
Attackers are increasingly exploiting older, resurgent vulnerabilities—flaws that were patched years ago but remain unaddressed in many systems. GreyNoise’s latest research highlights how these vulnerabilities, particularly in edge devices like routers and VPNs, are being weaponized by state-sponsored actors and cybercriminal groups [1]. The findings underscore the need for proactive patch management and real-time threat monitoring.
TL;DR: Key Findings
- 70% of attacks target edge devices (routers, VPNs, HMIs) for initial access [1].
- 145,000+ industrial control systems (ICS) are exposed online, with 30% of HMI probes being malicious [2].
- State-sponsored groups like APT29 actively exploit pre-2020 CVEs, including Fortinet (CVE-2018-13379) and Microsoft flaws [3].
- GreyNoise’s AI tool Sift detected zero-days in live-streaming cameras (CVE-2024-8956/8957) [4].
The Resurgence of Older CVEs
GreyNoise categorizes resurgent vulnerabilities into three types: Utility (recurring exploitation, e.g., Fortinet VPN flaws), Periodic (sporadic spikes like ServiceNow CVEs), and Black Swan (unpredictable high-impact events) [1]. These flaws often resurface due to misconfigurations, delayed patching, or renewed attacker interest. For example, CVE-2018-13379, patched in 2019, remains a top target for credential theft due to its prevalence in legacy systems.
Critical Infrastructure at Risk
Censys data reveals that over 145,000 ICS devices, including human-machine interfaces (HMIs), are exposed to the internet [2]. GreyNoise honeypots observed that 30% of probes against these systems were malicious, with attackers prioritizing Remote Access Services (RAS) over ICS-specific protocols. This trend aligns with recent advisories warning of Russian APT29 targeting Citrix (CVE-2023-4966) and Microsoft (CVE-2023-29357) vulnerabilities [3].
AI-Driven Threat Detection
GreyNoise’s AI platform, Sift, identified two zero-days (CVE-2024-8956/8957) in live-streaming cameras used by healthcare and government sectors [4]. The flaws allowed full device takeover and botnet recruitment. This demonstrates AI’s potential to detect anomalies in real time, though it also highlights the expanding attack surface of IoT devices.
Actionable Recommendations
| Priority | Action | Tools/Resources |
|---|---|---|
| High | Patch edge devices and CVEs in CISA’s KEV catalog | CISA KEV |
| Medium | Monitor for exploitation attempts | GreyNoise Visualizer |
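As an added example, not code from the GreyNoise report or any of the cited sources, the following Python script shows one way to act on the "High" row of the table: it cross-references a scanner's findings against the CISA KEV catalog and ranks them so that KEV entries on edge devices or past their due date come first, with pre-2020 CVEs flagged for resurgence risk. The KEV excerpt, the asset inventory, the `edge` flag, the placeholder `CVE-2099-0001` and the reference date are all constructed for this snippet; the KEV field names follow the public JSON feed, but the dates are placeholders rather than the catalog's real values.

```python
import json
import re
from datetime import date

# Constructed excerpt shaped like the CISA KEV feed. Field names follow the
# public JSON feed; dateAdded/dueDate values are placeholders for this example.
KEV_SAMPLE = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2018-13379", "vendorProject": "Fortinet", "product": "FortiOS",
         "dateAdded": "2021-11-03", "dueDate": "2022-05-03",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2023-4966", "vendorProject": "Citrix", "product": "NetScaler",
         "dateAdded": "2023-10-18", "dueDate": "2023-11-08",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2023-29357", "vendorProject": "Microsoft", "product": "SharePoint",
         "dateAdded": "2024-01-10", "dueDate": "2024-01-31",
         "knownRansomwareCampaignUse": "Unknown"},
    ]
})

# Constructed inventory, as a vulnerability scanner might export it. The
# 'edge' flag (internet-facing VPN/router/ADC) is an assumed inventory field,
# and CVE-2099-0001 is a placeholder id that is deliberately absent from KEV.
ASSETS = [
    {"host": "vpn-gw-01", "edge": True, "cves": ["CVE-2018-13379"]},
    {"host": "adc-01", "edge": True, "cves": ["CVE-2023-4966"]},
    {"host": "sp-app-02", "edge": False, "cves": ["CVE-2023-29357", "CVE-2099-0001"]},
    {"host": "wiki-03", "edge": False, "cves": ["CVE-2099-0001"]},
]

REFERENCE_DATE = date(2024, 1, 15)   # constructed "today" so the run is reproducible
RESURGENT_BEFORE = 2020              # the report's cut-off for "older" CVEs
CVE_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")
ORDER = {"High": 0, "Medium": 1, "Low": 2}


def load_kev(text):
    """Index KEV entries by CVE id so lookups are O(1)."""
    return {e["cveID"]: e for e in json.loads(text)["vulnerabilities"]}


def cve_year(cve_id):
    """Year from the CVE id (the year it was reserved, a proxy for age)."""
    m = CVE_RE.match(cve_id)
    if not m:
        raise ValueError(f"malformed CVE id: {cve_id!r}")
    return int(m.group(1))


def classify(asset, cve_id, kev, today):
    """Return (priority, reasons) for one CVE on one asset."""
    entry = kev.get(cve_id)
    if entry is None:
        return "Low", ["not in KEV"]
    reasons = ["in KEV"]
    overdue = date.fromisoformat(entry["dueDate"]) < today
    if overdue:
        reasons.append("past KEV due date")
    if asset["edge"]:
        reasons.append("edge device")
    if cve_year(cve_id) < RESURGENT_BEFORE:
        reasons.append("pre-2020 (resurgence risk)")
    if entry.get("knownRansomwareCampaignUse") == "Known":
        reasons.append("used in ransomware campaigns")
    priority = "High" if (asset["edge"] or overdue) else "Medium"
    return priority, reasons


def prioritize(assets, kev, today):
    """Flatten the inventory into (host, cve) findings ranked High > Medium > Low,
    oldest CVE first within a tier, since older KEV entries carry the resurgence risk."""
    findings = []
    for asset in assets:
        for cve_id in asset["cves"]:
            priority, reasons = classify(asset, cve_id, kev, today)
            findings.append({"host": asset["host"], "cve": cve_id,
                             "priority": priority, "reasons": reasons})
    findings.sort(key=lambda f: (ORDER[f["priority"]], cve_year(f["cve"]), f["host"]))
    return findings


if __name__ == "__main__":
    for f in prioritize(ASSETS, load_kev(KEV_SAMPLE), REFERENCE_DATE):
        print(f"{f['priority']:<6} {f['host']:<10} {f['cve']:<15} {', '.join(f['reasons'])}")
```

In a real run, `KEV_SAMPLE` would be replaced by the downloaded KEV JSON and `ASSETS` by the scanner export; the ranking logic stays the same. Scheduling this against each fresh KEV release is what turns the "Medium" monitoring row into an ongoing control rather than a one-off audit.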
“Resurgence is a serious risk—some bugs go dark for years before suddenly being exploited.”
— Bob Rudis, VP of Data Science, GreyNoise
Conclusion
The re-emergence of older vulnerabilities poses a clear and present danger, especially for organizations with unpatched edge devices or exposed ICS systems. Combining AI-driven detection with prioritized patching and continuous monitoring is critical to mitigating these risks.
References
[1] “Resurgent Vulnerabilities Report,” GreyNoise, 2024.
[2] “2024 ICS Exposure Report,” Censys, 2024.
[3] “Update on SVR Cyber Operations,” U.S. Cybersecurity Advisory, 2024.
[4] “Sift AI Zero-Day Detection,” GreyNoise Labs, 2024.