It is time for another monthly round-up of web scanning and attack telemetry from our data partners Efflux. As usual, we focus on ports 80 and 443. It has been said for a long time that new services will increasingly use HTTP/TLS as their transport protocol, which is certainly true, especially as web APIs become a dominant way to provide services.
It's worth noting, however, that there is nothing inherent in those protocols that requires them to be run on port 80 or 443. Indeed, many IoT devices, "private/internal" services, and proxies run web servers on alternate ports and are therefore not included in our analysis. Yet we know that scanners are looking for HTTP/TLS services on alternate ports as well, and this should be a factor in any risk assessment.
November’s data doesn’t feature a huge amount of change from October, with most of the top vulnerabilities remaining consistent in terms of rank. However, the top-ranked vulnerability from October, CVE-2020-8958, outstripped its competitors in attack volume in November, featuring nearly double the traffic of the next vulnerability, CVE-2018-13379.
A command injection vulnerability in Guangzhou 1GE ONU V2801RW 1.9.1-181203 through 2.9.0-181024 and in V2804RGW 1.9.1-181203 through 2.9.0-101024 which allowed remote attackers to execute arbitrary OS commands. NVD
November Vulnerabilities By the Numbers
Figure 1 shows the attack or scan traffic for the top ten vulnerabilities in November. In this view, the difference between CVE-2020-8958 and the other vulnerabilities this month is notable.
Figure 1. Top ten vulnerabilities by traffic volume during November 2022. CVE-2020-8958, an IoT OS command injection vulnerability, received nearly double the amount of attack traffic as the next vulnerability down, CVE-2018-13379.
Even a single exploit attempt against a vulnerable system can be devastating, however, so Table 1 shows the attack volume and change from October for all 40 of the vulnerabilities that were targeted in November.
[Table 1 was not recovered in extraction; only two of its non-CVE row labels survive: "2018 JAWS Web Server Vuln" and "Citrix XML Buffer Overflow".]
Table 1. CVE targeting volume for November, along with traffic change from October.
One vulnerability, CVE-2014-2908, is a newcomer to our analysis [1]. Despite being a very old vulnerability and having been in our logs the entire time, we recognized the indicators of attack and developed a signature for it only recently, which is why this is the first month it has shown up in the Sensor Intel Series. Note that the traffic volume for this vulnerability was 291 connections in November, which is consistent with its volume throughout 2022, so it would not have shown up in our top ten for any given month in any case.
A cross-site scripting (XSS) vulnerability in the web server embedded within Siemens SIMATIC S7-1200 industrial controllers v2.X and 3.x. NVD
To understand how attacker attention evolves over time, Figure 2 shows changes in rank and attack volume for the most heavily targeted vulnerabilities. The eleven vulnerabilities plotted here represent the top five per month across all eleven months, since plotting all 49 tracked CVEs would be impossible to decipher.
Figure 2 makes it easy to see the comparative stability in attacker traffic between October and November, with the top five CVEs remaining consistent in rank. With the exception of CVE-2020-8958, which grew in traffic by nearly 50% in November, they also stayed roughly consistent in terms of attack volume.
Identifying Rapid Growth
Figure 3 shows the traffic over 2022 for all 49 vulnerabilities, ranked in order of total number of connection attempts from January to November. As discussed in the September and October SIS, this plot makes it easy to spot dramatic changes in attacker attention, as we see in CVE-2022-22947 in April and CVE-2017-18368 in March.
Another interesting aspect of Figure 3 is identifying when vulnerabilities drop off for periods of time. In October we identified two recently released vulnerabilities, CVE-2022-40684 and CVE-2022-41040, in our logs. Both are severe vulnerabilities; CVE-2022-40684, an authentication bypass vulnerability in various Fortinet security appliances, has a CVSS 3.1 score of 9.8 [1], and CVE-2022-41040, an escalation of privilege vulnerability in Microsoft Exchange Server, has a CVSS 3.1 score of 8.8 [2]. CVE-2022-41040, the Exchange Server vulnerability, did not recur in our logs in November (which is good news), whereas CVE-2022-40684 increased in volume by nearly 80 percent (bad news). Owners of vulnerable Fortinet systems should take note and patch aggressively due to this growth in interest. We note that while attention on the other significant Fortinet vulnerability here, CVE-2018-13379, was nearly sixfold the traffic looking for CVE-2022-40684, CVE-2018-13379 is beginning to decline in prominence, so if the current trends continue, the more recent Fortinet vulnerability will eventually supersede it.
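The month-over-month comparison behind Table 1 and Figure 2 (rank per month, union of the top five across months, percent change, and a flag for rapid growth) can be reproduced on your own sensor data with a few lines of Python. This is an added example, not F5 Labs' tooling: the connection counts are constructed, and the 50% growth threshold and 100-connection floor are assumed values.

```python
# Constructed sample telemetry: connections per CVE per month. These are NOT the
# Sensor Intel Series figures; only the shape mirrors Table 1 and Figure 2.
MONTHLY_COUNTS = {
    "2022-09": {"CVE-2020-8958": 5100, "CVE-2018-13379": 6200, "CVE-2017-9841": 2900,
                "CVE-2022-22947": 1800, "CVE-2017-18368": 1500, "CVE-2022-40684": 0,
                "CVE-2014-2908": 300},
    "2022-10": {"CVE-2020-8958": 6000, "CVE-2018-13379": 5800, "CVE-2017-9841": 3000,
                "CVE-2022-22947": 1700, "CVE-2017-18368": 1400, "CVE-2022-40684": 500,
                "CVE-2014-2908": 280},
    "2022-11": {"CVE-2020-8958": 9000, "CVE-2018-13379": 4700, "CVE-2017-9841": 3100,
                "CVE-2022-22947": 1650, "CVE-2017-18368": 1300, "CVE-2022-40684": 900,
                "CVE-2014-2908": 291},
}


def rank_month(counts):
    """Return {cve: rank}; rank 1 is the highest volume, ties broken by CVE id."""
    ordered = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return {cve: i + 1 for i, (cve, _) in enumerate(ordered)}


def top_n_union(monthly, n):
    """CVEs that were in the top n in at least one month (Figure 2's selection rule)."""
    chosen = set()
    for counts in monthly.values():
        chosen.update(c for c, r in rank_month(counts).items() if r <= n)
    return sorted(chosen)


def month_over_month(monthly, prev, cur):
    """Per-CVE volume, change, percent change and rank shift between two months."""
    prev_rank, cur_rank = rank_month(monthly[prev]), rank_month(monthly[cur])
    out = {}
    for cve in set(monthly[prev]) | set(monthly[cur]):
        before, after = monthly[prev].get(cve, 0), monthly[cur].get(cve, 0)
        pct = None if before == 0 else (after - before) * 100 / before  # None = new
        out[cve] = {"prev": before, "cur": after, "delta": after - before, "pct": pct,
                    "rank_shift": prev_rank.get(cve, 0) - cur_rank.get(cve, 0)}
    return out


def flag_rapid_growth(changes, min_pct=50.0, min_volume=100):
    """CVEs that grew by at least min_pct (or appeared from zero) above a volume floor."""
    flagged = []
    for cve, c in changes.items():
        if c["cur"] < min_volume:
            continue  # assumed floor: ignore noise-level volumes
        if c["pct"] is None or c["pct"] >= min_pct:
            flagged.append(cve)
    return sorted(flagged)
```

Run the flag function monthly against the previous month's counts; the CVEs it returns are the ones whose attacker attention is growing fastest and therefore the ones to prioritise for patch verification.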
As ever, the number one conclusion from the Sensor Intel Series remains constant: patch if you’re vulnerable. Even the low-traffic vulnerabilities on this list have a demonstrated amount of attacker intent, which places them in the minority of vulnerabilities.
Furthermore, significant growth in CVE-2020-8958, alongside the recent addition of CVE-2014-2908 to our logs, should serve as a reminder about the relationship between IoT vulnerabilities and botnets for DDoS. This means that there is another recommendation for all organizations, irrespective of whether their footprint contains any of these vulnerabilities: plan for future DDoS attacks.
Malcolm Heath is a Senior Threat Researcher with F5 Labs. His career has included incident response, program management, penetration testing, code auditing, vulnerability research, and exploit development at companies both very large and very small. Prior to joining F5 Labs, he was a Senior Security Engineer with the F5 SIRT.
Sander Vinberg is a Threat Research Evangelist for F5 Labs. As the lead researcher on the Application Protection Research Series, he specializes in the evolution of the threat landscape over the long term. He holds a master’s degree from the University of Washington in Information Management, as well as bachelor’s degrees in History and African and African-American Studies from the University of Chicago.