The Sensor Intel Series is created in partnership with Efflux, who maintains a globally distributed network of sensors from which we derive attack telemetry.
Welcome back to the Sensor Intelligence Series, our recurring monthly summary of vulnerability intelligence based on distributed passive sensor data. We’ll start off this month’s analysis with a look at some activity from the August dataset, which demonstrates some of the oddities we occasionally see, and then dig into the changes we saw in September for the CVEs we track.
First, an Aside From August
The sensors from which we gather Sensor Intel Series data are passive, meaning they do not have any DNS names associated with them, and that they do not respond to traffic. This means that most of the traffic we receive is broad, Internet-wide scanning activity, not particularly targeted to specific business or organization. Additionally, we’re focused on detecting attempts to exploit CVEs, so we typically don’t look very closely at traffic that isn’t targeting specific vulnerabilities.
It’s always a bit of a surprise when we see what looks like targeted activity. In preparation for this article, reviewing August 2023 data, we noticed an anomaly that was an interesting exception to the general rule.
Starting on August 15th, 2023, at 05:21 UTC, and ending on August 23rd, at 19:30 UTC, we saw a determined credential stuffing attack take place against one of our sensors located in Greece.
Over the course of these 8 days and 14 hours, we observed a steady stream of POST requests to the URI “/”, each containing the username of “root” or “admin” and a varying password string, most of which were only sent once. There wasn’t any indication of a particular software platform being targeted. The specific POST parameters which were used were “input_user”, “input_pass”, and “submit_login.”
This strikes us as notable for a few reasons. First, this traffic was seen on only one sensor. Secondly, it was relatively slow. Each request was separated from the next by 1 second or more. Third, the attack was sourced from a mere 18 IP addresses in just two ASNs. While there was some traffic observed from these IPs and ASNs targeting other sensors with other traffic, no other sensors saw this cred stuffing activity.
Table 1 shows the IPs and ASNs involved in this attack, along with the source and destination countries, and counts of traffic observed.
Rank | Source IP | Source ASN | Source country | Destination country | Count |
1 | 94.66.207.186 | 6799 | Greece | Greece | 3685 |
2 | 188.161.195.114 | 12975 | Palestine | Greece | 1146 |
3 | 212.205.228.102 | 6799 | Greece | Greece | 951 |
4 | 94.65.86.163 | 6799 | Greece | Greece | 773 |
5 | 85.184.240.116 | 12975 | Palestine | Greece | 690 |
6 | 188.161.80.66 | 12975 | Palestine | Greece | 500 |
7 | 188.161.81.207 | 12975 | Palestine | Greece | 156 |
8 | 37.8.15.4 | 12975 | Palestine | Greece | 103 |
9 | 82.205.18.14 | 12975 | Palestine | Greece | 89 |
10 | 176.65.3.117 | 12975 | Palestine | Greece | 80 |
11 | 176.65.3.84 | 12975 | Palestine | Greece | 51 |
12 | 37.8.15.54 | 12975 | Palestine | Greece | 37 |
13 | 79.129.44.64 | 6799 | Greece | Greece | 15 |
14 | 85.184.241.237 | 12975 | Palestine | Greece | 14 |
15 | 82.205.7.4 | 12975 | Palestine | Greece | 8 |
16 | 176.65.3.49 | 12975 | Palestine | Greece | 4 |
17 | 82.205.28.48 | 12975 | Palestine | Greece | 3 |
18 | 82.205.18.146 | 12975 | Palestine | Greece | 1 |
Once the attack ended, we didn’t see it again. In fact, we went back through all the 2023 data we have so far, and this specific pattern of cred stuffing attack only appears this once.
The biggest question we had was “Why would such a determined attack be launched at a sensor that wouldn’t ever respond?” In typical credential stuffing attacks, an attacker will monitor their results, looking for a “200 Success” or a “302 Redirect” response, or even just a size difference between successful and unsuccessful attempts, to be able to determine which username and password pair was valid. In this case, no responses whatsoever were seen by the attacker.
One possibility is that the attacker’s targeting was simply wrong. Perhaps they were targeting a netblock where they had identified a possibly valid target, and our sensor was caught up in an overly broad range of IPs. Perhaps they simply mistyped the target IP address, or used a DNS name which was incorrectly pointed towards our sensor. At the end of the day, we don’t have enough information to really say for certain.
Nevertheless, we did manage to capture some 6600 unique username and password pairs that this attacker used for their attempt and can now keep an eye out for more activity.
September Vulnerabilities by the Numbers
Figure 1 shows the traffic for the top 10 CVEs in September. CVE-2020-8958, a Guangzhou router command injection vulnerability, has been our top seen CVE for much of the past year, returning to the top last month, and continuing its dominance this month. Second place remained unchanged: CVE-2022-34847, an RCE in the open-source GeoServer software. In fact, only two of our top contenders changed their position this month. CVE-2022-42475, a heap-based buffer overflow in Fortinet SSL-VPNs dropped from 3rd to 4th position, and CVE-2017-9841, an RCE vulnerability in PHPUnit, dropped another position, continuing a downward trend we started observing in August. Overall traffic in the CVEs we track dropped again, but not as precipitously as it did in August.
Table 2 shows traffic for September, change in traffic from August, CVSS v3.x score, and EPSS scores for 75 CVEs. Our list of CVEs with confirmed attack or scanning traffic currently stands at 81, but 6 vulnerabilities saw no traffic in either July or August and so don’t make this table.