Who Is Scanning for CVE-2023-1389?
Back in April, when we first started tracking CVE-2023-1389, we analyzed who was scanning for it and found that the majority of scanning activity was coming from just two ASNs: AS49870 (Alsycon, a hosting provider out of the Netherlands) and AS47890 (Unmanaged Ltd).
Running these analyses again, we find that the situation has changed. Now, the majority of the scanning (39%) is instead coming from AS206264. AS49870 is entirely absent.
This indicates two things. Network providers can and do work to limit scanning activity originating from their networks. But threat actors are also very adept at finding new places from which to stage their activities, in this case shifting from a hosting provider in the Netherlands to a hosting provider based out of Hong Kong.
Targeting Trends
Figure 2 is a bump plot showing the change in traffic volume and position over the last twelve months. This shows very clearly the increase in scanning for CVE-2023-1389 since the start of the year, and the massive increase in the last two months. Also notable is the increase in CVE-2017-9841, with its total volume (seen in the width of the colored area) indicating that more scanning for this occurred last month than at any time in the previous eleven months.
Scanning for TP-Link Wifi Router Vulnerability Increases by 100%