Note the large increase in the number of unique source IPs and source ASNs. Between May and June, 38 different source ASNs dropped from the scanning activity, and 179 were added. This is unusual. While scanners will abandon infrastructure as takedowns happen, or access is revoked, they typically do not make such massive changes without need. We suspect that this is may be a case where the directors of this scanning activity have decided that they require far more resources and infrastructure than they have had before, and have further decided to diversify their sources. Why they would do this remains a mystery, but perhaps they are building in resiliency against actions against them.
It is interesting to note that most of the scanning infrastructure is in just a handful of countries – specifically the US (35 ASNs), China (20 ASNs), Russia (18 ASNs), Hong Kong (17 ASNs), Germany (14 ASNs), Vietnam (12 ASNs) and Singapore (11 ASNs). Of the remaining countries, 23 had ASN counts greater than one, and the rest of the countries, 19 in all, had just one ASN involved.
Nevertheless, the breadth of source ASNs is somewhat astonishing – many of the scanners we track have just a handful of ASNs in use, but this group has a large geographic distribution, with infrastructure in ASNs in Kazakhstan, Moldova, the Seychelles, and Cyprus, among others.
It is difficult to ascertain if this is all the activity of one actor or a group of unrelated ones. We surmise that given the consistency of the targeting (hitting only about half of the sensors we have deployed from a country-by-country basis), as well as the unusual consistency of only one set of headers that this is likely just one actor, but we can’t be 100% certain.
Looking at what this set of scanners is looking for, we find an emphasis on variations of the PHPUnit vulnerability. However, these scanners are also doing some other types of scans, specifically “credential finding” type scans, looking for unsecured “.env” files, git configuration directories, and exposed log files, although at drastically lower levels.
Targeted URL
n
/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
3078
/vendor/phpunit/phpunit/Util/PHP/eval-stdin.php
2182
/vendor/phpunit/src/Util/PHP/eval-stdin.php
2156
/vendor/phpunit/Util/PHP/eval-stdin.php
2131
/vendor/phpunit/phpunit/LICENSE/eval-stdin.php
2106
/vendor/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
2104
/phpunit/phpunit/src/Util/PHP/eval-stdin.php
2084
/phpunit/phpunit/Util/PHP/eval-stdin.php
2072
/phpunit/src/Util/PHP/eval-stdin.php
2059
/phpunit/Util/PHP/eval-stdin.php
2056
/lib/phpunit/phpunit/src/Util/PHP/eval-stdin.php
2045
/lib/phpunit/phpunit/Util/PHP/eval-stdin.php
2038
/lib/phpunit/src/Util/PHP/eval-stdin.php
2030
/lib/phpunit/Util/PHP/eval-stdin.php
2019
/laravel/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
2013
/lib/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
2011
/www/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
2003
Table 3: Top targeted URLs for scanners associated with CVE-2017-9841, primarily PHPUnit related.
We don’t currently understand the reasons behind the intensity of the scanning for this vulnerability, nor the dramatic increase in scanner infrastructure but clearly something is going on. We’ll keep digging into this and see what we can find for next month.
June Vulnerabilities by the Numbers
Figure 1 shows June attack traffic for the top ten CVEs that we track. Note the continued presence of CVE-2023-1389, but also the enormous amount of scanning for CVE-2017-9841, continuing a rise that’s been increasing, albeit slowly, since March 2024.