Who Is Scanning for CVE-2023-1389?
Back in April, when we first started tracking CVE-2023-1389, we did an analysis of who was scanning for it, and found that the majority of scanning activity was coming from just two ASNs, AS49870 (Alsycon, a hosting provider out of the Netherlands) and AS47890 (Unmanaged Ltd).
Running these analyses again, we find that the situation has changed. Now, the majority of the scanning (39%) is instead coming from AS206264. AS49870 is entirely absent.
This indicates two things. Network providers can and do work to limit scanning activity originating from their networks. But threat actors also are very adept and finding a new places from which to stage their activities, in this case shifting from a hosting provider in the Netherlands to a hosting provider based out of Hong Kong.
Targeting Trends
Figure 2 is a bump plot showing the change in traffic volume and position over the last twelve months. This shows very clearly the increase in scanning for CVE-2023-1389 since the start of the year, and the massive increase in the last two months. Also notable is the increase in CVE-2017-9841, with its total volume (seen in the width of the colored area) indicating that more scanning for this occurred last month than at any time in the previous eleven months.
Scanning for TP-Link Wifi Router Vulnerability Increases by 100%
Related Posts
Docusign API Abused in Widescale, Novel Invoice Attack
Cybercriminals are abusing a Docusign API in a widescale, innovative phishing campaign to send fake invoices to corporate users that appear authentic and likely would not trigger typical security defenses…
Metal Slug Tactics gives turn-based strategy a hyper-stylized shot of adrenaline
Metal Slug Tactics pushes hard on the boundaries of the vaunted run-and-gun arcade series. You can run when it’s your character’s turn, but it’s a certain number of tiles. You…