Tag: CVE-2020-17496

Who Is Scanning for CVE-2023-1389? Back in April, when we first started tracking CVE-2023-1389, we did an analysis of who was scanning for it, and found that the majority of scanning activity was coming from just two ASNs, AS49870 (Alsycon, a hosting provider out of the Netherlands) and AS47890 (Unmanaged Ltd). Running these analyses again,…

Read More

Introduction Last month’s Sensor Intel Series for March 2024 uncovered the explosion in traffic hunting for systems affected by CVE-2023-1389. The flaw which related to TP-Link Archer AX21 Wi-Fi routers has quickly become the new darling of threat actors looking to build out their DDoS botnets. No new signatures have been introduced this month. Instead,…

Read More

The majority of the scanning activity is coming from IP addresses assigned to just a handful of ASNs, mostly AS49870 (Alsycon, a hosting provider out of the Netherlands) and AS47890 (Unmanaged Ltd, what looks to be an IT consulting firm based out of the UK). The scanners appear to be using VPS or other resources…

Read More

The most glaring example of a predominant vulnerability type is visible in the top row, which is CWE-79: Improper Neutralization of Input During Web Page Generation, more commonly known as cross-site scripting (XSS). Cross-site scripting dominated the field of CVEs from 2011-2016, at times making up 60% of published vulns in a quarter. SQL injection…

Read More

It seems like threat actors everywhere could detect my impatience last month when I wrote that not much had changed among the 70-odd CVEs that we track for attack trends, because last month they did something. Actually, to be more precise, they stopped doing some things. This is the first month since September 2022 that…

Read More

Conclusions This month we were able to add seven newly observed CVEs to our list of confirmed exploited vulnerabilities: CVE-2012-4940, a directory traversal vulnerability in the Axigen Free Mail Server. CVE-2016-4945, a cross-site scripting flaw in Citrix Netscaler Gateway CVE-2017-11511 and CVE-2017-11512, arbitrary file download flaws at different URIs in the Zoho ManageEngine ServiceDesk tool…

Read More

Welcome back to the Sensor Intelligence Series, our recurring monthly summary of vulnerability intelligence based on distributed passive sensor data. We’ll start off this month’s analysis with a look at some activity from the August dataset, which demonstrates some of the oddities we occasionally see, and then dig into the changes we saw in September…

Read More

Overall Scanning Traffic Changes Lest the downward trend shown in Figure 2 makes it seem like overall scanning traffic may be abating, it’s important to note that the volume of scanning we observed has remained relatively constant, at least over the last three months, increasing by approximately 5.1% from August to September, then falling approximately…

Read More

Common Non-CVE Traffic It may be easy to conclude from the above figures that even though overall traffic has held steady, CVE exploitation attempts, at least for the CVEs and vulnerabilities we track, has decreased. That’s true, but there is a great deal of traffic that our sensor network sees that is not reflected in…

Read More

Zooming Out to Look at 2023 One of the questions we frequently get asked about this data is about attribution, that is, who is doing the scanning. This is a difficult question, because it is quite well understood that many threat actors take great pains to do at least a bit of obfuscation of their…

Read More