Ron Bowes
@iagox86.bsky.social
Principal Security Researcher at GreyNoise. https://skullsecurity.org

Mostly post about work stuff, maybe some improv stuff and maybe even magic some day. Seattle-based (originally Canadian), queer, cybersecurity nerd.

(He/him)
Alright, I guess I "block sender and report spam"
February 18, 2026 at 9:08 PM
It was funny to me that people would fall for a scam this transparent - why would Seattle Utilities send me to some sketchy "interest free" loan processor via text message? I had a good laugh at this transparent phishing attempt.

...then I logged into my account and discovered it's real.
February 18, 2026 at 5:13 PM
Reposted by Ron Bowes
We have disclosed CVE-2026-2329, a critical unauth stack-based buffer overflow vuln affecting the Grandstream GXP1600 series of VoIP phones. Read our disclosure on the @rapid7.com blog, including technical details for unauth RCE, and accompanying @metasploit-r7.bsky.social modules: r-7.co/4tIzope
February 18, 2026 at 2:39 PM
Reposted by Ron Bowes
It took less than a day. A PoC for BeyondTrust CVE-2026-1731 hit GitHub, and GreyNoise immediately started seeing reconnaissance from multi-exploit actors hiding behind VPNs + custom tooling. See what our data reveals about who’s mapping targets + how.
Reconnaissance Has Begun for the New BeyondTrust RCE (CVE-2026-1731): Here's What We See So Far
A PoC for CVE-2026-1731 hit GitHub on Feb 10. Within 24 hours, GreyNoise observed reconnaissance probing for vulnerable BeyondTrust instances.
www.greynoise.io
February 12, 2026 at 6:13 PM
Half way through my "work on @bsidessfctf.bsky.social week"! I've written a compiler, designed a stupid cryptosystem based on a Seth MacFarlane show I fell asleep watching, and wrote challenges to teach write-,memory vulnerabilities

Two more days, what other crazy ideas will fall out of my brain?
February 12, 2026 at 4:51 PM
Reposted by Ron Bowes
We observed a 65% drop in global telnet traffic in 1 hour on Jan 14, settling into a sustained 59% reduction. 18 ASNs went silent, 5 countries disappeared, but cloud providers were unaffected.

Our analysis of 51.2M sessions points to backbone-level port 23 filtering by a Tier 1 transit provider.
2026-01-14: The Day the telnet Died – GreyNoise Labs
On January 14, 2026, global telnet traffic observed by GreyNoise sensors fell off a cliff. A 59% sustained reduction, eighteen ASNs going completely silent, five countries vanishing from our data enti...
www.labs.greynoise.io
February 10, 2026 at 8:44 PM
Reposted by Ron Bowes
83% of observed Ivanti EPMM exploitation (CVE-2026-1281) traces to one bulletproof IP that isn't on any published IOC list. The IPs that are? VPN exits with zero Ivanti activity. We broke down who's actually doing this ⬇️

#Ivanti #ThreatIntel #CVE20261281 #InfoSec
Active Ivanti Exploitation Traced to Single Bulletproof IP—Published IOC Lists Point Elsewhere
The GreyNoise Global Observation Grid observed active exploitation of two critical Ivanti Endpoint Manager Mobile vulnerabilities, and 83% of that exploitation traces to a single IP address on bulletp...
www.greynoise.io
February 10, 2026 at 7:17 PM
I have this theory: cooking is actually pretty easy and most dishes have a wide range of good outcomes. But it's sold as hard with "secret recipes" and "food crimes" and "Dad burned water again". But it's really not that hard!
February 8, 2026 at 4:51 PM
"I have very serious concerns about concentration camps built in my state".. dear lord, can we possibly get left-wing politicians to stand up and shout their beliefs instead of these milquetoast statements?
I have very serious concerns about the Department of Homeland Security’s plans to build an ICE detention center in Washington County.
February 7, 2026 at 1:30 AM
Huge pet peeve: writeups that include screenshots of HTTP requests without transcriptions.

research.checkpoint.com/2020/inj3cto...
INJ3CTOR3 Operation – Leveraging Asterisk Servers for Monetization - Check Point Research
Research by: Ido Solomon, Ori Hamama and Omer Ventura, Network Research Intro Recently, Check Point Research encountered a series of worldwide attacks relevant to VoIP, specifically to Session initiat...
research.checkpoint.com
February 6, 2026 at 9:53 PM
First time seeing The Room last night, at a small local theater. People laughed and yelled and threw spoons and had a great time

The movie was somehow worse than I expected it to be!
February 6, 2026 at 3:01 PM
Reposted by Ron Bowes
was talking with someone about this just the other day: it's a real shame that we're lumping in actually useful applications of machine learning in with pointlessly wasteful LLM projects due to nothing more than semantic scope-creep.
I love hearing this, but I also wish reporters would differentiate between “machine learning,” which does amazing stuff like this, and “large language models,” which puke up slop and make CSAM on ex-Twitter. Not all “AI” is the same!
🩺 Researchers are using artificial intelligence to detect abnormalities in #mammograms.

This #WorldCancerDay, FRANCE 24 takes a look at how #AI is being developed as a tool for treatment.

Watch to learn more ⤵️
February 4, 2026 at 10:20 PM
I've been reading Mike Close's books on magic ("Workers"), and something he said really resonated: all the tricks marketed by magic sellers advertise "EASY!", and "LEARN INSTANTLY", but what's the fun in that? I want to learn things that are hard, not easy!

#magic
February 4, 2026 at 5:05 PM
Reposted by Ron Bowes
Two IPs now generate 56% of all CVE-2025-55182 exploitation traffic.

One deploys cryptominers. The other opens reverse shells.

We dug into the infrastructure. What we found goes back to 2020.
React Server Components Exploitation Consolidates as Two IPs Generate Majority of Attack Traffic
Two months after CVE-2025-55182 was disclosed on December 3, 2025, exploitation activity targeting React Server Components has consolidated significantly.
www.greynoise.io
February 3, 2026 at 9:04 PM
One of the smartest marketing coups was convincing people that the ads are the best part of a big sporting event

I look forward to "watch this amazing Superbowl ad!!!" being over - an ad's an ad, block it
February 2, 2026 at 4:57 PM
Reposted by Ron Bowes
vibecoded web apps have such boring security bugs. "the whole database was wide open". oh. ok.

at least have some class and write some sql-injectable php. maybe a little stack buffer overflow as a treat.
February 1, 2026 at 2:47 PM
Reposted by Ron Bowes
Dun dun daaah
From the sciencefiction community on Reddit: My e-Reader Just Created the Shortest Horror Story Ever
Explore this post and more from the sciencefiction community
www.reddit.com
January 31, 2026 at 9:39 AM
This is such a good article!

blog.mikeswanson.com/backseat-sof...
January 31, 2026 at 7:01 AM
Reposted by Ron Bowes
Hell yes! Many of us have been following this story from the beginning, and I'm SO glad to see it resolved finally...

arstechnica.com/security/202...
January 29, 2026 at 8:49 PM
Reposted by Ron Bowes
👀 Seeing who’s poking Ivanti Connect Secure?

GreyNoise just caught a ~100x spike in recon on CVE-2025-0282 featuring one loud AS213790 campaign and one sneaky botnet spread across 6K IPs.

We broke down the infra + what defenders should do next. 👇
Inside the Infrastructure: Who’s Scanning for Ivanti Connect Secure? – GreyNoise Labs
GreyNoise detected a 100x surge in Ivanti Connect Secure reconnaissance targeting CVE-2025-0282 (EPSS 93%). Analysis reveals two distinct campaigns: an aggressive AS213790-based operation generating 3...
www.labs.greynoise.io
January 29, 2026 at 5:26 PM
Reposted by Ron Bowes
"What Lin and Cursor achieved was to show that an AI agent can generate millions of lines of code that’s lifted from other projects, and that don’t compile, let alone work."

Cursor lies about vibe-coding a web browser with AI
January 28, 2026 at 10:00 AM
Reposted by Ron Bowes
Most attacker behavior only makes sense over time. 🕰️
Recall brings time-series analysis to GNQL so you can see how scanning and exploitation evolved.
See the timeline. Find the pattern.
GreyNoise Introduces Recall: Time-Series Intelligence for GreyNoise Query Language
Recall is a time-series capability that enables customers to query GreyNoise data over specific historical ranges. Instead of a static summary of current IP behavior, Recall allows you to see exactly ...
www.greynoise.io
January 28, 2026 at 7:02 PM
Reposted by Ron Bowes
Three campaigns. One fingerprint.
React RCE, VPN brute forcing, and router scanning—all linked to the same infrastructure.
→ 1.7M React attacks
→ 506K VPN targets
→ 3 IPs behind 1.8M router attempts
This week's At The Edge preview: greynoise.io/contact
January 27, 2026 at 10:33 PM
Reposted by Ron Bowes
We used the wrong Just Happy to Be Here logo on our poster!! Here's the right one!
January 27, 2026 at 11:29 PM