The Sensor Intel Series is created in partnership with Efflux, who maintains a globally distributed network of sensors from which we derive attack telemetry.
Introduction
Welcome to the March 2024 installment of the Sensor Intelligence Series, our monthly summary of vulnerability intelligence based on distributed passive sensor data. This month’s attack data had one really big difference from what we usually see – we added a signature for CVE-2023-1389 and found that it was our top scanned for vulnerability and had been on the rise for the last several months!
Newly tracked vulns include:
- CVE-2023-1389, a command injection vulnerability in the firmware for the TP-Link Archer AX21 Wi-Fi router (CVSS 8.8, EPSS 92.7%)1
- CVE-2009-3960, an unspecified information disclosure vulnerability in the BlazeDS 3.2 library used by several Adobe products (CVSS v2 4.3, EPSS 99.68%)2
- CVE-2014-9792, a privilege escalation vulnerability in a Qualcomm component for Android devices (CVSS 7.8, EPSS n/a)3
- CVE-2020-28188, a remote code execution vulnerability in the TerraMaster TOS software. We already have been tracking this, but we added a new signature for another vector for exploiting this. (CVSS 9.8, EPSS 99.9%)4
- CVE-2022-47945, a local file inclusion vulnerability in the ThinkPHP framework (CVSS 9.8, EPSS 92%)5
March Vulnerabilities by the Numbers
Figure 1 shows March attack traffic for the top ten CVEs that we track. Note the emergence of CVE-2023-1389 at the top. Once we found a good signature for this vulnerability, we found that it’s activity pattern over the last year had been quite low, but present, in 2023, and suddenly jumped by several orders of magnitude in the last three months. Clearly, someone is targeting this WiFi router bug quite intentionally, likely to build out a bot net or other attacker infrastructure.
Our other top 10 entries are all ones we’ve seen before and are not showing a huge amount of variability.
Who is Scanning for CVE-2023-1389?
When we see such a distinct increase in scanning activity for a particular CVE, the next question is usually to figure out who is scanning for it, and where they’re targeting thier scans. Sometimes, we see a wide variety of IPs and source countries, and other times we see activity coming from a smaller subset of ASNs.
In this case, just two ASNs are generating the majority of the activity. The following chart shows the distribution of source ASNs for scans targeting CVE-2023-1389.
Meanwhile, the scans are distributed across a wide range of target countries:
The majority of the scanning activity is coming from IP addresses assigned to just a handful of ASNs, mostly AS49870 (Alsycon, a hosting provider out of the Netherlands) and AS47890 (Unmanaged Ltd, what looks to be an IT consulting firm based out of the UK). The scanners appear to be using VPS or other resources at these firms to conduct their activity.
After normalization for the number of sensors and other factors, the scanning activity looks to be quite evenly distributed across all the target countries listed above, each receiving approximately 3% of the total traffic, indicative of scanning casting an internet-wide net and attempting to find, in this case, as many vulnerable Wifi routers as possible.
Traffic Volume for Everything Else
Leaving the top ten, Table 1 shows traffic volumes for all vulnerabilities that we’re tracking, along with change from the previous month, CVSS score, and EPSS score. This month we’ve continued to include percent change in addition to the raw change. In terms of high-traffic CVEs, the percent change is usually more instructive. In terms of low-traffic CVEs where a fluctuation of a handful of connections makes for a change of hundreds of percent, raw traffic is more useful.
