Surge in Threat Actor Exploitation Attempts Serves as Early Warning of Emerging Cyber Vulnerabilities
Researchers have discovered a continuous relationship between increases in threat actor activity and the eventual disclosure of new Common Vulnerabilities and Exposures (CVEs) in corporate edge technologies, according to a groundbreaking report published by GreyNoise, Inc.
The study, spanning data from September 2024 onward, leverages GreyNoise’s Global Observation Grid (GOG) to monitor daily unique IP counts associated with malicious tags, including those tracking scanners, brute-force attempts, and exploitations of CVEs with CVSS scores of 6 or higher.
By defining a “spike” as a statistically significant anomaly requiring the daily IP count to exceed both the historical median plus twice the interquartile range (IQR) globally and the 28-day rolling mean plus twice the rolling standard deviation locally, the report filtered 216 such events across eight vendors.
Remarkably, 80% of these spikes were followed by a new CVE disclosure within six weeks, with 50% occurring within three weeks, offering defenders a critical preemptive window.
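To make the two-part spike rule concrete, here is an added worked example (not code from GreyNoise or its report) that applies both thresholds to a constructed series of daily unique-IP counts for one tag and then turns the flagged days into a candidate blocklist, in the spirit of the article's later recommendation to block IPs seen during a spike. The quartile method (median of halves), the choice to evaluate each day against the 28 days before it, the sample series and the documentation-range IP addresses are all assumptions made for illustration.

```python
"""Spike detector modelled on the rule described in the article.

A day is a spike when the unique-IP count for a tag exceeds BOTH:
  * global threshold: median(history) + 2 * IQR(history)
  * local threshold:  mean(last 28 days) + 2 * stdev(last 28 days)
where `history` is every prior day observed for that tag.
"""
import statistics
from typing import Dict, List, Sequence, Set, Tuple

WINDOW = 28   # rolling-window length, per the report
K = 2.0       # multiplier applied to the IQR and to the standard deviation


def _median(values: Sequence[float]) -> float:
    s = sorted(values)
    n = len(s)
    mid = n // 2
    return s[mid] if n % 2 else (s[mid - 1] + s[mid]) / 2


def iqr(values: Sequence[float]) -> float:
    """Interquartile range via median-of-halves (Tukey's hinges).

    The report does not state its quartile method; this one is an assumption
    chosen because it is easy to verify by hand."""
    s = sorted(values)
    n = len(s)
    lower = s[: n // 2]          # values below the median
    upper = s[(n + 1) // 2:]     # values above the median
    return _median(upper) - _median(lower)


def thresholds(history: Sequence[int]) -> Tuple[float, float]:
    """Return (global_threshold, local_threshold) for the day after `history`."""
    window = history[-WINDOW:]
    global_thr = _median(history) + K * iqr(history)
    local_thr = statistics.mean(window) + K * statistics.stdev(window)
    return global_thr, local_thr


def is_spike(history: Sequence[int], today: int) -> bool:
    """True only if `today` clears both the global and the local threshold."""
    if len(history) < WINDOW:
        return False             # not enough data to fill the rolling window
    global_thr, local_thr = thresholds(history)
    return today > global_thr and today > local_thr


def detect_spikes(series: Sequence[int]) -> List[int]:
    """Indices (days) in `series` that qualify as spikes."""
    return [i for i in range(len(series)) if is_spike(series[:i], series[i])]


def ips_to_block(spike_days: Sequence[int],
                 daily_ips: Dict[int, Set[str]]) -> Set[str]:
    """Union of the source IPs seen on spike days: a candidate blocklist."""
    blocked: Set[str] = set()
    for day in spike_days:
        blocked |= daily_ips.get(day, set())
    return blocked


# Constructed sample: 60 days of a tame baseline, one real spike on day 40,
# and a small bump on day 50 that clears the local but not the global bar.
BASELINE = [10, 12, 11, 13]
SERIES = [BASELINE[d % 4] for d in range(60)]
SERIES[40] = 80
SERIES[50] = 15

# Constructed source IPs per day (documentation ranges, not real observations).
DAILY_IPS: Dict[int, Set[str]] = {
    39: {"192.0.2.10"},
    40: {"192.0.2.10", "198.51.100.7", "203.0.113.99"},
    50: {"198.51.100.200"},
}

if __name__ == "__main__":
    spikes = detect_spikes(SERIES)
    for day in spikes:
        g, l = thresholds(SERIES[:day])
        print(f"day {day}: count={SERIES[day]} global_thr={g:.1f} local_thr={l:.1f}")
    print("candidate blocklist:", sorted(ips_to_block(spikes, DAILY_IPS)))
```

Note that a large spike inflates the rolling mean and standard deviation for the following 28 days, so a second, smaller wave shortly after the first is harder to flag with the local rule alone; the global median/IQR rule is what keeps the baseline stable. Requiring both thresholds is what the report describes, and it is the combination that filters out one-off jitter while still catching a genuine surge.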
GreyNoise Report Uncovers Predictive Spikes in Attacker Behavior
The pattern emerged organically from tags linked to internet-facing assets like VPNs, firewalls, and products from vendors such as Cisco, Fortinet, Citrix, Ivanti, and others, without initial restrictions to enterprise technologies.
Researchers noted that most spikes involved exploit attempts against known vulnerabilities rather than generic scanning, suggesting motives like reconnaissance for system inventorying or fuzzing inputs to uncover zero-days.
For instance, spikes targeting outdated flaws, such as Cisco’s CVE-2011-3315 (a 14-year-old vulnerability) or Palo Alto Networks’ CVE-2017-15944, often preceded fresh disclosures, underscoring the persistence of legacy vulnerabilities in attacker toolkits.
This behavior aligns with tactics employed by state-sponsored actors, including groups like the Typhoons, who prioritize edge infrastructure for pre-positioning, surveillance, and persistent access, elevating the findings to national security relevance.
Defensive Recommendations
The report posits several attacker motivations driving these pre-disclosure spikes, including obfuscation through broad-spectrum activity to mask targeted reconnaissance, preemptive inventorying of exposed systems for later exploitation, and active vulnerability discovery efforts.
Defenders can exploit this six-week delta by blocking IPs during spikes to avoid inclusion in attacker inventories, even if subsequent exploits use different sources.
This is particularly vital for fully patched systems, as spikes may signal probing that uncovers novel flaws, challenging the assumption that patching alone ensures safety.
For chief information security officers (CISOs) and analysts, the insights enable proactive measures: enhancing monitoring, hardening perimeters, and justifying resource allocation ahead of disclosures.
While the correlation holds strongest for vendors like Ivanti and Fortinet, where spikes tightly cluster with CVEs, it varies for others, such as MikroTik and Citrix, where outliers extend beyond six weeks due to quasi-stationary patterns or excessive CVE volumes.
Nonetheless, the methodology’s rigor, excluding noisy or discontinuous tags, ensures high signal integrity, transforming reactive security paradigms into predictive ones.
GreyNoise emphasizes that this trend, observed exclusively in enterprise edge ecosystems, empowers organizations to mitigate risks from opportunistic and advanced persistent threats alike, potentially reducing exposure before vulnerabilities materialize.