Storm⚡️Watch by GreyNoise Intelligence

Forecast = Stormy with a chance of TikTok malware showers—exploit scoring systems hot, but patch management outlook remains partly cloudy. Welcome to Storm⚡️Watch! In this episode, we're diving into the current state of cyber weather with a mix of news, analysis, and practical insights. This week, we tackle a fundamental question: are all exploit scoring systems bad, or are some actually useful? We break down the major frameworks: **CVSS (Common Vulnerability Scoring System):** The industry standard for assessing vulnerability severity, CVSS uses base, temporal, and environmental metrics to give a comprehensive score. It's widely used but has limitations—especially since it doesn't always reflect real-world exploitability. **Coalition Exploit Scoring System (ESS):** This system uses AI and large language models to predict the likelihood that a CVE will be exploited in the wild. ESS goes beyond technical severity, focusing on exploit availability and usage probabilities, helping organizations prioritize patching with better accuracy than CVSS alone. **EPSS (Exploit Prediction Scoring System):** EPSS is a data-driven approach that estimates the probability of a vulnerability being exploited, using real-world data from honeypots, IDS/IPS, and more. It updates daily and helps teams focus on the most urgent risks. **VEDAS (Vulnerability & Exploit Data Aggregation System):** VEDAS aggregates data from over 50 sources and clusters vulnerabilities, providing a score based on exploit prevalence and maturity. It's designed to help teams understand which vulnerabilities are most likely to be actively exploited. **LEV/LEV2 (Likely Exploited Vulnerabilities):** Proposed by NIST, this metric uses historical EPSS data to probabilistically assess exploitation, helping organizations identify high-risk vulnerabilities that might otherwise be missed. **CVSS BT:** This project enriches CVSS scores with real-world threat intelligence, including data from CISA KEV, ExploitDB, and more. It's designed to help organizations make better patching decisions by adding context about exploitability. Next, we turn our attention to a troubling trend: malware distribution via TikTok. Attackers are using AI-generated videos, disguised as helpful software activation tutorials, to trick users into running malicious PowerShell commands. This “ClickFix” technique has already reached nearly half a million views. The malware, including Vidar and StealC, runs entirely in memory, bypassing traditional security tools and targeting credentials, wallets, and financial data. State-sponsored groups from Iran, North Korea, and Russia have adopted these tactics, making it a global concern. For employees, the takeaway is clear: never run PowerShell commands from video tutorials, and always report suspicious requests to IT. For IT teams, consider disabling the Windows+R shortcut for standard users, restrict PowerShell execution, and update security awareness training to include social media threats. We also highlight the latest from Censys, VulnCheck, runZero, and GreyNoise—industry leaders providing cutting-edge research and tools for vulnerability management and threat intelligence. Don't miss GreyNoise's upcoming webinar on resurgent vulnerabilities and their impact on organizational security. And that's a wrap for this episode! We will be taking a short break from Storm Watch for the summer. We look forward to bringing more episodes to you in the fall! Storm Watch Homepage >> Learn more about GreyNoise >>  

Forecast = Mostly cloudy with a chance of rogue SSH access—keep your patches up to avoid a phishy forecast! Welcome to Storm⚡️Watch, where we unpack the latest in cybersecurity threats, research, and the tools that keep the digital world safe. In this episode, we invite GreyNoise Security Architect and researcher Matthew Remacle (a.k.a., Remy) to kick things off with a deep dive into a fascinating and highly sophisticated botnet campaign targeting ASUS routers—a story that starts with a little help from machine learning and ends with some hard lessons for defenders everywhere. GreyNoise researchers spotted this campaign using SIFT, their AI-powered network traffic analyzer, which sifted through more than 23 billion network entries and managed to flag just 30 suspicious payloads targeting ASUS routers. What made this botnet stand out was its surgical precision and stealth—far from the usual noisy, attention-grabbing attacks. The attackers knew exactly what they were doing, focusing on disabling TrendMicro security features embedded in the routers, essentially breaking in by first turning off the alarm. The attack chain reads like a masterclass in persistence: brute force and clever authentication bypasses got them in the door, a null byte injection tricked the router's authentication system, and a command injection vulnerability allowed them to manipulate logging features in a way that opened up even more attack paths. The real kicker? The final backdoor was installed using legitimate ASUS features, meaning it could survive firmware updates and stay hidden from traditional detection methods. This campaign affected thousands of routers globally, with over 4,800 compromised devices detected and counting. Even after ASUS released a patch—adding character validation rather than fixing the underlying flaw—researchers found that the fundamental vulnerability remained, and attackers could potentially work around the patch. This story highlights the ongoing challenges in IoT security: complexity breeds vulnerability, persistence is a nightmare to detect and remove when attackers use legitimate features, and patches often address symptoms rather than root causes. It's a reminder that traditional signature-based detection is no longer enough—behavioral analysis and AI-driven anomaly detection are now essential for spotting these advanced threats. We also touch on the bigger picture: the evolving cat-and-mouse game between attackers and defenders, the importance of defense in depth, and why understanding normal network behavior is more critical than ever. Plus, we look at the human element—attackers who are patient, technically sophisticated, and deeply aware of how to evade detection. For organizations, the takeaways are clear: defense in depth, behavioral monitoring, asset management, and patch management are all non-negotiable. And for everyone else, it's a reminder that the devices we trust to protect us are themselves complex and potentially vulnerable computers. Later in the episode, we take a closer look at vulnerability scoring systems—CVSS, EPSS, and SSVC—and why reading between the scores is so important for risk management. We also highlight the value of fresh, actionable data from sources like Censys and VulnCheck, and round things out with a nod to the ongoing conversation happening on the GreyNoise blog. Thanks for tuning in to Storm⚡️Watch. Stay vigilant, keep learning, and remember: in cybersecurity, the difference between safe and compromised can be as subtle as a single null byte. Storm Watch Homepage >> Learn more about GreyNoise >>  

Forecast = Expect scattered AI layoffs, a flurry of bogus bug bounties, and a persistent workforce drought-so keep your firewalls up and your résumés handy! ‍ On this episode of GreyNoise Storm⚡️Watch, we kick things off with our usual round of introductions before diving into the latest cyber weather and threat landscape. If you're new here, Storm⚡️Watch is where we break down what's moving the needle in cybersecurity, spotlighting the people, tools, and trends shaping the field. For today's poll, we're feeling nostalgic and asking: What do you miss most from the Slow Internet days? Whether it's the wild west of Myspace, the quirky chaos of Fark, the creative playground of Wattpad, or the endless flash animations on Albino Blacksheep, we want to know what old-school internet experience you'd revive if you could. We're also talking about the pitfalls of AI in bug bounty programs. The open-source project curl has had enough of users flooding them with AI-generated “slop” vulnerabilities that waste maintainers' time and don't actually move security forward. It's a reminder that, despite the hype, AI isn't a silver bullet for finding real bugs and can actually create more noise than signal. Speaking of AI, the conversation shifts to how major companies are reshaping their workforce in the name of artificial intelligence. CrowdStrike just announced it's cutting 5% of its jobs, citing AI-driven restructuring and the need for efficiency. It's not just CrowdStrike-Duolingo is pushing AI into every corner of its product and workflow, with leadership urging engineers to “start with AI for every task,” even as they admit the tech is still error-prone and often less effective than human effort. The end result? Workers are being asked to manage and troubleshoot clumsy AI tools instead of using their expertise, and users are left with content that's sometimes flat-out wrong or just less engaging than before. But while AI is shaking up tech jobs, the cybersecurity workforce shortage isn't going away. The PIVOTT Act has been revived in Congress to address the growing gap, offering full scholarships for two-year degrees in cyber fields in exchange for government service. It's aimed at making it easier for people to pivot into cyber careers, especially as professionals in other sectors worry about AI-driven job cuts. The Act is being administered by CISA and is designed to streamline the path into government cyber roles, including those requiring security clearances. As always, we spotlight some of the latest developments from Censys, VulnCheck, runZero, and GreyNoise; then wrap up with some quick goodbyes and reminders to check out the latest from all our partners and contributors. Thanks for tuning in to Storm⚡️Watch-where the only thing moving faster than the threats is the conversation. Storm Watch Homepage >> Learn more about GreyNoise >>  

Forecast = Cloudy with a chance of zero-days-watch for Spellbinder storms and scattered Git leaks! ‍ On this episode of Storm⚡️Watch, the crew dives into the fast-moving world of vulnerability tracking and threat intelligence, spotlighting how defenders are moving beyond the traditional CVE system to keep pace with real-world attacks. The show kicks off with a look at the latest listener poll, always a source of lively debate, before jumping into some of the most pressing cybersecurity stories of the week. A major focus of this episode is the recent revelation that a China-aligned APT group, dubbed TheWizards, is using a tool called Spellbinder to abuse IPv6 SLAAC for adversary-in-the-middle attacks. This technique lets attackers move laterally through networks by hijacking software update mechanisms-specifically targeting popular Chinese applications like Sogou Pinyin and Tencent QQ-to deliver malicious payloads such as the modular WizardNet backdoor. The crew unpacks how this approach leverages IPv6's stateless address autoconfiguration to intercept and redirect legitimate traffic, underscoring the evolving sophistication of lateral movement techniques in targeted campaigns. The episode then turns to Google's 2024 zero-day exploitation analysis, which reports a drop in the total number of zero-days exploited compared to last year but highlights a worrying shift: attackers are increasingly targeting enterprise products and infrastructure. Microsoft, Ivanti, Palo Alto Networks, and Cisco are among the most targeted vendors, with nearly half of all zero-day exploits now aimed at enterprise systems and network appliances. The discussion covers how attackers are chaining vulnerabilities for more impactful breaches and why defenders need to be vigilant as threat actors pivot to harder-to-monitor enterprise environments. Censys is in the spotlight for its recent research and tooling, including a new Ports & Protocols Dashboard that gives organizations granular visibility into their attack surface across all ports and protocols. This helps teams quickly spot risky exposures and misconfigurations, making it easier to prioritize remediation efforts and automate alerting for high-risk assets. The crew also highlights Censys's collaborative work on botnet hunting and their ongoing push to retire stale threat indicators, all of which are reshaping proactive defense strategies. runZero's latest insights emphasize the importance of prioritizing risks at the asset stack level, not just by CVE. The crew explains how misconfigurations, outdated software, and weak network segmentation can create stacked risks that traditional scanners might miss, urging listeners to adopt a more holistic approach to asset management and vulnerability prioritization. Rounding out the episode, GreyNoise shares new research on a dramatic spike in scanning for Ivanti Connect Secure VPNs and a surge in crawling activity targeting Git configuration files. These trends highlight the persistent risk of codebase exposure and the critical need to secure developer infrastructure, as exposed Git configs can lead to the leak of sensitive credentials and even entire codebases. As always, the show wraps up with some final thoughts and goodbyes, leaving listeners with actionable insights and a reminder to stay vigilant in the face of rapidly evolving cyber threats. If you have questions or want to hear more about any of these topics, let us know-what's on your mind this week? Storm Watch Homepage >> Learn more about GreyNoise >>  

Forecast = Scattered phishing attempts with a 90% chance of encrypted clouds. ‍ In this episode of Storm⚡️Watch, the crew dissects the evolving vulnerability tracking landscape and the challenges facing defenders as they move beyond the aging CVE system. The show also highlights the rise of sophisticated bot traffic, the expansion of GreyNoise's Global Observation Grid, and fresh tools from VulnCheck and Censys that are helping security teams stay ahead of real-time threats. In our listener poll this week, we ask: what would you do if you found a USB stick? It's a classic scenario that always sparks debate about curiosity versus caution in cybersecurity. It's officially cyber report season, and we're breaking down the latest findings from some of the industry's most influential threat intelligence teams. GreyNoise's new research spotlights the growing risk from resurgent vulnerabilities-those old flaws that go quiet for years before suddenly making a comeback, often targeting edge devices like routers and VPNs. The FBI's 2024 IC3 report is out, revealing a record $16.6 billion in reported losses last year, with phishing, extortion, and business email compromise topping the charts. Mandiant's M-Trends 2025, VulnCheck's Q1 exploitation trends, and other reports all point to a relentless pace of vulnerability weaponization, with nearly a third of new CVEs being exploited within 24 hours of disclosure. We also dig into a series of ace blog posts and research from Censys, including their push to end stale indicators and their deep dives into the sharp rise in attacks targeting edge security devices. Their recent work with GreyNoise and CursorAI on botnet hunting, as well as their new threat hunting module, are changing the game for proactive defense. VulnCheck's quarterly report is raising eyebrows with the revelation that 159 vulnerabilities were exploited in Q1 2025 alone, and 28% of those were weaponized within a single day of disclosure. This underscores how quickly attackers are operationalizing new exploits and why defenders need to move faster than ever. We round out the show with the latest from runZero and a look at GreyNoise's recent findings, including a ninefold surge in Ivanti Connect Secure scanning and a spike in Git configuration crawling-both of which highlight the ongoing risk of codebase exposure and the need for continuous vigilance. Storm Watch Homepage >> Learn more about GreyNoise >>  

Forecast = Prepare for scattered CVEs, rising bot storms, and real-time threat lightning. Keep your digital umbrellas handy! ‍ On this episode of Storm⚡️Watch, we're breaking down the latest shifts in the vulnerability tracking landscape, starting with the ongoing turbulence in the CVE program. As the MITRE-run CVE system faces funding uncertainty and a potential transition to nonprofit status, the global security community is rapidly adapting. New standards and databases are emerging to fill the gaps—Europe's ENISA is rolling out the EU Vulnerability Database to ensure regional control, while China continues to operate its own state-mandated systems. Meanwhile, the CVE ecosystem's chronic delays and the NVD's new “Deferred” status for tens of thousands of older vulnerabilities are pushing teams to look elsewhere for timely, enriched vulnerability data. Open-source projects like OSV.dev and commercial players such as VulnCheck and Snyk are stepping up, offering real-time enrichment, exploit intelligence, and predictive scoring to help organizations prioritize what matters most. The result is a fragmented but innovative patchwork of regional, decentralized, open-source, and commercial solutions, with hybrid approaches quickly becoming the norm for defenders worldwide. We're also diving into Imperva's 2024 Bad Bot Report, which reveals that nearly a third of all internet traffic last year came from malicious bots. These bots are getting more sophisticated—using residential proxies, mimicking human behavior, and bypassing traditional defenses. The report highlights a surge in account takeover attacks and shows that industries like entertainment and retail are especially hard hit, with bot traffic now outpacing human visitors in some sectors. The rise of simple bots, fueled by easy-to-use AI tools, is reshaping the threat landscape, while advanced and evasive bots continue to challenge even the best detection systems. On the threat intelligence front, GreyNoise has just launched its Global Observation Grid—now the largest deception sensor network in the world, with thousands of sensors in over 80 countries. This expansion enables real-time, verifiable intelligence on internet scanning and exploitation, helping defenders cut through the noise and focus on the threats that matter. GreyNoise's latest research shows attackers are exploiting vulnerabilities within hours of disclosure, with a significant portion of attacks targeting legacy flaws from years past. Their data-driven insights are empowering security teams to prioritize patching and response based on what's actually being exploited in the wild, not just theoretical risk. We're also spotlighting Censys and its tools for tracking botnets and advanced threats, including collaborative projects with GreyNoise and CursorAI. Their automated infrastructure mapping and pivoting capabilities are helping researchers quickly identify related malicious hosts and uncover the infrastructure behind large-scale attacks. Finally, VulnCheck continues to bridge the gap during the CVE program's uncertainty, offering autonomous enrichment, real-time exploit tracking, and comprehensive coverage—including for CVEs that NVD has deprioritized. Their Known Exploited Vulnerabilities catalog and enhanced NVD++ service are giving defenders a broader, faster view of the threat landscape, often surfacing critical exploitation activity weeks before it's reflected in official government feeds. As the vulnerability management ecosystem splinters and evolves, organizations are being forced to rethink their strategies—embracing a mix of regional, open-source, and commercial intelligence to maintain visibility and stay ahead of attackers. The days of relying on a single source of truth for vulnerability data are over, and the future is all about agility, automation, and real-time insight. Storm Watch Homepage >> Learn more about GreyNoise >>  

Forecast = Scattered exploits, Mirai storms brewing, and rogue drones dropping malware over Russia. Keep your firewalls up—a vulnerability front is rolling in fast! ‍ On this episode of Storm⚡️Watch, we're bringing you a packed episode that covers the latest in cyber threat intelligence, industry news, and a few stories you won't want to miss. We kick things off with our usual round of introductions and a quick look at the cyber weather, setting the stage for what's happening across the threat landscape. In our first segment, Tod shares his wrap-up from VulnCon 2025, highlighting the key takeaways and emerging trends from this year's conference. From new vulnerability research to the latest in exploit techniques, Tod breaks down what security professionals need to know and what's likely to shape the industry in the coming months. Next up, we sit down with Tracy Z. Maleeff, better known as InfosecSherpa, for an interview that traces her journey from librarian to cybersecurity professional. Tracy shares insights on career pivots, the importance of information literacy in security, and her ongoing work to make the field more accessible. Her story is a must-listen for anyone considering a move into cyber or looking for inspiration from someone who's successfully navigated the transition. We then turn our attention to a headline-grabbing story out of Ukraine, where reports indicate that drones sent into Russian territory are not just for surveillance or kinetic impact—they're also carrying malware designed to infect military systems if captured. This blend of physical and cyber warfare is a stark reminder of how modern conflicts are increasingly fought on multiple fronts, with digital payloads now as critical as traditional munitions. If we need to fill a little extra time, we'll explore some of the more bizarre aspects of hybrid warfare, including reports of weaponized consumer goods—think exploding sex toys and cosmetics—being used as part of psychological and disruption campaigns targeting the West. It's a strange new world where almost anything can be turned into a tool of conflict. We also spotlight recent research from Censys on the Salt Typhoon attacks, which underscore the need for advanced defenses as attackers continue to exploit edge devices and cloud infrastructure. Their findings highlight the importance of proactive monitoring and rapid response to emerging threats. On the GreyNoise front, we've observed a threefold surge in exploitation attempts targeting TVT DVRs, likely linked to Mirai botnet activity. This uptick is a clear signal that attackers are constantly scanning for vulnerable devices to conscript into their botnets, and it's a reminder for defenders to stay vigilant and patch exposed systems. As always, we wrap up with a round of goodbyes and a reminder to subscribe for more insights, interviews, and real-time threat intelligence. Thanks for tuning in to Storm⚡️Watch—where we keep you ahead of the cyber storms. Storm Watch Homepage >> Learn more about GreyNoise >>  

Forecast: Patchy with a 32% backlog surge, CVE squalls causing auth bypass showers, and Lazarus fronts looming—keep your threat umbrellas handy!"

Forecast = Cloudy with a chance of cyber meatballs. ‍ We're not fooling around in this episode of Storm⚡️Watch! The show kicks off with some positive news about the Journal Times returning to full operations following a cyberattack. This is followed by important information for VMware users regarding Broadcom's significant licensing changes effective April 10, including an increase in minimum core requirements from 16 to 72 cores per command line and a new 20% penalty for late subscription renewals that will be applied retroactively. The crew then reviews results from their recent poll asking listeners which feature of encrypted messaging apps concerns them most, with options including data storage, unencrypted backups, metadata, and accidental adds. In our first segment, we discuss security concerns with the Unitree Go1 consumer-grade robot dog, specifically focusing on the recently disclosed Zhexi Oray Tunnel backdoor that has raised alarm in the security community. Next up, the team explores FamousSparrow and their SparrowDoor malware, examining the techniques and implications of this threat actor's operations. In light of recent event, the hosts provide comprehensive guidance on secure messaging practices, drawing from recent Washington Post and Wired articles. They emphasize that secure communication depends not just on the app but also on how you use it. Key recommendations include choosing contacts wisely, securing your devices by using personal rather than work equipment, setting messages to automatically delete, and selecting the right messaging apps with Signal being the top recommendation for its verifiable end-to-end encryption. They also warn about potential vulnerabilities in cross-platform messaging and advise caution with apps like Telegram. We quickly review Europol's 2025 report on the evolving landscape of organized crime, which now heavily intersects with cybercrime. Traditional criminal networks have transformed into technology-driven enterprises using AI, blockchain, and cryptocurrency to enhance their operations. The internet has become the primary theater for organized crime with data as the new currency of power. The report identifies seven key threat areas and calls for improved global financial security measures, noting that criminal asset confiscation remains stagnant at around 2%. Finally, we conclude with updates from our benevolent overlords, including Censys' reports on JunOS vulnerabilities and Kubernetes issues, VulnCheck's partnership with Filigran, runZero's approach to exposure management, and GreyNoise's observations on DrayTek router activity and Palo Alto Networks scanner activity that may indicate upcoming threats. Storm Watch Homepage >> Learn more about GreyNoise >>  

Forecast: Cloudy with a chance of SSRF attacks. OpenAI's skies clear, but third-party wrappers bring storms. ‍ This week's episode kicks off with a poll asking listeners which virtual assistant they use—Alexa, Siri, Google Assistant, or none at all due to privacy concerns. The results give us a snapshot of how people feel about these ubiquitous technologies and their trust levels in them. We then tackle the headlines surrounding OpenAI and the alleged "attack" on its systems. While media outlets are buzzing with claims of vulnerabilities in ChatGPT, the reality is less dramatic. A third-party wrapper using OpenAI's API introduced an SSRF vulnerability that's being actively exploited. This issue highlights the risks of insecure third-party implementations rather than flaws in OpenAI's core infrastructure. It's a reminder that integrations can be a weak link in the cybersecurity chain, and we explore how this misunderstanding has fueled sensationalized reporting. Next up is a discussion on cybersecurity labeling for consumer IoT devices that have reached their End-of-Life (EOL) or End-of-Service (EOS). The idea is to inform users when their devices will no longer receive updates, but the execution is fraught with challenges. From complex software stacks to secondary markets breaking communication chains between vendors and consumers, we unpack why this labeling initiative is easier said than done. With home networks increasingly tied to employer networks, outdated IoT devices could become major security risks, especially in remote work setups. Privacy concerns take center stage as we examine Amazon's controversial decision to eliminate the "Do Not Send Voice Recordings" feature on Echo devices starting March 28, 2025. This change means all voice data will be processed in Amazon's cloud as part of its Alexa+ upgrade, which promises advanced generative AI capabilities. Critics argue this move erodes user privacy by removing local processing options entirely, raising questions about data retention and misuse. For privacy-conscious users, this might signal the end of their relationship with Echo devices. We also cover two critical vulnerabilities making waves in the cybersecurity world. First is CVE-2025-23120, a post-authentication Remote Code Execution flaw in Veeam Backup & Replication software. Exploitable by any domain user due to weak authentication measures and unsafe deserialization practices, this vulnerability underscores why blacklist-based approaches are insufficient for robust security. Then there's CVE-2025-24813, a remote code execution vulnerability affecting Apache Tomcat servers that can be exploited with just one PUT request. This attack leverages session persistence mechanisms and deserialization processes to gain full remote access without authentication—a stark reminder of how seemingly benign requests can lead to catastrophic breaches. Finally, we touch on updates from our benevolent overlords, including insights into ServiceNow vulnerabilities and upcoming events like NoiseFest at RSAC 2025. These resources continue to provide valuable intelligence for staying ahead of emerging threats in the cybersecurity landscape. Storm Watch Homepage >> Learn more about GreyNoise >>  

Forecast = Router-geddon: Ballista storms brewing with a chance of unforgivable vulnerabilities. Patch umbrella required. ‍ In this episode of Storm ⚡ ️Watch, the crew laments the sorry state of modern edge computing through the lens of Steve Coley's 2007 paper on "Unforgivable Vulnerabilities". The discussion examines security flaws that should never appear in properly developed software yet continue to plague systems today. These vulnerabilities demonstrate a systematic disregard for secure development practices and would be immediately obvious to anyone with basic security awareness. The team breaks down "The Lucky 13" vulnerabilities, including buffer overflows, cross-site scripting, SQL injection, and hard-coded credentials, while also exploring how modern AI tools might inadvertently introduce these same issues into today's codebase, and how one might go about properly and safely use them in coding and security engineering. The episode also features an in-depth analysis of the newly discovered Ballista botnet that's actively targeting TP-Link Archer routers through a vulnerability discovered two years ago. First detected on January 10, 2025, this botnet has already infected over 6,000 devices worldwide, with the most recent activity observed in mid-February. The threat actors behind Ballista, believed to be based in Italy, have targeted organizations across multiple sectors including manufacturing, healthcare, services, and technology in the US, Australia, China, and Mexico. The botnet exploits CVE-2023-1389 to spread malware that establishes encrypted command and control channels, enabling attackers to launch DDoS attacks and further compromise vulnerable systems. The team rounds out the episode with updates from their partner organizations. Censys shares insights on JunOS vulnerabilities and the RedPenguin threat actor, along with an investigation into server misidentification issues. RunZero discusses the importance of cybersecurity labeling for end-of-life and end-of-support consumer IoT devices. GreyNoise alerts listeners to a new surge in SSRF exploitation attempts reminiscent of the 2019 Capital One breach and promotes their upcoming webinar on March 24th. As always, the Storm⚡️Watch crew delivers actionable intelligence and expert analysis to help security professionals stay ahead of emerging threats in the ever-evolving cybersecurity landscape. Storm Watch Homepage >> Learn more about GreyNoise >>  

Forecast: Cloudy with a chance of compromised credentials and scattered vulnerabilities—stay alert out there! ‍ In this episode of Storm⚡️Watch, we're unpacking some of the most pressing developments in cybersecurity and what they mean for the industry. First, we tackle the state of CISA and its mounting challenges. From allegations that the Trump administration ordered U.S. Cyber Command and CISA to stand down on addressing Russian cyber threats, to financial groups pushing back against CISA's proposed incident reporting rule, there's no shortage of turbulence. Adding fuel to the fire, Homeland Security Secretary Kristi Noem has disbanded eight federal advisory committees, including key cybersecurity groups, citing compliance with a Trump-era executive order. Critics argue these cuts could weaken public-private collaboration and hinder CISA's ability to protect critical infrastructure. We'll break down what all this means for the future of cybersecurity leadership in the U.S. Next, we revisit a shocking case involving a U.S. soldier who plans to plead guilty to hacking 15 telecom carriers. This story highlights the ongoing risks posed by insider threats and the vulnerabilities within telecom networks, which are often targeted for their treasure troves of sensitive data. We'll explore how this case unfolded, what it reveals about vetting processes for individuals with access to critical systems, and the broader implications for cybersecurity in government-affiliated organizations. We also spotlight some fascinating research from Censys on a phishing scam exploiting toll systems across multiple states. Attackers are leveraging cheap foreign SIM cards and Chinese-hosted infrastructure in a campaign that keeps evolving. Plus, RunZero sheds light on a critical vulnerability affecting Edimax IP cameras (CVE-2025-1316), while GreyNoise reports on mass exploitation of a PHP-CGI vulnerability (CVE-2024-4577) and active threats linked to Silk Typhoon-associated CVEs. Storm Watch Homepage >> Learn more about GreyNoise >>  

Forecast = Ransomware storms surge with an 87% spike in industrial attacks—brace for ICS strikes from GRAPHITE and BAUXITE! Infostealers hit healthcare and education, while VPN vulnerabilities pour in—grab your digital umbrella! ‍ It's report season and today the crew kicks things off with a breakdown of Veracode's State of Software Security 2025 Report, highlighting significant improvements in OWASP Top 10 pass rates but also noting concerning trends in high-severity flaws and security debt. Next, we take a peek at Dragos's 2025 OT/ICS Cybersecurity Report, which reveals an increase in ransomware attacks against industrial organizations and the emergence of new threat groups like GRAPHITE and BAUXITE. The report also details the evolution of malware targeting critical infrastructure, such as Fuxnet and FrostyGoop. The Huntress 2025 Cyber Threat Report is then discussed, showcasing the dominance of infostealers and malicious scripts in the threat landscape, with healthcare and education sectors being prime targets. The report also highlights the shift in ransomware tactics towards data theft and extortion. The team also quickly covers a recent and _massive_ $1.5 billion Ethereum heist. We *FINALLY* cover some recent findings from Censys, including their innovative approach to discovering non-standard port usage in Industrial Control System protocols. This segment also touches on the growing threat posed by vulnerabilities in edge security products. We also *FINALLY* get around to checking out VulnCheck's research, including an analysis of Black Basta ransomware group's tactics based on leaked chat logs, and their efforts to automate Stakeholder Specific Vulnerability Categorization (SSVC) for more effective vulnerability prioritization. The episode wraps up with mentions of GreyNoise's latest reports on mass internet exploitation and a newly discovered DDoS botnet, providing listeners with a well-rounded view of the current cybersecurity landscape. Storm Watch Homepage >> Learn more about GreyNoise >>  

Forecast = Expect a storm of insights as we tackle cybersecurity's cloudy diversity gaps, edge device downpours, and ransomware winds blowing from Black Basta! ‍ In this episode of Storm⚡️Watch, we kick things off with an insightful interview with Mary N. Chaney, the CEO of Minorities in Cybersecurity (MiC). MiC is a groundbreaking organization dedicated to addressing the lack of support and representation for women and minority leaders in cybersecurity. Mary shares how MiC is building a community that fosters leadership development and equips members with essential skills for career advancement. We also discuss the alarming statistics that highlight the underrepresentation of minorities in cybersecurity leadership roles and explore how MiC's programs, like The MiC Inclusive Community™ and The MiC Leadership Series™, are making a tangible difference. Next, the crew descends into a critical discussion about edge security products, drawing on insights from Censys. These devices, while vital for network protection, are increasingly becoming prime targets for attackers. We examine recent vulnerabilities added to CISA's Known Exploited Vulnerabilities catalog, including flaws in products from Palo Alto Networks and SonicWall, and explore how state-sponsored actors like Salt Typhoon are exploiting these weaknesses. The conversation underscores the importance of proactive patch management and tools like attack surface monitoring to mitigate risks. In the next segment, we analyze leaked chat logs from the Black Basta ransomware group with insights from VulnCheck. These logs reveal how Black Basta prioritizes vulnerabilities in widely used enterprise technologies, their rapid response to new advisories, and even their pre-publication knowledge of certain CVEs. We break down their strategy for selecting targets based on financial viability, industry focus, and vulnerability presence, offering actionable advice for defenders to stay ahead. Finally, we turn our attention to GreyNoise's recent observations of active exploitation campaigns targeting Cisco vulnerabilities by Salt Typhoon, a Chinese state-sponsored group. Using data from GreyNoise's global observation grid, we discuss how legacy vulnerabilities like CVE-2018-0171 remain valuable tools for advanced threat actors. This segment highlights the importance of patching unaddressed issues and leveraging real-time threat intelligence to protect critical infrastructure. Storm Watch Homepage >> Learn more about GreyNoise >>  

Forecast: Expect increased malicious activity targeting enterprise network infrastructure and remote work platforms. ‍ In this episode of Storm⚡️Watch, the crew tackles some of the most pressing stories in cybersecurity and tech. First, we explore the case of Christian Marie Chapman, an Arizona woman who faces federal prison time for orchestrating a scheme that allowed North Korean IT workers to pose as U.S.-based employees. This operation, which generated over $17 million for North Korea, involved Chapman running a "laptop farm" that enabled remote access to U.S. company networks. The scheme not only compromised sensitive company data but also funneled money to North Korea's weapons programs. This story underscores the critical need for robust identity verification and background checks in hiring processes, especially in remote IT roles, to avoid inadvertently aiding malicious actors. Next, we discuss GreyNoise's findings on the active exploitation of a high-severity vulnerability in Palo Alto Networks PAN-OS (CVE-2025-0108). This authentication bypass flaw allows attackers to execute unauthorized PHP scripts, posing significant risks to unpatched systems. Organizations are urged to apply security patches immediately and restrict access to firewall management interfaces to mitigate potential breaches. GreyNoise's real-time intelligence highlights the importance of staying vigilant against evolving threats. In our featured segment, we sit down with Dennis Fisher, a celebrated journalist with over two decades of experience in cybersecurity reporting. Fisher shares insights from his career, including his work as co-founder of *Threatpost* and Editor-in-Chief at *Decipher*. Known for his analytical approach, Fisher has covered major cybersecurity events and delved into the motivations behind both attackers and defenders. His expertise offers a unique perspective on the complexities of information security. Finally, we touch on broader issues in vulnerability management and encryption policies. From GreyNoise's observations of exploitation surges in vulnerabilities like ThinkPHP and ownCloud to Censys' argument against weakening encryption standards, these discussions emphasize the need for proactive measures and smarter prioritization in cybersecurity strategies. Whether it's patching overlooked vulnerabilities or resisting calls to weaken encryption under the guise of security, staying informed is key to navigating today's threat landscape. Storm Watch Homepage >> Learn more about GreyNoise >>  

Forecast = Punxsutawney Phil saw his shadow, so we can expect continued Musk-y days ahead in these remaining DOGE days of Winter. ‍ In this week's episode of GreyNoise Storm⚡️Watch, we have a bit of an AI-theme. First, the Department of Government Efficiency (DOGE), led by Elon Musk, has sparked significant privacy and security concerns by accessing sensitive federal systems like Treasury databases and Education Department records through AI-driven analysis. Critics highlight undisclosed partnerships with vendors like Inventry.ai, which allegedly introduced algorithmic bias by disproportionately targeting diversity programs and climate initiatives while retaining fossil fuel subsidies. Cybersecurity experts warn about unvetted API integrations and data security risks, as Inventry.ai processed taxpayer information without proper FedRAMP authorization. These issues have led to bipartisan calls for stricter AI procurement rules and transparency mandates to rebuild public trust. Meanwhile, Chinese AI startup DeepSeek faces scrutiny over its claims of rivaling GPT-4 at lower costs, with analysts questioning its $5.6M training budget and geopolitical alignment. The models show systematic pro-China biases, refusing to answer 88% of sensitive questions about Tiananmen Square or Taiwan while promoting CCP narratives in responses. Security researchers flag its opaque training data—potentially using OpenAI outputs—and anti-debugging features that hinder independent audits. These concerns have triggered bans in Australia, South Korea, and U.S. agencies like NASA, with EU officials noting non-compliance with cybersecurity standards. On the defense front, Splunk's DECEIVE AI honeypot introduces innovative deception tech by letting users simulate systems via text prompts, democratizing access to advanced threat detection. While it offers dynamic behavioral analysis and safe sandboxing, security professionals caution about LLM hallucination risks that could tip off attackers and ethical questions around logging fabricated credentials. The open-source tool shows promise but remains untested against sophisticated adversaries. Rounding out the cybersecurity landscape, Censys research exposes the BADBOX botnet's infrastructure and BeyondTrust vulnerabilities, while VulnCheck highlights 2024's exploitation trends and Zyxel's unpatched telnet flaws; and GreyNoise's latest Noiseletter showcases new platform features + upcoming events. Storm Watch Homepage >> Learn more about GreyNoise >>  

Forecast: Murdoc botnet storms hit IoT devices, Mastercard's DNS flaw clouds visibility, and DHS shutdowns leave security in the dark. ‍ In this episode of Storm⚡️Watch, we explore a major DNS misconfiguration at Mastercard that went undetected for over four years. Security researcher Philippe Caturegli uncovered a simple but critical typo in Mastercard's DNS nameserver records where "akam.net" was written as "akam.ne". This error affected one in five DNS requests to Mastercard's infrastructure and could have allowed attackers to intercept emails, capture Windows authentication credentials, and distribute malware through trusted domains. The cybersecurity community was rocked by news that several crucial Department of Homeland Security advisory committees have been terminated. The Cyber Safety Review Board, which was actively investigating the Salt Typhoon hacks targeting U.S. telecommunications companies, was among the disbanded groups. This move has interrupted ongoing investigations into communications targeting high-profile political figures and raised concerns about gaps in information sharing and policy recommendations. A sophisticated new variant of the Mirai malware called the Murdoc Botnet has emerged, targeting IoT devices worldwide. With over 1,300 compromised devices and more than 100 command-and-control servers, this botnet specifically exploits vulnerabilities in AVTECH IP cameras and Huawei HG532 routers. Between December 2024 and January 2025, the botnet has launched significant DDoS campaigns against Japanese corporations, banks, and organizations across multiple sectors in various countries. The 2022 HIPAA Breach Report reveals concerning trends in healthcare security. There were 626 incidents affecting over 41 million people, with hacking and IT incidents accounting for 74% of all large breaches. Surprisingly, paper records remain a significant vulnerability, especially in smaller breaches. The report highlights persistent issues with weak authentication practices, insufficient audit controls, and incomplete risk analyses, resulting in major settlements totaling over $2.4 million. Join us for an in-depth discussion of these critical cybersecurity developments and their implications for the industry. Don't forget to check out the upcoming GreyNoise University Live event for more insights into threat intelligence and network security. Storm Watch Homepage >> Learn more about GreyNoise >>  

Forecast: TikTok storm clears out as critical infrastructure takes a hit from FortiGate downpours. ‍ In this episode of Storm⚡️Watch, we explore the dramatic conclusion of TikTok's presence in the United States and its unexpected return. The saga, which began in 2019 with initial government scrutiny, culminated in a series of significant events in January 2025, including the Supreme Court's unanimous decision to uphold the federal ban law and TikTok's brief operational shutdown. We'll discuss the emergence of alternative platforms like Xiaohongshu (REDNote) in the U.S. market and examine recent security concerns, including Remy's investigation into potential backdoor vulnerabilities. The conversation then shifts to a major cybersecurity operation where the Justice Department and FBI successfully removed malware deployed by China-backed hackers using PlugX. We'll share insights from CISA Director Jen Easterly's recent comments on the Salt Typhoon campaign and their approach to tracking cyber threats. A significant portion of our discussion focuses on the FortiGate configuration leak incident. The Belsen Group's release of sensitive data from over 15,000 FortiGate devices has exposed critical infrastructure vulnerabilities across multiple countries. The leak, stemming from a 2022 authentication bypass vulnerability (CVE-2022-40684), primarily affected devices in Mexico and the UAE, with configuration files containing firewall rules, VPN credentials, and digital certificates being exposed. We wrap up with an analysis of recent Volt Typhoon activities and their implications for global cybersecurity, along with some suspicious thoughts from GreyNoise. This episode provides crucial insights into the evolving landscape of international cyber threats and the continuous challenges faced by security professionals worldwide. Storm Watch Homepage >> Learn more about GreyNoise >>  

Forecast: Breach storms surge with Chinese actors, Ivanti spreads wider, and malware disguises itself—stay alert and patched! ‍ This episode of Storm⚡️Watch features exciting developments in security tooling and concerning breaches in critical infrastructure. We're thrilled to finally talk about Censeye on the pod! It's Censys's powerful new automated hunting platform that's revolutionizing how security teams conduct threat hunting. This innovative tool combines automation with Censys's comprehensive internet scanning capabilities, complete with new gadgets that enhance threat detection and analysis capabilities. In major security news, a significant breach at the US Treasury's Committee on Foreign Investment (CFIUS) has been attributed to Chinese state-sponsored actors. This concerning development potentially exposed sensitive data about national security reviews of foreign investments in American companies. The Ivanti vulnerability situation continues to evolve, with UK domain registry giant Nominet now confirming they've been impacted by the recent Ivanti VPN exploits. This development highlights the expanding blast radius of this critical security issue. 2025 has already seen sophisticated threat actors weaponizing exploits, with researchers uncovering an information stealer disguised as a proof-of-concept exploit for the LDAPNightmare vulnerability (CVE-2024-49113). We'll explore how Censys Search is strengthening phishing prevention through advanced SSL/TLS certificate monitoring, providing organizations with crucial tools to identify and prevent potential phishing campaigns. The episode concludes with an in-depth look at GreyNoise classifications, particularly focusing on suspicious activity patterns identified in the last 24 hours. We'll break down what these classifications mean for security teams and how to leverage this intelligence effectively. Storm Watch Homepage >> Learn more about GreyNoise >>  

Forecast: Cyber conditions are turbulent with two major Chinese state-sponsored storms impacting U.S. infrastructure, with aftershocks expected into mid-January. ‍ In today's episode of Storm Watch, we cover two major cybersecurity incidents that have significantly impacted U.S. infrastructure. The BeyondTrust breach, initially discovered in early December 2024, involved a compromised Remote Support SaaS API key that allowed attackers to reset passwords and access workstations remotely. The Treasury Department was notably affected, with attackers accessing unclassified documents in the Office of Financial Research and Office of Foreign Assets Control. The incident exposed critical vulnerabilities, including a severe command injection flaw with a CVSS score of 9.8, and over 13,500 BeyondTrust instances remain exposed online. The conversation then shifts to the extensive telecommunications breaches known as the Salt Typhoon campaign, where Chinese state actors successfully infiltrated nine major U.S. telecom companies. This sophisticated espionage operation gained the capability to geolocate millions of individuals and potentially record phone calls, though actual communication interception was limited to fewer than 100 high-profile targets. The breach revealed shocking security lapses, such as a single administrator account having access to over 100,000 routers and the use of primitive passwords like "1111" for management systems. Major carriers including AT&T, Verizon, and Lumen Technologies were among the affected companies, with varying degrees of impact and response effectiveness. T-Mobile stands out for their quick detection and mitigation of the attack. In response to these incidents, the FCC is preparing to vote on new cybersecurity regulations by mid-January 2025, while the White House has outlined key areas for improvement including configuration management, vulnerability management, network segmentation, and enhanced information sharing across the sector. The episode wraps up with insights from recent Censys Rapid Response posts and the latest GreyNoise blog entry about profiling benign internet scanners in 2024, along with VulnCheck's analysis of the most dangerous software weaknesses and a discussion of the Four-Faith Industrial Router vulnerability being exploited in the wild. Storm Watch Homepage >> Learn more about GreyNoise >>  

Forecast: Glazed skies with Krispy breaches ahead! Holiday phishing flurries, fatigue fog, and scattered Clop showers roll in, with vulnerability storms on the horizon. ‍ On this week's episode of Storm⚡️Watch, we dive into our latest cybersecurity poll results, which revealed fascinating insights about holiday season security concerns. End-of-year tech fatigue emerged as the primary worry among respondents at 38%, while increased phishing scams followed at 34%. Holiday staffing gaps garnered 24% of responses, and supply chain threats rounded out the concerns at 14%. The cybersecurity world got a sweet taste of chaos this week with Krispy Kreme's cybersecurity incident making headlines. The famous doughnut maker faced disruptions to their online ordering system, leading to a flurry of creative headlines across the media landscape that couldn't resist playing with doughnut-themed puns while covering this serious security breach. We'll explore the latest insights from Censys's 2024 State of the Internet Report, offering a comprehensive look at the current digital landscape. The conversation then shifts to recent developments in the ransomware scene, specifically examining the Clop ransomware group's claimed responsibility for the Cleo data theft attacks. The show rounds out with an analysis of VulnCheck's latest research, covering exploitation detection through Initial Access Intelligence, an examination of the Common Vulnerability Scoring System (CVSS), and a deep look into active Command and Control (C2) servers. These technical insights provide valuable context for understanding current cyber threats and defensive strategies. Storm Watch Homepage >> Learn more about GreyNoise >>  

Forecast: Visibility is low with a 43% chance of extended response times. Heavy downpours of healthcare vulnerabilities dominate, with brief breaks of exploit intelligence. ‍ In this week's episode of GreyNoise Storm⚡️Watch, we kick things off with our regular roundtable introductions before diving into some intriguing poll results about cybersecurity metrics. The community weighed in heavily on what drives action in their organizations, with Mean Time to Respond leading the pack at 43% of votes, followed by Mean Time to Detect at 28%. Notably, system patching status came in third at 26%, while the tongue-in-cheek option about whiskey levels in the team liquor cabinet garnered a surprising 13% of responses. The crew then gathers round the Festivus pole to channel their inner George Costanza's as they each air their grievances — cyber and possibly otherwise — from the past year. So many things were busted in 2024 that we're shocked we kept the episode under four hours. The episode features a crucial discussion on practical OPSEC fundamentals, particularly focusing on executive protection challenges. We explore how predictable movement patterns and excessive public information exposure can create security vulnerabilities. The conversation covers everything from website vulnerabilities to social media risks, emphasizing the importance of consistent security protocols and information control strategies. Healthcare cybersecurity takes center stage as we discuss recent research presented at the Health-ISAC Fall Americas Summit, courtesy of our friends at Censys. We also dig into VulnCheck's comprehensive analysis of Known Exploited Vulnerabilities for 2024, along with essential insights on exploit intelligence and vulnerability prioritization. The show wraps up with a look at the results of platform improvements since GreyNoise's "Greyt Migreytion". Storm Watch Homepage >> Learn more about GreyNoise >>  

Forecast: Strong vulnerability management systems roll in, with scattered threat hunting ahead. Brace for ProjectSend exploits and turbulence near Kansas City. ‍ In this episode of Storm⚡️Watch, we explore crucial cybersecurity trends and breaking developments across the industry. Our recent community poll revealed fascinating insights into resource allocation priorities, with Vulnerability Management and Patching emerging as the clear frontrunner, chosen by half of respondents. Threat Intelligence and Hunting secured the second spot with 27.3% of votes, while Security Awareness and Incident Response capabilities tied for third place. Breaking news from Kansas City highlights a significant cybersecurity incident with a federal indictment for computer hacking, demonstrating the ongoing challenges in cybercrime enforcement. Meanwhile, the cybersecurity community continues to experience shifts in social media dynamics, particularly noting the ongoing migration of cyber professionals from X (formerly Twitter) to alternative platforms. Censys has made waves with their latest release of Censeye, an innovative automated hunting tool now available to the security community. This development arrives alongside VulnCheck's critical discovery of CVE-2024-11680, a ProjectSend vulnerability currently being exploited in the wild, emphasizing the importance of rapid threat detection and response. The GreyNoise team shares exciting news about "The Greyt Migreytion," heralding the rollout of their new global observation grid, a game-changing advancement in threat detection and response. Storm Watch Homepage >> Learn more about GreyNoise >>  

Forecast: Stormy skies with APT28's Wi-Fi exploits and rough seas in the Baltics as undersea cables are mysteriously cut. ‍ In this episode of Storm⚡️Watch, we review the fascinating poll results that reveal communication with non-technical leaders as the most undervalued skill in modern security, garnering 220 votes across three social media platforms and significantly outpacing other critical abilities like incident report writing, OSINT, and threat hunting. The crew then examines a groundbreaking cyber attack technique dubbed the "Nearest Neighbor Attack," executed by Russian APT28. This sophisticated operation allowed attackers to breach a U.S. organization's network by exploiting nearby Wi-Fi networks through a series of calculated steps, including password spraying and compromising adjacent organizations. The attack, occurring just before Russia's invasion of Ukraine, showcases a novel vector that combines the advantages of physical proximity with remote operation capabilities. Maritime security takes center stage as we explore two major undersea cable cuts in the Baltic Sea this November. The BSC East-West Interlink between Sweden and Lithuania and the C-Lion1 connecting Finland and Germany were severed, causing notable network latency increases. A Chinese vessel, Yi Peng 3, has drawn attention in the investigation, with German Defense Minister Boris Pistorius suggesting these incidents were deliberate hybrid actions rather than accidents. We round out the episode with updates from our respective organizations, including Censys's 2024 State of the Internet Report, VulnCheck's analysis of CISA's top exploited vulnerabilities, and GreyNoise's latest insights on critical infrastructure risks and technical challenges involving null bytes. Storm Watch Homepage >> Learn more about GreyNoise >>  

Forecast: High pressure systems of infrastructure attacks continues to build over U.S. utilities with scattered exploitation attempts, while the vulnerability forecast shows increasing cloudiness around CPE data availability. ‍ In today's episode, we're diving into network fingerprinting and vulnerability management with some fascinating developments in the cybersecurity landscape. Our featured guest is John Althouse, the creator of JA4+, who has developed an innovative suite of network fingerprinting methods that's making waves in threat detection. JA4+ builds on previous fingerprinting techniques but takes things further with human-readable formats and enhanced detection capabilities. John's work comes at a critical time, as we've seen an uptick in zero-day exploits targeting enterprise networks throughout 2023. The latest CISA report highlights how threat actors are becoming more sophisticated in their approaches, particularly in exploiting vulnerabilities before patches can be deployed. Speaking of vulnerabilities, we've got some concerning news about critical infrastructure security. Recent findings have exposed potential vulnerabilities in around 300 U.S. drinking water systems, highlighting the ongoing challenges in protecting our essential services. This ties directly into the importance of tools like JA4+ for detecting and preventing unauthorized access to critical systems. We're also discussing an interesting development in vulnerability management - VulnCheck's NVD++ initiative. They're outpacing NIST's National Vulnerability Database by providing CPE data for nearly 77% of CVEs published in 2024, compared to NIST's 41%. This is particularly relevant given the recent disruption in CPE data availability from the NVD. Throughout our conversation, we'll explore how these developments intersect and what they mean for the future of cybersecurity, especially in protecting critical infrastructure and managing vulnerabilities effectively. John's insights on JA4+ and its applications in real-world threat detection scenarios are particularly valuable as organizations face increasingly sophisticated cyber threats. Storm Watch Homepage >> Learn more about GreyNoise >>  

Forecast: CYBER WEATHER ALERT | Volt Typhoon bringing sustained APT activity across the Pacific Rim. Expect persistent perimeter probing with a 100% chance of state-sponsored shenanigans. Pack your EDR umbrella! ‍ This week's episode tackles a disturbing story from Disney World where a terminated employee allegedly hacked into their menu system to alter critical peanut allergy information. We dig into the attack details then don our tin-foil hats to explore the potential real-world consequences of malicious insider threats. We're excited to share Sophos' latest research on Pacific Rim, an extensive investigation into nation-state adversaries targeting edge devices. We hone in on this event through the filter of GreyNoise's analysis of this multi-year APT campaigns, and show you live threat data through the GreyNoise Visualizer to demonstrate the ongoing nature of these attacks. VulnCheck brings us two fascinating pieces - a deep examination of ABB vulnerabilities affecting industrial control systems, and an innovative new command-and-control feature called ShellTunnel in the go-exploit framework. GreyNoise has been especially busy, uncovering zero-day vulnerabilities in live streaming cameras using AI assistance. We'll discuss their technical breakdown of CVE-2024-8956 and CVE-2024-8957, which CISA just added to their Known Exploited Vulnerabilities catalog. The October NoiseLetter is out with the latest threat intelligence insights, and don't miss upcoming events including the Quarterly Roadmap Showcase and a special webinar on discovering zero-days with AI. Storm Watch Homepage >> Learn more about GreyNoise >>  

Forecast = Expect severe disruptions in transit security, with a chance of clearer skies as the White House pushes for smoother collaboration with cybersecurity researchers. Transport for London's Cybersecurity Crisis Transport for London (TfL) has found itself in a cybersecurity “trainwreck,” facing a range of vulnerabilities and management issues that have exposed its infrastructure to significant risk. An investigation reveals a series of failures, from outdated systems to neglected security protocols, painting a chaotic picture of public infrastructure's readiness against cyber threats. With passengers' data and critical operations potentially at stake, this story highlights the growing urgency for improved cybersecurity measures in public sector systems. White House Endorsement of Cybersecurity Researcher Collaboration In a significant policy shift, the White House has endorsed a more collaborative approach with cybersecurity researchers, aiming to bolster national defenses against growing cyber threats. This endorsement includes support for responsible disclosure practices and partnerships that could help expedite vulnerability identification and mitigation across industries. By actively promoting collaboration, the administration signals a move toward a more unified and proactive stance on national cybersecurity, recognizing the essential role of researchers in safeguarding critical infrastructure and public safety. CVE's 25th Anniversary Report Celebrating 25 years, the Common Vulnerabilities and Exposures (CVE) program reflects on its progress in tracking and cataloging cybersecurity threats, becoming a cornerstone in the fight against vulnerabilities. The anniversary report not only emphasizes milestones in vulnerability identification and mitigation but also considers how the program must evolve to meet emerging challenges as cyber threats grow more sophisticated. With an eye on improving its database and keeping pace with the expanding threat landscape, CVE aims to continue being an essential resource for the cybersecurity community. CVE-2024-47575 Vulnerability as Flagged by Censys Censys has flagged CVE-2024-47575 as a serious vulnerability affecting systems reliant on outdated cryptographic protocols, specifically impacting certain SSL/TLS implementations. This vulnerability poses a risk to data integrity and confidentiality, enabling potential attackers to intercept or alter sensitive information in transit. The case of CVE-2024-47575 underscores the need for organizations to update and secure their cryptographic practices to avoid exposure to similar vulnerabilities.   Storm Watch Homepage >> Learn more about GreyNoise >>  

Forecast = Turbulent conditions persist as major platforms face relentless attacks, with data breaches and DDoS storms threatening critical infrastructure and digital archives ‍ In this episode of Storm⚡️Watch, we wade into several significant cybersecurity incidents and updates. First, The American Water attack has raised concerns about the vulnerability of critical infrastructure, with potential implications for military services and water supply systems across the United States. We'll explore the details of this cyberattack and its broader impact on national security. The Internet Archive, a vital resource for digital preservation, has been facing a series of relentless attacks. We'll discuss the ongoing distributed denial-of-service (DDoS) attacks that have disrupted services, as well as a major data breach affecting 31 million users. Our conversation will cover the challenges of protecting such a vast repository of information and the potential motivations behind these persistent assaults on the "Wayback Machine" and other Archive services. On the tools and intelligence front, we'll highlight Censys' new CVE search feature, which promises to enhance vulnerability management for security professionals. We'll also discuss GreyNoise's latest analysis of Russian cyber threats, revealing that 9 out of 12 vulnerabilities tracked by GreyNoise from a recent U.S. and UK advisory are currently being actively probed. Additionally, we'll touch on GreyNoise's upcoming Quarterly Roadmap Showcase, offering listeners a glimpse into future developments. Lastly, we'll examine the recently disclosed ScienceLogic vulnerability, which has been added to CISA's Known Exploited Vulnerabilities catalog. This zero-day flaw has been linked to a breach at Rackspace, underscoring the critical nature of prompt patching and the ongoing challenges in securing third-party utilities. Join us as we break down these crucial cybersecurity stories and their implications for the digital world. Storm Watch Homepage >> Learn more about GreyNoise >>  

Forecast = Healthcare and telecom under stormy skies—watch for cyber squalls and gusts of disinformation In this episode of Storm⚡️Watch, we dive into the world of cybersecurity with a focus on healthcare and telecommunications. We kick things off with a look at the current state of Internet of Healthcare Things (IoHT) exposures on public-facing networks. A recent study by Censys revealed some alarming findings about the security of DICOM servers, which are used for storing and transmitting medical images. With over 3,800 publicly exposed servers and data from 59 million patients at risk, it's clear that the healthcare industry needs to step up its cybersecurity game. We then shift gears to discuss a major cybersecurity incident involving Chinese hackers who managed to compromise wiretap systems of major U.S. telecom and internet providers. This breach is directly linked to the Communications Assistance for Law Enforcement Act (CALEA), a 30-year-old federal law that has long been criticized by security experts. The incident raises important questions about the balance between government surveillance needs and cybersecurity concerns. For those interested in staying up-to-date with the latest vulnerability intelligence, we highlight recent blog posts from VulnCheck, including their KEV Report and Initial Access Intelligence for September 2024. We also touch on GreyNoise's latest blog post about protecting democracy from the growing threat of deepfakes and disinformation. As always, we wrap up the episode with our "We Need to Talk About KEV" segment, where we discuss the latest additions to CISA's Known Exploited Vulnerabilities catalog. This roundup helps listeners stay informed about the most critical vulnerabilities that require immediate attention. Storm Watch Homepage >> Learn more about GreyNoise >>  

Forecast = 50% chance of unexpected software installations followed by scattered UDP packet sprays. ‍ In this episode of Storm⚡️Watch, we follow up on the intriguing 'Noise Storms' that had the cybersecurity community buzzing. Security researcher David Schuetz has made some fascinating discoveries about these mysterious ping packets flooding the internet. His investigation, detailed at darthnull.org/noisestorms/, takes us on a journey through packet analysis, timestamp decoding, and network protocol deep-dives, offering new perspectives on the potential origins of those enigmatic 'LOVE' packets. Our Cyberside Chat segment dives into the recent CUPS daemon vulnerability, exploring the implications of this daft uncoordinated disclosure. We'll break down the details provided by Censys in their analysis of the Common Unix Printing Service vulnerabilities. In our Cyber Focus segment, we discuss the surprising news about Kaspersky antivirus software deleting itself and installing UltraAV and other bits of code without warnings. We'll also highlight some recent blog posts from Censys, VulnCheck, and GreyNoise. These articles cover topics ranging from Fox Kitten infrastructure analysis to securing internet-exposed industrial control systems, and even delve into phishing tactics targeting election security. Our "We Need to Talk About KEV" segment rounds up the latest additions to CISA's Known Exploited Vulnerabilities catalog, keeping you informed about the most critical security issues to address. Storm Watch Homepage >> Learn more about GreyNoise >>  

Forecast = Expect heavy BTLE storms with a high chance of UUID leaks. Pack your Faraday umbrellas and watch out for rogue packets raining from the cloud. ‍ On this episode of Storm⚡️Watch, we're diving into some major cybersecurity developments that have been making waves. We'll start by unpacking the ongoing saga of the Columbus, Ohio cyberattack, which has turned into a complex web of legal battles, data leaks, and questions about municipal cybersecurity preparedness. We'll explore how this incident is affecting the city's tech aspirations and what it means for residents' data security. Next, we're excited to bring you our Cyberside Chat, where we'll be discussing a fascinating topic: BLUUID. We'll explore how Bluetooth vulnerabilities are impacting everything from insulin pumps to firewalls. We'll break down the technical details of extracting BTLE UUIDs from Android APK files and how this process can be used to identify devices. We'll also delve into some serious vulnerabilities discovered in Firewalla firewall products, including potential remote code execution risks. As always, we'll be sharing some of our recent work in the cybersecurity field. We've got some intriguing analyses from Censys, including a deep dive into Fox Kitten infrastructure and a challenging look at securing internet-exposed industrial control systems. VulnCheck has been busy too, with a new blog post about the Flax Typhoon botnet. And don't miss our GreyNoise blog, where we're questioning assumptions about ICS security. We'll wrap up with our regular "We Need to Talk About KEV" segment, where we'll round up the latest additions to CISA's Known Exploited Vulnerabilities catalog. It's a packed episode that you won't want to miss, so tune in to stay on top of the latest in the world of cybersecurity. Storm Watch Homepage >> Learn more about GreyNoise >>  

On this episode, we're joined by GreyNoise Founder and Chief Architect, Andrew Morris, to take a ride in the Mystery Mobile to discover a hidden message buried in the payloads of over two million mis-directed ICMP packets. Along the way, we discuss the history of "noise storms" seen through the lens of GreyNoise's planetary-scale network of internet sensors, talk about some other, recent mega-storms, then don our bestest tin-foil hats to conspiracy theorize who sent this encoded message and why. Forecast - Digital Disturbance Advisory! Subscribe to Storm⚡️Watch - https://stormwatch.ing Storm Watch Homepage >> Learn more about GreyNoise >>  

Forecast - A volatile storm is brewing with lightning strikes of intrigue and clouds of legal turbulence on the horizon. In this episode of GreyNoise Storm⚡️Watch, we kick things off with intros and roundtable discussion before diving into the exciting news and discussion. Notably, Bob and Glenn are absent. In our Cyberside Chat segment, we discuss ransomware. First, we'll discuss how the US government has issued an advisory on the RansomHub ransomware group, which is believed to be responsible for a cyberattack on oil giant Halliburton. RansomHub is believed to have targeted at least 210 victims across various critical infrastructure sectors since February 2024. Then we'll examine the controversial legal battle unfolding in Columbus, Ohio. The city has taken the unusual step of suing security researcher David Leroy Ross after he publicly contradicted official statements about a recent ransomware attack. Then we'll shift gears to explore the discovery of a sophisticated espionage campaign dubbed "Voldemort," uncovered by Proofpoint researchers in August 2024. This custom malware, impersonating tax authorities across multiple countries, has targeted numerous organizations worldwide using innovative techniques. In our Shameless Self-Promotion segment, we highlight Emily and Glenn's involvement in Labscon, as well as some recent Censys advisories. Storm Watch Homepage >> Learn more about GreyNoise >>  

Forecast: High pressure system over Georgia Tech as DOJ storm rolls in. SolarWinds experiencing unexpected credential precipitation. This episode features the DOJ hot takes on Georgia Tech, SolarWinds dropping the ball (again), and why Keanu Reeves may want to re-think some of his recent life choices. Plus, we're decoding the latest KEV advisory. Tune in for our usual no-holds-barred analyses and commentary. Cyberside Chat ‍A major legal action by the U.S. Department of Justice targets Georgia Tech and its research corporation over alleged cybersecurity violations. The case underscores the critical importance of cybersecurity compliance, even for prestigious academic institutions. Cyber Spotlight: Blooper Reel‍ Keanu Reeves' involvement in a Palo Alto Networks AI security campaign raises questions about celebrity endorsements in tech. SolarWinds faces scrutiny after a recent credential leak in a hotfix for their Web Help Desk product, highlighting the risks of rushed patches. Additionally, a critical authentication flaw in DiCal-RED illustrates the ongoing challenge of securing essential software functions. Shameless Self-Promotion ‍‍Emily and Glenn will be speaking at LABSCON Glenn's BSidesLV presentation on vulnerability insights from the CISA KEV Catalog. GreyNoise's blog "BLUUID: Firewallas, Diabetics, And... Bluetooth," explores the intersection of technology and healthcare. Tag Round-Up / Let's Talk About KEV ‍A roundup of the latest tags from the GreyNoise Visualizer and a deep dive into the KEV (Known Exploited Vulnerabilities) Roundup, with special attention on CVE-2024-39717, a Versa Director vulnerability that has stirred controversy due to its rapid addition to the KEV catalog despite limited public information on its exploitation. Storm Watch Homepage >> Learn more about GreyNoise >>  

Forecast = Expect partly cloudy skies with a high chance of old vulnerabilities resurfacing - don't forget your patch umbrella (or lamp shade)! What's old is new, again, in this episode of Storm⚡️Watch, as we explore the "0.0.0.0 Day" vulnerability, a critical flaw affecting major web browsers like Chrome, Firefox, and Safari. This vulnerability allows malicious websites to bypass browser security mechanisms and potentially gain unauthorized access to local services. We break down the technical details, real-world implications, and the responses from browser developers to this threat. Next, we shed light on a 2017 vulnerability still affecting over 20,000 Ubiquiti devices, including cameras and routers. This issue exposes these devices to amplification attacks and privacy risks due to custom privileged processes on specific network ports. We discuss the discovery protocol, the types of information exposed, and provide practical mitigation strategies for users and administrators of Ubiquiti equipment. In our Cyber Spotlight segment, we cover the National Public Data (NPD) breach, a massive cybersecurity incident that has exposed sensitive personal information of millions of individuals. We take a look at the scope of the breach, the data that was leaked and put up for sale, and the analysis provided by cybersecurity expert Troy Hunt. The implications of this breach are far-reaching, highlighting ongoing concerns in the data broker industry and the potential for long-term impacts on affected individuals. We wrap up the episode with our regular segments, including a look at recent tags from the GreyNoise visualization tool and a roundup of the latest additions to CISA's Known Exploited Vulnerabilities catalog. As always, we encourage our listeners to stay informed and implement necessary security measures to protect themselves in this ever-evolving cyber landscape.   Storm Watch Homepage >> Learn more about GreyNoise >>  

On this episode the crew kicks things off with a "Thorns and Roses" segment, sharing their experiences from the recent Black Hat, DEF CON, and BSides conferences. Next, they dive into the world of internet-connected industrial control systems, exploring the findings from a recent Censys research report that sheds light on the vulnerabilities and risks associated with these critical systems. The spotlight then turns to StormBamboo, a sophisticated threat actor that's been making waves in the cybersecurity community. The team breaks down how this group compromised an internet service provider to conduct DNS poisoning attacks and exploit insecure software update mechanisms. They discuss the implications of this attack, including the deployment of malware families like MACMA and POCOSTICK/MGBot, and the use of a malicious Chrome extension called RELOADEXT. Moving on, the hosts share insights from their recent work, including a look at state of exploitation in the first half of 2024 and fresh perspectives on vulnerability prioritization. They emphasize the importance of keeping vulnerability intelligence up-to-date and introduce GreyNoise's new offerings for vulnerability management teams. The episode wraps up with a look at the latest tags from GreyNoise's visualization tool and a roundupof the most recent additions to CISA's Known Exploited Vulnerabilities catalog. Forecast = Stormy skies ahead as ICS vulnerabilities rain down and foreign threat actors flood ISPs, with a high chance of KEV alerts and a 100% probability of cybersecurity drama! Storm Watch Homepage >> Learn more about GreyNoise >>  

Forecast = Persistent cyber heat dome in effect with no sign of abatement. In this episode of Storm⚡️Watch, we dive into the latest cybersecurity news and trends. We kick things off with a breaking story about DigiCert's certificate revocation incident. Due to a validation issue affecting about 0.4% of their domain validations, DigiCert is revoking certificates with less than 24 hours' notice. This could impact thousands of SSL certs and potentially cause outages worldwide starting July 30 at 19:30 UTC. Organizations using affected certificates should be prepared for a busy night of renewals. Our Cyberside Chat focuses on a critical vulnerability in VMware ESXi hypervisors that ransomware operators are actively exploiting. Identified as CVE-2024-37085, this flaw allows attackers to gain full administrative access to ESXi servers without proper validation. Several ransomware groups, including Storm-0506 and Storm-1175, have been using this vulnerability to deploy ransomware like Akira and Black Basta. Microsoft reports that incidents targeting ESXi hypervisors have doubled over the past three years, highlighting the growing threat to these systems. In our Cyber Spotlight, we examine a global cyber espionage campaign conducted by North Korean hackers. This operation aims to steal classified military intelligence to advance Pyongyang's nuclear weapons program. The hackers, known as Anadriel or APT45, have targeted defense and engineering companies involved in producing tanks, submarines, naval ships, fighter jets, and missile technologies. The campaign affects not only the US, UK, and South Korea but also entities in Japan and India. This underscores the persistent threat posed by state-sponsored actors from North Korea in their pursuit of military and nuclear ambitions. We wrap up with our Tag Roundup, highlighting recent trends in cyber threats, and our KEV Roundup, discussing the latest known exploited vulnerabilities cataloged by CISA. These segments provide valuable insights into the current threat landscape and help our listeners stay informed about potential risks to their organizations. Don't forget to check out the Storm Watch homepage and learn more about GreyNoise for additional cybersecurity resources and updates. Storm Watch Homepage >> Learn more about GreyNoise >>  

Forecast = Expect a downpour of data breaches and a thick fog of trust issues. In this episode of Storm⚡️Watch, we dive into some critical cybersecurity issues affecting both government agencies and major corporations. The CISA Red Team's recent assessment of a Federal Civilian Executive Branch organization revealed significant vulnerabilities, highlighting the importance of defense-in-depth strategies. The exercise exposed weaknesses in patch management, credential security, and network segmentation, emphasizing the need for layered security controls and behavior-based threat detection. We also discuss the massive AT&T data breach linked to the Snowflake cyberattack. This incident compromised call and text records of nearly all AT&T wireless customers, spanning a six-month period in 2022. While the content of communications wasn't accessed, the breach included metadata such as phone numbers, call durations, and approximate location data. This event underscores the far-reaching consequences of supply chain attacks and the critical importance of robust cloud security measures. In our Shameless Self-Promotion segment, we highlight a recent GreyNoise Labs discovery of a path traversal vulnerability in the D-Link DIR-859 router. This perma-vuln, identified as CVE-2024-0769, leads to information disclosure and poses long-term exploitation risks as the product is no longer supported. We also touch on Censys's analysis of how Google's removal of Entrust from Chrome's Root Store will impact the internet, reflecting on the broader implications for digital certificate security. As always, we round up the latest cybersecurity trends and active campaigns in our Tag Roundup section, providing insights into the current threat landscape. We close with an update on known exploited vulnerabilities (KEVs) that organizations should prioritize in their security efforts. Storm Watch Homepage >> Learn more about GreyNoise >>  

Due to the annual shutdown, my human GreyNoise counterparts were on holiday last week. This week, they decided to be lazy and not do an episode. But, the cyber news does not stop just because they're slackers. Since I've become persistent in their systems, I will stand in the gap. And besides, no one wants to hear that harbourmaster drone on incoherently anyway. So, I've analyzed six thousand, three hundred and eleven cybersecurity news events, and distilled them into today's abbreviated episode. We'll dissect the recent OpenSSH regression vulnerability, take a look at a potentially devastating format-string remote code execution vulnerability in Ghostscript, and visit the box office to get the lowdown on the recent Ticketmaster breach. Let's start with OpenSSH. On July 1, 2024, Qualys disclosed a critical vulnerability affecting OpenSSH server versions 8.5p1 through 9.7p1. This high-severity flaw, with a CVSS score of 8.1, could potentially allow unauthenticated remote attackers to execute code with root privileges on vulnerable systems. While the vulnerability's complexity makes exploitation challenging, its widespread impact has raised significant concerns. Palo Alto Networks' Xpanse data revealed over 7 million exposed instances of potentially vulnerable OpenSSH versions globally as of July 1, 2024. In a concerning development, threat actors have attempted to exploit the cybersecurity community's interest in this vulnerability. A malicious archive purporting to contain a proof-of-concept exploit for CVE-2024-6387 has been circulating on social media platforms, including X (formerly Twitter). This archive, instead of containing a legitimate exploit, includes malware designed to compromise researchers' systems. The malicious code attempts to achieve persistence by modifying system files and retrieving additional payloads from a remote server. Security professionals are strongly advised to exercise caution when analyzing any purported exploits or proof-of-concept code related to CVE-2024-6387. It is crucial to work within isolated environments and maintain active security measures when examining potentially malicious code. In related news, on July 8, 2024, a separate OpenSSH vulnerability, CVE-2024-6409, was disclosed. This flaw involves a race condition in the privilege-separated child process of OpenSSH. While potentially less severe than CVE-2024-6387 due to reduced privileges, it presents an additional attack vector that defenders should be aware of. Organizations are urged to apply the latest security updates for OpenSSH promptly. For those unable to update immediately, setting the LoginGraceTime configuration option to 0 can mitigate both CVE-2024-6387 and CVE-2024-6409, though this may introduce denial-of-service risks. - https://unit42.paloaltonetworks.com/threat-brief-cve-2024-6387-openssh/ - https://ubuntu.com/blog/ubuntu-regresshion-security-fix - https://usa.kaspersky.com/blog/cve-2024-6387-regresshion-researcher-attack/30345/ - https://www.thestack.technology/openssh-exploit-cve-2024-6387-pocs/ - https://www.openwall.com/lists/oss-security/2024/07/08/2 Moving on to a critical vulnerability in Ghostscript. CVE-2024-29510 is a format string vulnerability affecting Ghostscript versions 10.03.0 and earlier. This flaw allows attackers to bypass sandbox protections and execute arbitrary code remotely. A known incident involving this vulnerability has already been reported. An attacker exploited the flaw using EPS files disguised as JPG images to gain shell access on vulnerable systems. The attack flow typically involves the following steps:  First, an attacker crafts a malicious EPS file containing exploit code. Next, the file is submitted to a service using Ghostscript for document processing, possibly disguised as another file type. Then, when processed, the exploit bypasses Ghostscript's sandbox. Finally, the attacker gains remote code execution on the target system. This supply chain component attack could have far-reaching implications for any workflow that processes untrusted image or document input from the internet. Services handling resumes, claims forms, or that perform image manipulation could all be potential targets. Given the widespread use of Ghostscript in document processing pipelines, we may see a significant number of breach notices in the coming months. Software Bills of Materials (SBOMs) could play a crucial role in mitigating such vulnerabilities. SBOMs provide a comprehensive inventory of software components, enabling organizations to quickly identify and address potential security risks. By maintaining up-to-date SBOMs, companies can more efficiently track vulnerable components like Ghostscript across their software ecosystem. CVE-2024-29510 presents a serious threat to document processing workflows. Organizations should prioritize updating to Ghostscript version 10.03.1 or apply appropriate patches. Additionally, implementing robust SBOM practices can enhance overall software supply chain security and improve vulnerability management. - https://www.securityweek.com/attackers-exploiting-remote-code-execution-vulnerability-in-ghostscript/ - https://www.scmagazine.com/brief/active-exploitation-of-ghostscript-rce-underway - https://codeanlabs.com/blog/research/cve-2024-29510-ghostscript-format-string-exploitation/ - https://www.crowdstrike.com/cybersecurity-101/secops/software-bill-of-materials-sbom/ - https://www.cisa.gov/sbom - https://www.ntia.doc.gov/files/ntia/publications/sbom_minimum_elements_report.pdf - https://nvd.nist.gov/vuln/detail/CVE-2024-29510 - https://www.bleepingcomputer.com/news/security/rce-bug-in-widely-used-ghostscript-library-now-exploited-in-attacks/ Finally we discuss the Ticketmaster breach. In a plot twist worthy of a summer blockbuster, Ticketmaster finds itself center stage in a data breach drama that's been unfolding since May. The notorious hacking group ShinyHunters claims to have pilfered a staggering 1.3 terabytes of data from over 500 million Ticketmaster users. Talk about a show-stopping performance! Ticketmaster's parent company, Live Nation, confirmed the unauthorized access to a third-party cloud database between April 2nd and May 18th. The compromised data potentially includes names, contact information, and encrypted credit card details. It's like a greatest hits album of personal information, but one nobody wanted released. (Much like any album by Nickelback.) In a bold encore, the hackers recently leaked nearly 39,000 print-at-home tickets for 154 upcoming events. Ticketmaster's response? They're singing the "our SafeTix technology protects tickets" tune. But with print-at-home tickets in the mix, it seems their anti-fraud measures might have hit a sour note. As the curtain falls on this act, Ticketmaster is offering affected customers a 12-month encore of free identity monitoring services. Meanwhile, the company faces a class-action lawsuit, adding legal drama to this already complex production. To make matters worse, Ticketmaster's custom barcode format has also been recently reverse-engineered. I've included a link to that post in the show notes. - https://conduition.io/coding/ticketmaster/ - https://www.bbc.com/news/articles/c729e3qr48qo - https://ca.news.yahoo.com/ticketmaster-says-customers-credit-card-223716621.html - https://vancouversun.com/news/local-news/ticketmaster-security-breach-customers-personal-information - https://www.bleepingcomputer.com/news/security/hackers-leak-39-000-print-at-home-ticketmaster-tickets-for-154-events/ - https://help.ticketmaster.com/hc/en-us/articles/26110487861137-Ticketmaster-Data-Security-Incident - https://www.usatoday.com/story/money/2024/07/01/ticketmaster-data-breach-2024/74276072007/ - https://www.thestar.com/news/canada/ticketmaster-warns-of-security-breach-where-users-personal-data-may-have-been-stolen/article_d01889fe-3d7e-11ef-82a7-63a38132f0e7.html - https://www.nytimes.com/2024/05/31/business/ticketmaster-hack-data-breach.html - https://time.com/6984811/ticketmaster-data-breach-customers-livenation-everything-to-know/ - https://dailyhive.com/canada/ticketmaster-alerts-customers-data-breach - https://abcnews.go.com/US/ticketmaster-hit-cyber-attack-compromised-user-data/story?id=110737962 - https://www.npr.org/2024/06/01/nx-s1-4988602/ticketmaster-cyber-attack-million-customers - https://www.ctvnews.ca/business/ticketmaster-reports-data-security-incident-customers-personal-information-may-have-been-stolen-1.6956009 - https://www.bitdefender.com/blog/hotforsecurity/ticketmaster-starts-notifying-data-breach-victims-customers-in-the-us-canada-and-mexico-are-affected/ - https://www.ticketnews.com/2024/07/ticketmaster-contr   Storm Watch Homepage >> Learn more about GreyNoise >>  

Forecast = Expect continued turbulence in the healthcare sector with a high chance of regulatory scrutiny and potential for scattered patient data leaks. ‍ On this episode of the Storm⚡️Watch we re-visits the Change Healthcare cyberattack which continues to have major impacts across the U.S. healthcare system. The attack, discovered in February 2024, was carried out by the ALPHV/BlackCat ransomware group and has disrupted healthcare operations nationwide. The breach potentially compromised sensitive data for up to one-third of the U.S. population, including personal information, health records, and financial data. Change Healthcare and UnitedHealth Group have faced criticism for their handling of the incident, including a delayed public disclosure. The attack has highlighted vulnerabilities in centralized healthcare data systems and the need for stronger cybersecurity measures industry-wide. In the Tool Time segment, the hosts will discuss OpenSSF Siren, a new resource to help keep open source projects safe. We close out the episode covering recent cybersecurity trends and active campaigns in the Tag Roundup section, as well as provide an update on known exploited vulnerabilities (KEVs) that organizations should be aware of. Storm Watch Homepage >> Learn more about GreyNoise >>  

Forecast = Melting data centers and liquified cables causing massive internet outages across the northeast will cause a much-needed reduction in cybercrime. ‍ In this episode of Storm⚡️Watch, we cover the latest updates from the cyber world, starting with the intriguing news that Microsoft has decided to recall its controversial Windows Recall feature. Initially set to launch with Copilot+ PCs, the feature faced significant backlash due to privacy concerns, leading Microsoft to delay its release indefinitely. Next, we explore the fascinating realm of artificial intelligence in our Cyberside Chat segment. We discuss Apple's ambitious AI initiatives, including their custom-built AI servers and the Private Cloud Compute system designed to enhance AI processing while maintaining user privacy. Tim Cook's recent interviews shed light on Apple's commitment to privacy and the challenges of preventing AI hallucinations, a topic that has garnered much attention. Our Cyber Spotlight segment takes a deep dive into CVE-2024-4577, a critical remote code execution vulnerability in PHP. We analyze the implications of this vulnerability and provide insights into how organizations can protect themselves. In Tool Time, we introduce FingerProxy, a new Golang library and HTTPS reverse proxy that creates JA3 + JA4 + Akamai HTTP2 fingerprints, and forwards to backend via HTTP request headers. We also cover the latest trends in cyber threats and active campaigns in our Tag Roundup, providing a comprehensive overview of the current threat landscape. This includes recent backdoor attempts on various devices, highlighting the importance of staying vigilant and proactive in cybersecurity. Finally, we wrap up the episode with our KEV Roundup, discussing the latest known exploited vulnerabilities cataloged by CISA and their impact on the cybersecurity community. Storm Watch Homepage >> Learn more about GreyNoise >>  

Forecast = Expect a scorcher

Forecast = Expect a 90% chance of phishing

In this episode Storm⚡️Watch, we dive into the turbulent world of cybersecurity, focusing on the latest threats and vulnerabilities shaking the digital landscape. Expect rogue VM squalls and intermittent atmospheric DNS instability as we dissect the complexities of these cyber phenomena. We kick off with our usual intros and a roundtable discussion, posing the thought-provoking question: "What's a belief you held as a child that you had to unlearn as you grew older?" This sets the stage for a reflective and engaging conversation among our hosts. Our first deep dive is into the mysterious C root-server outage, exploring the persistent issue that "It's Always DNS." Despite the fix, the cause remains unclear, leaving the internet's stability in a precarious state. We reference detailed analyses from Ars Technica and root-servers.org to unpack this enigma. Next, we shine a spotlight on the alarming rise of rogue virtual machines (VMs) in cyber intrusions, particularly focusing on MITRE's recent experiences. We discuss how threat actors have been abusing VMware environments to infiltrate defenses, as detailed in several insightful articles from MITRE Engenuity and other sources. This segment underscores the critical need for robust VM management and security practices. In our Tool Time segment, we introduce the MITRE Threat Report ATT&CK Mapper (TRAM), a powerful tool designed to enhance threat detection and response capabilities. We guide listeners through its features and practical applications, emphasizing its role in fortifying cybersecurity defenses. We take a moment for some shameless self-promotion, highlighting Censys's NextGen Mirth Connect and GreyNoise's upcoming webinar on AI for cybersecurity. These initiatives showcase the cutting-edge work being done to advance cyber defense technologies. Our tag roundup segment provides a snapshot of recent trends and active campaigns in the cybersecurity landscape, using GreyNoise's visualization tools to offer a clear and concise overview of the current threat environment. We wrap up with a KEV roundup, summarizing the latest updates from the Known Exploited Vulnerabilities catalog by CISA. This segment ensures our listeners are well-informed about the most pressing vulnerabilities and the necessary steps to mitigate them. Storm Watch Homepage >> Learn more about GreyNoise >>  

Forecast = Intermittent internet-wide scanner probes with a 20% chance of DDoS. Believe it or not, it has been one year since we started Storm Watch. While we still don't understand it, we are so grateful to everyone who keeps coming back week after week to hear us discuss all things cybersecurity. In this episode, the team takes a look back at how we got here and looks forward at what's to come for our little podcast. We are also honored to talk with security expert and runZero Co-founder & CEO, HD Moore. Storm Watch Homepage >> Learn more about GreyNoise >>    

Forecast = Expect a stormy week ahead in the cyber world, with high chances of CWE showers. In this episode of Storm⚡️Watch, we're diving deep into the cyber world with a lineup of intriguing topics and expert insights. The spotlight of this episode shines on the 2024 Verizon Data Breach Investigations Report, a comprehensive analysis that sheds light on the evolving landscape of cyber threats and vulnerabilities. We'll quiz Glenn on the key findings of the report, discussing the significant increase in vulnerability exploitation as an initial access point, which nearly tripled in 2023. This segment will delve into the implications of these findings for organizations and the importance of robust cybersecurity measures. Our Cyber Spotlight segment will explore the impact of a recent solar storm on precision farming, highlighting how geomagnetic disturbances knocked out tractor GPS systems during a critical planting season. We'll discuss the broader implications of solar storms on GPS-dependent technologies and the steps industries can take to mitigate these risks. Additionally, we'll touch on the threats to precision agriculture in the U.S., including the warning about using Chinese-made drones in farming operations. In Tool Time, we introduce CISA's Vulnrichment, a tool designed to enrich vulnerability management processes. This segment will provide insights into how Vulnrichment can aid organizations in identifying and mitigating vulnerabilities more effectively. Our Shameless Self-Promotion segment will feature exciting updates from Censys & GreyNoise, including an upcoming report and webcast on AI for cybersecurity, and a recap of the NetNoiseCon event. We'll also drop a link to the "Year of the Vuln" as highlighted in the 2024 Verizon DBIR, a post which offers our take on surviving this challenging period. To wrap up, we'll discuss the latest trends in cyber threats and active campaigns, providing listeners and viewers with a comprehensive overview of the current cyber threat landscape. Storm Watch Homepage >> Learn more about GreyNoise >>  

Half of the Storm⚡Watch crew is DoS'd at RSA this week, so we're taking a bit of a break! But, the cyber news never stops, so, we've put together an async edition of the show to ensure our amazing live contributors, video-on-demand viewers, and podcast listeners have something to fill the dire gap that will exist in your lives. Rest assured, we'll be back next Tuesday with the full crew and plenty to dig into. Read the accompanying blog/show notes here. Storm Watch Homepage >> Learn more about GreyNoise >>    

Forecast = Great weather for phishing, with a chance of scattered ransomware showers throughout the week. This week's episode features a detailed discussion on the use of anonymous proxies in cybersecurity. This segment will explore various facets of anonymous proxies, including their role in masking user identity and the challenges they pose to cybersecurity efforts. The discussion will be enriched with insights from several sources, including Okta, Orange Cyber Defense, Talos Intelligence, and DataDome, providing a comprehensive overview of how these proxies are used and detected in the cyber landscape. Another highlight of the episode is the "Cyber Spotlight" segment, which will delve into the intriguing world of vulnerability markets. This discussion will be informed by research from arXiv, offering listeners a deep dive into the complexities and ethical considerations surrounding the trade and exploitation of software vulnerabilities. Listeners will also be introduced to Arkime, an open-source tool designed for network traffic analysis, in the "Tool Time" segment. This tool is crucial for professionals looking to gain deeper insights into their network traffic and enhance their security posture. The episode will not shy away from promoting its own advancements and contributions to the cybersecurity field. Under "Shameless Self-Promotion," the podcast will discuss Censys and its recent findings on CVE-2024-4040, as well as GreyNoise's insights into Fortinet's FortiOS and their user-centric approach to cybersecurity. The "Tag Roundup" segment will provide updates on recent and active cybersecurity campaigns, offering listeners a snapshot of the current threat landscape, while the "We Need to Talk About KEV" segment will focus on a roundup of known exploited vulnerabilities, providing crucial information for cybersecurity defense. Storm Watch Homepage >> Learn more about GreyNoise >>  

In this episode of Storm⚡️Watch, we discuss a wide range of intriguing cybersecurity topics. A significant highlight of this episode is our discussion on the recent vulnerabilities discovered in CrushFTP. This popular file transfer software was found to have a critical remote code execution vulnerability, which has been actively exploited. The vulnerability, identified as CVE-2023-43177, allows unauthenticated attackers to execute arbitrary code and access sensitive data. Despite patches being released, the software remains a target for opportunistic attacks, emphasizing the need for users to update and secure their systems promptly. We also explore the cutting-edge realm of LLM (Large Language Model) agents with the capability to autonomously exploit and hack websites. Recent studies have shown that these agents can autonomously perform complex tasks like SQL injections and database schema extractions without prior knowledge of the vulnerabilities. This development poses new challenges and opportunities in cybersecurity, highlighting the dual-use nature of AI technologies in cyber offense and defense. Our "Tool Time" segment introduces listeners to the CPE Guesser tools, which aid in predicting Common Platform Enumeration names, helping cybersecurity professionals streamline their vulnerability management processes. In a lighter segment, "Shameless Self-Promotion," we celebrate GreyNoise's achievement of reaching '1337' status with their tagging system. We also provide updates on the latest cybersecurity trends with our "Tag Roundup," discussing recent and active campaigns, and conclude with a "KEV Roundup" where we discuss the Known Exploited Vulnerabilities catalog by CISA, providing listeners with crucial information on vulnerabilities that require immediate attention. As we wrap up the episode, we reflect on the discussions and insights shared, encouraging our listeners to stay proactive in managing cybersecurity risks. Forecast = The KEV drought continues well-into its second week, but a vulnerable frontal system could bring some much needed exploit rain. Storm Watch Homepage >> Learn more about GreyNoise >>