Scanning for CVE-2017-9841 Drops Precipitously
Introduction
Welcome to the July 2024 installment of the Sensor Intelligence Series (SIS). This is our monthly summary of vulnerability intelligence based on distributed passive sensor data.
Last month, we saw a significant increase in scanning for CVE-2017-9841 (a remote code execution vulnerability in PHPUnit), CVE-2023-1389 (an RCE vulnerability in TP-Link Archer AX21 consumer routers), and a newly disclosed PHP vulnerability, CVE-2024-4577. This month, we saw a sharp decrease in scanning for both CVE-2017-9841 and CVE-2023-1389.
Following Up On CVE-2017-9841
Last month we observed a significant increase in scanning for CVE-2017-9841. Similarities in the URLs requested, in header values, and in the other URLs requested from the same IPs and ASNs pointed to a single scanning actor behind the traffic, which raised the question of why that actor would suddenly more than double their infrastructure in terms of both IPs and ASNs.
We may never know why, but the surge in both volume and number of sources has now reversed sharply: July shows some of the lowest counts of unique source IPs and ASNs we have seen this year. Total events are still above average, but only about 9,000 scans were detected versus roughly 76,000 last month.
We dug into the sources of these scans and found some interesting information.
- The vulnerability (CVE-2017-9841) has been present in our dataset since 2020; the table below shows the number of scans detected per year across the entire dataset.

| Year | Scans detected |
| --- | --- |
| 2020 | 40609 |
| 2021 | 149650 |
| 2022 | 58500 |
| 2023 | 30382 |
| 2024 | 109748 |

Table 1: CVE-2017-9841 scanning by year, which peaked in 2021 (2024 covers January through July).
- Scanning peaked in 2021 and fell in 2022 and 2023, then climbed to 100,607 events in the first six months of 2024 before falling sharply in July.
| Month | Unique Source IPs | Unique Source ASNs | Unique Source Countries | Unique Headers | Countries Targeted | Total Events |
| --- | --- | --- | --- | --- | --- | --- |
| January 2024 | 224 | 62 | 39 | 1 | 35 | 2148 |
| February 2024 | 327 | 82 | 43 | 1 | 34 | 2555 |
| March 2024 | 637 | 101 | 49 | 1 | 34 | 2397 |
| April 2024 | 219 | 68 | 43 | 1 | 34 | 2320 |
| May 2024 | 324 | 98 | 41 | 1 | 33 | 15254 |
| June 2024 | 814 | 233 | 54 | 1 | 33 | 75933 |
| July 2024 | 163 | 76 | 44 | 1 | 34 | 9141 |

Table 2: Monthly breakdown of scanning for CVE-2017-9841 in 2024, by unique source IPs, source ASNs, source countries, unique headers observed, countries targeted, and total events.
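The per-month columns in Table 2 (and the header-similarity reasoning used above to attribute the June surge to one actor) can be reproduced from ordinary web server logs. The following is an added example, not F5 Labs sensor code: it flags requests for CVE-2017-9841, which is remote code execution through PHPUnit's `vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php` (the script evaluates the raw POST body as PHP, so scanners POST a payload to that path under various vendor prefixes), and aggregates unique source IPs, ASNs, User-Agent headers and total events per month. The log lines are constructed for the example, and the ASN field is assumed to have been added by an upstream enrichment step, since a stock access log does not carry it.

```python
"""Added example (not F5 Labs code): flag CVE-2017-9841 probes in access logs
and summarise them per month in the shape of Table 2."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log. Format is "ip asn [timestamp] "request" status "user-agent"".
# The ASN column is an assumed upstream enrichment, not part of a normal access log.
SAMPLE_LOG = """\
203.0.113.10 AS64500 [03/Jun/2024:10:01:22 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.10 AS64500 [03/Jun/2024:10:01:23 +0000] "POST /laravel/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 AS64501 [04/Jun/2024:11:15:02 +0000] "POST /vendor/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 AS64501 [04/Jun/2024:11:15:03 +0000] "GET /wp-login.php HTTP/1.1" 404 "Mozilla/5.0 (X11; Linux x86_64)"
192.0.2.44 AS64502 [09/Jul/2024:08:40:10 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 "python-requests/2.31"
192.0.2.44 AS64502 [09/Jul/2024:08:40:11 +0000] "GET /.env HTTP/1.1" 404 "python-requests/2.31"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<asn>AS\d+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

# Match the PHPUnit eval-stdin.php script wherever the vendor/ tree is mounted
# (/vendor/..., /laravel/vendor/..., older layouts without the second phpunit/ dir).
EVAL_STDIN_RE = re.compile(r"/vendor/phpunit/.*/Util/PHP/eval-stdin\.php$", re.IGNORECASE)


def parse_line(line):
    """Parse one enriched log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return event


def is_cve_2017_9841_probe(event):
    """Any request for eval-stdin.php is treated as a probe: a POST carries the
    PHP payload, and a GET still tells the scanner whether the file is exposed."""
    return EVAL_STDIN_RE.search(event["path"]) is not None


def summarize_by_month(log_text):
    """Return Table 2 style counters keyed by month name, e.g. "June 2024"."""
    months = defaultdict(lambda: {"ips": set(), "asns": set(), "headers": set(), "events": 0})
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None or not is_cve_2017_9841_probe(event):
            continue
        bucket = months[event["ts"].strftime("%B %Y")]
        bucket["ips"].add(event["ip"])
        bucket["asns"].add(event["asn"])
        bucket["headers"].add(event["ua"])
        bucket["events"] += 1
    return {
        month: {
            "unique_source_ips": len(b["ips"]),
            "unique_source_asns": len(b["asns"]),
            "unique_headers": len(b["headers"]),
            "total_events": b["events"],
        }
        for month, b in months.items()
    }


if __name__ == "__main__":
    for month, row in summarize_by_month(SAMPLE_LOG).items():
        print(month, row)
```

The "unique headers" counter is the piece that carries attribution weight: in the page's own data it stayed at 1 for every month of 2024 even as source IPs and ASNs tripled in June, which is what supports the single-actor reading. On real logs, also keep the other paths each source requests (the `/.env` and `wp-login.php` lines above are typical companions) so that sources can be clustered by their full request pattern rather than by the CVE path alone.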
July Vulnerabilities by the Numbers
Figure 1 shows July attack traffic for the top ten CVEs, including CVE-2023-1389 and CVE-2017-9841, along with returning old favorites such as the 2018 JAWS web server vulnerability and Microsoft Exchange Server vulnerabilities.
Targeting Trends and Long Term Trends
Figure 2 covers the past year of scanning and shows a significant decrease in both traffic volume and ranking for CVE-2017-9841 and CVE-2023-1389, which have dropped back to levels last seen in April 2024.
Figure 3 shows the same falloff in scanning for CVE-2017-9841 and CVE-2023-1389 against the all-time traffic and monthly averages of the remaining CVEs. Note the logarithmic scale.
Conclusion
Overall CVE scanning activity decreased by just 2.2% from June to July. The scanning we observe remains primarily aimed at identifying sensitive data exposed through misconfigurations and at finding web-based login forms for administrative interfaces, which highlights the importance of constant vigilance.
To find out more about July’s CVEs and for recommendations on how to stay ahead of the curve in cybersecurity check out our full Sensor Intelligence Series article on F5 Labs.
- JRahmAdmin
great stuff, guys!