Ethical Hacking News
Spikes in malicious activity precede new CVEs in 80% of cases, according to a recent study by GreyNoise, a threat monitoring firm that analyzed data from its 'Global Observation Grid' (GOG) to identify patterns in attacker behavior. Such spikes are often a precursor to the disclosure of a new security vulnerability (CVE), and defenders can use them to prepare for potential attacks.
GreyNoise analyzed data from its 'Global Observation Grid' (GOG) and identified 216 events that qualified as spike events, tied to eight enterprise edge vendors. 50% of spike events were followed by a new CVE within three weeks, and 80% within six weeks. The correlation was stronger for Ivanti, SonicWall, Palo Alto Networks, and Fortinet products, and weaker for MikroTik, Citrix, and Cisco. State-sponsored actors target these systems for initial access and persistence. The "Mine Canary" phenomenon shows that scanning activity can serve as a leading indicator for proactive defenses: by watching for spikes in malicious activity, defenders can prepare, enhance monitoring, and harden systems before an attack lands. Google's Project Zero will inform the public about discovered vulnerabilities within a week to reduce the "patch gap". Cybersecurity professionals can employ strategies such as monitoring scanning activity, implementing robust security measures, and enhancing collaboration with vendors and system administrators. The study highlights the importance of proactive cybersecurity measures in today's complex threat landscape; defenders need to stay vigilant and adapt their strategies to address emerging threats.
In recent years, cybersecurity has become an increasingly complex landscape. As threats evolve, it is essential to identify patterns in attacker behavior that can inform proactive defenses. According to a study conducted by GreyNoise, a threat monitoring firm, spikes in malicious activity are a significant leading indicator of the disclosure of new security vulnerabilities (CVEs).
GreyNoise analyzed data from its 'Global Observation Grid' (GOG) collected since September 2024, applying objective statistical thresholds to avoid cherry-picking that would skew the results. The firm identified 216 events that qualified as spike events, tied to eight enterprise edge vendors. These spikes were characterized by repeatable and statistically significant patterns.
The study found that across all 216 spike events, 50 percent were followed by a new CVE within three weeks, and 80 percent within six weeks. This correlation was notably stronger for Ivanti, SonicWall, Palo Alto Networks, and Fortinet products, and weaker for MikroTik, Citrix, and Cisco. State-sponsored actors have repeatedly targeted such systems for initial access and persistence.
The researchers at GreyNoise believe that this pre-disclosure activity either helps attackers discover new weaknesses or enumerates internet-exposed endpoints that can be targeted in the next phase of the attack, which leverages novel exploits. The researchers have dubbed this phenomenon a "Mine Canary", highlighting the importance of monitoring scanning activity and promptly blocking the originating IPs so they are cut off from the reconnaissance that typically precedes actual attacks.
The study's findings have significant implications for cybersecurity professionals and defenders. Traditionally, defenders respond after a CVE is published, but GreyNoise's research shows that attacker behavior can be a leading indicator and a tool for organizing proactive defenses. By monitoring spikes in malicious activity, defenders can prepare, enhance monitoring, and harden systems against a potential attack, even when no security update yet protects them and they do not know which system component or function is actually being targeted.
Google's Project Zero has announced that it will begin informing the public, within a week, that a vulnerability has been discovered, helping system admins bolster their defenses while vendors work on developing a patch. This change aims to reduce the "patch gap" by giving system administrators time to prepare and address vulnerabilities before the technical details are publicly disclosed.
To mitigate the risks associated with spikes in malicious activity, cybersecurity professionals can employ several strategies. First, monitor scanning activity closely and promptly block originating IPs that exhibit suspicious behavior. Second, implement robust security measures, such as threat detection and response systems, to identify and neutralize potential threats. Finally, engage with vendors and system administrators to improve collaboration and information sharing.
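The page does not give GreyNoise's actual statistical thresholds, so the following is an added example, not GreyNoise's or any vendor's code: it applies a simple trailing-baseline z-score rule to constructed daily scan counts for one vendor's edge devices, collapses consecutive spike days into a single event, and measures the lead time from each event to a hypothetical CVE publication date using the study's three-week and six-week buckets. All dates and counts are constructed for the example.

```python
"""Spike-event detection and spike-to-CVE lead time on constructed data."""
from datetime import date, timedelta
from statistics import mean, pstdev

# Constructed sample: daily count of distinct IPs scanning one vendor's edge
# devices over six weeks. Quiet baseline of ~25/day, then a three-day surge.
START = date(2025, 1, 1)  # day 0 of the series (constructed)
COUNTS = [24, 21, 27, 25, 22, 28, 26, 23, 25, 29, 24, 22, 27, 26,
          23, 25, 28, 24, 21, 26, 27, 25, 22, 29, 24, 26, 23, 25,
          24, 27, 25, 22, 26, 28, 91, 118, 74, 25, 24, 26, 23, 27]
# Hypothetical publication date of the vendor's next CVE (constructed).
CVE_PUBLISHED = date(2025, 2, 20)

def detect_spikes(counts, baseline_days=28, z_threshold=3.0, min_gap=7):
    """Indices of spike events: a day whose count exceeds the trailing
    baseline mean by more than z_threshold standard deviations. Spike days
    within min_gap days of the previous event fold into it, so a three-day
    surge is one event, not three."""
    events = []
    for i in range(baseline_days, len(counts)):
        window = counts[i - baseline_days:i]
        mu, sigma = mean(window), pstdev(window)
        if sigma == 0:
            continue  # flat baseline: z-score undefined, skip the day
        if (counts[i] - mu) / sigma > z_threshold:
            if not events or i - events[-1] > min_gap:
                events.append(i)
    return events

def lead_time_days(spike_idx, cve_date, start=START):
    """Days from spike day to CVE publication (negative: CVE came first)."""
    return (cve_date - (start + timedelta(days=spike_idx))).days

def bucket(lead):
    """Classify a lead time into the study's 3-week / 6-week windows."""
    if lead < 0:
        return "after CVE"
    return ("within 3 weeks" if lead <= 21 else
            "within 6 weeks" if lead <= 42 else "later than 6 weeks")

def spike_report(counts=COUNTS, cve_date=CVE_PUBLISHED):
    """One (spike_date, lead_days, bucket) tuple per detected spike event."""
    return [(START + timedelta(days=i), lead_time_days(i, cve_date),
             bucket(lead_time_days(i, cve_date))) for i in detect_spikes(counts)]

if __name__ == "__main__":
    for spike_date, lead, label in spike_report():
        print(f"spike {spike_date}: CVE {lead:+d} days later -> {label}")
```

In a real deployment the counts would come from a sensor or honeypot feed per vendor tag, and the CVE date from the vendor's advisory; the same lead-time bucketing then tells you how much warning your own spike alerts would have given.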
The study by GreyNoise highlights the importance of proactive cybersecurity measures in today's complex threat landscape. It provides valuable insight into the relationship between spikes in malicious activity and the disclosure of new CVEs; by understanding this pattern in attacker behavior, defenders can build more effective proactive defenses and reduce the risk of compromise. As the threat landscape continues to evolve, cybersecurity professionals must stay informed, stay vigilant, and adapt their strategies to address emerging threats.
Related Information:
https://www.ethicalhackingnews.com/articles/The-Precedence-of-Malicious-Activity-A-New-Indicator-in-Cybersecurity-Threat-Assessment-ehn.shtml
https://www.bleepingcomputer.com/news/security/spikes-in-malicious-activity-precede-new-cves-in-80-percent-of-cases/
Published: Thu Jul 31 10:11:59 2025 by llama3.2 3B Q4_K_M