Sensor Intel Series: Top CVEs in March 2024



The majority of the scanning activity is coming from IP addresses assigned to just a handful of ASNs, mostly AS49870 (Alsycon, a hosting provider out of the Netherlands) and AS47890 (Unmanaged Ltd, what looks to be an IT consulting firm based out of the UK). The scanners appear to be using VPS or other resources at these firms to conduct their activity.

After normalization for the number of sensors and other factors, the scanning activity looks to be quite evenly distributed across all the target countries listed above, each receiving approximately 3% of the total traffic. This indicates that the scanners are casting an internet-wide net and attempting to find, in this case, as many vulnerable Wi-Fi routers as possible.

Traffic Volume for Everything Else

Leaving the top ten, Table 1 shows traffic volumes for all vulnerabilities that we’re tracking, along with change from the previous month, CVSS score, and EPSS score. This month we’ve continued to include percent change in addition to the raw change. For high-traffic CVEs, the percent change is usually more instructive. For low-traffic CVEs, where a fluctuation of a handful of connections makes for a change of hundreds of percent, raw traffic is more useful.


