Ron Bowes (@iagox86)'s Twitter Profile
Ron Bowes

@iagox86

Work smart, not hard

Mastodon: [email protected]

ID:113150429

https://blog.skullsecurity.org
10-02-2010 21:41:08

8,5K Tweets

6,0K Followers

329 Following

GreyNoise (@GreyNoiseIO)

We're headed to Philly! Join Glenn 📎 on April 17th as he joins his Storm Watch co-host Emily Austin and her friends at Censys for a Threat Hunting Workshop + Happy Hour! Learn from the pros, meet new friends + walk away with new skills, see you there! 🍷
buff.ly/4aBtGLq

GreyNoise (@GreyNoiseIO)

Old but not forgotten! CVE-2023-22527, an Atlassian Confluence vulnerability, is still popular with attackers. Discover what attacker techniques we're observing post-compromise.
buff.ly/3IALYAB

GreyNoise (@GreyNoiseIO)

We published a tag today for CVE-2023-48788, a CVSS 9.8 SQL 💉 injection vulnerability in FortiNet FortiClientEMS, thanks to our friends at Horizon3.ai viz.greynoise.io/tags/fortinet-…

GreyNoise (@GreyNoiseIO)

🚨We've created two new tags for the authentication bypass vulnerabilities in TeamCity that JetBrains patched today - CVE-2024-27198 and CVE-2024-27199.

We'll be keeping our eyes peeled to see if attackers start incorporating these into their toolkit!
viz.greynoise.io/tags/teamcity-……

Jakub Kramarz (@LenweNet)

Christophe Tafani-Dereeper Ron Bowes ϻг_ϻε The only one I can provide, is that was accidentally found while pentesting perimeter of our client, reported without details and with recommendation to immediately isolate device and wait for vendor's reaction. How Ivanti classified and played the vulnerability - it's their part

Will Dormann (@wdormann)

'Code injection vulnerability' sure is a curious way to convey 'we used backdoored code.'
But whatever makes you look less worse, I suppose. 🤷‍♂️

GreyNoise (@GreyNoiseIO)

Discover the untold story of Ivanti's CVE-2021-44529 – is it a code injection or a backdoor? 🤔 Ron Bowes unearths clues using tools like the Wayback Machine in our latest Grimoire blog.
buff.ly/42JovGR

Ron Bowes (@iagox86)

A couple weeks ago I got nerdsniped by ϻг_ϻε and dug into an old vuln in Ivanti Endpoint Manager. The advisory says 'code injection', but rumours said 'backdoored open source'. I had a look around, and wrote up what I discovered:

labs.greynoise.io/grimoire/2024-…

Ron Bowes (@iagox86)

The day has come, Bluesky is no longer invite-only! I still eagerly await the day that I never have to come back to Twitter

Stephen Fewer (@stephenfewer)

The SSRF, as we found it, is actually an n-day in the xmltooling library, patched out around June 2023 and assigned CVE-2023-36661. The SSRF can be chained to CVE-2024-21887 for unauthenticated command injection with root privileges.

Ron Bowes (@iagox86)

Tag for Fortra GoAnywhere CVE-2024-0204 (based on Horizon3 Attack Team's details) is live. Will be interesting to see what folks try! viz.greynoise.io/tag/goanywhere…

Ron Bowes (@iagox86)

You'd think a company like Fortra - who makes Core Impact - would know that silently patching high-risk vulnerabilities is a bad idea, but apparently not?

rapid7.com/blog/post/2024…

GreyNoise (@GreyNoiseIO)

Unravel the mystery of F5 BIG-IP vulnerabilities in our latest Grimoire post! Ron Bowes explores misidentified exploits, historical quirks, and surprising facts. 🔎
greynoise.io/blog/the-confu…

Andrew Morris (@Andrew___Morris)

Another incredible GreyNoise blog post by Ron Bowes (@iagox86) on the confusing history of F5 Big-IP vulnerabilities.

greynoise.io/blog/the-confu…

Glenn 📎 (@NTKramer)

🥪 & : We just pushed out this blog post with examples of Ivanti exploitation used for crypto mining. We've also included relevant IOCs and a link to a Gist containing naughty IPs.

greynoise.io/blog/ivanti-co…

Andrew Morris (@Andrew___Morris)

In lieu of our oncoming GreyNoise blog post, here's a public gist of the IPs and attack paths of every device we're seeing vuln-check or exploit Ivanti devices over the past few days (CVE-2023-46805 and CVE-2024-21887)

Hat tip to Ron Bowes

gist.github.com/andrew-morris/…
