Tag: log4j

Who Is Scanning for CVE-2023-1389? Back in April, when we first started tracking CVE-2023-1389, we did an analysis of who was scanning for it, and found that the majority of scanning activity was coming from just two ASNs, AS49870 (Alsycon, a hosting provider out of the Netherlands) and AS47890 (Unmanaged Ltd). Running these analyses again,…

Read More

Introduction Last month’s Sensor Intel Series for March 2024 uncovered the explosion in traffic hunting for systems affected by CVE-2023-1389. The flaw which related to TP-Link Archer AX21 Wi-Fi routers has quickly become the new darling of threat actors looking to build out their DDoS botnets. No new signatures have been introduced this month. Instead,…

Read More

The majority of the scanning activity is coming from IP addresses assigned to just a handful of ASNs, mostly AS49870 (Alsycon, a hosting provider out of the Netherlands) and AS47890 (Unmanaged Ltd, what looks to be an IT consulting firm based out of the UK). The scanners appear to be using VPS or other resources…

Read More

There are several interesting developments in this plot other than the emphasis on CVE-2018-13379, the vulnerability in the Fortinet SSL VPNs . After growing in prominence to second rank in June and occupying top spot in July and August, CVE-2020-8958 dropped in attack frequency in September to occupy the fourth spot. September was also the…

Read More

Another month has passed, which means more sensor telemetry to analyze for attacker targeting trends. October’s data is notable primarily because we detected attackers looking for a handful of interesting vulnerabilities that were recently released or discovered, most notably CVE-2022-41040, one of the Microsoft Exchange zero day vulnerabilities that attackers began to exploit in August…

Read More

Another interesting aspect of Figure 3 is identifying when vulnerabilities drop off for periods of time. In October we identified two recently released vulnerabilities, CVE-2022-40684 and CVE-2022-41040, in our logs. Both are severe vulnerabilities; CVE-2022-40684, an authentication bypass vulnerability in various Fortinet security appliances, has a CVSS 3.1 score of 9.8, and CVE-2022-41040, an escalation…

Read More

Vulnerabilities New and Old Particularly avid readers, or perhaps just readers with a magnifying glass, will note that there are six-and-a-half new vulnerabilities in Figure 3 compared with our November SIS. We say a half-new vulnerability because one of the new ones is indistinguishable from an existing signature. While tuning the pattern for CVE-2022-41040, a…

Read More

You may have heard about the log4j security vulnerability — one of the most widespread cybersecurity vulnerabilities in recent years. Here’s a non-technical explanation of it: What is it? It’s a vulnerability that was discovered in a piece of free, open source software called log4j. This software is used by thousands of websites and applications,…

Read More

Welcome to the Sensor Intel Series installment for January 2023. The purpose of this recurring monthly brief is to provide security practitioners with vulnerability targeting intelligence so that they can make better-informed decisions about patching and vulnerability remediation. The source of this intelligence is log data from a globally distributed network of passive sensors. While…

Read More

Also notable this month is the dramatic growth in CVE-2020-25078, which is also an IoT vulnerability but this time in several IP cameras. On the one hand the volume of traffic scanning for this vulnerability was not remarkable, with ~3600 connections in February, but only 200 connections were attempted in January, which means traffic increased…

Read More