Zooming Out to Look at 2023

One of the questions we frequently get asked about this data is about attribution, that is, who is doing the scanning. This is a difficult question, because it is quite well understood that many threat actors take great pains to do at least a bit of obfuscation of their activities, and in a situation like this may very well chose to use proxy networks or cloud providers to conceal the origins of their scanning.

However, there are some interesting details that emerge when looking at the entirety of the scan data we have from 2023. In terms of “top talkers” by ASN, we find the following.
 

Table 3: Top ten ASNs by percent of total 2023 traffic observed. Note that ASNs from the USA compromise 11.3% of the total scanning traffic observed world-wide.

ASN 202306 is assigned to HostGlobal.Plus Ltd, a hosting company, and 196645 is Hostpro Lab LLC, another hosting company. 14061 is Digital Ocean, and 6939 is Hurricane Electric, LLC. Even a quick look at this data seems to indicate that most scanning traffic is generated out of hosting provider networks at least in our dataset.

There may be several reasons for this. Provisioning VPS infrastructure to perform scanning is relatively easy and can be done on many hosting providers using false information for the account. Further, it is less likely that targets will wish to block large ranges of hosting provider IP space as this might lead to the blocking of legitimate sites.

It’s important to note that even though in the above table 7.27% of all the scanning traffic we observed in 2023 originated from IPs geolocated to Russia, this does not mean that this is evidence of Russian state sponsored activity, only that this hosting provider (which has IP space in both Russia and the UK) has been used by some set of scanners to provide their infrastructure.

Digging in further, we can see that the scans originating from ASN202306 have a relativel small set of target URLs, the top 20 of which are shown below.
 

Table 4: URLs scanned by ASN 202306 by percent of overall traffic scanned by that ASN

As can be seen above, the scanning from the most active ASN in our data is almost entirely concerned with finding leaked credentials and other sensitive data.

Conclusions

We again reiterate that our sensors are passive, and they do not respond to requests, nor do they pretend to be any specific platform or software stack. They are simply an open socket on port 80 and 443, with just enough of a webserver to be able to record the requests made to them and negotiate any required TLS connection. They do not have DNS names, although it’s certainly possible they may once have had them. Sometimes IP blocks are reassigned, and old DNS records remain that continue to point to them.

As we noted above, attribution is a somewhat difficult question. We certainly can tell where the majority of scanning activity comes from, but only at the level of IP and associated ASN, which is not enough to make a connection to a specific group, especially as the majority of scanning traffic we observe originates from large hosting providers.

For those new to the Sensor Intelligence Series, we will conclude by repeating some old but valid observations. We see a continuing focus on IoT and router vulnerabilities, as well as easy, essentially one-request remote code execution vulnerabilities. These typically result in the installation of malware, crypto miners, and DDoS bots. Additionally, we see continuous scanning activity that might be most accurately described as reconnaissance; the identification of attack surface, exposed files, and other materials that attackers hope to leverage to enable further attacks.