Introduction

Welcome to the October 2024 installment of the Sensor Intelligence Series, our monthly summary of vulnerability intelligence based on distributed passive sensor data.

Following on from our last month’s analysis, scanning of CVE-2017-9841 has fallen to barely a trickle.

CVE-2023-1389, an RCE vulnerability in TP-Link Archer AX21 consumer routers, which has been consistently towards the top of our ranking, continues for a third month to be the most scanned for CVE that we track, although it too has fallen off somewhat.

BotPoke Scanner Switches IP Addresses

The last few months we have been tracking a pattern of scanning which was strongly associated with a specific IPv4 address, 141.98.11.114, which we noted was exhibiting signs of being the BotPoke scanner.

While last month it fell off slightly, this month it simply disappeared from our logs entirely.

This does not mean that the scanning isn’t happening. In fact, what has happened is that the scanning activity associated with the BotPoke scanner has moved from a Lithuanian address to one in Hong Kong, specifically 154.213.184.3. This IP continues the tradition of being our most seen IP, and accounts for 31.5% of all the traffic we observed this month.

Other than changing IPs, this scanner continued to do exactly what it did last month and targeted the same URIs and many of the same regions where our sensors reside.

October Vulnerabilities by the Numbers

Figure 1 shows October attack traffic for the top ten CVEs that we track. CVE-2023-1389 is dominating this visualization, with much more traffic than any of the other top 10. The massive increase in scanning for this vulnerability throws off the proportionality of this view, however. See further down for an easier to understand view using a logarithmic scale in Figure 3.