Research Links Threat Actor Activity to Future Vulnerabilities

The data provides recommendations for proactively protecting networks before vulnerabilities are disclosed.

Aug 7, 2025

GreyNoise Intelligence, a provider of cybersecurity threat intelligence, recently released a research report exploring the correlation between spikes in attacker activity and subsequent disclosures of Common Vulnerabilities and Exposures (CVEs) in edge technologies. The report, entitled “Early Warning Signals: When Attacker Behavior Precedes New Vulnerabilities,” offers predictive value and recommendations on what defenders can do to proactively protect their networks before vulnerabilities are even disclosed.

GreyNoise analyzed all of its tags (CVSS 6+ CVEs) associated with edge technologies to determine whether there was a consistent, repeatable pattern of significant spikes in opportunistic attacker activity (e.g., scanning, brute forcing, and exploitation attempts) against edge technologies preceding the disclosure of new vulnerabilities. Although it did not limit its analysis to enterprise technologies, GreyNoise observed this pattern only across a specific subset of enterprise edge products from eight vendors.

Key findings from the report include:

  • Spikes in attacker activity often precede new cyber vulnerabilities. In 80 percent of cases we analyzed, significant spikes in opportunistic attacker activity against edge technologies were followed by the disclosure of a new CVE affecting the same technology within six weeks. This recurring pattern may offer early warning value.
  • These spikes give defenders a defined window to prepare. The clustering of new CVEs within six weeks of attacker spikes provides defenders with a concrete timeframe to increase monitoring, harden systems, and preemptively act — even before a vulnerability is known. CISOs can use this window to justify early planning or investment.
  • Blocking early reconnaissance may keep systems off attacker inventories. Spikes may reflect exploit-based reconnaissance designed to identify exposed systems. Blocking the associated IPs during these phases may prevent inclusion in attacker inventories — reducing the likelihood of being targeted later, even if different IPs are used for exploitation of the new CVE emerging weeks later.
  • Enterprise edge technologies show the strongest patterns. After filtering out ambiguous cases and noise, all spike-CVE pairs we observed involved internet-facing assets commonly deployed in enterprise environments such as VPNs, firewalls, and products from vendors like Cisco, Fortinet, Citrix, and Ivanti.
  • Most spikes involved real exploits — not scanning. The majority of activity leading up to CVEs was not generic scanning but exploit attempts against previously known vulnerabilities. This supports two likely motives: testing inputs that may lead to new CVE discovery, or inventorying systems for future exploitation when a new flaw becomes known.
  • State-sponsored actors have repeatedly targeted edge infrastructure. Nation-state groups like the Typhoons have reportedly focused on enterprise-focused edge devices for pre-positioning, surveillance, and access persistence. All products studied in this analysis are enterprise-focused edge systems, highlighting both enterprise and national security stakes. 