Tag: CVE-2018-7600
Introduction Welcome to the July 2024 installment of the Sensor Intelligence Series, our monthly summary of vulnerability intelligence based on distributed passive sensor data. Last month we observed a massive increase in scanning for CVE-2017-9841 as well as continued increases in scanning for CVE-2023-1389 and scanning for a newly discovered PHP vulnerability – CVE-2024-4577. This…
Read MoreNote the large increase in the number of unique source IPs and source ASNs. Between May and June, 38 different source ASNs dropped from the scanning activity, and 179 were added. This is unusual. While scanners will abandon infrastructure as takedowns happen, or access is revoked, they typically do not make such massive changes without…
Read MoreWho Is Scanning for CVE-2023-1389? Back in April, when we first started tracking CVE-2023-1389, we did an analysis of who was scanning for it, and found that the majority of scanning activity was coming from just two ASNs, AS49870 (Alsycon, a hosting provider out of the Netherlands) and AS47890 (Unmanaged Ltd). Running these analyses again,…
Read MoreIntroduction Last month’s Sensor Intel Series for March 2024 uncovered the explosion in traffic hunting for systems affected by CVE-2023-1389. The flaw which related to TP-Link Archer AX21 Wi-Fi routers has quickly become the new darling of threat actors looking to build out their DDoS botnets. No new signatures have been introduced this month. Instead,…
Read MoreThe majority of the scanning activity is coming from IP addresses assigned to just a handful of ASNs, mostly AS49870 (Alsycon, a hosting provider out of the Netherlands) and AS47890 (Unmanaged Ltd, what looks to be an IT consulting firm based out of the UK). The scanners appear to be using VPS or other resources…
Read MoreMost don’t, according to BuiltWith, a site that tracks the technologies websites use. Based on its latest data, a paltry .2% of sites on the Internet include CSP headers. Digging further, 8.4% of the Quantcast Top 10,000 have used CSP headers. Which sounds better until you do the math. That’s only 840 sites. By…
Read MoreF5 researchers uncovered a cryptominer campaign delivering new Golang malware that targets Linux-based servers. Golang malware is not often seen in the threat landscape; it was first seen to mid-2018 and has continued throughout 2019. The malware campaign propagates using 7 different methods: 4 web application exploits (2 targeting ThinkPHP, 1 targeting Drupal, and 1…
Read MoreConclusion Campaigns aimed at mining cryptocurrency and targeting Oracle WebLogic are clearly on the rise, and F5 researchers anticipate this trend to continue. This has been fueled partly by the zero-day vulnerability (CVE-2019-2725)found in April 2019. Oracle WebLogic is used widely by large corporations, and the servers are resource-intensive. This attracts threat actors looking to…
Read MoreA vulnerable FortiGate SSL VPN server responds to this request with contents of the sslpvpn_websession file, which contains the username and password of a user. This information can be used or sold to threat actors in order to compile brute force and credential stuffing lists. While reconnaissance campaigns do not actively exploit systems, they enable…
Read MoreSecurity researchers at F5 Networks constantly monitor web traffic at various locations all over the world. This allows us to detect “in the wild” malware, and to get an insight into the current threat landscape. In December 2019, security researchers detected a 100% increase in new threat campaigns as compared to November 2019. This was…
Read More