Lightnews — Scholar-powered news

Glenn

@ntkramer.bsky.social

2.6K followers 260 following 140 posts

Experienced InfoSec | Elder Millennial | 💼 @GreyNoiseIO | I ask 'why?' a lot | Pro Oxford Comma | Fix it! | He/Him | #BLM | Views are my own. https://linktr.ee/glennthorpe

Posts Media Videos Starter Packs

Glenn @ntkramer.bsky.social · 15d

It’s time for many folks’ annual cultural learning session. 🤣

Reposted by Glenn

GreyNoise @greynoise.io · 15d

On 28 September, GreyNoise observed a sharp one-day surge in attempts to exploit Grafana CVE-2021-43798. Full analysis & malicious IPs ⬇️
#Grafana #GreyNoise #ThreatIntel

Coordinated Grafana Exploitation Attempts on 28 September

GreyNoise observed a sharp one-day surge of exploitation attempts targeting CVE-2021-43798 — a Grafana path traversal vulnerability that enables arbitrary file reads. All observed IPs are classified a...

www.greynoise.io

Glenn @ntkramer.bsky.social · Aug 1

We all know that @hrbrmstr.dev is a mad scientist, and when you give him the amazing telemetry our new fleet has been collecting lately, you get knowledge drops like this! Super proud of our @greynoise.io team’s work on the deception capabilities we now have! hashtag#threatintel

GreyNoise @greynoise.io · Jul 31

🚨 New Research: GreyNoise identifies an early warning signal, spikes in attacker activity tend to precede new CVE disclosures within six weeks. Which vendors show the strongest signal and more, all in our latest report ⬇️

Early Warning Signals: When Attacker Behavior Precedes New Vulnerabilities

GreyNoise’s new research reveals a recurring pattern: spikes in malicious activity often precede the disclosure of new CVEs — especially in enterprise edge technologies like VPNs and firewalls.

www.greynoise.io

Reposted by Glenn

GreyNoise @greynoise.io · Jul 24

An unexpected cluster of malicious IPs in a remote U.S. town led GreyNoise researchers to uncover a 500+ device botnet. Full analysis ⬇️
#Cybersecurity #ThreatIntel #Botnet #VoIP #GreyNoise #Cyber #Tech

A Spike in the Desert: How GreyNoise Uncovered a Global Pattern of VOIP-Based Telnet Attacks

A spike in botnet traffic from a single utility in a rural part of New Mexico led to the discovery of a global botnet. Explore how human-led, AI-powered analysis exposed compromised devices, uncovered...

www.greynoise.io

Glenn @ntkramer.bsky.social · Jul 16

📝 CVE-2017-18370 (Zyxel P660HN)

Oldie but goodie.

viz.greynoise.io/tag...
4/4

GreyNoise Visualizer | GreyNoise Visualizer

At GreyNoise, we collect and analyze untargeted, widespread, and opportunistic scan and attack activity that reaches every server directly connected to the Internet.

viz.greynoise.io

Glenn @ntkramer.bsky.social · Jul 16

⚡ CVE-2024-20439 (Cisco Smart Licensing Utility) (9.8/10, KEV)

Hardcoded credentials have been known since late last year.

viz.greynoise.io/tag...
3/4

GreyNoise Visualizer | GreyNoise Visualizer

At GreyNoise, we collect and analyze untargeted, widespread, and opportunistic scan and attack activity that reaches every server directly connected to the Internet.

viz.greynoise.io

Glenn @ntkramer.bsky.social · Jul 16

🔥 CVE-2025-49132 (Pterodactyl Panel RCE) (10/10 RCE)

Active exploitation observed within days of disclosure.

viz.greynoise.io/tag...
2/4

GreyNoise Visualizer | GreyNoise Visualizer

At GreyNoise, we collect and analyze untargeted, widespread, and opportunistic scan and attack activity that reaches every server directly connected to the Internet.

viz.greynoise.io

Glenn @ntkramer.bsky.social · Jul 16

🫖 & #threatintel - noticing a few other spikes orgs should be mindful of:
🔥 CVE-2025-49132 (Pterodactyl Panel RCE) (10/10 RCE)
⚡ CVE-2024-20439 (Cisco Smart Licensing Utility) (9.8/10, KEV)
📝 CVE-2017-18370 (Zyxel P660HN)
1/4

Glenn @ntkramer.bsky.social · Jul 16

The main takeaway is we, first hand, observed exploitation almost two weeks before the POC was released, so ensure all retro threat hunting goes back at LEAST a month, but ideally further.
2/2

Glenn @ntkramer.bsky.social · Jul 16

🩸& #threatintel | We (GreyNoise) just published a quick note (www.greynoise.io/blo...) regarding CVE-2025-5777 - CitrixBleed 2
1/2

Exploitation of CitrixBleed 2 (CVE-2025-5777) Began Before PoC Was Public

GreyNoise has observed active exploitation attempts against CVE-2025-5777 (CitrixBleed 2), a memory overread vulnerability in Citrix NetScaler. Exploitation began on June 23 — nearly two weeks before a public proof-of-concept was released on July 4.

www.greynoise.io

Glenn @ntkramer.bsky.social · Jul 7

...here: viz.greynoise.io/tag...
2/2

GreyNoise Visualizer | GreyNoise Visualizer

At GreyNoise, we collect and analyze untargeted, widespread, and opportunistic scan and attack activity that reaches every server directly connected to the Internet.

viz.greynoise.io

Glenn @ntkramer.bsky.social · Jul 7

🥜 & #threatintel - Thanks to @horizon3ai.bsky.social, we pushed a tag out today for CitrixBleed 2 CVE-2025-5777 and are backfilling. Currently, we see 233 hits starting on July 1 from:
64.176.50[.]109
38.154.237[.]100
102.129.235[.]108
121.237.80[.]241
45.135.232[.]2
Follow along...

1/2

Glenn @ntkramer.bsky.social · Jun 12

Just a totally normal trip home from the airport last night… passing the national guard rolling down the highway as they prepare for NO KINGS DAY protests. F this administration. About 3 more months before they start trying to censor social media via tech controls.

Glenn @ntkramer.bsky.social · May 29

Seems like a lot of work when you could have found 200 year old brain proteins in the US Congress rn.

phys.org/news/2025-0...

Paleoproteomic profiling recovers diverse proteins from 200-year-old human brains

A new method developed by researchers at the Nuffield Department of Medicine, University of Oxford, could soon unlock the vast repository of biological information held in the proteins of ancient soft ...

Glenn @ntkramer.bsky.social · May 28

It's hard to beat good deception. :)

GreyNoise @greynoise.io · May 28

GreyNoise Discovers Stealthy Backdoor Campaign Targeting ASUS Routers. Attacker tradecraft reflects APT-like behavior: quiet, durable, and designed for long-term access. Full blog ⬇️

#Cybersecurity #ThreatIntel #GreyNoise #ASUS

GreyNoise Discovers Stealthy Backdoor Campaign Affecting Thousands of ASUS Routers

GreyNoise uncovers a stealth campaign exploiting ASUS routers, enabling persistent backdoor access via CVE-2023-39780 and unpatched techniques. Learn how attackers evade detection, how GreyNoise disco...

www.greynoise.io

Glenn @ntkramer.bsky.social · May 27

If you're ever feeling lonely, just close Zoom.
This works because a funny thing always happens: a random last-minute Zoom will appear if you close it completely.

Glenn @ntkramer.bsky.social · May 15

🥤& #threat-intel: CISA added Langflow Code Injection CVE-2025-3248 to the KEV on May 5. Recently, it has garnered considerable attention, with South Korea leading the pack. This vuln enables unauthenticated attackers to execute arbitrary code via /api/v1/validate/code

viz.greynoise.io/tag...

Glenn @ntkramer.bsky.social · May 15

The number of times I've murmured, "This wouldn't have happened with a PM," is too damn high.

Glenn @ntkramer.bsky.social · May 13

Good news everyone! www.cisa.gov/news-events/...

"Update May 13: (...) As such, we have paused immediate changes while we re-assess the best approach to sharing with our stakeholders."

Update to How CISA Shares Cyber-Related Alerts and Notifications | CISA

CISA is changing how we announce cybersecurity updates and the release of new guidance.

Glenn @ntkramer.bsky.social · May 12

www.cisa.gov/news-ev...

The only beneficiary here is, checks notes, X.
2/2

Update to How CISA Shares Cyber-Related Alerts and Notifications | CISA

CISA is changing how we announce cybersecurity updates and the release of new guidance

Glenn @ntkramer.bsky.social · May 12

This change legitimately pisses me off.

TL;DR—They appear to be removing RSS for KEV alerts and moving them to email or X.
They gave orgs 0 days to prepare. RSS is already a thing. The emails arrive many hours later. X is NOT a gov website(!); it even warns you when you click their link!
1/2

Glenn @ntkramer.bsky.social · Apr 15

Join us live! Or later? Looking forward to chatting with Tracy!

GreyNoise @greynoise.io · Apr 14

🎙️ Tomorrow on Storm⚡️Watch we’re joined by the one and only @infosecsherpa.bsky.social! 🧗‍♀️

Catch it live Tuesday at 1030 AM ET: stormwatch.ing

Storm⚡️Watch

Storm⚡️Watch is a weekly podcast and livestream that digs deep into various cybersecurity topics and internet exploitation trends. Our goal is simple: to deliver insightful analyses, thought-provoking...

Glenn @ntkramer.bsky.social · Apr 7

Hi yes. Help your local cybersecurity researchers. If you blog a thing, please date the blog. kthx.

Reposted by Glenn

GreyNoise @greynoise.io · Mar 27

🚨 New GreyNoise Tag Alert: We've added a fresh tag tracking CrushFTP Authentication Bypass (CVE-2025-2825) exploitation attempts. Thanks to @horizon3ai.bsky.social for the intel! Dive into the details: viz.greynoise.io/tags/crushft...

Glenn @ntkramer.bsky.social · Mar 27

🔮 clearly! 🙃