The Sensor Intel Series is created in partnership with Efflux, who maintains a globally distributed network of sensors from which we derive attack telemetry.
Additional insights and contributions provided by the F5 Threat Campaigns team.
Introduction
Welcome to the August 2024 installment of the Sensor Intelligence Series, our monthly summary of vulnerability intelligence based on distributed passive sensor data.
Last month, we observed that scanning for CVE-2017-9841 fell sharply, and this month is no different, with scanning for that vulnerability falling another 79% from July’s rate. Overall, it’s down 97.4% from its high-water mark in June of 2024.
CVE-2023-1389, an RCE vulnerability in TP-Link Archer AX21 consumer routers, which has consistently been near the top of our ranking, is now the most scanned-for CVE that we track, but it too is down from last month, falling 18.8% compared to July.
Researching an Aberration
We frequently look for anomalies not related to specific CVE scanning activity in our logs, and this month, we found one that's worth mentioning.
We first noted that the overall level of scanning was up significantly from the month prior, having risen 90.9% in terms of total events observed.
Digging into this a bit, we were surprised to find that the top source and destination country combination was scanners located in Lithuania scanning US sensors. This is unusual, and became even more unusual when we found that the vast majority (99.9%) of that traffic was from just one IP address.
That IP address is 141.98.11.114, with a reverse DNS lookup of “srv-141-98-11-114.serveroffer.net”. Serveroffer.net appears to be a hosting infrastructure provider based out of the city of Kaunas, in Lithuania.
We looked back a bit further, across the whole of 2024 in fact, and we found that this IP has been scanning quite a lot but not very consistently.
Day (2024) | Events (n)
07-21 | 7148
07-22 | 16083
07-25 | 16064
07-26 | 4016
07-31 | 12048
08-10 | 165916
08-11 | 82957
08-12 | 82956
08-16 | 68279
08-17 | 14679
08-18 | 165916
We were initially expecting to find this IP scanning for a specific set of vulnerabilities, or at least a class of vulnerability, but this scanner seems to be trying to pull a lot of odd URLs.
There are 83,193 distinct URLs being scanned for by this IP, the majority of which appear to have a file extension present, for example “GET /kolomz.exe”. We’ve published this list to our github as “141.98.11.114_unique_urls.txt”. This immediately made us wonder if this scanner was attempting to find malware hosting sites, as many malware loaders we observe in our data follow a similar naming scheme. Its User-Agent header, "BotPoke", was also an interesting breadcrumb to follow.
File extension | Requests (n)
.exe | 525305
(no extension present) | 20673
.sh | 14768
.bat | 13496
.apk | 10710
.hta | 6706
.vbs | 4613
.mips | 2912
.arm7 | 2784
.arm5 | 2752
all_others | 31343
We found a few references online, some dating as far back as 2010, to a scanner exhibiting similar behavior, with the same User-Agent string, so this doesn't seem to be anything out of the ordinary, except for the intensity of the scanning activity and the use of a single IP address.
We expanded our search for unique URLs by looking for any URL associated with the User-Agent “BotPoke”, and we’ve published a full list of the unique URLs found, all 105,797 of them, to our github repo as “full_list_PokeBot_URLs.txt”.
Both published lists may be useful for threat hunting in web environments, as they contain names of common malware loaders, but please be aware that these files likely contain all sorts of file types, ranging from malware loaders to cracked games and much else besides. Please use these lists with caution; we make no guarantees of correctness.
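One way to run the same kind of hunt over ordinary web access logs, as an added example that is not part of the original post and not F5's or Efflux's tooling: it parses combined-format log lines (the sample lines below are constructed, not sensor data), flags when a single source IP dominates the traffic, matches the "BotPoke" User-Agent, and tallies requested file extensions the way the table above does. The log format, the 80% dominance threshold and the sample addresses are assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample lines in Combined Log Format (not real sensor data).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Aug/2024:01:00:00 +0000] "GET /kolomz.exe HTTP/1.1" 404 0 "-" "BotPoke"
203.0.113.5 - - [10/Aug/2024:01:00:01 +0000] "GET /update.sh HTTP/1.1" 404 0 "-" "BotPoke"
203.0.113.5 - - [10/Aug/2024:01:00:02 +0000] "GET /loader.bat HTTP/1.1" 404 0 "-" "BotPoke"
203.0.113.5 - - [10/Aug/2024:01:00:03 +0000] "GET /x86 HTTP/1.1" 404 0 "-" "BotPoke"
203.0.113.5 - - [10/Aug/2024:01:00:04 +0000] "GET /bins/dropper.mips HTTP/1.1" 404 0 "-" "BotPoke"
198.51.100.7 - - [10/Aug/2024:01:00:05 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# ip ident user [time] "METHOD PATH PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" \d+ \S+ "[^"]*" "([^"]*)"')

def parse(log_text):
    """Yield (src_ip, method, path, user_agent) for each parseable line."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groups()

def extension_of(path):
    """Lower-cased extension of the last path segment, ignoring the query string."""
    name = urlsplit(path).path.rsplit('/', 1)[-1]
    if '.' in name and not name.endswith('.'):
        return '.' + name.rsplit('.', 1)[-1].lower()
    return '(no extension present)'

def hunt(log_text, ua_marker='BotPoke', share_threshold=0.8):
    """Summarise source concentration, User-Agent hits and the extension mix."""
    recs = list(parse(log_text))
    if not recs:
        raise ValueError('no parseable log lines')
    by_ip = Counter(r[0] for r in recs)
    top_ip, top_n = by_ip.most_common(1)[0]
    ua_hits = [r for r in recs if ua_marker.lower() in r[3].lower()]
    return {
        'total': len(recs),
        'top_ip': top_ip,
        'top_share': top_n / len(recs),
        'single_source_dominant': top_n / len(recs) >= share_threshold,
        'ua_hits': len(ua_hits),
        'ua_extensions': dict(Counter(extension_of(r[2]) for r in ua_hits)),
    }
```

On real logs, compare the extension tally against the published URL lists rather than relying on the User-Agent alone, since a scanner can change that header at any time.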
August Vulnerabilities by the Numbers
Figure 1 shows July attack traffic for the top ten CVEs that we track. CVE-2017-9841 has fallen off to 4th place, and CVE-2023-1389 has retaken the top spot. Also notable is the disappearance of CVE-2021-28481 from the top 10, and the appearance of CVE-2020-0618.
The regular movement on this graph is not surprising – scanning for different vulnerabilities varies significantly month to month.
Targeting Trends
Figure 2 is a bump plot showing the change in traffic volume and position over the last twelve months. We can see quite clearly the continuing falloff in scanning for CVE-2017-9841. It’s also interesting to note that CVE-2020-11625, which was our top scanned-for vulnerability in January and February of this year, has now disappeared entirely, and indeed did so in June.
Long Term Trends
Figure 3 shows traffic for the top 19 CVEs by all-time traffic, followed by a monthly average of the remaining CVEs. Again, one can easily see the precipitous rise and fall of scanning for CVE-2017-9841, as well as the steady rise of scanning for CVE-2023-1389, which, although it continues to hold first place in our top 10, is itself falling off as well. In the lower right corner, you can see the average of all the other 110 CVEs we currently track, and note that these too have fallen quite dramatically.
We may be observing a long-tail phenomenon finally getting to the end here, and it’s going to be interesting to see how the addition of more recent CVEs may change this overall average, as we incorporate more signatures for many more CVEs in the coming month or two.
Conclusions
Just looking at scanning targeting CVEs, while certainly interesting, doesn’t show the whole picture, as we saw when analyzing the single IP scanner looking for malware distribution sites. There are a lot of interesting phenomena present in this data, and we hope over the coming months to not only expand the scope of the CVEs we’re tracking, but also continue to do deep dives into anomalous events as we did this month.