200,886,675 sessions. 101 unique source IPs. March 16–23, 2026.

GreyNoise At The Edge intelligence brief highlights:

1. The MEVSPACE RDP brute-force operator returned after a 99.8% infrastructure collapse — single IP generated 7,975,241 sessions before deliberately withdrawing after 4 days. GreyNoise has tracked a surge-withdraw-reconstitute cycle since January 2026, reinforcing that well-resourced operators can reconstitute capacity within days.

2. Two coordinated campaigns emerged: VPSVAULT.HOST (IoT worm weaponizing 21+ CVEs against 12+ manufacturers) and Omegatech (TLS fingerprint randomization with 5,854 unique JA3s per node).

3. Sophos CVE-2022-1040 exploitation stabilized at 638,654 sessions in its fifth consecutive week. Enterprise VPN credential pressure reached week 9 across five vendors with 2.9M+ combined sessions.

4. n8n CVE-2026-21858 (CVSS 10.0) reached 118,086 sessions with links to MuddyWater and ZeroBot. ICS/SCADA reconnaissance expanded with new HMI and PLC vulnerabilities trending.

🔗 https://www.greynoise.io/resources/at-the-edge-clear-032326

#ThreatIntel #CyberSecurity #InfoSec #GreyNoise

200,886,675 sessions. 101 unique source IPs. March 16–23, 2026.

GreyNoise At The Edge intelligence brief highlights:

1. The MEVSPACE RDP brute-force operator returned after a 99.8% infrastructure collapse — single IP generated 7,975,241 sessions before deliberately withdrawing after 4 days. GreyNoise has tracked a surge-withdraw-reconstitute cycle since January 2026, reinforcing that well-resourced operators can reconstitute capacity within days.

2. Two coordinated campaigns emerged: VPSVAULT.HOST (IoT worm weaponizing 21+ CVEs against 12+ manufacturers) and Omegatech (TLS fingerprint randomization with 5,854 unique JA3s per node).

3. Sophos CVE-2022-1040 exploitation stabilized at 638,654 sessions in its fifth consecutive week. Enterprise VPN credential pressure reached week 9 across five vendors with 2.9M+ combined sessions.

4. n8n CVE-2026-21858 (CVSS 10.0) reached 118,086 sessions with links to MuddyWater and ZeroBot. ICS/SCADA reconnaissance expanded with new HMI and PLC vulnerabilities trending.

🔗 https://www.greynoise.io/resources/at-the-edge-clear-032326

#ThreatIntel #CyberSecurity #InfoSec #GreyNoise

@gknauss I think the thing is to move to 18.7.3, which is patched.

For devices running versions of iOS prior to 18.6, DarkSword uses CVE-2025-31277, a JIT optimization/type confusion bug which was patched by Apple in iOS 18.6. For devices running iOS 18.6-18.7, DarkSword uses CVE-2025-43529, a garbage collection bug in the Data Flow Graph (DFG) JIT layer of JavaScriptCore which was patched by Apple in iOS 18.7.3 and 26.2 after it was reported by GTIG. Both exploits develop their own fakeobj/addrof primitives, and then build arbitrary read/write primitives the same way on top of them.

I'm unaware of a compelling reason or hardware limitation to not upgrade from 18.6 to 18.7

https://cloud.google.com/blog/topics/threat-intelligence/darksword-ios-exploit-chain/

We're released Netty 4.2.11 and 4.1.132. These contain many bug fixes, and fixes for two CVEs both rated *high*:

- CVE-2026-33871: HTTP/2 CONTINUATION frame flood Denial of Service.
- CVE-2026-33870: HTTP/1.1 Request Smuggling vulnerability in chunked encoding parsing.

Release notes for 4.2.11: https://netty.io/news/2026/03/24/4-2-11-Final.html
Release notes for 4.1.132: https://netty.io/news/2026/03/24/4-1-132-Final.html

Also of note: We had 17 people contribute to Netty 4.2.11, of which 5 are new first time contributors 😲

#netty #java

@gknauss I think the thing is to move to 18.7.3, which is patched.

For devices running versions of iOS prior to 18.6, DarkSword uses CVE-2025-31277, a JIT optimization/type confusion bug which was patched by Apple in iOS 18.6. For devices running iOS 18.6-18.7, DarkSword uses CVE-2025-43529, a garbage collection bug in the Data Flow Graph (DFG) JIT layer of JavaScriptCore which was patched by Apple in iOS 18.7.3 and 26.2 after it was reported by GTIG. Both exploits develop their own fakeobj/addrof primitives, and then build arbitrary read/write primitives the same way on top of them.

I'm unaware of a compelling reason or hardware limitation to not upgrade from 18.6 to 18.7

https://cloud.google.com/blog/topics/threat-intelligence/darksword-ios-exploit-chain/

We're released Netty 4.2.11 and 4.1.132. These contain many bug fixes, and fixes for two CVEs both rated *high*:

- CVE-2026-33871: HTTP/2 CONTINUATION frame flood Denial of Service.
- CVE-2026-33870: HTTP/1.1 Request Smuggling vulnerability in chunked encoding parsing.

Release notes for 4.2.11: https://netty.io/news/2026/03/24/4-2-11-Final.html
Release notes for 4.1.132: https://netty.io/news/2026/03/24/4-1-132-Final.html

Also of note: We had 17 people contribute to Netty 4.2.11, of which 5 are new first time contributors 😲

#netty #java