Episode Summary: "Sponsored: GreyNoise on 2024's Mass Internet Scan Trends"
Risky Bulletin presents an insightful discussion with Andrew Morris, founder of GreyNoise, hosted by Catalin Cimpanu. This episode delves into the escalating challenges in cybersecurity, particularly focusing on mass internet scan trends, the proliferation of vulnerabilities in edge devices, and the sophisticated tactics employed by threat actors in 2024.
1. The Growing Threat Landscape
Andrew Morris opens the conversation by painting a concerning picture of the current cybersecurity environment. He emphasizes the alarming increase in both new and existing vulnerabilities targeting edge devices. "We're seeing an increase in the volume of net new vulnerabilities that are being disclosed against edge devices," he states (00:24). This surge is compounded by the rapid exploitation of zero-day vulnerabilities, often within days of their disclosure—or even before—signifying a critical lag in defensive measures.
Furthermore, Morris highlights the troubling trend of vulnerabilities being exploited in security products themselves. "The products that are supposed to be tasked with protecting users... bad guys are exploiting those," he explains (00:24). This underscores a paradox where the very tools designed to safeguard systems are becoming attack vectors.
2. Impact on Customers and GreyNoise's Role
Catalin Cimpanu probes into how these threats affect GreyNoise's clientele. Morris confirms that the rise in edge device attacks has driven increased demand for GreyNoise's services. "Our customers are still coming to you because of edge device attacks. So that would be a resounding yes," he affirms (02:01). GreyNoise assists security operations centers (SOCs), incident response teams, and vulnerability management units in navigating this complex threat landscape.
3. Insights from the Annual Threat Report
Anticipation builds as Morris provides a preview of GreyNoise's upcoming annual threat report. The report is set to offer comprehensive statistics and analyses, including:
- Exploitation Timelines: Detailed metrics on the average time from vulnerability disclosure to exploitation.
- Vulnerability Preferences: Insights into the types of vulnerabilities that adversaries favor, such as path traversal and OS command injection.
- Device and Botnet Analysis: Information on which devices are most targeted and the botnets facilitating these attacks.
Morris elaborates, "We've seen certain campaigns coming out of a large network of hacked Android devices... a lot of value to attackers in weaponizing old vulnerabilities" (02:11). This indicates a persistent exploitation of both new disclosures and longstanding, unresolved vulnerabilities.
4. Evolving Exploitation Tactics
The discussion shifts to the specific methodologies employed by attackers. Morris outlines that attackers are leveraging simple yet effective tactics to compromise devices. "Path traversal is one of them for sure. Lots of OS command injection... yes, exactly," he confirms (05:05). He further explains how chaining seemingly minor vulnerabilities can lead to full device takeover, giving attackers a foothold from which to move further into the network.
5. Acceleration of Exploitation Processes
A pivotal point in the conversation is the accelerated pace at which vulnerabilities are being exploited. Morris reveals a stark reduction in the window between vulnerability disclosure and exploitation: "It's down to same day at this point. And then in certain cases, sometimes even before disclosure" (06:20). This rapid exploitation is attributed to:
- Automation: Attackers are increasingly using automated tools to scan for and exploit vulnerabilities swiftly.
- Advanced Techniques: The integration of AI for vulnerability triage and exploitation planning, although Morris notes, "I don't think that the one sole answer is AI, but I do think that that could be a component of it" (07:13).
6. Exploitation of End-of-Life Devices
Morris sheds light on the vulnerability of end-of-life (EOL) devices, particularly routers, modems, and Network Attached Storage (NAS) systems. "We're seeing a lot of stuff against NAS's like QNAP devices, things like that, Synology... home and business network routers," he notes (08:16). These devices often lack ongoing security updates, making them low-hanging fruit for attackers seeking to maintain persistent access within networks.
7. Increasing Volume of Exploitation Activities
Addressing the overall trend, Morris confirms a significant uptick in exploitation activities. "The Internet is definitively noisier than it was a few years ago," he states (08:55). This increase is partly due to improved detection capabilities but largely driven by attackers intensifying their focus on edge devices, which offer lucrative entry points compared to the more fortified Windows systems.
8. GreyNoise's Customer Base and Feedback Loop
GreyNoise serves a diverse clientele, including large enterprises with dedicated SOCs, global government agencies, and other security firms integrating GreyNoise data into their offerings. "Our primary customer group is SOC teams... we also work with incident response teams, threat hunting teams, and vulnerability management teams," Morris explains (10:13).
The feedback from these customers is instrumental in shaping GreyNoise's strategies and offerings. "We get a lot of asks from our customers about... strategic trends... gaps in things that we're not providing," he adds (11:52). This collaborative approach ensures that GreyNoise remains responsive to the evolving needs of the cybersecurity community.
9. Conclusion and Report Release
As the conversation wraps up, Morris announces the imminent release of GreyNoise's mass exploitation report. "We're releasing it early next week... there’s going to be a link on our website where you can access it," he confirms (12:18). This report is poised to be a valuable resource for cybersecurity professionals aiming to stay ahead of emerging threats.
Notable Quotes:
- Andrew Morris (00:24): "We're seeing an increase in the volume of net new vulnerabilities that are being disclosed against edge devices."
- Andrew Morris (05:05): "Path traversal is one of them for sure. Lots of OS command injection... lots of insufficient access controls."
- Andrew Morris (06:20): "It's down to same day at this point. And then in certain cases, sometimes even before disclosure."
- Andrew Morris (08:55): "The Internet is definitively noisier than it was a few years ago."
- Andrew Morris (11:52): "We get a lot of asks from our customers about... strategic trends... gaps in things that we're not providing."
Key Takeaways:
- Rapid Exploitation: The time from vulnerability disclosure to exploitation has drastically decreased, sometimes occurring within the same day.
- Focus on Edge Devices: Attackers are increasingly targeting edge devices like routers, modems, and NAS systems due to their widespread use and often limited security.
- Automation and AI: The use of automated tools and AI is enhancing attackers' ability to identify and exploit vulnerabilities swiftly.
- End-of-Life Device Vulnerabilities: Devices no longer supported by manufacturers remain significant targets, posing ongoing risks to network security.
- GreyNoise's Strategic Role: By providing detailed threat reports and analytics, GreyNoise aids cybersecurity teams in understanding and mitigating emerging threats.
This episode of Risky Bulletin underscores the escalating challenges in cybersecurity, highlighting the need for continuous vigilance and advanced defensive strategies to combat the sophisticated tactics of modern threat actors.
