Recently, GreyNoise observed a sudden and highly coordinated wave of exploitation attempts targeting CVE-2021-43798, a Grafana path traversal that allows arbitrary file reads. The surge, captured by the company’s Global Observation Grid (GOG), involved 110 unique malicious IPs in just one day.
Grafana exploitation activity had been relatively quiet in recent months, but GreyNoise reported that “on 28 September, activity spiked sharply: 110 unique IPs observed in a single day.” These attempts targeted endpoints in only three countries: the United States, Slovakia, and Taiwan.
Notably, Bangladesh accounted for 107 of the malicious IPs, with 105 of those focusing almost exclusively on U.S. endpoints. China and Germany contributed two and one IPs respectively. GreyNoise emphasized that the majority of these IPs were “first seen on 28 September, the same day they attempted exploitation.”
Analysis of the traffic revealed a distinct 3:1:1 ratio of targeting (U.S.: Slovakia: Taiwan). This pattern held true even when isolating activity from specific source countries. For example, “China-based IPs → U.S. (7), Slovakia (2), Taiwan (2); Germany-based IPs → U.S. (3), Slovakia (1), Taiwan (1); Bangladesh-based IPs → U.S. (100), Slovakia (1), Taiwan (1).”
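The two signals above, traversal requests against the Grafana plugin route and a one-day jump in distinct source IPs, can be pulled out of ordinary access logs. The following is an added example, not code from GreyNoise or the Grafana project; it assumes the affected route sits under `/public/plugins/` (the page does not name it) and uses constructed log lines with RFC 5737 test addresses.

```python
import posixpath
import re
from collections import defaultdict
from urllib.parse import unquote

# Assumption: the CVE-2021-43798 route lives under this prefix; the page does not state it.
PLUGIN_ROOT = "/public/plugins/"

# Constructed access-log lines for the demo (test addresses, invented timestamps).
SAMPLE_LOG = """\
203.0.113.10 - - [28/Sep/2025:10:01:02 +0000] "GET /public/plugins/alertlist/../../../../etc/passwd HTTP/1.1" 200 1734
203.0.113.11 - - [28/Sep/2025:10:01:05 +0000] "GET /public/plugins/alertlist/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1734
198.51.100.7 - - [28/Sep/2025:10:02:00 +0000] "GET /public/plugins/alertlist/module.js HTTP/1.1" 200 4410
203.0.113.10 - - [28/Sep/2025:10:03:00 +0000] "GET /public/plugins/welcome/..%252f..%252f..%252fetc%252fhosts HTTP/1.1" 200 220
198.51.100.8 - - [29/Sep/2025:08:00:00 +0000] "GET /api/health HTTP/1.1" 200 42
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>[^:\]]+):[^\]]*\] "(?P<method>\S+) (?P<path>\S+)')


def is_plugin_traversal(raw_path: str) -> bool:
    """True when a request under PLUGIN_ROOT resolves above its plugin directory."""
    path = raw_path.split("?", 1)[0]
    decoded = unquote(unquote(path))  # undo single and double percent-encoding
    if not decoded.startswith(PLUGIN_ROOT):
        return False
    rel = decoded[len(PLUGIN_ROOT):]
    # Normalise relative to the plugin root; a result that climbs above it escaped the directory.
    norm = posixpath.normpath(rel)
    return norm == ".." or norm.startswith("../")


def unique_traversal_sources_per_day(log_text: str) -> dict:
    """Map each day to the number of distinct source IPs that sent a traversal request."""
    sources = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_plugin_traversal(m["path"]):
            sources[m["day"]].add(m["ip"])
    return {day: len(ips) for day, ips in sources.items()}


def surge_days(daily_counts: dict, baseline: int) -> list:
    """Days whose distinct-source count exceeds a baseline, the shape of the spike GreyNoise reports."""
    return sorted(day for day, n in daily_counts.items() if n > baseline)


if __name__ == "__main__":
    counts = unique_traversal_sources_per_day(SAMPLE_LOG)
    print(counts, surge_days(counts, baseline=1))
```

The baseline is a tuning choice; in practice it would be derived from the same counter run over the preceding weeks rather than a fixed number.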
GreyNoise also noted convergence across tooling. Multiple TCP and HTTP fingerprints were observed, but all mapped to the same destination patterns. This suggests, as the report states, “shared tasking or a common target list, not uncoordinated traffic.”
Two China-based IPs stood out during the surge: 60.186.152.35 and 122.231.163.197, both linked to CHINANET-BACKBONE. GreyNoise observed that “both were first observed on 28 September, active only that day, and overwhelmingly focused on Grafana.”
GreyNoise observed that “Grafana path traversal and related have been leveraged in large-scale SSRF / exploit waves … and are actively researched and weaponized for account takeovers.”
The advisory further warns that these often appear as early steps in multi-stage exploit chains, where reconnaissance and lateral movement follow the initial foothold.
GreyNoise concludes that the observed surge is likely not random but coordinated: “This activity reflects a coordinated push against a known, older . The uniform targeting pattern across source countries and tooling indicates common tasking or shared exploit use.”