Scanning for TP-Link Wifi Router Vulnerability Increases by 100%



Who Is Scanning for CVE-2023-1389?

Back in April, when we first started tracking CVE-2023-1389, we did an analysis of who was scanning for it, and found that the majority of scanning activity was coming from just two ASNs, AS49870 (Alsycon, a hosting provider out of the Netherlands) and AS47890 (Unmanaged Ltd).

Running these analyses again, we find that the situation has changed. Now, the majority of the scanning (39%) is instead coming from AS206264. AS49870 is entirely absent.

This indicates two things. Network providers can and do work to limit scanning activity originating from their networks. But threat actors are also very adept at finding new places from which to stage their activities, in this case shifting from a hosting provider in the Netherlands to a hosting provider based out of Hong Kong.

Figure 2 is a bump plot showing the change in traffic volume and position over the last twelve months. This shows very clearly the increase in scanning for CVE-2023-1389 since the start of the year, and the massive increase in the last two months. Also notable is the increase in CVE-2017-9841, with its total volume (seen in the width of the colored area) indicating that more scanning for this occurred last month than at any time in the previous eleven months.


