Another month has passed, which means more sensor telemetry to analyze for attacker targeting trends. October’s data is notable primarily because we detected attackers looking for a handful of interesting vulnerabilities that were recently released or discovered, most notably CVE-2022-41040, one of the Microsoft Exchange zero-day vulnerabilities that attackers began to exploit in August 2022,[1] as well as CVE-2022-40684, a recent authentication bypass vulnerability on several Fortinet appliances.[2]
At the same time, most of the targeting traffic we observed was going after the same old standard targets, so let’s dig in and see what’s new and what’s old.
October Vulnerabilities By the Numbers
Figure 1 shows the volume of traffic targeting the top 10 vulnerabilities in October, and it’s largely the same cast of characters we’ve observed since January 2022. After a dip from its high point in July, CVE-2020-8958 grew 60% in frequency from September to October. CVE-2017-9841 continued to trend downwards in frequency, both in absolute as well as in relative terms.
CVE-2018-13379 was a newcomer to our logs last month, and despite its presence in the second spot this month, October traffic targeting it actually increased by 16% compared with September. We suspect that the increased attention on Fortinet systems in general reminded threat actors about this vulnerability.
Table 1 shows the traffic for all of the vulnerabilities that were targeted in October, along with the change in traffic from the previous month. We noted the presence of traffic targeting another interesting vulnerability without a CVE number, which we’ve dubbed “Citrix XML Buffer Overflow.”[1] We also noted large changes across the board, such as CVE-2020-25078, which grew nearly ninefold in prevalence from the previous month. Dramatic changes such as this without any obvious explanation illustrate that predicting attacker attention is very difficult except for a small number of high-value indicators.[2]
Table 1 (partial extract; only these two rows survived extraction):

| Vulnerability | October traffic | Change from September |
|---|---|---|
| 2018 JAWS Web Server Vuln | 1256 | -1474 |
| Citrix XML Buffer Overflow | 197 | 3 |
To understand how attacker targeting in October contrasted with the rest of 2022, see Figure 2. Continuing the visualization approach that we began with August data, these eleven vulnerabilities represent the top 5 for each month, visualized across the entire period. While several vulnerabilities changed volume dramatically, Figure 2 really captures the magnitude of the change in CVE-2020-25078, an IoT vulnerability which spiked in July, only to lapse back into relative obscurity in the intervening time. In contrast, another IoT vulnerability we’ve discussed recently, the 2018 JAWS web server vulnerability affecting networked surveillance cameras, dropped in prevalence almost as dramatically as CVE-2020-25078 grew. Most of the other vulnerabilities making up the overall top 11 remained more or less consistent in terms of attacker activity.
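The two analyses this post relies on, the month-over-month change table (Table 1) and the "top 5 per month, tracked across the whole period" view (Figure 2), are simple enough to reproduce on your own sensor data. The script below is an added example, not F5 Labs code, and the hit counts in `MONTHLY_HITS` are constructed for illustration (they echo the relative movements described above but are not the report's figures). The input shape `{month: {vulnerability: hits}}` is an assumption; any honeypot or WAF log aggregated per month fits it. Note the newcomer case: a vulnerability with zero traffic the previous month has no meaningful percent change, so it is reported as `None` rather than dividing by zero.

```python
"""Month-over-month trend analysis over constructed sensor telemetry (added example)."""
from typing import Dict, List, Optional, Tuple

# Constructed sample data, NOT the report's figures: hits per vulnerability per month.
MONTHLY_HITS: Dict[str, Dict[str, int]] = {
    "2022-08": {"CVE-2020-8958": 1000, "CVE-2017-9841": 1400, "CVE-2020-25078": 200,
                "2018 JAWS Web Server Vuln": 2000, "CVE-2018-13379": 0, "CVE-2022-40684": 0},
    "2022-09": {"CVE-2020-8958": 800, "CVE-2017-9841": 1200, "CVE-2020-25078": 150,
                "2018 JAWS Web Server Vuln": 2730, "CVE-2018-13379": 1500, "CVE-2022-40684": 0},
    "2022-10": {"CVE-2020-8958": 1280, "CVE-2017-9841": 1000, "CVE-2020-25078": 1350,
                "2018 JAWS Web Server Vuln": 1256, "CVE-2018-13379": 1740, "CVE-2022-40684": 40},
}

Row = Tuple[str, int, int, Optional[float]]  # (name, current hits, absolute change, percent change)


def month_over_month(hits: Dict[str, Dict[str, int]], prev_month: str, cur_month: str) -> List[Row]:
    """Build a Table 1 style view: rows sorted by current-month volume, with the change
    from the previous month. Percent change is None for newcomers (previous month had
    zero traffic), because a ratio against zero carries no information."""
    prev, cur = hits[prev_month], hits[cur_month]
    rows: List[Row] = []
    for name in set(prev) | set(cur):           # include names present in either month
        p, c = prev.get(name, 0), cur.get(name, 0)
        pct = None if p == 0 else 100 * (c - p) / p
        rows.append((name, c, c - p, pct))
    rows.sort(key=lambda r: (-r[1], r[0]))      # busiest first, name as tiebreaker
    return rows


def top_n_union(hits: Dict[str, Dict[str, int]], n: int) -> List[str]:
    """Figure 2 style selection: every vulnerability that made any month's top n.
    Each month is ranked independently, so a short-lived spike (like the July IoT
    burst described above) is kept even if it is obscure for the rest of the period."""
    selected = set()
    for month in sorted(hits):
        ranked = sorted(hits[month].items(), key=lambda kv: (-kv[1], kv[0]))
        selected.update(name for name, _ in ranked[:n])
    return sorted(selected)


def trend_matrix(hits: Dict[str, Dict[str, int]], names: List[str]) -> Dict[str, List[int]]:
    """Per-vulnerability time series across all months (0 where absent); this is the
    data a line chart over the whole period would be drawn from."""
    months = sorted(hits)
    return {name: [hits[m].get(name, 0) for m in months] for name in names}


def format_table(rows: List[Row]) -> str:
    """Render month_over_month() output as a pipe-delimited table like Table 1."""
    lines = ["| Vulnerability | Traffic | Change | Change % |", "|---|---|---|---|"]
    for name, cur, delta, pct in rows:
        pct_text = "new" if pct is None else f"{pct:+.0f}%"
        lines.append(f"| {name} | {cur} | {delta:+d} | {pct_text} |")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_table(month_over_month(MONTHLY_HITS, "2022-09", "2022-10")))
    tracked = top_n_union(MONTHLY_HITS, 3)
    for name, series in trend_matrix(MONTHLY_HITS, tracked).items():
        print(f"{name:28s} {series}")
```

Running it prints the October table (with CVE-2022-40684 flagged as `new` rather than given a bogus percentage) and then the per-month series for every vulnerability that reached any month's top 3. Raising `n` to 5 over a full year of data gives exactly the "top 5 per month" panel the post describes.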