The Sensor Intel Series is created in partnership with Efflux, who maintains a globally distributed network of sensors from which we derive attack telemetry.
The stubborn one-way passage of time means that it is time for another round of vulnerability targeting intelligence. Web attacks in May 2023 had a lot in common with those in April, with eight of the top ten vulnerabilities remaining consistent across the two months. In that vein of continuity, CVE-2020-8958, the Guangzhou GPON router vulnerability which attackers have targeted heavily for more than a year, continued to draw more than twice the attack traffic of any other CVE.
Also in the top ten were two vulnerabilities whose signatures are new to our list: CVE-2022-24847, a GeoServer remote code execution (RCE) vulnerability that we added in May, and CVE-2021-26855, one of the ProxyLogon vulnerabilities in Microsoft Exchange Server. We had previously attributed an existing signature to CVE-2021-26855, but after reviewing exploit code we have reassigned that signature to CVE-2021-27065, a closely related Exchange Server vulnerability (the two were chained together in the original ProxyLogon attacks) that sees much less traffic, and added a new signature for CVE-2021-26855 itself. The upshot is that we are now representing traffic against Microsoft Exchange Server vulnerabilities more accurately, which is good because—stop me if you’ve heard this one—Microsoft Exchange Server is quite the popular piece of software.
May Vulnerabilities by the Numbers
Figure 1 shows the volume of attack traffic for the top ten vulnerabilities in May. Here the overwhelming popularity of CVE-2020-8958 is apparent. It is also notable, however, just how many Microsoft Exchange Server vulnerabilities are present: four out of the top ten (or really five out of the top eleven, since we can’t distinguish CVE-2022-41040 from CVE-2021-34473 with these logs, as both are exploited through the same request pattern) target Microsoft Exchange Server. This isn’t surprising, given the ubiquity and prominence of the product in enterprise systems, but there has been a marked uptick in Exchange Server targeting over the last few months.
Table 1 displays the traffic volume for all of the vulnerabilities that showed up in our systems in either May or April (i.e. not all of the 67 vulnerabilities we track are present here). As usual, the change from the previous month is included, but we’ve also added two metrics that are new to this series: Common Vulnerability Scoring System (CVSS) v3.x scores, and Exploit Prediction Scoring System (EPSS) scores. The two measure different things: CVSS rates the severity of a vulnerability if it is exploited, while EPSS estimates the probability (from 0 to 1) that it will be exploited in the wild within the next 30 days. We’ve included both because they are valuable sources of vulnerability intelligence that help put our own observations, which are necessarily limited like all logs of Web traffic, into perspective. Because EPSS forecasts exploitation likelihood over the next 30 days and is recomputed daily, its scores are time-bound and should be read as a snapshot. The scores represented here are from June 1, 2023, the day immediately after the period in question.