The Sensor Intel Series is created in partnership with Efflux, who maintains a globally distributed network of sensors from which we derive attack telemetry.
Additional insights and contributions provided by the F5 Threat Campaigns team.
Introduction
Our recent Sensor Intel Series article 2024 Vulnerability Scanning Surges 91% observed that vulnerability scanning in 2024 increased dramatically compared with 2023.
This article digs into that more deeply, looking at month-by-month changes and at source and destination countries, and concludes with an explanation of where most of the increase originated.
It's very important to note that our monthly SIS articles are looking only at scanning for specific CVEs and that this type of scanning makes up only a tiny proportion of the scanning activity we see overall. The vast majority of scanning we see is reconnaissance, such as scanning for favicon.ico or “/”, looking for exposed data and credentials, or looking for authentication endpoints, ostensibly to target with a credential stuffing attack. With that caveat out of the way, let’s dig into the data.
Blame BotPoke
As we mentioned previously, we observed a total of 8,727,820 HTTP requests hitting our sensors in 2024, up from 5,125,557 requests in 2023, an increase of roughly 70%.
Given the size of this increase, we wanted to find out more about it. Was it due to general scanning activity? Perhaps it was scans targeting specific CVEs? Could we determine who was responsible for the increase in traffic? Or was it simply a side effect of our data partner Efflux deploying more sensors and so gathering more for us to analyze?
Here’s what the raw counts by month looked like:
To start our analysis, we normalized each month's traffic by the number of sensors present in that month. Normalizing this way accounts for any difference in sensor counts from year to year, and it yielded a nearly 95% increase in per-sensor scanning activity compared with 2023.
We then broke 2024’s data out by month, to see if there was any sort of pattern to the increase or if it was uniform across the year.
There is a clear spike in May, followed by generally more traffic than is typical from August through December.
Source Analysis
Now that we knew when the increase happened, we wanted to know where the traffic was coming from.
We looked at source countries that contributed the most traffic in each month and compared that to the total events observed. The results lined up very well with the analysis above, showing very clearly where the traffic originated.
Focusing first on the upper right pane, the increase in November and December (and to some extent also contributing to September) is from traffic originating from Germany. In the lower left pane, October’s increase can be seen to originate from Hong Kong, and finally in the lower right pane, the traffic increases in May, August, and September can clearly be attributed to scanning originating from Lithuania.
BotPoke Scanning
For those who have read previous articles, you will no doubt remember our mentioning of the BotPoke scanner, which we originally identified back in September of last year [1, 2, 3].
To refresh your memory, this is scanning activity that is easily identifiable by its User-Agent string of "BotPoke" and its predilection for requesting filenames associated with various malware distributions. In other words, this is a scanner looking for malware distribution sites. That is not necessarily malicious activity, but the motivation behind it is also unclear.
We also knew from prior analysis that much of the BotPoke activity originated in Lithuania, then moved to IPs in Hong Kong, and then to one in the Netherlands, although its activity had dropped off significantly by the time of the last change.
We identified the top source countries for BotPoke activity each month and looked at the proportion of that activity compared to total events.
This shows quite clearly how prevalent BotPoke scanning was and shows that it was the main contributor to the high-traffic months of May, August, September, and October 2024, as well as showing clearly how the BotPoke scanner changed its infrastructure location in October.
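As an added illustration of the normalization and attribution steps above (this is example code written for this page, not F5 Labs or Efflux tooling), the following Python works through per-sensor normalization, the top source country per month, and the share of each month's traffic carrying the BotPoke User-Agent. The event sample is constructed for the example; only the 2023 and 2024 totals fed to pct_change are the article's own numbers.

```python
from collections import Counter, defaultdict

# Constructed sample of sensor events (not Efflux/F5 data). Each record is
# (month, sensor_id, source_country, user_agent). Volumes are invented but
# shaped like the article's story: a May spike from Lithuania carrying the
# BotPoke User-Agent, and a third sensor coming online in May.
SAMPLE_EVENTS = (
    [("2024-04", "s1", "US", "Mozilla/5.0")] * 40
    + [("2024-04", "s2", "CN", "Mozilla/5.0")] * 30
    + [("2024-04", "s2", "LT", "BotPoke")] * 10
    + [("2024-05", "s1", "LT", "BotPoke")] * 150
    + [("2024-05", "s2", "US", "Mozilla/5.0")] * 40
    + [("2024-05", "s3", "LT", "BotPoke")] * 50
    + [("2024-05", "s3", "DE", "python-requests/2.31")] * 10
)


def events_per_sensor(events):
    """Normalize each month's raw count by the number of distinct sensors
    reporting in that month, so that deploying more sensors does not
    masquerade as an increase in scanning."""
    raw = Counter()
    sensors = defaultdict(set)
    for month, sensor, _country, _ua in events:
        raw[month] += 1
        sensors[month].add(sensor)
    return {m: raw[m] / len(sensors[m]) for m in raw}


def top_source_by_month(events):
    """For each month, the source country with the most events and its
    share of that month's total: the 'where did the spike come from' step."""
    by_month = defaultdict(Counter)
    for month, _sensor, country, _ua in events:
        by_month[month][country] += 1
    result = {}
    for month, counter in by_month.items():
        country, n = counter.most_common(1)[0]
        result[month] = (country, n / sum(counter.values()))
    return result


def ua_share_by_month(events, needle="BotPoke"):
    """Fraction of each month's events whose User-Agent contains `needle`.
    BotPoke identifies itself in the UA string, which makes this reliable
    for that scanner; for most tooling the UA is trivially spoofable."""
    total = Counter()
    hits = Counter()
    for month, _sensor, _country, ua in events:
        total[month] += 1
        if needle.lower() in ua.lower():
            hits[month] += 1
    return {m: hits[m] / total[m] for m in total}


def pct_change(old, new):
    """Percentage change from old to new, e.g. 2023 -> 2024 totals."""
    return (new - old) / old * 100.0


if __name__ == "__main__":
    print("raw 2023->2024 change: %.1f%%" % pct_change(5_125_557, 8_727_820))
    for month, rate in sorted(events_per_sensor(SAMPLE_EVENTS).items()):
        country, share = top_source_by_month(SAMPLE_EVENTS)[month]
        bp = ua_share_by_month(SAMPLE_EVENTS)[month]
        print(f"{month}: {rate:.1f} events/sensor, top source {country} "
              f"({share:.0%}), BotPoke share {bp:.0%}")
```

The per-sensor step matters because a raw count mixes two effects, more scanning and more sensors; dividing by distinct sensors per month removes the second before comparing years.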
However, this does not yet explain the increases in November and December.
Generic Scanning From Germany
November and December 2024 were also high traffic months and specifically saw a lot of activity from Germany.
Looking at the traffic in November, we can see that 74% of it was generated by just three IP addresses, 75.119.158.141, 109.205.183.151 and 194.163.160.246, and that in December 109.205.183.151 dropped out but was replaced by 213.136.70.221 with a similar volume of scanning activity.
All of these IP addresses are in netblocks currently owned by Contabo GmbH, a German cloud hosting provider, and none has a negative IP reputation score, although 75.119.158.141 is marked as "compromised" in Shodan.io and 194.163.160.246 resolves to ictel.com, so it seems more likely than not that this scanning originates, at least in part, from compromised servers.
Digging into these IP addresses, we can see that these IPs were scanning primarily for reconnaissance and information disclosure.
URI | Requests |
/debug/default/view?panel=config | 230 |
/phpinfo | 166 |
/config/php.ini | 137 |
/index.php | 136 |
/phpinfo.php | 135 |
/.aws/credentials | 115 |
/%c0 | 115 |
/.env | 114 |
/app/etc/env.php | 109 |
/config.js | 107 |
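Added example, not part of the original article: a small Python analysis that parses combined-format access logs, measures how concentrated traffic is in a handful of source IPs (the "74% from three addresses" observation), and tags requests for the credential and configuration files listed above. The log lines are constructed and use RFC 5737 documentation addresses rather than the Contabo addresses named above; the category names and the /%c1 extension of the encoding probe are my own assumptions.

```python
import re
from collections import Counter

# Combined log format (Apache/nginx default). Only the fields needed below
# are kept; the others are matched so that the line must be well-formed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Targets from the article's top-ten table, grouped by what a hit yields.
# Matched case-insensitively against the target with its query string intact.
SECRET_FILES = {"/.env", "/.aws/credentials", "/app/etc/env.php",
                "/config/php.ini", "/config.js"}
INFO_DISCLOSURE = {"/phpinfo", "/phpinfo.php",
                   "/debug/default/view?panel=config"}


def parse_line(line):
    """Return a dict of fields for a combined-format line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["status"] = int(d["status"])
    return d


def classify_target(target):
    """Map a request target to a reconnaissance category, or None for
    ordinary traffic. %c0 (and %c1) are invalid UTF-8 lead bytes, so a
    request for /%c0 probes how the server handles malformed encodings."""
    t = target.lower()
    if t in SECRET_FILES:
        return "exposed-credentials"
    if t in INFO_DISCLOSURE:
        return "info-disclosure"
    if "%c0" in t or "%c1" in t:
        return "encoding-probe"
    return None


def top_ip_share(records, n=3):
    """The n busiest source IPs and the fraction of all requests they sent."""
    counts = Counter(r["ip"] for r in records)
    top = counts.most_common(n)
    return [ip for ip, _ in top], sum(c for _, c in top) / len(records)


def recon_summary(records):
    """Per-category request counts, plus the number of 2xx responses to
    sensitive targets, which is the signal to alert on for your own hosts."""
    cats = Counter()
    hits = 0
    for r in records:
        cat = classify_target(r["target"])
        if cat:
            cats[cat] += 1
            if 200 <= r["status"] < 300:
                hits += 1
    return cats, hits


# Constructed sample log (not Efflux/F5 data). Sources are RFC 5737
# documentation addresses, not the addresses discussed in the article.
SAMPLE_LOG = """\
192.0.2.10 - - [14/Nov/2024:03:12:01 +0000] "GET /debug/default/view?panel=config HTTP/1.1" 404 153 "-" "Mozilla/5.0"
192.0.2.10 - - [14/Nov/2024:03:12:02 +0000] "GET /.env HTTP/1.1" 404 153 "-" "Mozilla/5.0"
192.0.2.10 - - [14/Nov/2024:03:12:03 +0000] "GET /%c0 HTTP/1.1" 400 157 "-" "Mozilla/5.0"
192.0.2.11 - - [14/Nov/2024:03:13:10 +0000] "GET /phpinfo.php HTTP/1.1" 200 8120 "-" "python-requests/2.31"
192.0.2.11 - - [14/Nov/2024:03:13:11 +0000] "GET /.aws/credentials HTTP/1.1" 404 153 "-" "python-requests/2.31"
192.0.2.12 - - [14/Nov/2024:03:14:00 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.12 - - [14/Nov/2024:03:14:01 +0000] "GET /config/php.ini HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.7 - - [14/Nov/2024:03:15:00 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.8 - - [14/Nov/2024:03:16:00 +0000] "GET /favicon.ico HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.9 - - [14/Nov/2024:03:17:00 +0000] "GET /app/etc/env.php HTTP/1.1" 404 153 "-" "curl/8.4.0"
"""


def analyze(log_text):
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    ips, share = top_ip_share(records)
    cats, hits = recon_summary(records)
    return {"records": len(records), "top_ips": ips, "top_share": share,
            "categories": cats, "sensitive_hits": hits}


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

On a sensor, every one of these requests is noise to be counted; on a production host, a 2xx for /.env or /phpinfo.php is an incident, which is why recon_summary separates attempts from successful hits.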
Additional Observations
The following didn’t contribute extensively to the overall increase in scanning that we’ve been discussing above, but they were interesting enough to mention.
Ukrainian Hosts Scanning Ukrainian Sensors
We observed a good amount of traffic from just one IP address in Ukraine that was targeting the one sensor we have in that country, and while we briefly mentioned it in a previous SIS, we have some more details to provide.
This traffic was interesting in that it consisted entirely of requests for '/' and came almost exclusively from 194.28.84.86, an IP in a netblock belonging to the Ukrainian hosting provider Hostpro Ltd. Further investigation, however, made it clear that this was a misconfigured Nagios HTTP host check: every request carried the User-Agent header 'check_http/v2.4.5 (nagios-plugins 2.4.5)'.
Could this be a masquerade, with a faked User-Agent header to mislead analysis? It could, but the number of events is very close to what a check every two minutes for the whole of 2024 would produce (366 days × 720 checks per day = 263,520), and a sample of the observed timestamps shows that the requests do indeed arrive every two minutes. We are therefore quite confident that this is a simple misconfiguration, which incidentally generated some 261,234 events in our logs.
# | Timestamp (UTC) |
1 | 2024-01-01 00:00:01.664000 UTC |
2 | 2024-01-01 00:02:01.701000 UTC |
3 | 2024-01-01 00:04:01.732000 UTC |
4 | 2024-01-01 00:06:01.776000 UTC |
5 | 2024-01-01 00:08:01.819000 UTC |
6 | 2024-01-01 00:10:01.853000 UTC |
7 | 2024-01-01 00:12:01.896000 UTC |
8 | 2024-01-01 00:14:01.940000 UTC |
9 | 2024-01-01 00:16:01.988000 UTC |
10 | 2024-01-01 00:18:01.041000 UTC |
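Added example (not from the original article): a Python check that separates a fixed-interval monitor from a scanner by looking at inter-arrival times, the set of requested paths and the User-Agent, and then compares the observed yearly count against what the measured period predicts. The timestamps are the ten shown above and the 261,234 figure is the article's; the 95% periodicity threshold, the ±10% count tolerance and the list of monitoring User-Agent prefixes are assumptions made for the example.

```python
from datetime import datetime, timezone
from statistics import median

TS_FORMAT = "%Y-%m-%d %H:%M:%S.%f UTC"

# The ten timestamps the article shows for 194.28.84.86's requests.
SAMPLE_TIMESTAMPS = [
    "2024-01-01 00:00:01.664000 UTC", "2024-01-01 00:02:01.701000 UTC",
    "2024-01-01 00:04:01.732000 UTC", "2024-01-01 00:06:01.776000 UTC",
    "2024-01-01 00:08:01.819000 UTC", "2024-01-01 00:10:01.853000 UTC",
    "2024-01-01 00:12:01.896000 UTC", "2024-01-01 00:14:01.940000 UTC",
    "2024-01-01 00:16:01.988000 UTC", "2024-01-01 00:18:01.041000 UTC",
]

# User-Agent prefixes of monitoring tools; only the Nagios plugin from the
# article is listed, extend as needed (assumption for this example).
MONITOR_UA_PREFIXES = ("check_http/",)


def parse_ts(s):
    return datetime.strptime(s, TS_FORMAT).replace(tzinfo=timezone.utc)


def interarrival_seconds(timestamps):
    """Gaps between consecutive events, in seconds, after sorting."""
    ts = sorted(parse_ts(s) for s in timestamps)
    return [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]


def periodicity(timestamps, tolerance_s=5.0):
    """Return (median gap, fraction of gaps within tolerance of it).
    A cron-like monitor gives a fraction near 1.0; a scanner that bursts
    through a target list and moves on does not."""
    gaps = interarrival_seconds(timestamps)
    if not gaps:
        return None, 0.0
    period = median(gaps)
    within = sum(1 for g in gaps if abs(g - period) <= tolerance_s)
    return period, within / len(gaps)


def expected_events(period_s, start="2024-01-01", end="2025-01-01"):
    """Events a fixed-interval check would generate in [start, end)."""
    t0 = datetime.fromisoformat(start)
    t1 = datetime.fromisoformat(end)
    return int((t1 - t0).total_seconds() // period_s)


def is_health_check(timestamps, paths, user_agent, observed=None,
                    min_periodic_fraction=0.95, count_tolerance=0.10):
    """True when the source behaves like a misconfigured monitor: steady
    period, only '/' requested, a monitoring UA, and (if given) a yearly
    count within count_tolerance of what the period predicts."""
    period, frac = periodicity(timestamps)
    if period is None or frac < min_periodic_fraction:
        return False
    if set(paths) != {"/"}:
        return False
    if not user_agent.startswith(MONITOR_UA_PREFIXES):
        return False
    if observed is not None:
        ratio = observed / expected_events(period)
        if abs(ratio - 1.0) > count_tolerance:
            return False
    return True


if __name__ == "__main__":
    period, frac = periodicity(SAMPLE_TIMESTAMPS)
    print(f"median period {period:.3f}s, {frac:.0%} of gaps regular")
    print("expected events in 2024 at 120s:", expected_events(120.0))
    print("health check?", is_health_check(
        SAMPLE_TIMESTAMPS, ["/"] * len(SAMPLE_TIMESTAMPS),
        "check_http/v2.4.5 (nagios-plugins 2.4.5)", observed=261_234))
```

The same inter-arrival test flags beaconing malware, so treat a regular period as a prompt to look at the path set and the User-Agent rather than as proof of benign intent on its own.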
CVE Specific Scanning Does Not Add Much to Overall Traffic
It turns out that scanning for specific CVEs did not rise to the level of having much effect on the overall amount of traffic we see. For example, CVE-2023-1389 contributed a mere 155,524 events in total during 2024, despite being one of the most scanned-for CVEs in our dataset.
Likewise, CVE-2017-9841 accounted for only 113,126 events across the year, despite the massive spike in scanning for it that we observed in June 2024; that is not enough to move the overall level of scanning.
Conclusions
While much of the overall increase in scanning during 2024 can be attributed to just one source, the BotPoke scanner we have remarked on before, the rest appears to be the kind of scanning we see a great deal of every month, looking for exposed credentials and gathering information, albeit in this case from just a handful of IP addresses in Germany.
These sorts of variations are to be expected. With the tooling available today, a single IP can scan the entire IPv4 space in a remarkably short period of time, and can keep doing so until either the operator or an ISP decides enough is enough. Given a large enough list of target URLs, that one IP can generate a staggering amount of traffic, even when observed by only a limited number of sensors.
We hope you’ve enjoyed this discussion digging into the reasons for the increase in scanning towards the end of 2024 we observed previously.