EPIC new GN Labs post by @Dio9sys that reads better than any spy novel/murder mystery you've consumed in years.
The real question is…"Who is Aobrej?" 🧐
https://www.labs.greynoise.io/grimoire/2026-02-24-whats-that-string/
| @ntkramer |
CVE-2026-23760 - Changed to Known Ransomware Status
SmarterTools SmarterMail Authentication Bypass Using an Alternate Path or Channel Vulnerability
Vendor: SmarterTools
Product: SmarterMail
SmarterTools SmarterMail contains an authentication bypass using an alternate path or channel vulnerability in the password reset API. The force-reset-password endpoint permits anonymous requests and fails to verify the existing password or a reset token when
https://nvd.nist.gov/vuln/detail/CVE-2026-23760
RE: https://infosec.exchange/@kev_Stalker/116099613343152330
Got one today.
Looking forward to sharing the stage at [un]prompted with the wizard himself, @hrbrmstr, as we showcase "Orbie" (a custom-built AI agent that analyzes internet-scale honeypot data to surface emerging threats and even identify campaigns).
We’ll share what works, what doesn’t, and the specific campaigns we caught that traditional methods missed. You’ll see how domain expertise embedded in tooling enables LLMs to operate on billions of network sessions, and why that matters more than the model you choose.
Excited to share that I've been asked to speak at the Minorities in Cybersecurity Conference this March!
I’ll be on a panel “How Do You Define Cybersecurity Experience? A Change in Perspective” where we’ll dig into what really counts as cybersecurity experience beyond job titles, traditional career paths, and gatekeeping checklists.
If you’re passionate about broadening who gets seen, heard, and valued in this field, attend and let's continue the conversation in person. https://www.mincybsec.org/annual-conference
Fun how MSFT doesn't share any identifiable information about what their scanning looks like. (https://internetscans.microsoft.com/). While it appears to be just a user agent, since it's spoofable, we can't mark it benign.
If anyone there wants to confirm the list of 240+ IPs we're observing/suspecting, LMK.
RE: https://infosec.exchange/@kev_Stalker/116020576227249969
So, based on my work of digging into the KEV Ransomware flips, the RSS feed will now auto-toot here, if interested. There was a flip Tuesday (before the bot) and another just now.
RE: https://infosec.exchange/@greynoise/116002702711084624
My latest pet project, an RSS feed to alert you to the silent KEV knownRansomwareCampaignUse flips!
(Did you know there were four CVEs flipped last week?) #threatintel
🍩 & #threatintel - Since its disclosure 11 days ago, 95% of the exploitation attempts of CVE-2026-20045, a critical vulnerability in Cisco Unified Communications Manager, have used a distinctive user-agent: Mozilla/5.0 (compatible; CiscoExploit/1.0) and are heavily targeted against our Cisco Unified Communications Manager (UCM) sensors.
We're tracking it here: https://viz.greynoise.io/tags/cisco-unified-communications-manager-input-validation-cve-2026-20045-rce-attempt?days=10
Appears to be from https://github.com/Ashwesker/Ashwesker-CVE-2026-20045