Spikes in malicious activity precede new security flaws in 80% of cases

Researchers have found that in roughly 80% of cases, spikes in malicious activity like network reconnaissance, targeted scanning, and brute-forcing attempts targeting edge networking devices are a precursor to the disclosure of new security vulnerabilities (CVEs) within six weeks.

The finding comes from threat monitoring firm GreyNoise, which reports that these occurrences are not random but follow repeatable and statistically significant patterns.

GreyNoise bases this on data from its 'Global Observation Grid' (GOG) collected since September 2024, applying objective statistical thresholds so that the results are not skewed by cherry-picking.

After removing noisy, ambiguous, and low-quality data, the firm ended up with 216 events that qualified as spike events, tied to eight enterprise edge vendors.

"Across all 216 spike events we studied, 50 percent were followed by a new CVE within three weeks, and 80 percent within six weeks," explain the researchers.

The correlation was notably stronger for Ivanti, SonicWall, Palo Alto Networks, and Fortinet products, and weaker for MikroTik, Citrix, and Cisco. State-sponsored actors have repeatedly targeted such systems for initial access and persistence.
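The measurement described above, as an added illustration that is not GreyNoise's code or data: spikes are flagged with a z-score against a trailing baseline of quiet days, consecutive spike days are merged into one event, and each event is matched to the next CVE date to give the share followed by a disclosure within three and six weeks. The daily counts, CVE dates, seven-day window and z = 3 threshold are all constructed assumptions.

```python
from datetime import date, timedelta
from statistics import mean, pstdev

# Constructed sample (not GreyNoise data): daily count of distinct source IPs
# hitting one vendor's edge-device honeypot profile; day 0 is START.
START = date(2025, 1, 1)
QUIET = [12, 15, 11, 14, 13, 12, 15, 14, 13, 12, 14, 13, 15, 11, 14]  # background noise
DAILY_COUNTS = (QUIET + [90, 85] + QUIET + [120] + QUIET + [70, 75, 68]
                + QUIET + QUIET + [95] + QUIET[:7])  # four embedded bursts
CVE_DATES = [date(2025, 1, 28), date(2025, 3, 20)]  # constructed disclosure dates

def detect_spike_events(counts, window=7, z=3.0):
    """Start index of each spike event: a day is a spike when it exceeds
    mean + z*stddev of the last `window` non-spike days (spike days stay out
    of the baseline so a burst cannot mask its own continuation), and
    consecutive spike days are merged into one event."""
    baseline, events, in_spike = [], [], False
    for i, c in enumerate(counts):
        is_spike = False
        if len(baseline) >= window:
            recent = baseline[-window:]
            sigma = pstdev(recent) or 1.0  # guard a perfectly flat baseline
            is_spike = (c - mean(recent)) / sigma >= z
        if is_spike and not in_spike:
            events.append(i)
        if not is_spike:
            baseline.append(c)
        in_spike = is_spike
    return events

def lead_times(event_days, cve_dates, start=START):
    """Days from each spike event to the next CVE on or after it (None if none follows)."""
    leads = []
    for d in event_days:
        spike_date = start + timedelta(days=d)
        later = [(cve - spike_date).days for cve in sorted(cve_dates) if cve >= spike_date]
        leads.append(later[0] if later else None)
    return leads

def share_within(leads, days):
    """Share of events followed by a CVE within `days`; events with no CVE count against."""
    return sum(1 for lead in leads if lead is not None and lead <= days) / len(leads)

if __name__ == "__main__":
    events = detect_spike_events(DAILY_COUNTS)
    leads = lead_times(events, CVE_DATES)
    print("spike events on days", events, "-> lead times", leads)
    print(f"within 3 weeks: {share_within(leads, 21):.0%}, within 6 weeks: {share_within(leads, 42):.0%}")
```

On the constructed data the four events have lead times of 12, 46 and 30 days and none, so 25% fall within three weeks and 50% within six; the same routine run over real honeypot counts and published CVE dates reproduces the study's lead-time distribution.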

Spike activity and time of disclosure of new CVEs

Source: GreyNoise

GreyNoise notes that in the majority of the cases underlying these spikes, the attackers perform exploit attempts against older, known flaws.

The researchers believe that this either facilitates the discovery of new weaknesses or the discovery of internet-exposed endpoints that can be targeted in the next phase of the attack, which leverages novel exploits.