Effective URL: https://www.greynoise.io/resources/attackers-without-borders-the-canadian-view-of-global-malicious-traffic?utm_campaign=2...
Submission: On October 31 via api from ES — Scanned from ES

Form analysis 1 forms found in the DOM

/search

<form action="/search" class="nav-search w-form">
  <div class="nav-search-text">
    <div class="margin-bottom-0-5rem">Search plans and pricing, blog posts, company info, and more.</div>
  </div>
  <div class="nav-search-form"><input type="search" class="nav-search-input w-input" autofocus="true" maxlength="256" name="query" placeholder="Start your search here..." id="search" required=""><input type="submit" value="Search"
      class="cta-button-small w-button"></div>
  <div class="nav-search-text">
    <div>Hoping to access our Visualizer? <a href="https://viz.greynoise.io/" target="_blank">Go here instead</a>.</div>
  </div>
</form>

Text Content

PricingBlogDocumentationLog In
Product

GreyNoise identifies internet scanners and common business activity in your
security events so you can make confident decisions, faster!
Product Overview
Explore
SearchIP SimilarityTrends
Investigate
IP TimelineIP DetailsTag Details
Act
BlocklistsAlerts
Integrate
IntegrationsAPI
Solutions

GreyNoise deploys solutions tailored to the needs of specific industries and use
cases.
Verticals
HealthcareFinancial ServicesGovernment
Use Cases
Maximize SOC EfficiencyMass Exploitation DefenseContextualized Threat Hunting

Resources

Checkout our demos, case studies, and more to help you expand your skills.
Featured Content
How I Use GreyNoise (video)CyberWire: Hacking Humans #199 (podcast)
GreyNoise Resources
Resources HubTag RequestROI CalculatorCommunityGlossary of Terms
Company

GreyNoise collects, analyzes, and labels data on IPs that scan the internet and
saturate security tools with noise.
Press Room
GreyNoise in the NewsPress ReleasesGreyNoise Community Love
EventsRequest GreyNoise SwagCareers at GreyNoiseContact Us
Partners

Expand your reach, increase revenues, and deepen customer relationships by
partnering with GreyNoise.
GreyNoise PartnersReseller PartnersTechnical AlliancesOEM PartnersMSSPs & MDRs
Explore Our Data
Explore Our Data
Product

Product Overview
Explore
SearchIP SimilarityTrends
Investigate
IP TimelineIP DetailsTag Details
Act
BlocklistsAlerts
Integrate
APIIntegrations
Solutions

Verticals
HealthcareFinancial ServicesGovernment
Use Cases
Automated Alert ReductionMaximize SOC EfficiencyMass Exploitation Defense
Resources

Resources HubROI CalculatorCommunityGlossary of Terms
Company

Press Room
GreyNoise in the NewsPress ReleasesGreyNoise Community Love
More
EventsRequest GreyNoise SwagCareers at GreyNoiseContact Us
Partners

GreyNoise PartnersReseller PartnersTechnical AlliancesOEM PartnersMSSPs & MDRs
PricingBlogDocumentationLog In

Search plans and pricing, blog posts, company info, and more.

Hoping to access our Visualizer? Go here instead.

BACK TO THE GREYNOISE RESOURCE HUB
White Paper


ATTACKERS WITHOUT BORDERS: THE CANADIAN VIEW OF GLOBAL MALICIOUS TRAFFIC




EXECUTIVE SUMMARY

In today’s interconnected world, understanding the landscape of malicious
internet cyber activity is crucial for organizations and nation states to
protect their digital assets and maintain a strong security posture.

To that end, researchers from GreyNoise Labs analyzed the volume and type of
malicious traffic observed by GreyNoise Intelligence’s planetary-scale sensor
network — with a hyperfocus on Canada — to help organizations and agencies make
more informed decisions about their cybersecurity strategies.

The GreyNoise-operated sensor fleet primarily sees opportunistic, mass
exploitation. This gives an up-to-the-minute view of the regular drumbeat of
botnet activity, and also sheds light on when new patterns or activity surface,
especially when new, emergent threats appear.

The term “malicious” is reserved for activity that is associated with an attempt
to execute an exploit against a target system.

The data for this report covers malicious traffic coming from or directed at
Canada over a 30-day period between mid-August and mid-September 2023.

During that time GreyNoise observed 164,329 malicious exploitation attempts
against Canada IP address space and 3,603 attacks from Canada being directed at
other country-assigned networks.

The sections in this brief look at the source and destination traffic in more
detail and conclude with recommendations for how this information can be used
to make organizations, agencies, and citizens safer.


MALICIOUS INBOUND TRAFFIC

The “Research Notes And References” section provides information on the nuances
of source-country attribution.

Generally speaking, organizations and agencies can expect most of their
malicious source traffic to come from either (a) countries with more allocated
and in-use IP address space, or (b) countries whose internet-facing device
profiles make them more prone to exploitation.

To see how that mix plays out, Brazil and Vietnam are in fourth and ninth place
in the inbound source-country ranking for the sample period, but tenth and
twenty-third when it comes to available IP address space. This is due to an
inordinately high number of compromised internet of things (IoT) devices, such
as IP-accessible cameras, and both white-box and popular-but-regularly-vulnerable
networking equipment, such as MikroTik.



This inbound country view is dynamic if you use the GreyNoise Visualizer or API
to perform future assessments: members of the list will trade places depending
on what adversary-controlled infrastructure is in use within any given time
period.

You can use geographic source information as one means of risk-assessing
connections you see in logs or network flows to help inform blocking or incident
response decisions.

The source networks these IP addresses are hosted in can be classified in many
ways. For this report, we will focus our attention on the assigned category —
ISP, Hosting, Mobile, Business, or Education — for these malicious connection
attempts:



Of initial note is that “Mobile” is third on the list. Researchers in GreyNoise
Labs have observed a steady uptick in mobile networks — whether it be from
tethered systems or compromised Android devices — becoming the source of attack
traffic. This increases the burden on defenders, since it is difficult to
convince application owners to block any connections from what is around 40-50%
of all incoming benign traffic to most websites and web applications. The timely
nature of GreyNoise block lists may make such conversations less problematic.

Routers, exposed storage and IoT devices, and compromised laptops/desktops are a
large part of why residential and small business ISPs regularly top the list. To
understand why, all we need to do is look at the top “tags” (“detections” in
intrusion detection and prevention nomenclature) GreyNoise sees in this Canada
inbound traffic:



The Mirai botnet is almost always in the number one spot when it comes to
malicious, opportunistic activity engaged in by our adversaries. This traffic is
the “heartbeat” of the internet. Not a single minute passes without members of
the Mirai botnet searching for new and existing hosts to assimilate into its
collective. This activity, combined with that of other “Worm” tags, helps ensure
a healthy inventory that can be used in targeted attacks against your agency or
organization.

Hosts tagged “Bruteforcer” can also be used to build up botnet inventories, but
they have a secondary nefarious purpose: gaining Initial Access, which can be
sold to bidders on attacker forums. All it takes is for an organization or
individual to leave a default or misconfigured system on the internet for less
than an hour for it to become part of this adversarial inventory. It is rare
for targeted attack infrastructure to be used for this quite noisy activity.
Therefore, it is strongly advised to consider blocking these attempts at the
network level and checking for outbound requests to IP addresses exhibiting this
behaviour.

Before we look at what systems and devices in Canada are targeting, we should
note that of the 164,329 inbound malicious exploitation attempts, 1,564 (1.0%)
were directed only at Canada during the observation period. This may indicate
that organizations such as the Canadian Centre for Cyber Security (CCCS) are
helping to make the country’s networks sufficiently resilient against attacks to
force attackers to direct country-centric efforts elsewhere.


MALICIOUS OUTBOUND TRAFFIC

During the study period, GreyNoise researchers observed a mere 3,603 malicious
exploitation attempts coming from Canada-attributed network sources.

The outbound tag distribution is nearly identical to the inbound, so we’ll avoid
repetition and focus on two points of interest.

First, “Business” networks are third on the list:



This is somewhat disconcerting given the discussion in the previous section.
Both the CCCS and organizations that help provide cybersecurity services to
small-to-medium-sized businesses in Canada may want to consider implementing
more rigorous malicious activity checks to reduce the likelihood of these
networks being increasingly used in adversarial campaigns.

The next, and final, point is that nodes under adversarial control in Canada
seem to be aiming at home and ally networks, though the malicious traffic is
also spread around:



This is unsurprising, as Canadian IP address space tends to have a higher
positive reputation than that of many other countries, so the initial risk-based
“trust” decisions that are part of many perimeter defense systems are more
likely to let connections from Canadian sources through.

Organizations can use GreyNoise to see if they’re “part of the problem”, and
agencies in Canada should work closely with ISPs, hosting providers, mobile
carriers, and businesses to ensure Canada’s IP space reputation continues to
trend positive.


IN SUMMARY

Every GreyNoise user can use the same data provided in this report to gain
hourly insights into malicious activity coming from or directed to organization
and agency networks in Canada.

Those same queries can be tailored to provide timely alerts for emergent threats
targeted at, or coming from, Canadian networks. By working together, we can
help reduce the number of active botnet nodes on the internet and make the
internet that much safer for the humans we’re aiming to protect.


ADDENDUM: RESEARCH NOTES, REFERENCES, AND DEFINITIONS


GREYNOISE TAGS

A GreyNoise “Tag” is a signature-based detection method used to capture patterns
and create subsets in our planetary-scale internet sensor data. Tags cover five
primary categories: Activity, Tool, Actor, Worm, and Search Engine. These tags
are not limited to CVE-based activity but also include behaviours, attribution,
and unique traffic characteristics.

Activity tags cover crawlers, vulnerability checks & exploitation,
authentication attempts, and other behaviours observed from interactions with
GreyNoise sensors. Tool tags can include open-source scanning tools and
programming language libraries, such as Nmap, Nuclei, Metasploit, Paramiko, and
Go HTTP. Actor tags describe the actor behind the activity, including
commercial/enterprise entities, researchers, and universities. Please note that
all current Actor tags denote benign actors. This may change in the future, but
GreyNoise does not presently engage in malicious actor attribution.

GreyNoise tags provide insight into IP addresses that are scanning the internet
or attempting to opportunistically exploit hosts across the internet. Tag data
associated with a specific IP address offers an overview of the activity that
GreyNoise has observed from that IP, as well as insight into the intention of
the activity originating from it.


GREYNOISE QUERIES USED

The following GreyNoise Queries (GNQL) were used in this analysis:

 * destination_country_code:CA spoofable:false classification:malicious
 * destination_country_code:CA spoofable:false single_destination:true classification:malicious
 * source_country_code:CA spoofable:false classification:malicious

These can be viewed on the GreyNoise Visualizer, and the data behind them
accessed via the GreyNoise API/CLI.
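As an added example (not GreyNoise’s code or part of this white paper), the following Python script evaluates the three queries above locally over a handful of constructed records and produces the source-country, network-category and tag breakdowns the report charts. The record shape (`metadata.country_code`, `metadata.category`, `metadata.destination_country_codes`, `metadata.single_destination`), the endpoint URL and the `key` header used in `fetch_gnql` are assumptions about the v2 GNQL API; the sample records and their tag/category values are constructed.

```python
import json
import urllib.parse
import urllib.request
from collections import Counter

# Assumption: the v2 GNQL endpoint, which takes a "query" parameter and a "key" header.
GNQL_API = "https://api.greynoise.io/v2/experimental/gnql"

# The three queries from the report, as plain GNQL.
INBOUND = "destination_country_code:CA spoofable:false classification:malicious"
INBOUND_ONLY_CA = ("destination_country_code:CA spoofable:false "
                   "single_destination:true classification:malicious")
OUTBOUND = "source_country_code:CA spoofable:false classification:malicious"

# How each GNQL field used above maps onto a result record (assumed v2 shape).
# Every accessor returns a list so multi-valued fields (destination countries) work.
FIELDS = {
    "source_country_code": lambda r: [r["metadata"]["country_code"]],
    "destination_country_code": lambda r: r["metadata"].get("destination_country_codes", []),
    "classification": lambda r: [r["classification"]],
    "spoofable": lambda r: [str(r["spoofable"]).lower()],
    "single_destination": lambda r: [str(r["metadata"].get("single_destination", False)).lower()],
}

def parse_gnql(query):
    """Split 'field:value field:value' into (field, value) terms; all terms must hold."""
    terms = []
    for token in query.split():
        field, sep, value = token.partition(":")
        if not sep or field not in FIELDS:
            raise ValueError(f"unsupported GNQL term: {token}")
        terms.append((field, value))
    return terms

def run_query_offline(query, records):
    """Evaluate the report's GNQL terms locally over already-fetched records."""
    terms = parse_gnql(query)
    return [r for r in records if all(v in FIELDS[f](r) for f, v in terms)]

def breakdown(records, top=5):
    """Top source countries, network categories and tags: the report's three charts."""
    return {
        "count": len(records),
        "countries": Counter(r["metadata"]["country_code"] for r in records).most_common(top),
        "categories": Counter(r["metadata"]["category"] for r in records).most_common(top),
        "tags": Counter(t for r in records for t in r["tags"]).most_common(top),
    }

def fetch_gnql(query, api_key, size=100):
    """Live lookup against the API (not used by the offline sample below)."""
    url = f"{GNQL_API}?query={urllib.parse.quote(query)}&size={size}"
    req = urllib.request.Request(url, headers={"key": api_key, "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["data"]

def _rec(ip, cc, category, dests, single, tags, cls="malicious", spoof=False):
    return {"ip": ip, "classification": cls, "spoofable": spoof, "tags": tags,
            "metadata": {"country_code": cc, "category": category,
                         "destination_country_codes": dests, "single_destination": single}}

# Constructed sample records (documentation-range IPs); tag and category values are illustrative.
SAMPLE = [
    _rec("192.0.2.10", "US", "hosting", ["CA", "US"], False, ["Mirai"]),
    _rec("192.0.2.11", "BR", "isp", ["CA", "DE"], False, ["Mirai", "Telnet Bruteforcer"]),
    _rec("192.0.2.12", "VN", "isp", ["CA"], True, ["Mirai"]),
    _rec("192.0.2.13", "CN", "mobile", ["CA", "FR"], False, ["SSH Bruteforcer"]),
    _rec("192.0.2.14", "CA", "business", ["US", "GB"], False, ["Mirai"]),
    _rec("192.0.2.15", "US", "hosting", ["CA"], True, ["Web Crawler"], cls="benign"),
    _rec("192.0.2.16", "CA", "isp", ["CA"], True, ["Mirai"], spoof=True),  # spoofable: excluded
]
```

Running `breakdown(run_query_offline(INBOUND, SAMPLE))` on the sample yields four matching records with Mirai as the top tag and ISP as the top category; swap `SAMPLE` for `fetch_gnql(INBOUND, api_key)` to repeat the report's analysis against live data.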


COUNTRY ATTRIBUTION

IANA (the Internet Assigned Numbers Authority) is charged with allocating
internet address space to the regional internet registries, and ARIN is
responsible for Canadian address space allocations. Traffic coming from IP
address space allocated to a given country does not mean that country has
malicious intent. It generally means systems and devices in that country were
vulnerable to some exploit that co-opted them into the service of adversaries.
However, there are numerous “bulletproof hosting” companies — think of them as a
“malicious Amazon AWS” or “evil Google Cloud Platform” — that regularly emerge
in any given IP address space as well.


IP ADDRESS METADATA

GreyNoise uses IPInfo.io for IP geolocation, autonomous system (ASN), and
hosting classification metadata information. Spur is used for identifying VPN,
Tor, and other network classifications.
© 2023 GreyNoise, Inc. All Rights Reserved.