GreyNoise late-August Cisco exposed-services reconnaissance campaign

Campaign
H score 45
1 unique source, 2 articles

Summary

Two large-scale reconnaissance campaigns probed Cisco ASA login portals and Cisco IOS Telnet/SSH services exposed online in late August, signaling broad interest in Cisco edge devices. The activity touched up to 25,000 unique IP addresses, suggesting high-volume target mapping rather than isolated scans. That scale matters because exposed systems were being profiled ahead of potential follow-on abuse.

Related Happenings

Forest Blizzard DNS hijacking token-theft campaign against older routers

Campaign
First: 07.04.2026 20:02 Last: 07.04.2026 20:02 Sources 1

About this happening: Russia-backed **Forest Blizzard** is running a **DNS hijacking campaign** against older routers to steal **Microsoft Office** authentication tokens, putting accounts at risk acros...

APT28 FrostArmada DNS hijacking and AitM credential theft campaign

Campaign
First: 07.04.2026 18:51 Last: 07.04.2026 18:51 Sources 1

About this happening: A multinational disruption effort has taken down **FrostArmada**, an **APT28** campaign that hijacked router DNS settings to steal **Microsoft account credentials** and OAuth toke...

APT28 SOHO router DNS hijacking and credential theft campaign

Campaign
First: 07.04.2026 18:30 Last: 07.04.2026 18:30 Sources 1

About this happening: **APT28** is running **two malicious campaigns** that abuse **vulnerable SOHO routers** and attacker-controlled **DNS/VPS infrastructure** to reroute traffic and steal credentials...

Latest development: 08.04.2026 13:03

On April 7, 2026, the US Department of Justice and the FBI said they neutralized the US portion of APT28’s DNS hijacking network, which spanned more than 23 US states and used compromised SOHO routers, especially TP-Link routers, to redirect traffic through attacker-controlled DNS servers and steal credentials from targeted organizations. The FBI said it was working with ISPs to notify affected users, and court-authorized remediation steps can reset router DNS settings, remove APT28-installed resolvers, and prevent further abuse of the original access path.

2025 Rise in legitimate-access intrusions across enterprise sectors

Target Trend
First: 01.04.2026 17:05 Last: 01.04.2026 17:05 Sources 1

About this happening: **Legitimate access abuse** is now a leading intrusion pattern across **2025** investigations, increasing the risk of stealthy compromise across **manufacturing, healthcare, MSPs,...

Ivanti EPMM exploitation wave (CVE-2026-1281)

Exploitation Wave
First: 12.02.2026 09:32 Last: 12.02.2026 09:32 Sources 1

About this happening: **Ivanti Endpoint Manager Mobile (EPMM)** is facing an **active exploitation wave** against **CVE-2026-1281** and **CVE-2026-1340**, creating immediate risk for internet-facing ma...

Timeline

  1. 25.09.2025 19:49 3 articles · 8mo ago

    GreyNoise detects large-scale probing of Cisco ASA and IOS services

    Campaign Scope Update

    GreyNoise detected two large-scale campaigns targeting exposed Cisco ASA login portals and Cisco IOS Telnet/SSH services in late August, with activity reaching up to 25,000 unique IP addresses.
