The Sensor Intel Series is created in partnership with Efflux, who maintains a globally distributed network of sensors from which we derive attack telemetry.
Additional insights and contributions provided by the F5 Threat Campaigns team.
Introduction
Welcome to the May 2024 installment of the Sensor Intelligence Series, our monthly summary of vulnerability intelligence based on distributed passive sensor data. The big news from this month is that overall scan traffic doubled from last month, driven in part by the continuing surge in scanning for CVE-2023-1389 as well as a large increase in scanning for CVE-2017-9841.
We dug into CVE-2023-1389 last month. CVE-2017-9841 is a critical remote code execution vulnerability in PHPUnit, and it has been in our top ten for several years. It may seem strange to see such intense scanning for such an old vulnerability, but while PHPUnit itself was patched by its maintainers long ago, the library is bundled into many other products, and those products may never have updated their own copies. Over the last 12 months, scanning for it peaked in July 2023 and then appeared to be settling to a low and steady level, until this month.
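Because the exposure comes from bundled copies rather than a standalone install, the practical check is twofold: look for requests to PHPUnit's eval-stdin.php in web server logs, and walk the web root for copies of that file wherever a product happens to have vendored it. The following is an added example, not code from the original post or from F5; the log format, the sample log lines and the directory layout are constructed for illustration.

```python
"""Added example (not from the original post): spot CVE-2017-9841 probes in
web server logs and find bundled copies of PHPUnit's eval-stdin.php on disk.
Log lines and paths below are constructed for illustration."""
import os
import re
import tempfile

# Apache/nginx "combined" log format; this regex is the example's own assumption.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# CVE-2017-9841 is reached through Util/PHP/eval-stdin.php. Bundled copies sit
# under arbitrary product roots, so match on the file name, not a fixed prefix.
EVAL_STDIN_RE = re.compile(r'/eval-stdin\.php$', re.IGNORECASE)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def flag_phpunit_probes(lines):
    """Return (ip, method, path, verdict) for every request aimed at eval-stdin.php.

    verdict is "exposed" when a POST got a 200 (the server ran the file), else "probe".
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # drop any query string before matching
        if not EVAL_STDIN_RE.search(path):
            continue
        exposed = rec["method"] == "POST" and rec["status"] == "200"
        hits.append((rec["ip"], rec["method"], path, "exposed" if exposed else "probe"))
    return hits


def find_bundled_phpunit(root):
    """Walk a web root and return relative paths of every eval-stdin.php, wherever it lives."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        if "eval-stdin.php" in files:
            found.append(os.path.relpath(os.path.join(dirpath, "eval-stdin.php"), root))
    return sorted(found)


def find_in_demo_tree():
    """Build a constructed web root with two vendored PHPUnit copies and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for rel in ("vendor/phpunit/phpunit/src/Util/PHP",
                    "plugins/reports/lib/phpunit/src/Util/PHP"):
            os.makedirs(os.path.join(root, rel))
            with open(os.path.join(root, rel, "eval-stdin.php"), "w") as fh:
                fh.write("<?php // placeholder standing in for the vulnerable file\n")
        return find_bundled_phpunit(root)


# Constructed sample log: one scanner trying two bundled-copy locations, one normal visitor.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/May/2024:03:14:07 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/May/2024:03:14:08 +0000] "POST /shop/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 14 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [12/May/2024:03:15:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 5123 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for hit in flag_phpunit_probes(SAMPLE_LOG):
        print(*hit)
    print(find_in_demo_tree())
```

A 404 on the probe is the expected outcome; a 200 on a POST means the file executed, and the body of that request (which the access log does not record) is the attacker's PHP. The on-disk walk is what catches the copies a package inventory misses, since they were never installed as "PHPUnit" but arrived inside some other product.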
May Vulnerabilities by the Numbers
Figure 1 shows May attack traffic for the top ten CVEs that we track. Note the continued presence of CVE-2023-1389 at the top. CVE-2017-9841, which was also in the number two position last month, experienced a great deal of growth as well compared to last month.
Other changes to the top ten include the rise of CVE-2020-11625, up two positions from last month.
Who Is Scanning for CVE-2023-1389?
Back in April, when we first started tracking CVE-2023-1389, we did an analysis of who was scanning for it, and found that the majority of scanning activity was coming from just two ASNs, AS49870 (Alsycon, a hosting provider out of the Netherlands) and AS47890 (Unmanaged Ltd).
Running these analyses again, we find that the situation has changed. The largest share of the scanning (39%) now comes from AS206264, and AS49870 is entirely absent.
This points to two things. Network providers can and do act to limit scanning activity originating from their networks. But threat actors are also adept at finding new places from which to stage their activity, in this case shifting from a hosting provider in the Netherlands to one based in Hong Kong.
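The month-over-month comparison above rests on one routine step: map each scanning source address to the ASN that announces it, then tally hits per ASN and compare the two months. The following is an added example of that step, not code from the original post or from F5. The prefix table, ASNs (reserved documentation numbers) and source addresses are constructed; a real run would take the prefix table from an offline BGP or whois snapshot.

```python
"""Added example (not from the original post): attribute scan sources to ASNs
by longest-prefix match, compute each ASN's share of the traffic, and diff two
months. Prefix table, ASNs and source addresses are constructed."""
import ipaddress
from collections import Counter


def build_table(rows):
    """Parse (prefix, asn) rows and order them most-specific first for longest-prefix match."""
    parsed = [(ipaddress.ip_network(prefix), asn) for prefix, asn in rows]
    return sorted(parsed, key=lambda row: row[0].prefixlen, reverse=True)


def lookup_asn(table, ip):
    """Return the ASN of the most specific prefix containing ip, or 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for net, asn in table:  # table is already most-specific first
        if addr.version == net.version and addr in net:
            return asn
    return "unknown"


def asn_share(table, source_ips):
    """Return [(asn, hits, percent)] sorted by hit count, descending."""
    counts = Counter(lookup_asn(table, ip) for ip in source_ips)
    total = sum(counts.values())
    return [(asn, n, round(100.0 * n / total, 1)) for asn, n in counts.most_common()]


def asn_changes(prev_share, curr_share):
    """Return (newcomers, dropouts): ASNs seen only this month, and only last month."""
    prev = {asn for asn, _, _ in prev_share}
    curr = {asn for asn, _, _ in curr_share}
    return sorted(curr - prev), sorted(prev - curr)


# Constructed prefix table (documentation ranges, reserved ASNs).
PREFIX_ROWS = [
    ("203.0.113.0/24", "AS64496"),
    ("198.51.100.0/24", "AS64497"),
    ("198.51.100.128/25", "AS64498"),  # more specific than the /24 above, so it must win
    ("192.0.2.0/24", "AS64499"),
]
TABLE = build_table(PREFIX_ROWS)

# Constructed source addresses: hits on one CVE signature in two consecutive months.
LAST_MONTH = ["192.0.2.9"] * 6 + ["203.0.113.7"] * 3 + ["198.51.100.5"]
THIS_MONTH = (
    ["203.0.113.7", "203.0.113.8", "203.0.113.9", "203.0.113.10", "203.0.113.11"]
    + ["198.51.100.200", "198.51.100.201", "198.51.100.202"]  # land in the /25
    + ["198.51.100.5", "203.0.114.1"]  # one in the /24, one outside the table
)

if __name__ == "__main__":
    prev, curr = asn_share(TABLE, LAST_MONTH), asn_share(TABLE, THIS_MONTH)
    for asn, n, pct in curr:
        print(f"{asn:8} {n:4} {pct:5.1f}%")
    print("new:", asn_changes(prev, curr)[0], "gone:", asn_changes(prev, curr)[1])
```

Two caveats worth keeping in mind when reading such a table: a leading share below 50% is a plurality, not a majority, and prefix-to-ASN mappings change over time, so the snapshot used should be from the same period as the sensor data.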
Targeting Trends
Figure 2 is a bump plot showing the change in traffic volume and position over the last twelve months. This shows very clearly the increase in scanning for CVE-2023-1389 since the start of the year, and the massive increase in the last two months. Also notable is the increase in CVE-2017-9841, with its total volume (seen in the width of the colored area) indicating that more scanning for this occurred last month than at any time in the previous eleven months.
Long Term Trends
Figure 3 shows traffic for the top 19 CVEs by all-time traffic, followed by a monthly average of the remaining CVEs. This once again shows the dramatic increase in CVE-2023-1389, as well as the movement of CVE-2017-9841.
Conclusions
We continue to see an intense focus on the compromise of IoT devices, with the goal of assembling massive global botnets. IoT devices, in general, have several characteristics that make them very attractive targets for such activity. They are frequently set up and then forgotten even in larger environments, or in the case of consumer grade devices, the owners may not even realize that they should be updating them regularly. In some cases, the devices may not be user-upgradable at all.
All these factors make leveraging these devices (some of which have atrocious track records when it comes to vulnerabilities) a very effective strategy for developing attacker infrastructure. For organizations, asset inventory must include all devices, not just servers and endpoints, and all these devices should be incorporated into patching and remediation plans. This is easier said than done.