This view is also notable since it is the first time we’re seeing any of these newly added, high-profile CVEs show up. Second row, far right is CVE-2014-6271, an OS command injection vulnerability more commonly known as Shellshock/Bashdoor. Shellshock shows more targeting variability from month to month than most CVEs (not including CVE-2020-11625, which has been all over the place). In the last year it has seen up to 450 attacks in a month, and as little as one request. Going back a little further, it received 5200 attacks in October 2022, and 3800 in August 2022, but has been all over the map before and since. As Shellshock is older than most of our tracked CVEs and is also extensively documented, we’re wondering how fruitful these relatively large-scale scans for it are in 2024. Do they know something we don’t?

Conclusions

Under the hood, this month’s installment marks a step forward in this series, as we’ve made several technical and procedural changes. We will continue adding new signatures for prominent CVEs even without evidence of heavy attention in our data, partly to look for interesting, low-lying trends and partly to continue exploring the similarities and differences between the attack traffic we observe and other sources. Documenting a low level of attacks is more useful in terms of information gain than none at all, in the sense that a value of zero and a null value have different significance. Plus, since the raw observations noted here also feed the EPSS vulnerability intelligence system, the more exhaustive we can be, the better it is for everyone.

On a more tactical note, we note once again the enduring popularity of IoT and Microsoft Exchange vulnerabilities. As IoT devices are often poorly managed and patched over time, particularly in terms of default admin credentials, these kinds of devices are useful for attackers to build out infrastructure for future attacks, including but not limited to DDoS. So patch those cameras, routers, and other IoT gear, not just for your own sake, but also for everyone else’s.