GreyNoise At The Edge Intel Brief | June 1-8, 2026

This week's story: credential attacks on the front door of remote access, not new vulnerabilities.
🔗 https://www.greynoise.io/resources/at-the-edge-clear-060826

1. A single Netherlands host (94.102.49.82, malicious) produced more than a quarter of all RDP crawling we observed — a 48-hour burst across a wide port range, then silence.

2. Every major SSL VPN vendor — Fortinet, Cisco, SonicWall, and Palo Alto — drew sustained credential brute-forcing and login scanning.

3. A two-node MikroTik RouterOS brute-force campaign (NL + BR) continued for a third week on TCP/8728.

4. Nine of the top ten source IPs trace to rented hosting — apply GreyNoise dynamic blocklists for the relevant tags — the IPs rotate, the tag-based coverage does not.

The actionable intelligence is the specific IPs, ASNs, and GreyNoise tags — not generic hardening advice.

#ThreatIntel #CyberSecurity #InfoSec #GreyNoise

NoiseFest is BACK 🎉
We're throwing our 4th annual party during Black Hat / DEF CON 2026 with a 60s and 70s theme 🏵️🎸✌️. Cold drinks, new connections, and stories from the front lines of cybersecurity at House of Blues B-Side in Las Vegas.

🔗RSVP: https://info.greynoise.io/events/blackhat-noisefest-2026

#BlackHat #DEFCON #NoiseFest #GreyNoise #cybersecurity

GreyNoise At The Edge (May 19–26, 2026): a week of rented-infrastructure reconnaissance against the internet's edge — routers, VPN gateways, container planes, and embedded devices, probed in parallel.

1. A long-running MikroTik RouterOS brute-force operation (VPSVAULT, AS215925) reversed a multi-week decline, adding a second node and climbing back to ~1.9M sessions against TCP/8728.

2. A fingerprinted Netherlands cluster cataloged Fortinet, Ivanti, Pulse Secure, Sophos, and F5 appliances, running auth-bypass checks including Palo Alto PAN-OS GlobalProtect (CVE-2020-2034).

3. Telnet dominated volume; low-level probing continued for the tracked GNU telnetd out-of-bounds write watch item CVE-2026-32746 (CVSS 9.8).

4. Kubernetes and Docker control-plane recon now runs from a compromised consumer broadband host.

The infrastructure rotates constantly — detect on behavior, not addresses.

https://www.greynoise.io/resources/at-the-edge-clear-052526

#ThreatIntel #CyberSecurity #InfoSec #GreyNoise

📢 SonicWall scan spike in May 2026: early warning sign of a new CVE?
📝 ## 📡 Context

On May 21, 2026, GreyNoise published a warning signal based on data from its **SonicWall SonicOS API Scan...
📖 cyberveille: https://cyberveille.ch/posts/2026-05-21-pic-de-scan-sonicwall-en-mai-2026-signal-precurseur-d-une-nouvelle-cve/
🌐 source: https://www.greynoise.io/blog/sonicwall-scanning-spike-echoes-pattern-preceded-cve-2026-0400
#CVE_2026_0400 #GreyNoise #Cyberveille

SonicWall scan spike in May 2026: early warning sign of a new CVE?

📡 Context: On May 21, 2026, GreyNoise published a warning signal based on data from its SonicWall SonicOS API Scanner tag, reporting abnormally high scanning activity targeting SonicWall's SonicOS management interfaces.

📊 Observed activity: Between May 9 and 18, 2026, GreyNoise recorded a significant spike in scan sessions. May 12, 2026 was the highest peak, with about 597,000 sessions in a single day, roughly 46 times the usual daily volume on this tag over the preceding 30 days.

CyberVeille

A scanning pattern similar to the one preceding CVE-2026-0400 in February is active again. May 12 saw the largest single-day session volume on this SonicWall tag in 90 days.

🔗 https://www.greynoise.io/blog/sonicwall-scanning-spike-echoes-pattern-preceded-cve-2026-0400

#GreyNoise #ThreatIntel #SonicWall

GreyNoise At The Edge — April 13–20, 2026. Four themes dominated activity on the GreyNoise sensor network this week — spanning reconnaissance, exploitation attempts, credential brute-forcing, and botnet recruitment.

1. A broad credential and configuration discovery campaign ran at ~6.2M sessions across hundreds of IPs — ENV files, .git/config, AWS metadata, path traversal, sensitive file access. The biggest real story, distributed rather than concentrated.

2. VNC scanning surged to the third-most-targeted port on the internet — port 5900 at 17.4M sessions. Not in prior briefs.

3. A new multi-cloud Masscan framework activated this week. Shared JA3 across a new Poland IP and an existing DigitalOcean Singapore cluster.

4. VPSVAULT IoT worm weaponized CVE-2025-54322 (Xspeeder SXZOS, CVSS 10.0). CVE-2026-24061 (GNU telnetd, CVSS 9.8, CISA KEV) also in payload.

Full Report: https://www.greynoise.io/resources/at-the-edge-clear-042026

#ThreatIntel #CyberSecurity #InfoSec #GreyNoise

At The Edge Clear: April 13 - 20, 2026

This week's report covers credential discovery, VNC exposure, and a new multi-cloud scanning framework.

See you in Glasgow for #CyberUK! 🇬🇧

Find GreyNoise at Booth D2 + catch our talks:
🗓 Apr 22, 12:20 – Nishawn Smagh
🗓 Apr 23, 14:30 – Glenn Thorpe III

Happy Hour @ Golf Fang on Apr 22 ⛳️

Book 1:1 time: https://info.greynoise.io/cyberuk-meet-with-us

#CyberSecurity #ThreatIntelligence #GreyNoise

CyberUK | Meet With Us | GreyNoise Intelligence

GreyNoise is proud to be a sponsor and speaker at this year's CyberUK conference. Here are all the different ways you can engage with GreyNoise during the event.

NEW: GreyNoise At The Edge Intel Brief (March 23-30)

187,998,900 sessions from 100 top source IPs observed by GreyNoise sensors between March 23-30, 2026. Daily volumes surged 4x mid-week — from 8.5M to 36.6M in 72 hours.

1. VPSVAULT IoT botnet recruitment across 22 CVEs — 3,347,443 sessions from 4 Brazilian IPs targeting Hikvision, MikroTik, TP-Link, D-Link devices. Includes CVE-2026-24061, now on CISA KEV.

2. VisionHeight fleet of 6 AWS IPs generated 5,892,055 sessions mapping enterprise perimeters across Palo Alto, Sophos, Ivanti, Citrix, F5, and ConnectWise — probing CVE-2024-1709 (CVSS 10.0).

3. React/Next.js exploit chaining (CVE-2025-55182 + CVE-2025-29927) produced 1,338,336 sessions, with attackers spoofing GoogleBot user-agents to bypass detection.

4. At least 4 new scanning operations activated simultaneously mid-week, driving the sharp volume surge across the observation period.

Here's what we found: 🔗 https://www.greynoise.io/resources/at-the-edge-clear-033026

#ThreatIntel #CyberSecurity #InfoSec #GreyNoise

200,886,675 sessions. 101 unique source IPs. March 16–23, 2026.

GreyNoise At The Edge intelligence brief highlights:

1. The MEVSPACE RDP brute-force operator returned after a 99.8% infrastructure collapse — single IP generated 7,975,241 sessions before deliberately withdrawing after 4 days. GreyNoise has tracked a surge-withdraw-reconstitute cycle since January 2026, reinforcing that well-resourced operators can reconstitute capacity within days.

2. Two coordinated campaigns emerged: VPSVAULT.HOST (IoT worm weaponizing 21+ CVEs against 12+ manufacturers) and Omegatech (TLS fingerprint randomization with 5,854 unique JA3s per node).

3. Sophos CVE-2022-1040 exploitation stabilized at 638,654 sessions in its fifth consecutive week. Enterprise VPN credential pressure reached week 9 across five vendors with 2.9M+ combined sessions.

4. n8n CVE-2026-21858 (CVSS 10.0) reached 118,086 sessions with links to MuddyWater and ZeroBot. ICS/SCADA reconnaissance expanded with new HMI and PLC vulnerabilities trending.

🔗 https://www.greynoise.io/resources/at-the-edge-clear-032326

#ThreatIntel #CyberSecurity #InfoSec #GreyNoise

On January 14, someone pulled the plug on Telnet. Global traffic dropped by 65% in an hour, six days before the world knew why. Taiwan filtered 77%, India 70%, Japan 65%.

A protocol born in 1969, a vulnerability hidden for 11 years, 52 IPs from 16 countries that attempted the exploit, and a mystery that reads like a thriller. The full story is in the new episode of buongiornirondirondello.

https://youtu.be/vVQuEC0Py3s?si=-xV2PRSFLz9mbURb

#telnet #security #arpanet #protocolli #greynoise

Telnet suddenly disappeared. Who closed port 23? - Buongiorno 315

YouTube