Sensor Intel Series: Top CVEs in July 2022 | F5 Labs

2024 Cybersecurity Predictions


Table 1 shows counts and monthly changes for all of the CVEs we identified in July traffic.
 

CVE Number Count Change in Count (June – July)
CVE-2020-8958 8244 3876
CVE-2017-9841 5991 -303
CVE-2020-25078 3739 2821
CVE-2018-10562 3728 2915
CVE-2017-18368 3265 3063
CVE-2019-9082 2508 -278
CVE-2021-3129 2057 -203
CVE-2021-28481 1839 -159
CVE-2022-22947 1330 -128
CVE-2021-22986 447 -7
CVE-2021-41277 226 75
CVE-2021-44228 198 -92
CVE-2022-1388 47 23
CVE-2022-22965 19 -5
CVE-2020-9757 14 8
CVE-2018-7600 13 -7
CVE-2020-28188 9 8
CVE-2022-25369 9 8
CVE-2008-6668 8 5
CVE-2021-3577 8 2
CVE-2018-7700 7 -22
CVE-2020-7796 6 3
CVE-2021-33357 6 5
CVE-2020-13167 5 4
CVE-2020-3452 5 -25
CVE-2019-2767 4 -1
CVE-2021-29203 4 2
CVE-2021-32172 3 0
CVE-2018-1000600 2 1
CVE-2021-21315 2 1

Table 1. Traffic counts for July and monthly change for CVEs. July was the first month in 2022 in which CVE-2017-9841 was not the top targeted CVE.

Other Observations

We have been filtering traffic strictly for CVEs because they are well-defined by the practitioner community and tend to have comparatively straightforward paths to remediation. However, the volume of traffic targeting more vague kinds of resources often surpasses any given CVE. Two of the most consistent targets tend to be scans or exploit attempts against WordPress instances and phpMyAdmin instances.

Traffic targeting WordPress instances in July make up 15,436 connections, which was nearly double that of the most popular CVE. Traffic targeting phpMyAdmin, which has a long history of vulnerabilities, outstripped any CVE nearly three times, with 24,772 connection attempts in July. While these kinds of targets are less clearly defined than CVEs and have more complicated mitigation requirements, they bear mention because of the sheer volume and focus that they receive from attackers. If you’re running a WordPress or PMA site, your security posture deserves an extra look-over (or two).

CVE Writeups

Below you will find brief writeups and links to the National Vulnerability Database for all of the new CVEs that showed up in July. For CVEs that were present in the first six month dataset, see the first Sensor Intel Series article.

CVE-2020-8958

A command injection vulnerability in Guangshou 1GE ONU V2801RW 1.9.1-181203 through 2.9.0-181024 and in V2804RGW 1.9.1-181203 through 2.9.0-101024 which allowed remote attackers to execute arbitrary OS commands. The vast majority of these were simple requests to identify possibly vulnerable endpoints, but a few were attempting to log in with simple credential pairs (admin/admin, and the like). NVD

CVE-2017-18368

A critical command injection vulnerability in ZyXEL router model no. P660HN-T1A v1 TCLinux Fw $7.3.15.0 v001 / 3.40(ULM.0)b31. Traffic targeting this vulnerability in our logs was completely uniform, requesting exactly the same URI every time via a POST method with no body content. NVD

CVE-2021-28481

A critical remote code execution (RCE) vulnerability in Microsoft Exchange Server, unique from several other CVEs for Exchange that came out about a month earlier (CVE-2021-28480, CVE-2021-28482, CVE-2021-28483. The most common scan was done by scanners using the ‘Mozilla/5.0 zgrab/0.x’ User-Agent, which (assuming it isn’t being spoofed) is the User-Agent used by the zgrab scanner (part of Zmap). The rest used the User-Agent header associated with the Leakix internet scanning platform, although as that scanner is open source, they may not have been generated by that platform itself. NVD

CVE-2021-41277

A local file inclusion (LFI) vulnerability in Metabase, an open source data analytics platform, fixed in maintenance releases 0.40.5 and 1.40.5. This allowed attackers to view the contents of local files and environmental variables on the affected server. Our dataset shows that the vast majority of the attempts were trying to read /etc/hosts, and a handful went for /etc/passwd. Once again the User-Agent header was associated with the Leakix scanning platform. NVD

CVE-2021-22986

CVE-2021-22986 is critical unauthenticated remote command execution vulnerability on F5 BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, and 12.1.x before 12.1.5.3 and BIG-IQ 7.1.0.x before 7.1.0.3 and 7.0.0.x before 7.0.0.2. In our dataset, a handful of these simply checked if a command could be run, but in most cases, an attempt was made to download a shell script from a remote server and execute it. NVD

CVE-2022-1388

CVE-2022-1388 is another critical vulnerability on F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all 12.1.x and 11.6.x versions. In our dataset, the majority of the time an actual attempt to exploit this was observed. NVD

July Port Scan Data

F5 Labs also analyzes data for TCP ports other than 80 and 443 from the Effluxio network. The top 10 ports for July 2022 follow patterns we’ve been seeing for years, with port 5900 (VNC) topping the list, followed by a collection of ports used mainly for remote access (ssh, telnet, ftp, RDP) and some database and mail related ports as well. Interestingly, despite decades of advice suggesting that SMB not be exposed to the internet, it still appears to be scanned for regularly.
 

Port % of total connections Typical application
5900 34.8% VNC
80 19.3% HTTP
22 10.8% SSH
23 10.2% Telnet
443 4.6% HTTPS/TLS
1080 2.8% SOCKS proxy
3389 2.5% RDP
3306 2.5% Mysql/MariaDB
25 1.6% SMTP
445 0.3% SMB

Conclusion

Last month we noted the unsurprising popularity of remote code execution vulnerabilities, but also recognized that two of the six vulnerabilities were IoT vulnerabilities. This month, not only is the top targeted CVE an IoT vulnerability, but several of the new vulnerabilities or newly prominent ones are as well, including CVE-2017-18368. In fact, 4 of the top 9 targeted vulnerabilities in July were IoT vulnerabilities. 2021 and 2022 have seen several record-breaking DDoS attacks, and we know how useful IoT devices are for DDoS attacks. As a result we are left to speculate that threat actors are building infrastructure for future DDoS. Because of this, in addition to recommending vulnerability scanning and remediation, we also recommend scoping for DDoS protection and mitigation in one form or another.



Source link
lol

Table 1 shows counts and monthly changes for all of the CVEs we identified in July traffic.  CVE Number Count Change in Count (June – July) CVE-2020-8958 8244 3876 CVE-2017-9841 5991 -303 CVE-2020-25078 3739 2821 CVE-2018-10562 3728 2915 CVE-2017-18368 3265 3063 CVE-2019-9082 2508 -278 CVE-2021-3129 2057 -203 CVE-2021-28481 1839 -159 CVE-2022-22947 1330 -128 CVE-2021-22986 447…

Leave a Reply

Your email address will not be published. Required fields are marked *