New BeyondTrust pre-auth RCE (CVE-2026-1731). PoC dropped, and recon began within 24 hours. GreyNoise is already seeing a dominant VPN-backed scanner, non-standard port targeting, and multi-exploit actors probing BeyondTrust alongside SonicWall, MOVEit, Log4j, Sophos firewalls, SSH, and IoT. If you’re running BeyondTrust Remote Support or Privileged Remote Access on-prem, update to RS v25.3.2+ or PRA v25.1.1+. 🔗 https://lnkd.in/gChKQ4jn
GreyNoise Intelligence
Computer and Network Security
Washington, District of Columbia 13,248 followers
Real-time, verifiable intelligence for the most urgent and critical threats
About us
GreyNoise empowers defenders to work on the most urgent and critical threats without being overwhelmed by noisy, low-priority alerts. We provide real-time, verifiable threat intelligence powered by the largest and most sophisticated internet sensor network.
- Website: https://greynoise.io/
- Industry: Computer and Network Security
- Company size: 11-50 employees
- Headquarters: Washington, District of Columbia
- Type: Privately Held
- Founded: 2017
Locations
- Primary: 1015 15th St NW, Suite 600, Washington, District of Columbia 20002, US
Updates
-
Three campaigns hit Ivanti this week. One already has Cobalt Strike staged. RDP attacks nearly quadrupled. A workflow automation CVE is being exploited from a purpose-built Kubernetes cluster. And a known botnet just picked up a new weapon. Here's a preview of what GreyNoise customers received this week. The full brief includes complete IOCs, infrastructure attribution, and the analysis behind each finding. 🔗 https://lnkd.in/eW8QgHJP #ThreatIntelligence #InfoSec #GreyNoise #CyberSecurity #Ivanti #RDP #CVE
-
GreyNoise Intelligence reposted this
GreyNoise Intelligence on the front page of hacker news. Excellent work boB Rudis.
-
On January 14th at 21:00 UTC, global telnet traffic observed by GreyNoise fell off a cliff — a 65% drop in a single hour, settling into a sustained 59% reduction. We analyzed 51.2 million sessions to understand what happened. 18 ASNs went completely silent. 5 countries disappeared from telnet traffic entirely. Major US ISPs dropped to zero — yet cloud providers with direct IXP peering were unaffected. AWS actually increased 78%. The evidence points to one or more North American Tier 1 transit providers implementing port 23 filtering on backbone links. Full analysis on the blog. 🔗 https://lnkd.in/esyX-QiN #GreyNoise #ThreatIntelligence #NetworkSecurity #Telnet #CyberSecurity #InfoSec
-
We tracked 417 exploitation sessions targeting CVE-2026-1281 (Ivanti EPMM, CVSS 9.8). 83% came from a single bulletproof-hosted IP absent from every published IOC list. The IPs that are on those lists? VPN exits and a residential router with zero Ivanti exploitation. Full breakdown of who's actually behind this and what to block: https://lnkd.in/gZu9NUk6 #ThreatIntelligence #Ivanti #CVE20261281 #InfoSec #GreyNoise
-
GreyNoise Intelligence reposted this
On January 14th, 2026 between 20:00 UTC and 21:00 UTC global telnet traffic dropped significantly (about 50%) in our sensor fleet at GreyNoise Intelligence. I believe this was a coordinated effort by at least one major ISP to reduce the blast radius of CVE-2026-24061, which is an authentication bypass for GNU inetutils telnetd. The bug is trivial to exploit and is very much being exploited in the wild by malicious actors. I assume it affects many end-of-life'd devices, which essentially makes them permanently vulnerable to literally everyone. This is *extremely good* and the Right Thing™️ to do. I want to take a step back and explain *why* this is good and why we need more ISP intervention. There is simply no one in the world more equipped to have a positive impact on the safety and security of networks than the tier 1 ISPs. Not the government, not the firewall vendors, not threat intel vendors, nobody. There are only FOURTEEN tier 1 ISPs. All packets that cross the internet are virtually guaranteed to transit at least one of them. I understand that their business model is to transit packets, not inspect them and not drop them. And I understand that they are fighting fights of their own to keep adversaries out of their innards. But if half of them pledge to drop as much malicious traffic as possible the internet would be a QUANTIFIABLY safer place, virtually overnight. This is not a pipe dream. This is *extremely* achievable. Good work.
-
Attackers are operating at machine speed + so should defenders. 🤖 Check out the Government Technology Insider article, where our Principal Intelligence Liaison, Nishawn Smagh, shares what we’re seeing in the data and 4️⃣ steps to get to active defense at machine speed. https://lnkd.in/dMewiE2p
-
GreyNoise Intelligence reposted this
This was a fun undertaking. It's always great to learn a new ecosystem and see how we can get our data into the places our customers need.
New post in the CrowdStrike Tech Hub from Bradford Chiappetta at GreyNoise Intelligence! It's a technical deep dive on building a Falcon Foundry app for Falcon Next-Gen SIEM. 🔍 The real lessons learned: 🐍 Processing data in batches to avoid memory limits 📊 Event enrichment with lookup files 🔐 Getting the right authorization scopes If you're building on Falcon Foundry, the gotchas in this post will save you some headaches. https://lnkd.in/grmdaYAs #FalconFoundry #CrowdStrike #ThreatIntel
-
React Server Components exploitation has consolidated. 🐚 Two months post-disclosure, two IPs now account for 56% of all CVE-2025-55182 traffic we observe. Different payloads. Different objectives. Same vulnerability. When we pivoted on the staging infrastructure, we found a trail back to 2020 — and some interesting neighbors. Full analysis, IOCs, and the infrastructure connections on the blog. 🔗 https://lnkd.in/gqf5xM6X