Sensor Intel Series: Top CVEs in August 2023 | F5 Labs


Conclusions

This month we were able to add seven newly observed CVEs to our list of confirmed exploited vulnerabilities:

  • CVE-2012-4940, a directory traversal vulnerability in the Axigen Free Mail Server.
  • CVE-2016-4945, a cross-site scripting flaw in Citrix Netscaler Gateway.
  • CVE-2017-11511 and CVE-2017-11512, arbitrary file download flaws at different URIs in the Zoho ManageEngine ServiceDesk tool.
  • CVE-2017-17731, a SQL injection vulnerability in DedeCMS.
  • CVE-2022-35914, a code injection vulnerability in GLPI, the open-source IT asset management tool.
  • CVE-2023-25157, a SQL injection vulnerability in GeoServer, an open-source server for geospatial data.

In looking for patterns in this data we always have to consider that passive sensors like these tend to select for unsophisticated actors scanning for targets of opportunity, as opposed to threat actors who know exactly whom they want to attack. This means that when we identify patterns such as a focus on open-source software, Microsoft Exchange, or IoT vulnerabilities, we always think about them in terms of commoditized, repeatable attacks, on the assumption that we probably won't observe custom exploits, zero-days, or hands-on-keyboard activity with long attack chains. This naturally leads to more questions: is this combination of targets and tactics, techniques, and procedures trickling down from more sophisticated attacks? Or does it represent an attacker strategy completely removed from the more skilled end of the spectrum, where state-sponsored actors and top-tier cybercrime operators rub elbows?

Ultimately there are so many unknowns around attribution and sophistication that we often end up going in circles, attributing observed methods to known actors and observed actors to known methods. Nevertheless, the low sophistication of our attack traffic is a question to which we continually return, and over time we hope to enrich this data with further observations that shed more light on attackers' motivations and strategy.

Finally, in case anyone reading this month's article is brand new to the Sensor Intelligence Series, we will conclude by repeating some old but still valid observations. We believe that the continuing attacker focus on vulnerable IoT devices such as fiber-optic routers is a sign that attackers are looking for fresh devices to add to a botnet for DDoS attacks. In other words, scans for IoT devices are of concern not only to organizations that own those devices, but to everyone, because compromised routers will only be used to launch yet another attack. And with that, we'll talk to you in October.
