A new study suggests that in nearly 80% of cases, unusual spikes in malicious online activity — such as network reconnaissance, targeted scanning, and brute-force attacks on edge networking devices — occur in the six weeks before the public disclosure of new security vulnerabilities (CVEs).
The finding comes from threat intelligence company GreyNoise, which says these incidents are not random, but instead follow consistent and statistically significant patterns.
GreyNoise analyzed data from its Global Observation Grid (GOG) dating back to September 2024, applying objective statistical measures to filter out noise, ambiguity, and low-quality entries. This process identified 216 significant spike events linked to eight enterprise edge vendors.
"Across all 216 spike events we studied, 50 percent were followed by a new CVE within three weeks, and 80 percent within six weeks," explain the researchers. The correlation was especially strong for products from Ivanti, SonicWall, Palo Alto Networks, and Fortinet, and weaker for MikroTik, Citrix, and Cisco. According to GreyNoise, state-sponsored actors have consistently targeted such systems for initial access and persistence, often probing for older, already-documented flaws.
Researchers believe this scanning activity aids either in uncovering new vulnerabilities or in identifying exposed endpoints that could later be exploited with novel attacks.
Traditionally, defenders act after a CVE is published. However, GreyNoise’s findings indicate that unusual attacker behavior can serve as an early warning system — giving security teams a valuable window to strengthen defenses before a vulnerability becomes public knowledge.
These pre-disclosure spikes allow defenders to bolster monitoring, tighten security controls, and prepare for possible exploits, even if no patch is yet available or the targeted component remains unknown. GreyNoise recommends closely monitoring scanning activity and swiftly blocking source IPs to prevent reconnaissance from progressing to active attacks.
The company also stresses that scans targeting older vulnerabilities shouldn’t be dismissed as harmless, since attackers often use them to catalog internet-facing systems that might be vulnerable to other exploits in the future.
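One way to act on the recommendation to monitor scanning activity, as an added example that is not GreyNoise's code or method: flag days on which the number of distinct source IPs probing a product family jumps far above its trailing median, and list the sources not seen during the baseline for block-list review. The 7-day window, the median/MAD threshold, the product tag and the sample events (documentation-range addresses) are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import date, timedelta
from statistics import median

WINDOW = 7   # assumed trailing baseline length, in days
K = 5.0      # assumed threshold: robust deviations above the baseline median

def daily_sources(events):
    """Group (day, product_tag, src_ip) events into {tag: {day: set(ips)}}."""
    out = defaultdict(lambda: defaultdict(set))
    for day, tag, ip in events:
        out[tag][day].add(ip)
    return out

def find_spikes(events, window=WINDOW, k=K):
    """Return [(tag, day, count, baseline_median, new_ips)] for each spike day."""
    spikes = []
    for tag, by_day in daily_sources(events).items():
        first, last = min(by_day), max(by_day)
        days = [first + timedelta(n) for n in range((last - first).days + 1)]
        for i in range(window, len(days)):
            base_days = days[i - window:i]
            base = [len(by_day.get(d, ())) for d in base_days]  # quiet days count as 0
            med = median(base)
            mad = median(abs(c - med) for c in base)
            scale = max(1.4826 * mad, 1.0)  # floor keeps a flat baseline from flagging tiny changes
            count = len(by_day.get(days[i], ()))
            if count > med + k * scale:
                seen = set().union(*(by_day.get(d, set()) for d in base_days))
                # Sources absent from the baseline are the candidates for blocking.
                spikes.append((tag, days[i], count, med, sorted(by_day[days[i]] - seen)))
    return spikes

def sample_events():
    """Constructed data: 14 days of edge-device probes with a burst on day 12."""
    start, events = date(2025, 1, 1), []
    for n in range(14):
        day = start + timedelta(n)
        regulars = 3 + n % 3  # 3 to 5 recurring scanners per day
        events += [(day, "vendor-a-vpn", f"198.51.100.{h}") for h in range(1, regulars + 1)]
        if n == 11:           # burst of 40 previously unseen sources
            events += [(day, "vendor-a-vpn", f"203.0.113.{h}") for h in range(1, 41)]
    return events

if __name__ == "__main__":
    for tag, day, count, med, new_ips in find_spikes(sample_events()):
        print(f"{day} {tag}: {count} sources (baseline median {med}), {len(new_ips)} new")
```

Probes for older, already-documented flaws count toward the same daily total, in line with the point that such scans should not be dismissed.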
In a related move, Google’s Project Zero announced it will now notify the public within one week of discovering a new vulnerability. The disclosure will include the affected vendor or product, the discovery date, and the standard 90-day patch deadline. No technical details, proof-of-concept code, or exploit information will be released in this early notice, ensuring attackers cannot leverage the information while helping administrators reduce the “patch gap.”