A Single IP is Scanning Intensely, and Yields a List of Malware Loaders

Welcome to the August 2024 installment of the Sensor Intelligence Series (SIS), our monthly summary of vulnerability intelligence based on distributed passive sensor data.

Below are a few key takeaways from this month’s summary.

  • Scanning for CVE-2017-9841 fell by 79% (vs. July).
  • Scanning for CVE-2023-1389 dropped by 18.8% (vs. July).
  • The overall level of non-CVE scanning was up 90.9% in terms of total events observed.
  • Within non-CVE scanning traffic, the top source and destination combination was scanners in Lithuania scanning US sensors.
  • Within that subset of traffic, 99.9% of scanning came from a single IP address.

CVE-2017-9841 and CVE-2023-1389 Scanning

In the last two months, we’ve seen a decrease in the scanning of CVE-2017-9841 and CVE-2023-1389.

Overall, scanning for CVE-2017-9841 (a remote code execution vulnerability in PHPUnit's eval-stdin.php) has gone down by 97.4% from the surge we saw back in June of 2024. CVE-2023-1389 (an RCE vulnerability in TP-Link Archer AX21 consumer routers) is down by 18.8% compared to July, though it is still the most scanned CVE that we track.

Figure 1: Traffic volume for CVE-2017-9841 and CVE-2023-1389, September 2023 – August 2024.

Researching an Anomaly

In our logs, we often search for anomalies unrelated to scanning for particular CVEs. This month, we discovered one that piqued our interest.

First, we saw that the total number of events detected had increased by 90.9% compared to July, a large jump in overall scanning. We were surprised to find that the top source and destination country combination was scanners located in Lithuania scanning US sensors. The plot twist: we found that the vast majority of that traffic was from just one IP address.

Looking at all of 2024, we found that this IP (141.98.11.114) has been scanning quite a bit, but not very consistently.

Table 1: Scanning activity of 141.98.11.114 by day (MM-DD), July–August 2024. Note that the scanning behavior is not constant and seems to happen a few days at a time.

Day (MM-DD)    Events (n)
07-21               7148
07-22              16083
07-25              16064
07-26               4016
07-31              12048
08-10             165916
08-11              82957
08-12              82956
08-16              68279
08-17              14679
08-18             165916
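One way to reproduce this kind of triage over raw sensor events, as an added example that is not F5 Labs' code: parse a log, find the busiest source/destination country pair, measure what share of that pair's traffic comes from a single source IP, and break that IP out per day in the shape of Table 1. The key=value log format, the helper names, and every event count below are constructed assumptions; only the scanner's IP address is taken from the post.

```python
"""Triage of passive-sensor scan events: find the busiest source/destination
country pair, measure how concentrated that pair's traffic is by source IP, and
break the top source out by day. Added example, not F5 Labs code; the key=value
log format and all event counts are constructed."""
from collections import Counter, namedtuple

Event = namedtuple("Event", "day src_ip src_cc dst_cc")


def parse_line(line):
    """Parse one constructed sensor log line of the assumed form
    '<ISO-8601 timestamp> src=<ip> src_cc=<CC> dst_cc=<CC> cve=<id|->'."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return Event(day=ts[5:10], src_ip=kv["src"], src_cc=kv["src_cc"], dst_cc=kv["dst_cc"])


def build_sample_log():
    """Constructed log lines. The heavy scanner's IP is the one named in the post;
    its volumes here are small placeholders, not the observed counts."""
    lines = []

    def emit(day, ip, src_cc, dst_cc, n):
        for i in range(n):
            lines.append(f"2024-{day}T00:{i // 60:02d}:{i % 60:02d}Z "
                         f"src={ip} src_cc={src_cc} dst_cc={dst_cc} cve=-")

    emit("08-10", "141.98.11.114", "LT", "US", 40)
    emit("08-11", "141.98.11.114", "LT", "US", 20)
    emit("08-12", "141.98.11.114", "LT", "US", 20)
    emit("08-11", "203.0.113.7", "LT", "US", 2)      # another LT host, low volume
    emit("08-10", "198.51.100.1", "DE", "US", 30)    # background from other pairs
    emit("08-12", "198.51.100.2", "CN", "US", 25)
    emit("08-12", "198.51.100.3", "US", "DE", 10)
    return lines


def pct_change(prev_total, cur_total):
    """Month-over-month change in percent (the kind of figure behind '+90.9%')."""
    return (cur_total - prev_total) / prev_total * 100


def top_country_pair(events):
    """Return ((src_cc, dst_cc), count) for the busiest country pair."""
    return Counter((e.src_cc, e.dst_cc) for e in events).most_common(1)[0]


def source_concentration(events, pair):
    """Within one country pair, return (top_ip, count, share_of_pair)."""
    subset = [e for e in events if (e.src_cc, e.dst_cc) == pair]
    ip, n = Counter(e.src_ip for e in subset).most_common(1)[0]
    return ip, n, n / len(subset)


def daily_counts(events, ip):
    """Events per day for one source IP, sorted by day (Table 1's shape)."""
    return dict(sorted(Counter(e.day for e in events if e.src_ip == ip).items()))


if __name__ == "__main__":
    events = [parse_line(line) for line in build_sample_log()]
    pair, n = top_country_pair(events)
    ip, cnt, share = source_concentration(events, pair)
    print(f"top pair {pair[0]}->{pair[1]}: {n} events; {ip} sent {cnt} ({share:.1%})")
    for day, count in daily_counts(events, ip).items():
        print(f"{day}  {count}")
```

The share returned by source_concentration is the check that turns "Lithuania is the top source country" into "one host is the top source": a country-level spike with a share near 1.0 is a single scanner, not a regional campaign, and the per-day breakdown then shows whether it runs continuously or in bursts.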

To view our complete summary on August’s CVEs and a full breakdown into the traffic and data from Lithuania, check out the full blog post on F5 Labs.

Published Oct 04, 2024
Version 1.0