Tag: CVE-2017-9841
Introduction Welcome to the July 2024 installment of the Sensor Intelligence Series, our monthly summary of vulnerability intelligence based on distributed passive sensor data. Last month we observed a massive increase in scanning for CVE-2017-9841 as well as continued increases in scanning for CVE-2023-1389 and scanning for a newly discovered PHP vulnerability – CVE-2024-4577. This…
Read MoreNote the large increase in the number of unique source IPs and source ASNs. Between May and June, 38 different source ASNs dropped from the scanning activity, and 179 were added. This is unusual. While scanners will abandon infrastructure as takedowns happen, or access is revoked, they typically do not make such massive changes without…
Read MoreWho Is Scanning for CVE-2023-1389? Back in April, when we first started tracking CVE-2023-1389, we did an analysis of who was scanning for it, and found that the majority of scanning activity was coming from just two ASNs, AS49870 (Alsycon, a hosting provider out of the Netherlands) and AS47890 (Unmanaged Ltd). Running these analyses again,…
Read MoreIntroduction Last month’s Sensor Intel Series for March 2024 uncovered the explosion in traffic hunting for systems affected by CVE-2023-1389. The flaw which related to TP-Link Archer AX21 Wi-Fi routers has quickly become the new darling of threat actors looking to build out their DDoS botnets. No new signatures have been introduced this month. Instead,…
Read MoreThe majority of the scanning activity is coming from IP addresses assigned to just a handful of ASNs, mostly AS49870 (Alsycon, a hosting provider out of the Netherlands) and AS47890 (Unmanaged Ltd, what looks to be an IT consulting firm based out of the UK). The scanners appear to be using VPS or other resources…
Read MoreAfter a few days of monitoring the channel, the bot master noticed our activity and registered the nicknames of the admins and white-listed the IRC clients allowed to join the network. This prevented us from pretending to be admins and controlling the bots. During our research, the botnet peaked at around 350 bots, which is…
Read MoreIdentifying Trends in Recent Cyberattacks Web attacks vary quite a lot—by target, technique, objective, and attacker—which makes it difficult for a system owner to assess the instantaneous risk to their particular combination of systems until they’re attacked. To help defenders anticipate the risks they face, we analyzed several months’ worth of global honeypot traffic from…
Read MoreF5 Labs in collaboration with Effluxio researches global attack traffic to gain a better understanding of the cyberthreat landscape. In this installment of regional threat analysis, F5 Labs researchers break down the data collected by our sensors on attacks targeting Latin America from January 1 through March 31, 2021. Cyberattacks happen in many forms, but…
Read MoreAugust Port Scan Data F5 Labs also analyzes data for TCP ports other than 80 and 443 from the Efflux network. The top 10 ports for August 2022 follow patterns we’ve been seeing for years, with port 5900 (VNC) topping the list, followed by a collection of ports used mainly for remote access (ssh, telnet,…
Read MoreThere are several interesting developments in this plot other than the emphasis on CVE-2018-13379, the vulnerability in the Fortinet SSL VPNs . After growing in prominence to second rank in June and occupying top spot in July and August, CVE-2020-8958 dropped in attack frequency in September to occupy the fourth spot. September was also the…
Read More