
Spikes in hacker activity seen six weeks before a new CVE


GreyNoise recently found that in 80% of the cases its research team analyzed, significant spikes in attacker activity against edge devices were observed in the six weeks before a new CVE was published.

In its July 31 report, GreyNoise said this recurring pattern could offer defenders an early warning.

“These spikes give defenders a defined window to prepare,” the researchers wrote. “The clustering of new CVEs within six weeks of attacker spikes provides defenders with a concrete timeframe to increase monitoring, harden systems, and preemptively act — even before a vulnerability is known. CISOs can use this window to justify early planning or investment.”
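What "increase monitoring" looks like in practice is a baseline-and-threshold check on perimeter telemetry for the edge service in question. The following is an added example written for this page, not GreyNoise's tooling or anything from the report: it assumes a simple constructed log line format (`<ISO timestamp> <src_ip> <dst_port> <request path>`), counts distinct source IPs per UTC day for one destination port, and flags a day whose count is several times the median of the preceding week. The sample lines are generated inline and are not real traffic.

```python
"""Flag spikes in probing activity against an internet-exposed service.

Added example for this article (not GreyNoise code). Log format, thresholds
and sample traffic are all assumptions made here for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import median


def parse_line(line: str):
    """Parse one constructed log line: '<ISO ts> <src_ip> <dst_port> <path>'."""
    ts, src, port, path = line.split(maxsplit=3)
    day = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).date()
    return day, src, int(port), path


def daily_unique_sources(lines, dst_port):
    """Distinct source IPs per day hitting dst_port, with quiet days filled as 0."""
    per_day = defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        day, src, port, _ = parse_line(line)
        if port == dst_port:
            per_day[day].add(src)
    if not per_day:
        return {}
    first, last = min(per_day), max(per_day)
    counts = {}
    d = first
    while d <= last:
        counts[d] = len(per_day.get(d, ()))  # missing day means no probes seen
        d += timedelta(days=1)
    return counts


def find_spikes(counts, baseline_days=7, factor=4.0, min_sources=20):
    """Return (day, count, baseline_median) for days far above the prior week.

    min_sources keeps a jump from 1 to 5 sources from counting as a spike;
    factor compares against the median so one earlier spike does not poison
    the baseline the way a mean would.
    """
    days = sorted(counts)
    spikes = []
    for i, day in enumerate(days):
        window = [counts[d] for d in days[max(0, i - baseline_days):i]]
        if len(window) < baseline_days:
            continue  # not enough history to judge
        base = median(window)
        if counts[day] >= min_sources and counts[day] > factor * max(base, 1):
            spikes.append((day, counts[day], base))
    return spikes


def report(lines, dst_port=443, cve_window=timedelta(weeks=6)):
    """Spike days plus the end of the six-week window the report describes."""
    return [
        {
            "day": day.isoformat(),
            "sources": count,
            "baseline": base,
            "watch_until": (day + cve_window).isoformat(),
        }
        for day, count, base in find_spikes(daily_unique_sources(lines, dst_port))
    ]


def build_sample_log():
    """Constructed traffic: ten quiet days, then a burst of new sources."""
    lines = []
    start = datetime(2025, 6, 1, tzinfo=timezone.utc)
    for d in range(10):  # background: the same three scanners every day
        for k in range(3):
            t = start + timedelta(days=d, hours=5 * k)
            lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} 198.51.100.{10 + k} 443 /")
    spike = start + timedelta(days=10)
    for k in range(30):  # spike day: 30 distinct sources probing one path
        t = spike + timedelta(minutes=7 * k)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} 203.0.113.{k + 1} 443 /remote/login")
    lines.append(f"{spike:%Y-%m-%dT%H:%M:%SZ} 192.0.2.5 22 -")  # other port, ignored
    return lines


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    for hit in report(SAMPLE_LOG):
        print(hit)
```

The thresholds (a week of history, four times the median, at least 20 sources) are starting points to tune against your own baseline; the useful signal is usually the burst of previously unseen sources hitting one path, so feeding the flagged day's request paths into the threat-hunting workflow is the natural next step.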

J Stephen Kowski, Field CTO at SlashNext Email Security, said it makes sense that spikes in suspicious behavior often come before new vulnerability disclosures: attackers are feeling things out and testing weak spots, especially with tools that let them move a lot faster. That said, Kowski said he'd be cautious about reading too much into short-term patterns: there's clearly a signal here, but not every spike equals a new CVE.

“I would hesitate to use ‘80% of all spikes indicate a newly found CVE’ as a rule,” said Kowski. “What’s clear is that real-time visibility into this kind of scanning and probing matters more than ever, especially when AI speeds everything up. The sooner we can detect what attackers are rehearsing, the better our chances of stopping the show before it starts.”

John Bambenek, president at Bambenek Consulting, said cybersecurity pros are in the business of chasing what the adversary already knows. In the case of vulnerabilities, Bambenek said the attackers are out there exploiting devices and we have to discover that these devices are hacked and then reverse engineer what happened.

“The good news is that broad internet-wide scanning is easily detectable and gives us a hint there’s a problem,” said Bambenek. “The bad news is that the attacks average about six weeks of free rein before the vendor can respond.”

Casey Ellis, founder at Bugcrowd, added that the significant takeaway from this report is that, especially when it comes to edge devices, "the horse has bolted" from an exploitation standpoint by the time a CVE rolls out. Ellis said defenders should think about protecting internet-exposed systems accordingly, deploying patches promptly, and thinking about defense-in-depth as well as proactive and continuous threat hunting.

“The six-week window makes a lot of sense, and is something Bugcrowd has observed in the past,” said Ellis. “When it comes to vulnerabilities in common or high-value systems, security researchers know that when a bug is initially found it often indicates that there’s a broader quality issue with that codebase/code path, and research clustering in pursuit of additional vulnerabilities tends to follow the initial discovery.”
