Our second installment in the new Sensor Intel Series is a monthly update for July to the vulnerability targeting information for the first half of 2022 that we published in July. This intelligence is based on our analysis of logs from a globally distributed sensor network maintained by our partners Effluxio.
The most notable thing about July was that the IoT vulnerability CVE-2020-8958 surpassed CVE-2017-9841, after CVE-2017-9841 had held the top spot for the entire first half of 2022. The total traffic volume in July seeking CVE-2020-8958 was 8,244 connections, which not only exceeded July traffic targeting CVE-2017-9841 but was the largest amount of traffic targeting a single vulnerability we’ve seen in the entire seven-month period. We were unfortunately not able to discover a reason behind this spike in attention, but we do know that CVE-2020-8958 has been targeted at a significantly lower level throughout the entire period.
We also noted an increase in targeting diversity: whereas it initially appeared that only six vulnerabilities constituted 97% of the overall traffic for the original six-month overview, in July that same proportion of total traffic was spread over nine vulnerabilities (Figure 1). Furthermore, we also discovered traffic throughout the entire period targeting a few additional vulnerabilities (CVE-2021-28481 and CVE-2017-18368, as well as CVE-2020-8958) that had escaped our filters. Figure 1 data for January through June has been updated to reflect these additions.
To get a better sense of the actual volume of traffic per vulnerability, Figure 2 shows the volume of July traffic targeting the top ten CVEs. This view emphasizes the dramatic growth in traffic targeting CVE-2020-8958 in July—it outstripped CVE-2017-9841 by more than a third.
Table 1 shows counts and monthly changes for all of the CVEs we identified in July traffic.
|CVE Number||Count||Change in Count (June – July)|
We have been filtering traffic strictly for CVEs because they are well-defined by the practitioner community and tend to have comparatively straightforward paths to remediation. However, the volume of traffic targeting more vague kinds of resources often surpasses any given CVE. Two of the most consistent targets tend to be scans or exploit attempts against Wordpress instances and phpMyAdmin instances.
Traffic targeting Wordpress instances in July make up 15,436 connections, which was nearly double that of the most popular CVE. Traffic targeting phpMyAdmin, which has a long history of vulnerabilities, outstripped any CVE nearly three times, with 24,772 connection attempts in July.1 While these kinds of targets are less clearly defined than CVEs and have more complicated mitigation requirements, they bear mention because of the sheer volume and focus that they receive from attackers. If you’re running a Wordpress or PMA site, your security posture deserves an extra look-over (or two).
Below you will find brief writeups and links to the National Vulnerability Database for all of the new CVEs that showed up in July. For CVEs that were present in the first six month dataset, see the first Sensor Intel Series article.
A command injection vulnerability in Guangshou 1GE ONU V2801RW 1.9.1-181203 through 2.9.0-181024 and in V2804RGW 1.9.1-181203 through 2.9.0-101024 which allowed remote attackers to execute arbitrary OS commands. The vast majority of these were simple requests to identify possibly vulnerable endpoints, but a few were attempting to log in with simple credential pairs (admin/admin, and the like). NVD
A critical command injection vulnerability in ZyXEL router model no. P660HN-T1A v1 TCLinux Fw $18.104.22.168 v001 / 3.40(ULM.0)b31. Traffic targeting this vulnerability in our logs was completely uniform, requesting exactly the same URI every time via a POST method with no body content. NVD
A critical remote code execution (RCE) vulnerability in Microsoft Exchange Server, unique from several other CVEs for Exchange that came out about a month earlier (CVE-2021-28480, CVE-2021-28482, CVE-2021-28483. The most common scan was done by scanners using the ‘Mozilla/5.0 zgrab/0.x’ User-Agent, which (assuming it isn’t being spoofed) is the User-Agent used by the zgrab scanner (part of Zmap). The rest used the User-Agent header associated with the Leakix internet scanning platform, although as that scanner is open source, they may not have been generated by that platform itself. NVD
A local file inclusion (LFI) vulnerability in Metabase, an open source data analytics platform, fixed in maintenance releases 0.40.5 and 1.40.5. This allowed attackers to view the contents of local files and environmental variables on the affected server. Our dataset shows that the vast majority of the attempts were trying to read /etc/hosts, and a handful went for /etc/passwd. Once again the User-Agent header was associated with the Leakix scanning platform. NVD
CVE-2021-22986 is critical unauthenticated remote command execution vulnerability on F5 BIG-IP versions 16.0.x before 22.214.171.124, 15.1.x before 126.96.36.199, 14.1.x before 14.1.4, 13.1.x before 188.8.131.52, and 12.1.x before 184.108.40.206 and BIG-IQ 7.1.0.x before 220.127.116.11 and 7.0.0.x before 18.104.22.168. In our dataset, a handful of these simply checked if a command could be run, but in most cases, an attempt was made to download a shell script from a remote server and execute it. NVD
CVE-2022-1388 is another critical vulnerability on F5 BIG-IP 16.1.x versions prior to 22.214.171.124, 15.1.x versions prior to 126.96.36.199, 14.1.x versions prior to 188.8.131.52, 13.1.x versions prior to 13.1.5, and all 12.1.x and 11.6.x versions. In our dataset, the majority of the time an actual attempt to exploit this was observed. NVD
July Port Scan Data
F5 Labs also analyzes data for TCP ports other than 80 and 443 from the Effluxio network. The top 10 ports for July 2022 follow patterns we’ve been seeing for years, with port 5900 (VNC) topping the list, followed by a collection of ports used mainly for remote access (ssh, telnet, ftp, RDP) and some database and mail related ports as well. Interestingly, despite decades of advice suggesting that SMB not be exposed to the internet, it still appears to be scanned for regularly.
|Port||% of total connections||Typical application|
Last month we noted the unsurprising popularity of remote code execution vulnerabilities, but also recognized that two of the six vulnerabilities were IoT vulnerabilities. This month, not only is the top targeted CVE an IoT vulnerability, but several of the new vulnerabilities or newly prominent ones are as well, including CVE-2017-18368. In fact, 4 of the top 9 targeted vulnerabilities in July were IoT vulnerabilities. 2021 and 2022 have seen several record-breaking DDoS attacks, and we know how useful IoT devices are for DDoS attacks.2, 3, 4 As a result we are left to speculate that threat actors are building infrastructure for future DDoS. Because of this, in addition to recommending vulnerability scanning and remediation, we also recommend scoping for DDoS protection and mitigation in one form or another.