The Sensor Intel Series is created in partnership with Efflux, who maintains a globally distributed network of sensors from which we derive attack telemetry.

------------------------------------------------------------------------------------------

Welcome back to the Sensor Intelligence Series, our recurring monthly summary of vulnerability intelligence based on distributed passive sensor data. This time, we added a section discussing the overall level of scan traffic month to month, to give a better sense of how the ups and downs of the various CVEs we track compare to overall variations in traffic volume.

So, without any further ado, let’s dig into the changes we saw in October for the CVEs we track, so the people in the USA at least can get back to eating their Thanksgiving leftovers.

October Vulnerabilities by the Numbers

Figure 1 shows the traffic for the top 10 CVEs in October. CVE-2020-8958, a Guangzhou router command injection vulnerability, has been our most-seen CVE for much of the past year, returning to the top in August and September 2023; this month it was displaced from the top spot by CVE-2017-9841, an RCE vulnerability in PHPUnit. CVE-2017-9841 has been a top contender in the past but had been falling over the last several months. In third is CVE-2022-24847, an RCE in the open-source GeoServer software, which we have seen near the top position before. Overall traffic in the CVEs we track dropped again, as it did in September, with the notable exception of CVE-2017-9841, which rebounded significantly from its general downward trend after its previous peak in July.

Figure 1. Top ten targeted vulnerabilities in October 2023.

Table 1 shows traffic for October, the change in traffic from September, CVSS v3.x scores, and EPSS scores for 70 CVEs. Our list of CVEs with confirmed attack or scanning traffic currently stands at 82, but 11 vulnerabilities saw no traffic in either September or October and so do not make this table.

CVE Number                    October Traffic  Change from September  CVSS v3.x Score  EPSS Score
CVE-2017-9841                 2776             1475                   9.8              0.97477
CVE-2020-8958                 2773             -1415                  7.2              0.76447
CVE-2022-24847                2367             -134                   7.2              0.00067
CVE-2022-22947                2216             55                     10               0.97481
CVE-2022-42475                1219             -189                   9.8              0.38721
CVE-2022-41040/CVE-2021-34473 1199             -211                   9.8              0.97344
CVE-2021-40539                855              431                    9.8              0.97402
CVE-2021-28481                752              -60                    9.8              0.0405
CVE-2021-26855                535              32                     9.8              0.97494
2018 JAWS Web Server Vuln     428              14                     NA               #N/A
CVE-2020-0618                 396              -21                    8.8              0.97449
CVE-2014-2321                 280              258                    NA               0.96364
Citrix XML Buffer Overflow    238              -13                    NA               #N/A
CVE-2014-2908                 237              -19                    NA               0.00594
CVE-2017-18368                166              -540                   9.8              0.97501
CVE-2019-18935                160              -34                    9.8              0.94355
CVE-2021-44228                146              5                      10               0.97453
CVE-2020-25213                120              35                     9.8              0.97352
CVE-2018-13379                119              2                      9.8              0.97336
CVE-2021-26086                117              -3                     5.3              0.54993
CVE-2017-1000226              104              -2                     5.3              0.00127
CVE-2022-40684                84               22                     9.8              0.95286
CVE-2018-10561                59               3                      9.8              0.97317
CVE-2020-17496                40               7                      9.8              0.97451
CVE-2021-3129                 40               -6                     9.8              0.97509
NETGEAR-MOZI                  31               -27                    NA               #N/A
CVE-2019-9082                 23               -32                    8.8              0.97467
CVE-2020-3452                 20               4                      7.5              0.97541
CVE-2019-12725                8                -2                     9.8              0.96271
CVE-2018-20062                7                1                      9.8              0.96823
CVE-2022-22965                7                -21                    9.8              0.97469
CVE-2020-9757                 6                4                      9.8              0.96999
CVE-2018-7600                 4                -3                     9.8              0.97555
CVE-2020-25078                4                -438                   7.5              0.96829
CVE-2021-22986/CVE-2022-1388  4                -46                    9.8              0.9745
CVE-2018-17246                3                -1                     9.8              0.96913
CVE-2021-21985                3                0                      9.8              0.9737
CVE-2017-0929                 2                2                      7.5              0.03588
CVE-2017-11511                2                2                      7.5              0.3318
CVE-2018-1000600              2                1                      8.8              0.95579
CVE-2018-7700                 2                2                      8.8              0.73235
CVE-2020-17505                2                0                      8.8              0.96839
CVE-2020-17506                2                -1                     9.8              0.95885
CVE-2020-25506                2                -4                     9.8              0.97424
CVE-2020-28188                2                -1                     9.8              0.9724
CVE-2020-7961                 2                -4                     9.8              0.97414
CVE-2021-26084                2                -27                    9.8              0.97173
CVE-2021-29203                2                0                      9.8              0.95745
CVE-2021-33564                2                0                      9.8              0.07998
CVE-2013-6397                 1                1                      NA               0.65834
CVE-2017-11512                1                1                      7.5              0.97175
CVE-2019-2767                 1                0                      7.2              0.14972
CVE-2019-8982                 1                -3                     9.8              0.02146
CVE-2020-13167                1                -5                     9.8              0.97419
CVE-2020-15505                1                -2                     9.8              0.97504
CVE-2020-7796                 1                -1                     9.8              0.72496
CVE-2021-20167                1                0                      8                0.95282
CVE-2021-21315                1                0                      7.8              0.96899
CVE-2021-32172                1                -1                     9.8              0.26193
CVE-2021-33357                1                0                      9.8              0.96598
CVE-2021-3577                 1                -1                     8.8              0.96855
CVE-2008-6668                 0                -1                     NA               0.00359
CVE-2015-3897                 0                -2                     NA               0.83225
CVE-2017-17731                0                -4                     9.8              0.14043
CVE-2021-25369                0                -1                     6.2              0.00118
CVE-2021-27065                0                -92                    7.8              0.96908
CVE-2021-41277                0                -8                     10               0.11624
CVE-2022-1040                 0                -1                     9.8              0.97072
CVE-2022-35914                0                -1                     9.8              0.96807
CVE-2023-25157                0                -2                     9.8              0.38863

Table 1. October traffic, change from September, CVSS and EPSS scores for 70 CVEs.
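One way to turn rows like those in Table 1 into a patch-priority list, added here as an example and not part of the F5 Labs report: the tier rules and the thresholds (100 requests, EPSS 0.5, CVSS 9.0) are my own assumptions, and the sample rows are a constructed subset copied from Table 1, including its NA / #N/A entries so that missing scores are handled rather than read as zero. Note how CVE-2022-24847 lands in the top tier on observed traffic alone despite its very low EPSS score.

```python
# Added example: tier CVEs from Sensor Intel Table 1 rows by observed scanning,
# trend, and EPSS/CVSS. Tier rules and thresholds are assumptions, not F5's.
# Constructed subset of Table 1 (values as printed in the report).
# "NA" / "#N/A" are the report's own markers for scores that are not available.
TABLE_1 = """\
CVE-2017-9841 2776 1475 9.8 0.97477
CVE-2022-24847 2367 -134 7.2 0.00067
2018 JAWS Web Server Vuln 428 14 NA #N/A
NETGEAR-MOZI 31 -27 NA #N/A
CVE-2020-3452 20 4 7.5 0.97541
CVE-2019-2767 1 0 7.2 0.14972
CVE-2021-27065 0 -92 7.8 0.96908
CVE-2008-6668 0 -1 NA 0.00359
"""

def parse_score(token):
    """Float score, or None when the table has no value (NA, #N/A)."""
    return None if token in ("NA", "#N/A") else float(token)

def parse_rows(text):
    """Split each row into name + four trailing fields; names may contain spaces."""
    rows = []
    for line in text.strip().splitlines():
        name, traffic, change, cvss, epss = line.rsplit(None, 4)
        rows.append({"name": name, "traffic": int(traffic), "change": int(change),
                     "cvss": parse_score(cvss), "epss": parse_score(epss)})
    return rows

def tier(row, traffic_floor=100, epss_floor=0.5, cvss_floor=9.0):
    """patch-now: heavily scanned, or scanned at all and likely exploitable;
    watch: some scanning, or likely exploitable but quiet this month;
    track: neither. Unknown scores stay unknown; they are never read as zero."""
    epss, cvss = row["epss"], row["cvss"]
    if epss is not None:
        likely = epss >= epss_floor            # EPSS is the better signal
    else:
        likely = cvss is not None and cvss >= cvss_floor  # fall back to CVSS
    seen = row["traffic"] > 0
    if row["traffic"] >= traffic_floor or (seen and likely):
        return "patch-now"
    return "watch" if (seen or likely) else "track"

TIER_ORDER = {"patch-now": 0, "watch": 1, "track": 2}

def rank(rows, **limits):
    """Tier every row, then order by tier, October traffic (desc), then name."""
    scored = [(r["name"], tier(r, **limits), r["traffic"], r["change"]) for r in rows]
    return sorted(scored, key=lambda s: (TIER_ORDER[s[1]], -s[2], s[0]))
```

Each tuple returned by rank() carries the September-to-October change, so a rising entry such as CVE-2017-9841 (+1475) can be flagged in the same pass.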

Targeting Trends

To better assess rapid changes in attack traffic, Figure 2 shows a bump plot, which plots both traffic volume and changes in rank. The 12 CVEs shown here are those that placed in the top five in at least one of the past twelve months. Notable in this month's plot, as mentioned above, is the rise of CVE-2017-9841. While nowhere near its former peak in July, it saw a sharp reversal of the downward trend previously observed.

Figure 2. Evolution of vulnerability targeting trends over previous twelve months. Note the sharp rise in traffic for CVE-2017-9841.

Overall Scanning Traffic Changes

Lest the downward trend shown in Figure 2 make it seem that overall scanning traffic is abating, it is important to note that the volume of scanning we observed has remained relatively constant, at least over the last three months: it increased by approximately 5.1% from August to September, then fell by approximately 5.8% from September to October.

The full details of the changes in scanning traffic over the last 12 months are shown in the following table.

Month             % Change from Previous Month
November 2022     15.3%
December 2022     1.2%
January 2023      5.6%
February 2023     -15.5%
March 2023        -22.4%
April 2023        37.3%
May 2023          -0.9%
June 2023         -0.3%
July 2023         20.1%
August 2023       -27.9%
September 2023    5.1%
October 2023      -5.8%

Table 2: Percentage change of overall scanning traffic from November 2022 to October 2023

Long Term Trends

Because Figure 2 only shows high-traffic CVEs, Figure 3 shows traffic for all 82 CVEs we have tracked. In this view, most of our tracked CVEs can be seen to be holding at a relatively steady rate, with a few showing marked declines from relatively high rates seen in previous months, such as CVE-2013-6397, a directory traversal vulnerability in Apache Solr before version 4.6, and CVE-2021-26084, a critical Remote Code Execution vulnerability in Confluence Server and Data Center in several versions before 7.4.11, 7.11.6, and 7.12.5.

Figure 3. Traffic volume for the last twelve months for 82 tracked CVEs.

Conclusions

We must once again reiterate that our sensors are passive: they do not respond to requests, nor do they pretend to be any specific platform or software stack. They are simply an open socket on ports 80 and 443, with just enough of a web server to record the requests made to them and negotiate any required TLS connection. They do not have DNS names, although it is certainly possible they may once have had them. Sometimes IP blocks are reassigned, and old DNS records remain that continue to point to them.

For those new to the Sensor Intelligence Series, we will conclude by repeating some old but valid observations. We see a continuing focus on IoT and router vulnerabilities, as well as easy, essentially one-request remote code execution vulnerabilities. These typically result in the installation of malware, crypto miners, and DDoS bots. See you in December!

Recommendations

Technical / Preventative
  • Scan your environment for vulnerabilities aggressively.
  • Patch high-priority vulnerabilities (defined however suits you) as soon as feasible.
  • Engage a DDoS mitigation service to prevent the impact of DDoS on your organization.

Technical / Detective
  • Use a WAF or similar tool to detect and stop web exploits.
  • Inventory your exposed applications rigorously, to allow rapid response to emerging vulnerabilities that may be quickly weaponized by threat actors.
  • Monitor anomalous outbound traffic to detect devices in your environment that are participating in DDoS attacks.

Authors & Contributors

Malcolm Heath (Author)

Principal Threat Researcher, F5