Common Non-CVE Traffic

It may be easy to conclude from the above figures that even though overall traffic has held steady, CVE exploitation attempts, at least for the CVEs and vulnerabilities we track, has decreased. That’s true, but there is a great deal of traffic that our sensor network sees that is not reflected in the above data. To give a more comprehensive picture, we can note that of the overall traffic in November 2023, approximately 35% of the total traffic was composed of scans attempting to find unsecured files that might contain credentials (such as “/.env” or “/.aws/credentials”), and approximately 9% of the total were scans for PHPMyAdmin web interfaces exposed to the internet, likely as a target for credential stuffing.

We hope to dig further into non-CVE traffic in the future, but until then, take this as a clear message from attackers – it’s not simply CVEs you need to be concerned with. It’s your entire attack surface, which includes files and services incorrectly exposed to the internet.

Conclusions

We again reiterate that our sensors are passive, and they do not respond to requests, nor do they pretend to be any specific platform or software stack. They are simply an open socket on port 80 and 443, with just enough of a webserver to be able to record the requests made to them and negotiate any required TLS connection. They do not have DNS names, although it’s certainly possible they may once have had them. Sometimes IP blocks are reassigned, and old DNS records remain that continue to point to them.

For those new to the Sensor Intelligence Series, we will conclude by repeating some old but valid observations. We see a continuing focus on IoT and router vulnerabilities, as well as easy, essentially one-request remote code execution vulnerabilities. These typically result in the installation of malware, crypto miners, and DDoS bots. Additionally, past CVEs, we see continuous scanning activity that might be most accurately described as reconnaissance; the identification of attack surface, exposed files, and other materials that attackers hope to leverage to enable further attacks. See you in January for our final Sensor Intel Series report covering 2023!