
GreyNoise analyzes Internet background noise. Use GreyNoise to remove pointless security alerts, find compromised devices, or identify emerging threats.

(Yes, it's really us. - Love, GreyNoise)

GreyNoise is proud to be sponsoring the CrowdStrike CrowdTour across 8 cities! We’re excited to highlight how our integration with Falcon Next-Gen SIEM helps SOC teams stop chasing ghosts and start catching real threats.

If you’re attending a tour stop or local to the area, let’s connect to chat about:
- Validating your perimeter in real time.
- Protecting the identity layer from brute-force scanners.
- Filtering out background noise to focus on high-fidelity alerts.

👇 Book a meeting with us here:
https://info.greynoise.io/crowdtour-2026-meet

Last week, half of all new scanning IPs observed by GreyNoise geolocated to Hong Kong.

A quarter-million of them never completed a TCP handshake.

The ones that did were scanning MySQL, SSH, SMB, and RDP across 20+ countries.

One of these is the signal. The other is noise.
🔗 https://www.greynoise.io/blog/ghost-fleet-half-new-scanning-ips-geolocated-to-hong-kong

200,886,675 sessions. 101 unique source IPs. March 16–23, 2026.

GreyNoise At The Edge intelligence brief highlights:

1. The MEVSPACE RDP brute-force operator returned after a 99.8% infrastructure collapse — single IP generated 7,975,241 sessions before deliberately withdrawing after 4 days. GreyNoise has tracked a surge-withdraw-reconstitute cycle since January 2026, reinforcing that well-resourced operators can reconstitute capacity within days.

2. Two coordinated campaigns emerged: VPSVAULT.HOST (IoT worm weaponizing 21+ CVEs against 12+ manufacturers) and Omegatech (TLS fingerprint randomization with 5,854 unique JA3s per node).

3. Sophos CVE-2022-1040 exploitation stabilized at 638,654 sessions in its fifth consecutive week. Enterprise VPN credential pressure reached week 9 across five vendors with 2.9M+ combined sessions.

4. n8n CVE-2026-21858 (CVSS 10.0) reached 118,086 sessions with links to MuddyWater and ZeroBot. ICS/SCADA reconnaissance expanded with new HMI and PLC vulnerabilities trending.

🔗 https://www.greynoise.io/resources/at-the-edge-clear-032326

#ThreatIntel #CyberSecurity #InfoSec #GreyNoise

New GreyNoise At The Edge brief: The internet's scanning infrastructure is reorganizing.

UCLOUD (HK) surged +578% to become the #1 scanning ASN — now 15.6% of all observed traffic. Western providers declining simultaneously.

301.8M sessions. 439K IPs. Here's what we found.

🔗 https://www.greynoise.io/resources/at-the-edge-clear-031626

Starting at the top of the hour! 🚨

Hope to see you there to break down all things State of the Edge with @morris @hrbrmstr + Nishawn!

There's still time to register 👉 https://info.greynoise.io/webinar/state-of-the-edge-2026

TOMORROW! 🚨 Join us for a fast-paced dive into the 2026 GreyNoise State of the Edge Report...from rogue residential botnets to 26-year-old CVEs still getting hammered. Save your spot and see what’s actually hitting the edge.
🔗 https://info.greynoise.io/webinar/state-of-the-edge-2026

🚀 New GreyNoise + Google SecOps integrations are live. See which IPs scan everyone vs just you, now directly inside Google SecOps.

🧩 SIEM: Standardized ingestion, dashboards, YARA-L rules, and saved searches
⚡️ SOAR: v7.0 actions, webhooks, and playbooks to automate triage

https://www.greynoise.io/blog/greynoise-google-secops-integration

New GreyNoise Integrations Enhance Detection and Response Capabilities in Google SecOps

GreyNoise's new and improved integration with Google SecOps delivers standardized indicator ingestion, pre-built dashboards, YARA-L detection rules, saved searches, SOAR response actions, webhook support, and ready-to-deploy playbooks.

@BSidesLuxembourg

@TindrasGrove

so I work at @greynoise which I'm sure has a more fancy and corporate description but, in a nutshell, I take data from honeypots. I identify exploits being sent to these honeypots. I write suricata signatures to match the exploits and add metadata describing what it is, when it was made, etc. That data is then sent as a data feed to SIEMs to give soc analysts another data point to hopefully make alert triage faster and sent to TIPs for intel teams. It's also put on the website to give a historical graph, geoip info, IPs to add to your firewall, things of that sort. I also conduct research in our logs to find things that are either not being talked about or things that are more niche and blog about them (I wrote this https://www.labs.greynoise.io/grimoire/2026-02-24-whats-that-string/ ).

What’s That String? That Time a Weird String Revealed a Whole Operation – GreyNoise Labs

One weird payload turned out to be a loose thread on an active hacking operation.

GreyNoise Labs

Hey London! We are closing down day 1 at #ecrimecongress today + can't wait to see you tomorrow! If you're around, say hi to the team, watch a demo, and grab some great swag! 🔥

Edge attacks are evolving faster than your playbook. Join @morris, @hrbrmstr + Shawn Smagh next Tuesday for a live breakdown of where edge targeting is concentrating, where defenses are failing, + what 162 days of internet-scale data says about your real exposure.

https://info.greynoise.io/webinar/state-of-the-edge-2026

Webinar - State of the Edge: Where Edge Targeting Concentrated — And Where Defenses Have Measurable Gaps

Join GreyNoise's Founder, VP of Data Science + Research, and Director of Intelligence as they break down key findings from the 2026 GreyNoise State of the Edge Report.