Welcome to our final Sensor Intel Series installment for 2022. The purpose of this series is to provide vulnerability targeting intelligence to practitioners, based on our analysis of telemetry from a globally distributed network of passive sensors. This series is mostly limited to ports 80 and 443, primarily because it allows us to produce timely and actionable analyses. Obviously these are not the only ports that attackers target, nor are they the only ports that run HTTP/TLS, but since architectural trends and consumption models are increasingly moving towards these ports, this is the analysis most practitioners we speak to want. Note also that we generally restrict this analysis to CVEs and not all vulnerabilities, although we have made a few exceptions for important or interesting vulnerabilities, as you’ll see below.
December 2022 was notable mostly for the activity of a single CVE, and it is one we have seen many times before: CVE-2020-8958, an OS command injection vulnerability in a number of V-SOL (aka Guangzhou) GPON routers. Traffic targeting this vulnerability in December exceeded that of any single vulnerability in any month of 2022, with nearly 9,500 connections. The next vulnerability, CVE-2018-13379, received just over one third as much traffic.
December Vulnerabilities By the Numbers
Figure 1 shows attack traffic volumes for December for the top ten vulnerabilities, and illustrates the gap in attention between CVE-2020-8958 and everything else.
Table 1 shows traffic volumes for all tracked vulnerabilities. Several CVEs are brand new to the list this month; they can be spotted in this table where the change and count columns are identical (no traffic last month, so the whole count is new), as in the cases of CVE-2018-17246 and CVE-2015-3897. Note that the same signature also appears for a vulnerability that returns after a month of zero traffic, so an identical count and change means "absent last month," not necessarily "never seen before."
| Vulnerability | Count | Change |
| --- | --- | --- |
| 2018 JAWS Web Server Vuln | 930 | 197 |
| Citrix XML Buffer Overflow | 300 | 3 |
To better understand how December contrasts with previous months, Figure 2 shows the evolution of targeting volume and ranking over the course of 2022. (To avoid overplotting, Figure 2 shows only the vulnerabilities that ranked in the top five in at least one month, and plots each of them across all months.) The ranking of vulnerabilities stayed largely consistent with November; the one exception was CVE-2020-25078, which dropped from roughly 3,000 connections in November to 18 in December.
Figure 2 also shows the continued growth in CVE-2020-8958 targeting, which had already risen from October to November. This same vulnerability set our previous record for targeting traffic in July, with 8,200 connections, only to drop off the map in September. In hindsight, September was the anomaly: attacker focus on this vulnerability has since reached new heights.
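The two bookkeeping steps behind Table 1 and Figure 2 (computing each month's count and change, flagging entries that are new to the list, and selecting the vulnerabilities that make the top five in any month) are simple enough to show in code. The following is an added example written for this article, not F5 Labs tooling or the telemetry pipeline behind the sensors. The CVE identifiers are the ones discussed above, but every connection count in SAMPLE is constructed, and the status labels ("new", "returning", "dropped", "tracked") are this example's own naming. It also distinguishes a genuinely new CVE from one that merely returned after a month of zero traffic, which the count-equals-change rule alone cannot do.

```python
# Constructed sample telemetry (NOT real sensor data): connections per CVE per month.
# The CVE identifiers appear in the article; the numbers are made up for illustration.
SAMPLE = {
    "2022-08": {"CVE-2020-8958": 7000, "CVE-2018-13379": 2500, "CVE-2020-25078": 1800},
    "2022-09": {"CVE-2020-8958": 0,    "CVE-2018-13379": 2600, "CVE-2020-25078": 1900},
    "2022-10": {"CVE-2020-8958": 1500, "CVE-2018-13379": 2700, "CVE-2020-25078": 2400},
    "2022-11": {"CVE-2020-8958": 5200, "CVE-2018-13379": 3100, "CVE-2020-25078": 3000},
    "2022-12": {"CVE-2020-8958": 9400, "CVE-2018-13379": 3300, "CVE-2020-25078": 18,
                "CVE-2018-17246": 120, "CVE-2015-3897": 60},
}


def month_table(telemetry, month):
    """Build a Table 1 style listing for one month.

    Returns rows of (cve, count, change, status), sorted by count descending.
    change is count minus the previous month's count (0 if the CVE was absent).
    status is one of:
      "new"       - count == change and the CVE had no traffic in any earlier month
      "returning" - count == change but the CVE was seen in some earlier month
      "dropped"   - traffic last month, none this month
      "tracked"   - everything else
    """
    months = sorted(telemetry)
    idx = months.index(month)
    prev = telemetry[months[idx - 1]] if idx > 0 else {}
    cur = telemetry[month]

    # Every CVE that had non-zero traffic in any month before this one.
    seen_before = set()
    for m in months[:idx]:
        seen_before |= {c for c, n in telemetry[m].items() if n > 0}

    rows = []
    for cve in sorted(set(cur) | set(prev)):
        count = cur.get(cve, 0)
        change = count - prev.get(cve, 0)
        if count > 0 and count == change:
            status = "returning" if cve in seen_before else "new"
        elif count == 0 and change < 0:
            status = "dropped"
        else:
            status = "tracked"
        rows.append((cve, count, change, status))
    rows.sort(key=lambda r: r[1], reverse=True)
    return rows


def figure2_cves(telemetry, n=5):
    """Select the CVEs to plot in a Figure 2 style chart.

    A CVE is kept if it ranks in the top n (by connections) in at least one month;
    each kept CVE is then plotted across all months, which limits overplotting.
    """
    picked = set()
    for counts in telemetry.values():
        ranked = sorted(counts.items(), key=lambda kv: kv[1], reverse=True)
        picked |= {cve for cve, cnt in ranked[:n] if cnt > 0}
    return picked


if __name__ == "__main__":
    for cve, count, change, status in month_table(SAMPLE, "2022-12"):
        print(f"{cve:<16} {count:>6} {change:>+6}  {status}")
    print("Figure 2 series:", sorted(figure2_cves(SAMPLE, n=2)))
```

In the constructed data, CVE-2020-8958 shows count equal to change in October, just as the two genuinely new CVEs do in December; only the look-back over earlier months separates "returning" from "new". Running the script prints the December table followed by the three CVEs that make a top-two cut in at least one month.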