Today we are going to look at the latest threat intelligence covering the month of September from our data partners Efflux. As we discussed in the first sensor intel series piece, these monthly updates are focused on traffic targeting known CVEs. While the volume of traffic targeting known CVEs is a small portion of the entire data set, much of the traffic that the sensors log is noisy or equivocal in significance, whereas the CVEs are relatively easy to identify and therefore constitute higher-quality intelligence.
After seeing many of the same CVEs occupy the bulk of attacker attention over the last several months, September saw a comparative newcomer at the top, in the form of CVE-2018-13379. This is a directory traversal vulnerability in certain versions of the Fortinet FortiOS and FortiProxy SSL VPNs.1 We should also note that in September 2021, Fortinet disclosed that a malicious actor had published 87,000 sets of Fortigate SSL VPN credentials based on this exploit, and recommended that even customers who had upgraded to a mitigated software version should reset passwords and hunt for indicators of compromise.
September Vulnerabilities By the Numbers
Figure 1 shows the volume of traffic targeting the top 10 CVEs for the month of September.
Table 1 shows traffic counts for all of the vulnerabilities tracked in September, along with the change from the previous month.
|2018 JAWS Web Server Vuln||2730||-253|
To get a sense of the change in targeting over time, Figure 2 shows a bump plot of the top vulnerabilities over the course of 2022. Like the bump plot from August (and unlike earlier plots in this series), this plot shows traffic over time for a subset of the total vulnerabilities because the full plot became too difficult to read as we added more and more vulnerabilities. There are ten vulnerabilities shown here, which collectively constitute the top five of each month.