Watch - 10/3/23
Welcome to Storm Watch by GreyNoise Intelligence, where the hosts discuss the latest cybersecurity topics and news. In this episode, the hosts are joined by special guest Emily Austin, a security researcher at Censys. Censys is a company that scans the entire IPv4 space, providing fast internet-wide scan data for researchers, threat hunters, and others who need to understand the internet landscape. They also offer an attack surface management platform to help organizations identify and protect their assets. Emily is a senior researcher and leads the research team at Censys, focusing on new vulnerabilities and internet measurement analytics. During the podcast, the hosts discuss the challenges of analyzing scan data and the importance of being informed about potential threats. They also touch on the topic of threat hunting and the debate between the terms "threat hunting" and "thrunting." Emily then does a deep dive on the WS_FTP exposure situation. The hosts mention the upcoming nationwide test of the emergency alert system by FEMA, which will send alerts to cell phones, radios, and televisions. They emphasize the importance of being aware of this test and the potential for disruptions. The conversation then shifts to the recent libwebp debacle, which has made every Chromium instance vulnerable. The hosts express concern about the lack of attention this issue is receiving and the confusion caused by the changing CVEs. Along with other cyber news, the show announces a new GreyNoise Early Access Program (EAP) feature: Sift. Sift lets users with GreyNoise accounts access the same early attack triage tools the internal GreyNoise Detection Engineering team uses. GreyNoise Labs is releasing it now to get feedback from customers and the community to help make Sift as useful as possible when applied to the PCAP data coming from the new GreyNoise Early Access Program sensors.
Storm⚡️Watch - 9/26/23
In this episode of Storm Watch, the hosts discuss their recent experiences and updates in the cybersecurity world. The podcast begins with Kimber sharing her experience at LabsCon, a small conference organized by SentinelOne's labs team, focused on threat intelligence information sharing. Next, the hosts discuss GreyNoise's sensor workshop at LabsCon, where they demonstrated the deployment of a sensor and the possibilities it opens up for information gathering. Sensors are points on the internet that passively collect data, waiting for interactions and storing the information in a database for further analysis. The team is working on new sensor profiles and personas, allowing them to pretend to be anything in ways they have never been able to do before. The conversation then shifts to the ongoing MOVEit vulnerability saga, with two new CVEs being announced in the past week. The hosts emphasize the importance of staying on top of these vulnerabilities and practicing responsible disclosure. They also briefly mention JetBrains' new beta Rust IDE, which is currently available for testing. Lastly, the hosts touch upon GreyNoise trends, noting that it has been a relatively calm week in terms of botnet activity. However, they point out an increase in open proxy scanners, advising listeners to educate themselves on the topic. Overall, the episode covers a range of cybersecurity topics, from conferences and workshops to vulnerabilities and trends.
S2023 Ep 16 Storm⚡️Watch - 9/19/23
In this episode of Storm Watch, the hosts discuss a recent noise storm, which is an event where a capable attacker group sends out massive amounts of TCP packets without three-way handshakes. These noise storms can cause problems for data processing pipelines and are sometimes used to distract security professionals from other malicious activities. The hosts also mention that some early noise storms were in close proximity to large-scale military engagements, leading to speculation about their purpose. The podcast also covers a recent ransomware attack by the ALPHV group, which targeted MGM via Okta, a popular identity and access management platform. The hosts discuss the group's articulate statement and snarky tone, as well as the fact that the group seems to be based in the US, which may contribute to their proficiency in English. They also mention that GreyNoise has coverage for this emergent threat and provides advice for security professionals on how to handle it. Additionally, the hosts announce the launch of GreyNoise Labs, a platform for deep technical dives and research. Labs is designed for ultra-nerds who want to know the nitty-gritty details of various security topics. The hosts also discuss the potential for predicting security events by correlating anomalies with news articles and breaches. Finally, the hosts touch on the "jet stream" of the internet, which consists of always-on threats like Mirai and SSH brute force attacks. They mention that these threats behave differently over time and are accompanied by smaller pockets of thunderstorms and systems moving in. Overall, the episode covers a wide range of cybersecurity topics, from noise storms and ransomware attacks to the launch of GreyNoise Labs and the ever-present threats on the internet.
S2023 Ep 15 Storm⚡️Watch - 9/12/23
In the Storm Watch podcast episode from September 12, 2023, the host discusses the value of private group chats and the resurgence of IRC. They mention the creation of a new Discord server for their community and express concerns about Salesforce's ownership of Slack. The conversation then shifts to the recent Apple vulnerabilities, emphasizing the importance of patching devices and staying informed about security issues. The host also talks about the LastPass breach, in which the company was hacked, and the subsequent poor handling of the situation. They advise listeners to switch to two-factor authentication and change their passwords in response to the breach. The episode also covers the theft of $35 million from crypto accounts, which may be linked to the LastPass breach. The podcast touches on the topic of known exploited vulnerabilities, expressing frustration with the lack of timely information about such incidents. The host and guests then engage in a discussion about their predictions for the number of vulnerabilities to be discovered in the coming week. In conclusion, the host encourages listeners to stay safe, be cautious when interacting with strangers, and reach out to the Storm Watch community through various platforms, including Slack, social media, and Discord.
S2023 Ep 14 Storm⚡️Watch - 9/5/23
In this episode of Storm Watch, the hosts discuss various topics related to cybersecurity and the internet. They begin by comparing the unpredictability of weather patterns to the challenges of predicting internet activity and cyber threats. The hosts suggest that perhaps they should consider using a "cone of uncertainty" model, similar to hurricane forecasting, to help visualize potential internet threats. The conversation then shifts to the recent North Korean cyberattacks targeting security researchers. The hosts express disappointment at not being targeted themselves and discuss the importance of being aware of potential threats and evaluating one's own risk factors. They also mention Google's efforts to raise awareness about the issue and encourage those affected to reach out for assistance. Next, the hosts discuss the recent Apple zero-day vulnerabilities and emphasize the importance of patching devices. They also touch on the broader topic of whether security checkboxes and best practices are still effective in today's rapidly evolving threat landscape. Finally, the episode covers the Microsoft Exchange Server vulnerabilities and the company's response to the issue. The hosts express disappointment in Microsoft's handling of the situation, noting that there seems to be a lack of transparency and detail in their communications. They also discuss the potential consequences of not implementing proper key rotation and the importance of learning from these incidents to improve security practices moving forward.
S2023 Ep 13 Storm⚡️Watch - 8/28/23
In the August 28th episode of the Storm Watch podcast, the hosts discussed various cybersecurity topics and welcomed a new guest, Donna, the director of product design at GreyNoise. Donna shared her experience attending Blue Team Con, a conference for cybersecurity defenders. She emphasized the importance of learning directly from the cybersecurity community to improve GreyNoise's overall user experience. Glenn, another host, also attended the conference and praised its organization, variety of talks, and friendly atmosphere. The hosts then discussed a recent Sophos report on cybersecurity trends, highlighting the report's engaging writing style and informative content. They also touched on a misleading headline about Russia hacking Poland's rail network, clarifying that it was not a cyber attack but rather simple radio frequency interference that caused the trains to stop. The hosts expressed concern about the vulnerability of modern systems to such basic attacks. The conversation shifted to the impact of ransomware attacks on businesses, with the hosts mentioning two Danish cloud providers that went out of business due to ransomware incidents. They emphasized the importance of taking cybersecurity seriously, as even well-prepared businesses can be affected by unforeseen threats. Lastly, the hosts discussed a recent Capture the Flag (CTF) competition organized by GreyNoise. They praised the event's organization and shared some interesting stories from the participants, including a real-life open-source intelligence gathering situation. The CTF event showcased the creativity and skills of the cybersecurity community and provided valuable learning experiences for the participants.
S2023 Ep 12 Storm⚡️Watch - 8/21/23
In this episode of Storm Watch, the hosts discuss their experiences at Hacker Summer Camp and their excitement about new sensors they've been working with. They consider the possibility of doing a demo in the next episode and mention some sneak peeks available on Andrew's Twitter account. The conversation then shifts to the extreme weather conditions they've been experiencing, including heat domes and "hurriquakes." The hosts express their disappointment with the lack of progress made by federal departments and agencies in response to the Biden-Harris administration's executive order on cybersecurity. They emphasize the importance of faster reporting and applying basic cybersecurity principles. They also discuss the massive number of victims affected by the MOVEit ransomware campaign, urging cybersecurity professionals to focus on healthcare and other underserved areas. The ARPA-H initiative, or "DigiHeals," is introduced as a government research project aimed at improving healthcare cybersecurity. The hosts share their concerns about the vulnerabilities they've observed in healthcare networks and encourage cybersecurity professionals to dedicate time to helping these critical systems. They also announce the winners of the inaugural NoiseFest CTF of 2023, a Capture the Flag competition organized by the GreyNoise Labs team.
Storm⚡️Watch - 8/14/23
In this Storm Watch episode, the hosts discuss various topics related to cybersecurity, vulnerabilities, and attacker activity. The episode features Kimber, a product manager at GreyNoise, and Glenn Thorpe, the director of security research and detection engineering at GreyNoise. The team shares their experiences and takeaways from attending Black Hat and DEF CON, cybersecurity conferences held in Las Vegas. During the conferences, the hosts noticed an increased focus on API and supply chain security, particularly among startups. They also observed a growing interest in healthcare security, with discussions centered around protecting hospitals from ransomware attacks and implementing canaries to detect such attacks faster. The hosts also mention the popularity of the AI Village at DEF CON, as well as the Policy Village, which aims to protect the cybersecurity community and researchers. The podcast also covers the GreyNoise Capture the Flag (CTF) event, where participants were challenged to solve various cybersecurity puzzles. The hosts express their admiration for the effort put into designing the challenges and their interest in hearing participants' reactions. They also discuss a new feature in GreyNoise that allows users to set up alerts based on specific tags, making it easier to monitor and receive updates on particular vulnerabilities. Overall, this episode highlights the importance of staying informed about the latest trends and developments in cybersecurity, as well as the value of participating in events like Black Hat, DEF CON, and the GreyNoise CTF to learn and engage with the cybersecurity community.
Storm⚡️Watch - 8/7/23
In this episode of Storm Watch, the hosts discuss a variety of topics, including their upcoming trip to Vegas for a cybersecurity event and the challenges they face in staying up-to-date with the latest vulnerabilities and threats. One of the main topics of discussion is the issue of companies hiding vulnerability information behind paywalls or requiring NDAs to access advisories. The hosts argue that this practice is counterproductive, as it slows down awareness and remediation efforts while creating anxiety and anger towards the affected company. The hosts also touch on the upcoming NoiseFest CTF (Capture the Flag) event, which features 22 different challenges for participants to test their skills in various areas of cybersecurity. They encourage listeners of all skill levels to participate and reach out for help if needed, as the event is designed to be both fun and educational. Another topic of discussion is the importance of staying on top of patching and updating systems to protect against vulnerabilities. The hosts praise their own internal team for their quick response to a recent vulnerability in their data science and business analytics software, emphasizing the need for organizations to prioritize security and maintain a proactive approach. Lastly, the hosts discuss a recent ransomware attack against a health network provider that affected multiple states and disrupted patient services. They emphasize that ransomware is still a significant threat and that organizations must remain vigilant in protecting their systems and data. Overall, the episode highlights the importance of staying informed about the latest threats and vulnerabilities and the need for organizations to prioritize security and transparency in their operations.
Storm⚡️Watch - 7/31/23
In this episode of Storm Watch, the hosts discuss the recent MOVEit data breach and its impact on various organizations. They mention that around 550 organizations have been affected so far, but this number is likely to increase significantly. One of the victims, National Student Clearinghouse, partners with about 3,600 US post-secondary schools, and it is unclear how many of these institutions have been affected. The hosts also discuss the costs associated with incident response, with one company estimating its recovery and remediation costs at $15 million. Brett Callow from Emsisoft joins the conversation to provide more insight into the MOVEit breach. He explains that his role as a threat analyst involves aggregating data from various sources to shed light on ransomware numbers and trends. The hosts discuss whether the MOVEit breach should be classified as ransomware or simply data theft and extortion. Brett mentions that the attackers have stolen data and are threatening to release it online unless the impacted organizations pay ransoms, which can run into millions of dollars. The hosts also touch on recent vulnerabilities in MobileIron, ColdFusion, and Citrix ShareFile, noting that they have observed malicious activity targeting these vulnerabilities. They praise the efforts of their team in creating numerous tags for July, highlighting the importance of staying informed about potential threats. Finally, the hosts briefly mention the threat hunting guides and encourage listeners to check them out for valuable information on identifying and mitigating potential threats.
Storm⚡️Watch - 7/24/23
In this Storm Watch episode, the hosts were joined by Matthew Remacle, aka Remy, a detection engineer at GreyNoise. They discussed the recent surge in zero-day vulnerabilities, which they dubbed "zero-day summer," and how it seems to occur every year before the Black Hat conference. Remy shared his role at GreyNoise, where he analyzes network traffic to write tags or signatures for malicious, benign, and unknown network traffic to identify behaviors on the internet. The hosts also talked about recent vulnerabilities in ColdFusion and Citrix ADC servers, emphasizing the importance of patching these systems. They mentioned Mandiant's report on North Korean threat actors leveraging JumpCloud in supply chain compromises and the potential unauthenticated API access in Ivanti, a mobile device management platform. Additionally, they discussed GreyNoise's new threat hunting guide, which provides a comprehensive overview of the history, key components, and future of threat hunting. Kimber mentioned the increasing popularity of the term "threat hunting" and how it has evolved into a legitimate job role. The hosts also touched on the use of AI in threat hunting, with Bob mentioning a recently released AI threat hunting platform. The hosts concluded by discussing the steady increase in known exploited vulnerabilities cataloged by CISA, emphasizing the importance of addressing these vulnerabilities and patching systems.
Storm⚡️Watch - 7/17/23
In this episode of the Storm Watch podcast, the hosts discuss their recent vacations and the mandatory two-week shutdown at GreyNoise. The conversation then shifts to the MOVEit software and its increasing number of CVEs. Kimber suggests that the surge in CVEs might be due to researchers taking a closer look at MOVEit for the first time, as it is a critical software used in government entities. The hosts also discuss the possibility that similar software might become a focus for attackers in the coming months. Next, the hosts talk about the lack of new tags due to their vacation and a recent bump in Mirai activity. They mention a double-encoded URL tag that has doubled the number of IP addresses, but they don't have any hypotheses about the reasons behind it. They also touch on the ability of GPT to create Python notebooks on the fly and the potential security risks associated with it. Finally, the hosts discuss NoiseFest, an upcoming event celebrating all things GreyNoise. Kimber shares her excitement about the Capture the Flag (CTF) competition that will take place during the week of Black Hat and DEF CON.
Storm⚡️Watch - 6/26/23
In this episode of Storm Watch, the hosts discuss a variety of cybersecurity topics, starting with the discovery of an Android mobile botnet. They note that mobile traffic has been trending upward since the end of March, with a significant increase in April. The botnet is attributed to a banking Trojan, and the hosts emphasize the importance of keeping mobile devices updated and being cautious with app installations and link clicks. The conversation then shifts to recent cyber incidents, including the VMware Aria vulnerability and the Fortinet and Zyxel pre-auth injection vulnerabilities. The hosts stress the importance of staying on top of updates and considering additional security measures for these devices. They also mention the ongoing MOVEit campaign, which has impacted over 100 organizations and exposed over 5 million records. Next, the hosts touch on the Apache Log4j vulnerability, noting a recent spike in activity that has since returned to its previous baseline. They also discuss an advisory on an ICS monitoring device with a hardcoded password vulnerability, emphasizing the potential high value for attackers targeting industrial control systems. Finally, the hosts address a recent UPS data disclosure letter, which has been criticized for its lack of clarity. They emphasize the importance of transparency and straightforward communication when it comes to security incidents and data breach notifications.
S2023 Ep 5 Storm⚡️Watch - 6/20/23
In this episode of Storm Watch, the hosts discuss various cybersecurity topics, including a Fortinet vulnerability, a DDoS attack on Microsoft Outlook, the ongoing issues with Log4j, and the MOVEit vulnerability. The hosts first talk about a new Fortinet vulnerability, offering their snarky comments about the company's security issues. They then move on to discuss a recent DDoS attack on Microsoft Outlook, which caused significant downtime for users. The attack was attributed to Anonymous Sudan, a hacktivist group that uses open proxy services to launch their attacks. The hosts mention that with the current political climate and upcoming presidential election, more DDoS attacks can be expected. Next, they discuss the MOVEit vulnerability, which has been exploited by attackers to target various organizations, including some governments. The hosts emphasize the importance of staying on top of security updates and patches to protect against such attacks. They also mention their community Slack channel, where they encourage users to share information on niche software and research partnerships. Finally, the hosts touch on the resurgence of Log4j scans, suggesting that attackers may be targeting organizations that have restored backups or deployed old images without the necessary patches in place. They also mention a recent Verizon DBIR report that highlighted Log4j vulnerabilities, possibly contributing to the renewed interest in exploiting them. The hosts conclude by emphasizing the importance of staying vigilant and up-to-date with security measures to protect against these ongoing threats.
S2023 Ep 4 Storm⚡️Watch - 6/12/23
In this episode of Storm Watch, the hosts discuss a variety of cybersecurity topics, including a new CVE (CVE-2023-27997) related to a Fortinet RCE vulnerability in SSL VPNs. The vulnerability was discovered by a French research group and is currently being tracked. Fortinet has already issued patches, so the hosts advise upgrading Fortinet devices as soon as possible. The hosts also discuss the recent issues with Barracuda appliances, advising users to consider replacing them due to security concerns. They mention that Barracuda devices may be falling out of fashion in favor of alternatives like Proofpoint. Reddit's recent API changes and the potential impact on public internet communities are also discussed. The hosts express concern about the loss of open information sharing, especially in the cybersecurity industry, as private communities become more prevalent. They encourage listeners to join GreyNoise's community Slack for information sharing and collaboration. Lastly, the hosts touch on new tags added to GreyNoise, including one related to an older internet scanner that has recently become open source. They also mention the Telerik platform, which has a history of vulnerabilities and is frequently targeted. The hosts emphasize the importance of staying vigilant and keeping an eye on emerging threats.
S2023 Ep 3 Storm⚡️Watch - 6/5/23
In this episode of Storm Watch, the hosts discuss the recent MOVEit vulnerability and its impact on various organizations. Kimber, a GreyNoise product manager, shares her background and role at the company. She started on the research team, now known as GreyNoise Labs, and transitioned to product management, where she focuses on packaging GreyNoise data to help users in their environments. The MOVEit vulnerability, which allows for unauthorized access to the database, was first reported in an advisory from Progress, the software vendor. The GreyNoise community quickly raised awareness of the issue, and the company published a blog post with their findings. They discovered scanning activity related to the vulnerability dating back to March, suggesting that organizations should review their systems for signs of compromise since then. Some victims, such as British Airways and Boots, have already disclosed their involvement. The hosts also discuss the collaboration and information sharing among the cybersecurity community in response to the MOVEit vulnerability. They highlight the importance of sharing remediation information and the quick response from various groups, including state governments. The GreyNoise community and other information sharing groups have played a crucial role in disseminating information and helping organizations stay safe. Finally, Kimber teases an upcoming feature for GreyNoise users: the Labs Beta API platform. This platform will allow users to query the GreyNoise Labs dataset, including command and control (C2) IP addresses, popular IP address queries, and HTTP requests. While the dataset provided will be less than 10% of the full data, it still offers a significant amount of information for users to explore. The feature is expected to be released within the next two weeks.
S2023 Ep 2 Storm⚡️Watch - 5/30/23
In this episode of Storm Watch, hosts Bob and Glenn discuss recent cybersecurity events and the ongoing activity of the Mirai botnet. They mention a significant spike in Mirai botnet activity starting around May 10th, which continued to increase throughout the following weeks. The hosts note that Mirai is one of the primary botnets on the internet, with thousands of IP addresses attempting to find new members daily. The hosts also discuss the geographical distribution of Mirai-infected devices, which are spread across the globe, mostly in residential networks. They highlight that Amazon's network has compromised servers that are part of the Mirai botnet. The top 15 autonomous systems account for about 75% of the traffic observed during the spike in Mirai activity. Remy, a researcher, analyzed the binaries of the Mirai botnet and found that it was targeting Tenda, NetLog, LB-Link, and Zyxel devices. The hosts mention that they have updated their coverage for these devices and will be monitoring the situation closely. They also briefly discuss the recent vulnerability in Barracuda ESG appliances, urging users to keep their devices updated.
S2023 Ep 1 Storm⚡️Watch - 5/22/23
In our first episode of Storm Watch, the hosts discuss GreyNoise, a cybersecurity company that operates a large honeypot network to collect data on unsolicited internet traffic. By analyzing this data, GreyNoise can identify attackers, network scanners, and other malicious activities, helping users prioritize and make actionable decisions based on the findings. The hosts also talk about CISA KEV, a known exploited vulnerabilities list that helps organizations prioritize remediation and mitigation efforts. CISA KEV updates are not on a scheduled basis but are added as new information becomes available. GreyNoise partners with CISA to provide valuable data for the list. The hosts emphasize the importance of prioritizing older vulnerabilities, as some of the recent additions to CISA KEV date back to 2004. For those new to GreyNoise, the hosts recommend starting with the visualizer at viz.greynoise.io. Users can explore trends, view tags, and see the most recent malicious IPs detected. The hosts emphasize that even a small number of malicious IPs can be significant, given that GreyNoise sensors are unsolicited and the IPs are actively seeking out these assets.