Glenn
@ntkramer.bsky.social
Experienced InfoSec | Elder Millennial | 💼 @GreyNoiseIO | I ask 'why?' a lot | Pro Oxford Comma | Fix it! | He/Him | #BLM | Views are my own.
https://linktr.ee/glennthorpe
https://linktr.ee/glennthorpe
☕ & #threatintel: CISA has moved the due date for mitigating CVE-2025-55182 (Meta React Server Components Remote Code Execution Vulnerability) up by two weeks. It was initially set for December 26, but it is now due on December 12.
1/2
1/2
December 10, 2025 at 2:04 PM
☕ & #threatintel: CISA has moved the due date for mitigating CVE-2025-55182 (Meta React Server Components Remote Code Execution Vulnerability) up by two weeks. It was initially set for December 26, but it is now due on December 12.
1/2
1/2
Ron & my talk from SuriCon 2025 | Abusing HTTP Quirks to Evade Detection
I think it turned out pretty well; pardon the disco effect where a stage light was failing :)
www.youtube.com/watc...
CC: @iagox86.bsky.social @greynoise.io
I think it turned out pretty well; pardon the disco effect where a stage light was failing :)
www.youtube.com/watc...
CC: @iagox86.bsky.social @greynoise.io
SuriCon 2025 | Abusing HTTP Quirks to Evade Detection
Presented at SuriCon 2025 by Ron Bowes and Glenn Thorpe
Network protocols are messy! Sure, there are standards — RFCs, IEEEs, you name it — but there are also multiple ways to do basically everything. If you’re relying on network IDS/IPS tools like Suricata, I have bad news — a sufficiently cl
www.youtube.com
December 9, 2025 at 10:41 PM
Ron & my talk from SuriCon 2025 | Abusing HTTP Quirks to Evade Detection
I think it turned out pretty well; pardon the disco effect where a stage light was failing :)
www.youtube.com/watc...
CC: @iagox86.bsky.social @greynoise.io
I think it turned out pretty well; pardon the disco effect where a stage light was failing :)
www.youtube.com/watc...
CC: @iagox86.bsky.social @greynoise.io
Ron (@iagox86.bsky.social) and I are presenting at #Suricon (Montreal) next month! If you're around, you'll definitely want to find us for some sweet swag (oh, and our talk is pretty cool too!).
suricon.net/agenda-m...
suricon.net/agenda-m...
October 21, 2025 at 2:37 PM
Ron (@iagox86.bsky.social) and I are presenting at #Suricon (Montreal) next month! If you're around, you'll definitely want to find us for some sweet swag (oh, and our talk is pretty cool too!).
suricon.net/agenda-m...
suricon.net/agenda-m...
It’s time for many folks’ annual cultural learning session. 🤣
October 3, 2025 at 12:22 PM
It’s time for many folks’ annual cultural learning session. 🤣
Reposted by Glenn
On 28 September, GreyNoise observed a sharp one-day surge in attempts to exploit Grafana CVE-2021-43798. Full analysis & malicious IPs ⬇️
#Grafana #GreyNoise #ThreatIntel
#Grafana #GreyNoise #ThreatIntel
Coordinated Grafana Exploitation Attempts on 28 September
GreyNoise observed a sharp one-day surge of exploitation attempts targeting CVE-2021-43798 — a Grafana path traversal vulnerability that enables arbitrary file reads. All observed IPs are classified a...
www.greynoise.io
October 2, 2025 at 9:32 PM
On 28 September, GreyNoise observed a sharp one-day surge in attempts to exploit Grafana CVE-2021-43798. Full analysis & malicious IPs ⬇️
#Grafana #GreyNoise #ThreatIntel
#Grafana #GreyNoise #ThreatIntel
We all know that @hrbrmstr.dev is a mad scientist, and when you give him the amazing telemetry our new fleet has been collecting lately, you get knowledge drops like this! Super proud of our @greynoise.io team’s work on the deception capabilities we now have! hashtag#threatintel
🚨 New Research: GreyNoise identifies an early warning signal, spikes in attacker activity tend to precede new CVE disclosures within six weeks. Which vendors show the strongest signal and more, all in our latest report ⬇️
Early Warning Signals: When Attacker Behavior Precedes New Vulnerabilities
GreyNoise’s new research reveals a recurring pattern: spikes in malicious activity often precede the disclosure of new CVEs — especially in enterprise edge technologies like VPNs and firewalls.
www.greynoise.io
August 1, 2025 at 3:24 PM
We all know that @hrbrmstr.dev is a mad scientist, and when you give him the amazing telemetry our new fleet has been collecting lately, you get knowledge drops like this! Super proud of our @greynoise.io team’s work on the deception capabilities we now have! hashtag#threatintel
Reposted by Glenn
An unexpected cluster of malicious IPs in a remote U.S. town led GreyNoise researchers to uncover a 500+ device botnet. Full analysis ⬇️
#Cybersecurity #ThreatIntel #Botnet #VoIP #GreyNoise #Cyber #Tech
#Cybersecurity #ThreatIntel #Botnet #VoIP #GreyNoise #Cyber #Tech
A Spike in the Desert: How GreyNoise Uncovered a Global Pattern of VOIP-Based Telnet Attacks
A spike in botnet traffic from a single utility in a rural part of New Mexico led to the discovery of a global botnet. Explore how human-led, AI-powered analysis exposed compromised devices, uncovered...
www.greynoise.io
July 24, 2025 at 1:05 PM
An unexpected cluster of malicious IPs in a remote U.S. town led GreyNoise researchers to uncover a 500+ device botnet. Full analysis ⬇️
#Cybersecurity #ThreatIntel #Botnet #VoIP #GreyNoise #Cyber #Tech
#Cybersecurity #ThreatIntel #Botnet #VoIP #GreyNoise #Cyber #Tech
🫖 & #threatintel - noticing a few other spikes orgs should be mindful of:
🔥 CVE-2025-49132 (Pterodactyl Panel RCE) (10/10 RCE)
⚡ CVE-2024-20439 (Cisco Smart Licensing Utility) (9.8/10, KEV)
📝 CVE-2017-18370 (Zyxel P660HN)
1/4
🔥 CVE-2025-49132 (Pterodactyl Panel RCE) (10/10 RCE)
⚡ CVE-2024-20439 (Cisco Smart Licensing Utility) (9.8/10, KEV)
📝 CVE-2017-18370 (Zyxel P660HN)
1/4
July 16, 2025 at 9:45 PM
🫖 & #threatintel - noticing a few other spikes orgs should be mindful of:
🔥 CVE-2025-49132 (Pterodactyl Panel RCE) (10/10 RCE)
⚡ CVE-2024-20439 (Cisco Smart Licensing Utility) (9.8/10, KEV)
📝 CVE-2017-18370 (Zyxel P660HN)
1/4
🔥 CVE-2025-49132 (Pterodactyl Panel RCE) (10/10 RCE)
⚡ CVE-2024-20439 (Cisco Smart Licensing Utility) (9.8/10, KEV)
📝 CVE-2017-18370 (Zyxel P660HN)
1/4
🩸& #threatintel | We (GreyNoise) just published a quick note (www.greynoise.io/blo...) regarding CVE-2025-5777 - CitrixBleed 2
1/2
1/2
Exploitation of CitrixBleed 2 (CVE-2025-5777) Began Before PoC Was Public
GreyNoise has observed active exploitation attempts against CVE-2025-5777 (CitrixBleed 2), a memory overread vulnerability in Citrix NetScaler. Exploitation began on June 23 — nearly two weeks before a public proof-of-concept was released on July 4.
www.greynoise.io
July 16, 2025 at 9:05 PM
🩸& #threatintel | We (GreyNoise) just published a quick note (www.greynoise.io/blo...) regarding CVE-2025-5777 - CitrixBleed 2
1/2
1/2
🥜 & #threatintel - Thanks to @horizon3ai.bsky.social, we pushed a tag out today for CitrixBleed 2 CVE-2025-5777 and are backfilling. Currently, we see 233 hits starting on July 1 from:
64.176.50[.]109
38.154.237[.]100
102.129.235[.]108
121.237.80[.]241
45.135.232[.]2
Follow along...
1/2
64.176.50[.]109
38.154.237[.]100
102.129.235[.]108
121.237.80[.]241
45.135.232[.]2
Follow along...
1/2
July 7, 2025 at 9:56 PM
🥜 & #threatintel - Thanks to @horizon3ai.bsky.social, we pushed a tag out today for CitrixBleed 2 CVE-2025-5777 and are backfilling. Currently, we see 233 hits starting on July 1 from:
64.176.50[.]109
38.154.237[.]100
102.129.235[.]108
121.237.80[.]241
45.135.232[.]2
Follow along...
1/2
64.176.50[.]109
38.154.237[.]100
102.129.235[.]108
121.237.80[.]241
45.135.232[.]2
Follow along...
1/2
Just a totally normal trip home from the airport last night… passing the national guard rolling down the highway as they prepare for NO KINGS DAY protests. F this administration. About 3 more months before they start trying to censor social media via tech controls.
June 12, 2025 at 2:37 PM
Just a totally normal trip home from the airport last night… passing the national guard rolling down the highway as they prepare for NO KINGS DAY protests. F this administration. About 3 more months before they start trying to censor social media via tech controls.
Seems like a lot of work when you could have found 200 year old brain proteins in the US Congress rn.
phys.org/news/2025-0...
phys.org/news/2025-0...
Paleoproteomic profiling recovers diverse proteins from 200-year-old human brains
A new method developed by researchers at the Nuffield Department of Medicine, University of Oxford, could soon unlock the vast repository of biological information held in the proteins of ancient soft ...
phys.org
May 29, 2025 at 11:45 AM
Seems like a lot of work when you could have found 200 year old brain proteins in the US Congress rn.
phys.org/news/2025-0...
phys.org/news/2025-0...
It's hard to beat good deception. :)
GreyNoise Discovers Stealthy Backdoor Campaign Targeting ASUS Routers. Attacker tradecraft reflects APT-like behavior: quiet, durable, and designed for long-term access. Full blog ⬇️
#Cybersecurity #ThreatIntel #GreyNoise #ASUS
#Cybersecurity #ThreatIntel #GreyNoise #ASUS
GreyNoise Discovers Stealthy Backdoor Campaign Affecting Thousands of ASUS Routers
GreyNoise uncovers a stealth campaign exploiting ASUS routers, enabling persistent backdoor access via CVE-2023-39780 and unpatched techniques. Learn how attackers evade detection, how GreyNoise disco...
www.greynoise.io
May 28, 2025 at 3:38 PM
It's hard to beat good deception. :)
If you're ever feeling lonely, just close Zoom.
This works because a funny thing always happens: a random last-minute Zoom will appear if you close it completely.
This works because a funny thing always happens: a random last-minute Zoom will appear if you close it completely.
May 27, 2025 at 9:21 PM
If you're ever feeling lonely, just close Zoom.
This works because a funny thing always happens: a random last-minute Zoom will appear if you close it completely.
This works because a funny thing always happens: a random last-minute Zoom will appear if you close it completely.
🥤& #threat-intel: CISA added Langflow Code Injection CVE-2025-3248 to the KEV on May 5. Recently, it has garnered considerable attention, with South Korea leading the pack. This vuln enables unauthenticated attackers to execute arbitrary code via /api/v1/validate/code
viz.greynoise.io/tag...
viz.greynoise.io/tag...
May 15, 2025 at 10:06 PM
🥤& #threat-intel: CISA added Langflow Code Injection CVE-2025-3248 to the KEV on May 5. Recently, it has garnered considerable attention, with South Korea leading the pack. This vuln enables unauthenticated attackers to execute arbitrary code via /api/v1/validate/code
viz.greynoise.io/tag...
viz.greynoise.io/tag...
This change legitimately pisses me off.
TL;DR—They appear to be removing RSS for KEV alerts and moving them to email or X.
They gave orgs 0 days to prepare. RSS is already a thing. The emails arrive many hours later. X is NOT a gov website(!); it even warns you when you click their link!
1/2
TL;DR—They appear to be removing RSS for KEV alerts and moving them to email or X.
They gave orgs 0 days to prepare. RSS is already a thing. The emails arrive many hours later. X is NOT a gov website(!); it even warns you when you click their link!
1/2
May 12, 2025 at 9:04 PM
This change legitimately pisses me off.
TL;DR—They appear to be removing RSS for KEV alerts and moving them to email or X.
They gave orgs 0 days to prepare. RSS is already a thing. The emails arrive many hours later. X is NOT a gov website(!); it even warns you when you click their link!
1/2
TL;DR—They appear to be removing RSS for KEV alerts and moving them to email or X.
They gave orgs 0 days to prepare. RSS is already a thing. The emails arrive many hours later. X is NOT a gov website(!); it even warns you when you click their link!
1/2
Join us live! Or later? Looking forward to chatting with Tracy!
🎙️ Tomorrow on Storm⚡️Watch we’re joined by the one and only @infosecsherpa.bsky.social! 🧗♀️
Catch it live Tuesday at 1030 AM ET: stormwatch.ing
Catch it live Tuesday at 1030 AM ET: stormwatch.ing
Storm⚡️Watch
Storm⚡️Watch is a weekly podcast and livestream that digs deep into various cybersecurity topics and internet exploitation trends. Our goal is simple: to deliver insightful analyses, thought-provoking...
stormwatch.ing
April 15, 2025 at 1:37 PM
Join us live! Or later? Looking forward to chatting with Tracy!
Hi yes. Help your local cybersecurity researchers. If you blog a thing, please date the blog. kthx.
April 7, 2025 at 3:26 PM
Hi yes. Help your local cybersecurity researchers. If you blog a thing, please date the blog. kthx.
Reposted by Glenn
🚨 New GreyNoise Tag Alert: We've added a fresh tag tracking CrushFTP Authentication Bypass (CVE-2025-2825) exploitation attempts. Thanks to @horizon3ai.bsky.social for the intel! Dive into the details: viz.greynoise.io/tags/crushft...
March 27, 2025 at 9:31 PM
🚨 New GreyNoise Tag Alert: We've added a fresh tag tracking CrushFTP Authentication Bypass (CVE-2025-2825) exploitation attempts. Thanks to @horizon3ai.bsky.social for the intel! Dive into the details: viz.greynoise.io/tags/crushft...
Today is Opening Day for baseball season in the US. At least now I have my fav sport to put on when I want to watch something but avoid TV news.
March 27, 2025 at 11:30 AM
Today is Opening Day for baseball season in the US. At least now I have my fav sport to put on when I want to watch something but avoid TV news.
Dammit
if you’re reading this, relax your jaw
March 27, 2025 at 2:40 AM
Dammit
Reposted by Glenn
Headed to RSAC next month? 👀 NoiseFest will be just a few blocks away...no nonsense (well maybe a little 😈), just drinks, good people, and real security talk.
House of Shields | April 30 | 7–10PM
Spots are limited. RSVP now.
info.greynoise.io/events/noise...
House of Shields | April 30 | 7–10PM
Spots are limited. RSVP now.
info.greynoise.io/events/noise...
GreyNoise - NoiseFest at RSAC 2025
Join us for NoiseFest at RSAC 2025 on April 30th, At the House of Shields. Enjoy drinks, snacks, and engaging conversations with your peers. RSVP now!
info.greynoise.io
March 26, 2025 at 7:08 PM
Headed to RSAC next month? 👀 NoiseFest will be just a few blocks away...no nonsense (well maybe a little 😈), just drinks, good people, and real security talk.
House of Shields | April 30 | 7–10PM
Spots are limited. RSVP now.
info.greynoise.io/events/noise...
House of Shields | April 30 | 7–10PM
Spots are limited. RSVP now.
info.greynoise.io/events/noise...
Absolutely disgusting. The Trump admin (DHS) has repurposed opt-in email signups to spread their propaganda.
Years ago (4+) I signed up for Homeland Security emails; I don't recall doing this but based on the ones in my email it was related to something cyber -- not surprising.
1/4
Years ago (4+) I signed up for Homeland Security emails; I don't recall doing this but based on the ones in my email it was related to something cyber -- not surprising.
1/4
March 21, 2025 at 8:04 PM
Absolutely disgusting. The Trump admin (DHS) has repurposed opt-in email signups to spread their propaganda.
Years ago (4+) I signed up for Homeland Security emails; I don't recall doing this but based on the ones in my email it was related to something cyber -- not surprising.
1/4
Years ago (4+) I signed up for Homeland Security emails; I don't recall doing this but based on the ones in my email it was related to something cyber -- not surprising.
1/4
Happy ~Fat~ Tariff Tuesday to all that celebrate stupidity.
March 4, 2025 at 1:33 PM
Happy ~Fat~ Tariff Tuesday to all that celebrate stupidity.