Glenn
ntkramer.bsky.social
Experienced InfoSec | Elder Millennial | 💼 @GreyNoiseIO | I ask 'why?' a lot | Pro Oxford Comma | Fix it! | He/Him | #BLM | Views are my own.

https://linktr.ee/glennthorpe
Ron (@iagox86.bsky.social) and I are presenting at #Suricon (Montreal) next month! If you're around, you'll definitely want to find us for some sweet swag (oh, and our talk is pretty cool too!).

suricon.net/agenda-m...
October 21, 2025 at 2:37 PM
It’s time for many folks’ annual cultural learning session. 🤣
October 3, 2025 at 12:22 PM
🥤& #threat-intel: CISA added Langflow Code Injection CVE-2025-3248 to the KEV on May 5. Recently, it has garnered considerable attention, with South Korea leading the pack. This vuln enables unauthenticated attackers to execute arbitrary code via /api/v1/validate/code

viz.greynoise.io/tag...
May 15, 2025 at 10:06 PM
This change legitimately pisses me off.

TL;DR—They appear to be removing RSS for KEV alerts and moving them to email or X.
They gave orgs 0 days to prepare. RSS is already a thing. The emails arrive many hours later. X is NOT a gov website(!); it even warns you when you click their link!
1/2
May 12, 2025 at 9:04 PM
And another one. Two in one day.
March 22, 2025 at 3:04 AM
March 21, 2025, I received this:

3/4
March 21, 2025 at 8:05 PM
March 13, 2025, I received this:

2/4
March 21, 2025 at 8:05 PM
Absolutely disgusting. The Trump admin (DHS) has repurposed opt-in email signups to spread their propaganda.

Years ago (4+) I signed up for Homeland Security emails; I don't recall doing this but based on the ones in my email it was related to something cyber -- not surprising.
1/4
March 21, 2025 at 8:04 PM
🍵 & #threatintel: @greynoise.io is observing a massive spike in exploitation attempts for CVE-2017-18368, Zyxel Command Injection Vulnerability. The source countries for this spike are pretty diverse; perhaps added to a botnet?

viz.greynoise.io/tag...

February 19, 2025 at 10:30 PM
Regarding the Murdoc botnet delivering Mirai malware (www.darkreading.com/...) GreyNoise has 👀

1) viz.greynoise.io/tag...
2) viz.greynoise.io/tag...
January 21, 2025 at 7:57 PM
Censys released an advisory regarding Kerio CVE-2024-52875. We at GreyNoise began observing exploit attempts on December 28. Although the IP addresses involved are currently quite noisy, it's notable that they predominantly trace from Singapore to Lithuania. #threatintel

viz.greynoise.io/tag...
January 7, 2025 at 11:02 PM
Happy Festivus!

_|_
December 23, 2024 at 1:40 PM
Was there a CVE for this? 😆

support.microsoft.com/en-us/office...
December 23, 2024 at 4:02 AM
Amplifying this from our /noiseletter/. Today marks a significant milestone for GreyNoise as we (essentially) launch GreyNoise v2.
1/5
December 4, 2024 at 10:56 PM

We, @greynoise.bsky.social, are seeing a massive uptick in IPs attempting to authenticate via telnet using one of several known backdoor accounts in FiberHome routers.

viz.greynoise.io/tag...
October 30, 2024 at 7:29 PM
🎃 & #threatintel: We/GreyNoise have observed a significant increase in Fortinet SSL brute force attempts recently. This is the highest level in the past two months and the third highest of 2024.

viz.greynoise.io/tag...
October 18, 2024 at 9:12 PM
🗞️ & #threatintel: Increased interest in IPs attempting to exploit CVE-2023-4966, an unauthenticated information disclosure vulnerability in Citrix ADC & NetScaler platforms.

viz.greynoise.io/tag...
September 22, 2024 at 5:36 PM
You disappoint ME! 😅
You must have a short name thing going on.
September 5, 2024 at 10:09 PM
☕️ & #threatintel: GreyNoise is observing a sizable increase in IPs attempting to brute-force credentials against Fortinet SSL VPNs. This is the most activity we've observed since mid January 2024.

viz.greynoise.io/tag...
August 14, 2024 at 1:49 PM
🎰 & #threatintel: GreyNoise has observed an increase in the exploitation of CVE-2021-28799 over the past few days. This vulnerability affects QNAP NAS devices and allows unauthorized remote access.

viz.greynoise.io/tag...
August 5, 2024 at 7:37 PM
I'll be around the hackery summery campy things this week starting late Tues; looking forward to all the things except the germs and exhaustion. See you around!

#blackhat #BHUSA #DEFCON #defcon32 #brathacker #bsideslv #HackerSummercamp #didimissone
August 5, 2024 at 1:51 PM
🌭 & #threatintel: Not loving the bump in interest of Cisco CVE-2019-1935 right before #blackhat #defcon week.

viz.greynoise.io/tag...
August 3, 2024 at 10:32 PM
Looking back further, you can see how unusual it is:
2/2
July 15, 2024 at 6:07 PM
🥪 & #threatintel: something suspicious a-bot this spike in IP addresses attempting to exploit Mikrotik CVE-2018-14847... new botnet/addition?

viz.greynoise.io/tag...
1/2
July 15, 2024 at 6:07 PM
🥪 & #threatintel: We're seeing a significant uptick (the most in the last 6+ months) in the inventorying of Outlook Web Access (OWA) instances; I can't imagine why... [Narrator: Microsoft’s June 2024 Patch Tuesday]

viz.greynoise.io/tag...
June 13, 2024 at 4:14 PM