Notices by GreyNoise (greynoise@infosec.exchange)

We observed a 65% drop in global telnet traffic in a single hour on Jan 14, settling into a sustained 59% reduction. 18 ASNs went silent, 5 countries disappeared, but cloud providers were unaffected.

Our analysis of 51.2M sessions points to backbone-level port 23 filtering by a North American Tier 1 transit provider.

🔗 https://www.labs.greynoise.io/grimoire/2026-02-10-telnet-falls-silent/

#GreyNoise #ThreatIntel #CyberSecurity #InfoSec

In 2025, 59 CVEs quietly flipped to “known ransomware use” in CISA’s KEV...no alerts, no fanfare. 🧐

We dug through a year of JSON to catch every silent flip and built an RSS feed so you don’t miss the next one.

Read the blog + grab the feed 🗞️

https://www.greynoise.io/blog/unmasking-cisas-hidden-kev-ransomware-updates

🚨 Palo Alto GlobalProtect scanning surged 40X in 24hrs...a 90-day high.
2.3M login attempts from concentrated infrastructure (AS200373/AS208885).
Block these IPs now: https://www.greynoise.io/blog/palo-alto-scanning-surges-90-day-high

EU sanctioned Stark Industries in May. Leaked docs gave them 12 days warning.

Result: ASN shuffle, rebrand to THE.Hosting. Corporate shells changed, network behavior didn't.

We tracked it: AS44477→AS209847. Packets don't lie.
🔗 https://www.greynoise.io/blog/stark-industries-shell-game

GreyNoise now has coverage for Cisco zero-days CVE-2025-20333 and CVE-2025-20362. Watch for exploit attempts in real-time:CVE-2025-20333
(Net-new): https://viz.greynoise.io/tags/cisco-asa-vpn-input-validation-cve-2025-20333-rce-attempt?days=1CVE-2025-20362
(Updated tag): https://viz.greynoise.io/tags/cisco-asa-directory-traversal-cve-2018-0296-and-cve-2025-20362-attempt

#CiscoASA #Cisco #ZeroDay #CiscoZeroDays #CVE202520333 #CVE202520362 #GreyNoise #ThreatIntel

Two critical Ivanti zero-days (CVE-2025-4427 + CVE-2025-4428) are now being actively exploited after a surge in scanning activity last month. Immediate patching is required. Get more details here ⬇️ https://www.greynoise.io/blog/ivanti-epmm-zero-days-reconnaissance-exploitation
#ZeroDay #CyberSecurity #threatintel

🚨 9X Surge in Scanning for Ivanti Connect Secure. No CVEs are tied to this yet, but patterns like this often precede exploitation. Full analysis + suspicious IPs: https://www.greynoise.io/blog/surge-ivanti-connect-secure-scanning-activity #Ivanti #Cybersecurity #Scanning

🚨 New GreyNoise Tag Alert: We've added a fresh tag tracking CrushFTP Authentication Bypass (CVE-2025-2825) exploitation attempts. Thanks to @horizon3ai for the intel! Dive into the details: https://viz.greynoise.io/tags/crushftp-authentication-bypass-cve-2025-2825-attempt

🚨 March 12 UPDATE: Grafana Exploitation May Signal Multi-Phase SSRF Attacks. Update + original analysis: https://www.greynoise.io/blog/new-ssrf-exploitation-surge #Cybersecurity #GreyNoise #Vulnerability

🚨 Hackers Are Exploiting Fortinet Firewalls 🚨
15k+ FortiGate firewalls were breached via CVE-2022-40684. GreyNoise has spotted 366 compromised devices behaving abnormally. Defenders: Patch now, secure your systems, and check your IPs.

https://www.greynoise.io/blog/hackers-actively-exploiting-fortinet-firewalls-real-time-insights-from-greynoise

We believe the public PoC for for CVE-2020-3580 XSS affecting Cisco ASA and FTD may be being utilized to curate a list of IP's that are likely to be vulnerable to CVE-2020-3259, an unauthenticated memory disclosure vulnerability, recently attributed to Akira ransomware.

https://viz.greynoise.io/tag/cisco-asa-xss-attempt?days=30