BotPoke Scanner Switches IP

Our top talker changes up their infrastructure, and CVE-2023-1389 continues to hold the top spot.

Welcome to the October 2024 installment of the Sensor Intelligence Series (SIS), our monthly summary of vulnerability intelligence based on distributed passive sensor data.

Below are a few key highlights from this month’s summary.

  • Scanning for CVE-2017-9841 has significantly decreased, while CVE-2023-1389, an RCE vulnerability in TP-Link Archer AX21 routers, continues to be the most scanned CVE.
  • The BotPoke scanner’s activity has shifted from a Lithuanian IP address to one in Hong Kong, with the new IP accounting for 31.5% of all traffic observed.
  • Monthly averages for the 110 tracked CVEs have remained stable, while CVE-2017-18368 exhibited erratic scanning patterns.

BotPoke Scanner Switches IP Address

The BotPoke scanner, associated with the IPv4 address 141.98.11.114, disappeared from our logs this month. However, the scanning activity moved from Lithuania to Hong Kong (154.213.184.3), and the new address accounts for 31.5% of all traffic observed this month. The scanner continued targeting the same URIs and the same regions where our sensors reside.
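The kind of infrastructure shift described above can be surfaced automatically from sensor logs: an IP that vanishes between two months while a previously unseen IP appears with a near-identical set of requested URIs. The script below is an added example, not F5 Labs code; the log format (`<month> <src_ip> <uri>`), the URIs and the neutral secondary IPs are constructed for illustration, and only the two BotPoke addresses are taken from the summary.

```python
"""Added example (not from the F5 Labs summary): flag a scanner that has moved
to a new source IP by comparing per-IP traffic share and requested URI sets
across two months of passive sensor logs.

The log lines below are constructed. Only 141.98.11.114 and 154.213.184.3 are
taken from the summary; the other IPs use RFC 5737 documentation ranges and
the URIs are arbitrary placeholders."""
from collections import Counter, defaultdict

SAMPLE_LOG = """\
2024-09 141.98.11.114 /.env
2024-09 141.98.11.114 /admin/login
2024-09 141.98.11.114 /cgi-bin/status
2024-09 141.98.11.114 /.env
2024-09 203.0.113.7 /wp-login.php
2024-09 198.51.100.9 /.env
2024-10 154.213.184.3 /.env
2024-10 154.213.184.3 /admin/login
2024-10 154.213.184.3 /cgi-bin/status
2024-10 154.213.184.3 /.env
2024-10 154.213.184.3 /cgi-bin/status
2024-10 203.0.113.7 /wp-login.php
2024-10 198.51.100.9 /.env
2024-10 192.0.2.44 /xmlrpc.php
"""


def parse_log(text):
    """Parse 'month src_ip uri' lines into (month, ip, uri) tuples, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        records.append(tuple(parts))
    return records


def traffic_share(records, month):
    """Fraction of the month's requests sent by each source IP (the 'top talker' view)."""
    counts = Counter(ip for m, ip, _ in records if m == month)
    total = sum(counts.values())
    return {ip: n / total for ip, n in counts.items()} if total else {}


def uri_sets(records, month):
    """Distinct URIs each source IP requested in the given month."""
    uris = defaultdict(set)
    for m, ip, uri in records:
        if m == month:
            uris[ip].add(uri)
    return uris


def find_successors(records, prev_month, cur_month, min_similarity=0.75):
    """Pair IPs that vanished after prev_month with IPs that first appeared in
    cur_month and requested a near-identical URI set (Jaccard similarity).
    Returns sorted (old_ip, new_ip, similarity) tuples."""
    prev, cur = uri_sets(records, prev_month), uri_sets(records, cur_month)
    vanished = set(prev) - set(cur)
    appeared = set(cur) - set(prev)
    matches = []
    for old in vanished:
        for new in appeared:
            union = prev[old] | cur[new]
            sim = len(prev[old] & cur[new]) / len(union) if union else 0.0
            if sim >= min_similarity:
                matches.append((old, new, round(sim, 2)))
    return sorted(matches)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    october = traffic_share(recs, "2024-10")
    for old, new, sim in find_successors(recs, "2024-09", "2024-10"):
        print(f"{old} -> {new}: URI overlap {sim:.0%}, "
              f"{october[new]:.1%} of October traffic")
```

The URI-set comparison is what distinguishes a relocated scanner from an unrelated newcomer: in the sample, 192.0.2.44 also appears for the first time in October but shares no URIs with the vanished address, so it is not paired. Raising `min_similarity` tightens the match; lowering it catches scanners that also change part of their probe list when they move.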

October Vulnerabilities by the Numbers

Figure 1 shows October attack traffic for the top ten CVEs we track, with CVE-2023-1389 dominating.

Figure 1: Top ten vulnerabilities by traffic volume in October 2024. CVE-2023-1389 continues to dominate all other CVEs we track in terms of volume.

Targeting Trends

Figure 2 shows traffic volume and position changes over the past year, with heavy scanning for CVE-2023-1389, a decline for CVE-2017-9841, and CVE-2020-11625 rising to second place.

Figure 2: Evolution of vulnerability targeting in the last twelve months. Note the continued falloff in scanning for CVE-2017-9841, and the slight increase in scanning for CVE-2020-11625.

Long-Term Trends

Figure 3 shows traffic for the top 20 CVEs alongside their monthly averages. Scanning for CVE-2017-9841 and CVE-2023-1389 showed a precipitous rise and fall, while CVE-2020-11625 rose from single digits to the thousands. The average for the other 110 CVEs remained constant this month, with CVE-2017-18368 showing a jagged scanning pattern.

Figure 3: Traffic volume by vulnerability. This view accentuates the recent changes in both CVE-2023-1389 and CVE-2017-9841, as well as the increase in scanning for CVE-2020-11625 and CVE-2017-18368.

To find out more about October’s CVEs, and for recommendations on how to stay ahead of the curve in cybersecurity, read the full article at https://www.f5.com/labs/articles/threat-intelligence/botpoke-scanner-switches-ip.

See you next month!

Published Dec 05, 2024
Version 1.0