Glenn
@ntkramer.bsky.social
Experienced InfoSec | Elder Millennial | 💼 @GreyNoiseIO | I ask 'why?' a lot | Pro Oxford Comma | Fix it! | He/Him | #BLM | Views are my own.

https://linktr.ee/glennthorpe
Looking forward to sharing the stage at [un]prompted with the wizard himself, @hrbrmstr.dev, as we showcase "Orbie" (a custom-built AI agent that analyzes internet-scale honeypot data to surface emerging threats and even identify campaigns).
Agenda - [un]prompted
unpromptedcon.org
February 16, 2026 at 3:25 PM
Excited to share that I've been asked to speak at the Minorities in Cybersecurity Conference this March!

I’ll be on a panel “How Do You Define Cybersecurity Experience? A Change in Perspective” where we’ll dig into what really counts as cybersecurity experience
February 12, 2026 at 12:45 PM
My latest pet project, an RSS feed to alert you to the silent KEV knownRansomwareCampaignUse flips!

(Did you know there were four CVEs flipped last week?) #threatintel
In 2025, 59 CVEs quietly flipped to “known ransomware use” in CISA’s KEV...no alerts, no fanfare. 🧐

We dug through a year of JSON to catch every silent flip and built an RSS feed so you don’t miss the next one.

Read the blog + grab the feed 🗞️
The Noise in the Silence: Unmasking CISA's Hidden KEV Ransomware Updates
In 2025, 59 KEV entries silently flipped to “known ransomware use.” GreyNoise uncovers the hidden flips, why they matter, and a new feed to track them.
www.greynoise.io
February 2, 2026 at 7:54 PM
🍩 & #threatintel - 95% of exploitation attempts targeting CVE-2026-20045, a critical vulnerability in Cisco Unified Communications Manager, have used a distinctive user-agent: Mozilla/5.0 (compatible; CiscoExploit/1.0) and are heavily targeting our Cisco Unified Communications Manager sensors.
1/2
January 31, 2026 at 4:52 PM
☕ & #threatintel - Two campaigns (100x spike!) are hitting Ivanti Connect Secure; one loud (34K sessions from Romania/Moldova), one stealthy (~6K distributed IPs). Both target a pre-exploitation endpoint for CVE-2025-0282.
Inside the Infrastructure: Who’s Scanning for Ivanti Connect Secure? – GreyNoise Labs
GreyNoise detected a 100x surge in Ivanti Connect Secure reconnaissance targeting CVE-2025-0282 (EPSS 93%). Analysis reveals two distinct campaigns: an aggressive AS213790-based operation generating 34K+ sessions and a stealthier distributed botnet approach across 6K IPs. Infrastructure analysis and defender recommendations included.
www.labs.greynoise.io
January 29, 2026 at 5:20 PM
CISA's KEV hit 1,500 yesterday. I'm working on a cool #threatintel blog (yes, I'm biased) about additional hidden intel in KEV that should be published soon, along with a helpful tool hosted by GreyNoise! :)
January 28, 2026 at 5:33 PM
☕ & #threatintel: CISA has moved the due date for mitigating CVE-2025-55182 (Meta React Server Components Remote Code Execution Vulnerability) up by two weeks. It was initially set for December 26, but it is now due on December 12.
1/2
December 10, 2025 at 2:04 PM
Ron & my talk from SuriCon 2025 | Abusing HTTP Quirks to Evade Detection
I think it turned out pretty well; pardon the disco effect where a stage light was failing :)

www.youtube.com/watc...

CC: @iagox86.bsky.social @greynoise.io
SuriCon 2025 | Abusing HTTP Quirks to Evade Detection
Presented at SuriCon 2025 by Ron Bowes and Glenn Thorpe Network protocols are messy! Sure, there are standards — RFCs, IEEEs, you name it — but there are also multiple ways to do basically everything. If you’re relying on network IDS/IPS tools like Suricata, I have bad news — a sufficiently cl
www.youtube.com
December 9, 2025 at 10:41 PM
Ron (@iagox86.bsky.social) and I are presenting at #Suricon (Montreal) next month! If you're around, you'll definitely want to find us for some sweet swag (oh, and our talk is pretty cool too!).

suricon.net/agenda-m...
October 21, 2025 at 2:37 PM
It’s time for many folks’ annual cultural learning session. 🤣
October 3, 2025 at 12:22 PM
Reposted by Glenn
On 28 September, GreyNoise observed a sharp one-day surge in attempts to exploit Grafana CVE-2021-43798. Full analysis & malicious IPs ⬇️
#Grafana #GreyNoise #ThreatIntel
Coordinated Grafana Exploitation Attempts on 28 September
GreyNoise observed a sharp one-day surge of exploitation attempts targeting CVE-2021-43798 — a Grafana path traversal vulnerability that enables arbitrary file reads. All observed IPs are classified a...
www.greynoise.io
October 2, 2025 at 9:32 PM
We all know that @hrbrmstr.dev is a mad scientist, and when you give him the amazing telemetry our new fleet has been collecting lately, you get knowledge drops like this! Super proud of our @greynoise.io team’s work on the deception capabilities we now have! #threatintel
🚨 New Research: GreyNoise identifies an early warning signal, spikes in attacker activity tend to precede new CVE disclosures within six weeks. Which vendors show the strongest signal and more, all in our latest report ⬇️
Early Warning Signals: When Attacker Behavior Precedes New Vulnerabilities
GreyNoise’s new research reveals a recurring pattern: spikes in malicious activity often precede the disclosure of new CVEs — especially in enterprise edge technologies like VPNs and firewalls.
www.greynoise.io
August 1, 2025 at 3:24 PM
Reposted by Glenn
An unexpected cluster of malicious IPs in a remote U.S. town led GreyNoise researchers to uncover a 500+ device botnet. Full analysis ⬇️
#Cybersecurity #ThreatIntel #Botnet #VoIP #GreyNoise #Cyber #Tech
A Spike in the Desert: How GreyNoise Uncovered a Global Pattern of VOIP-Based Telnet Attacks
A spike in botnet traffic from a single utility in a rural part of New Mexico led to the discovery of a global botnet. Explore how human-led, AI-powered analysis exposed compromised devices, uncovered...
www.greynoise.io
July 24, 2025 at 1:05 PM
🫖 & #threatintel - noticing a few other spikes orgs should be mindful of:
🔥 CVE-2025-49132 (Pterodactyl Panel RCE) (10/10 RCE)
⚡ CVE-2024-20439 (Cisco Smart Licensing Utility) (9.8/10, KEV)
📝 CVE-2017-18370 (Zyxel P660HN)
1/4
July 16, 2025 at 9:45 PM
🩸& #threatintel | We (GreyNoise) just published a quick note (www.greynoise.io/blo...) regarding CVE-2025-5777 - CitrixBleed 2
1/2
Exploitation of CitrixBleed 2 (CVE-2025-5777) Began Before PoC Was Public
GreyNoise has observed active exploitation attempts against CVE-2025-5777 (CitrixBleed 2), a memory overread vulnerability in Citrix NetScaler. Exploitation began on June 23 — nearly two weeks before a public proof-of-concept was released on July 4.
www.greynoise.io
July 16, 2025 at 9:05 PM
🥜 & #threatintel - Thanks to @horizon3ai.bsky.social, we pushed a tag out today for CitrixBleed 2 CVE-2025-5777 and are backfilling. Currently, we see 233 hits starting on July 1 from:
64.176.50[.]109
38.154.237[.]100
102.129.235[.]108
121.237.80[.]241
45.135.232[.]2
Follow along...

1/2
July 7, 2025 at 9:56 PM
Just a totally normal trip home from the airport last night… passing the national guard rolling down the highway as they prepare for NO KINGS DAY protests. F this administration. About 3 more months before they start trying to censor social media via tech controls.

June 12, 2025 at 2:37 PM
Seems like a lot of work when you could have found 200 year old brain proteins in the US Congress rn.

phys.org/news/2025-0...
Paleoproteomic profiling recovers diverse proteins from 200-year-old human brains
A new method developed by researchers at the Nuffield Department of Medicine, University of Oxford, could soon unlock the vast repository of biological information held in the proteins of ancient soft ...
phys.org
May 29, 2025 at 11:45 AM
It's hard to beat good deception. :)
May 28, 2025 at 3:38 PM
If you're ever feeling lonely, just close Zoom.
This works because a funny thing always happens: a random last-minute Zoom will appear if you close it completely.
May 27, 2025 at 9:21 PM
🥤& #threat-intel: CISA added Langflow Code Injection CVE-2025-3248 to the KEV on May 5. Recently, it has garnered considerable attention, with South Korea leading the pack. This vuln enables unauthenticated attackers to execute arbitrary code via /api/v1/validate/code

viz.greynoise.io/tag...
May 15, 2025 at 10:06 PM
This change legitimately pisses me off.

TL;DR—They appear to be removing RSS for KEV alerts and moving them to email or X.
They gave orgs 0 days to prepare. RSS is already a thing. The emails arrive many hours later. X is NOT a gov website(!); it even warns you when you click their link!
1/2
May 12, 2025 at 9:04 PM
Join us live! Or later? Looking forward to chatting with Tracy!
April 15, 2025 at 1:37 PM
Hi yes. Help your local cybersecurity researchers. If you blog a thing, please date the blog. kthx.
April 7, 2025 at 3:26 PM