Introduction

Welcome to the July 2024 installment of the Sensor Intelligence Series, our monthly summary of vulnerability intelligence based on distributed passive sensor data.

Last month we observed a massive increase in scanning for CVE-2017-9841 as well as continued increases in scanning for CVE-2023-1389 and scanning for a newly discovered PHP vulnerability – CVE-2024-4577.

This month, we observed the scanning for CVE-2017-9841 fall sharply, and we’ll get to that in a moment.

CVE-2023-1389, an RCE vulnerability in TP-Link Archer AX21 consumer routers, also fell sharply, returning to levels not seen since April 2024. In fact, overall scanning traffic fell off significantly but was mainly driven by the decrease in scanning for the two above vulnerabilities.

Following Up On CVE-2017-9841

The massive increase in scanning last month for CVE-2017-9841 made us really shake our heads. Not only was it huge, but it was also clearly done by the same scanning actor, given the similarities in the URLs scanned, the lack of any variability in header values, and the similarity of other URLs scanned from the same IPs and ASNs.

At the time, we had a lot of unanswered questions, most relevant of which was why would this scanning actor suddenly more than double their infrastructure in terms of both IPs and ASNs?

Unfortunately, we may never know for certain, but whatever the reasons, the massive change in both volume and source has now fallen off sharply, some of the lowest levels of unique source IPs and ASNs seen this year. The total events is still elevated from the average of the first six months of the year, and above average even if we remove the increases from May and June, but is now a mere 9000 or so scans detected, vs. the 76,000 we observed last month.

We dug into the sources of these scans and looked at what else they are targeting and found some interesting information.

First off all, scanning for this vulnerability has been present in our dataset from the very beginning of this project, all the way back in 2020. The following table shows the number of scans detected across our entire data set, by year.
 

Table 1: CVE-2017-9841 scanning by year, which peaked in 2021.

Scanning peaked in 2021 and decreased in 2022, but in just the first six months of 2024, this situation changed, with 100,607 events observed, and then fell massively in July. Breaking this out by month shows very clearly the massive increase, and adding additional fields reveals some interesting patterns.
 

Table 2: Breakdown of scanning sources for CVE-2017-9841, by source IP, source ASN, source country, unique headers observed, and countries targeted.

Note the large increase and then decreases in the number of unique source IPs and source ASNs. Between May and June, 38 different source ASNs dropped from the scanning activity, and 179 were added. Between June and July 2024, 157 ASNs and 651 IP addresses fell out of use.

This sort of massive fluctuation is, as we have noted previously, unusual to observe when it comes to a specific scanning actor. Most scanners don’t vary their infrastructure a great deal. One assumes that they have a setup that works, and usually don’t bother to move around a great deal unless they are under pressure or losing access to infrastructure due to takedowns.

Regardless, the owners of unpatched, and uncompromised PHPUnit installations dating from 2022 (if any indeed exist) can breathe a sigh of relief.

July Vulnerabilities by the Numbers

Figure 1 shows July attack traffic for the top ten CVEs that we track. Note the continued presence of CVE-2023-1389, and CVE-2017-9841, but also the return of a few old friends that have been absent from recent Top 10s, including the 2018 JAWS Web server vulnerability (which does not have a CVE assigned to it) as well as CVE-2022-41040/CVE-2021-34473, a pair of Microsoft Exchange Server vulnerabilities. The actual level of scanning for these vulnerabilities has remained relatively constant, however, so it’s appearance in the top ten this month is indicative of the reduction in total scans for other vulnerabilities.