topic Re: Pattern of network vulnerability scanning coming from all over the world in Advanced Threat Prevention Discussions

Pattern of network vulnerability scanning coming from all over the world

CTW1983 — Fri, 20 Oct 2017 20:44:56 GMT

In the last month or so we have seen lots of network vulnerability scanning for the following 3 Threat IDs coming from all over the world.

- MVPower DVR TV Shell Unauthenticated Command Execution Vulnerability(30426)

- WebUI mainfile.php Arbitrary Command Injection Vulnerability(38836)

- Wireless IP Camera Pre-Auth Info Leak Vulnerability(33556)

We don't have products that would be vulnerable to these threats. A single scanning interval seems to always look for only these 3 threats all within a few seconds, coming from the same source IP, and attacking the same destination IP. Then several hours later plus or minus a few hours (seems random), another scan interval occurs, but with a different source IP (and likely different region), and attacking a different destination IP from the last time it occurred. Then it repeats.

Our action for these attacks is "reset-both". Should we be doing some thing different?

We find it strange that this is coming from several regions around the world. Are they all part of the same hacking group?

Has anyone else also seen this same pattern?

Re: Pattern of network vulnerability scanning coming from all over the world

Margit_Curtis — Sat, 21 Oct 2017 16:44:55 GMT

Hi Curt,

we are experiencing the same thing. There has been a huge increase, uptick started from last weekend of vulnerability scanning, like: Apache Struts Content-Type Remote Code Execution Vulnerability, MVPower DVR TV Shell Unauthenticated Command Execution Vulnerability, Wireless IP Camera Pre-Auth Info Leak Vulnerability, Bash Remote Code Execution Vulnerability, Microsoft IIS HTR ISAPI Extension Buffer Overflow Vulnerability

I've it for action to drop these attacks.
I'm also adding some of the worst looking source ip\ip subnets to our block list.

But I'm still concerned about the amount of these scans. We are also not vulnerable for those scans, but I wonder if there are other zero day attacks can come from these.
I would like to understand the reason for the increase. Found this article from Homeland security: https://www.us-cert.gov/ncas/alerts/TA17-293A
If you are in infrastructure\construction related business, it may apply to you. Sounds like there are increased targeted attachs.
With that said, I'm considering contacting Palo Alto for additional input.

Re: Pattern of network vulnerability scanning coming from all over the world

CTW1983 — Tue, 24 Oct 2017 19:31:08 GMT

It is comforting to know we are not the only ones "targeted" with these, instead it seems to be more general "untargeted" scanning happening to everyone.

I will look into making exceptions for these Threat IDs with an action of either "drop" or "block-ip".

As far as blocking the source IPs in a policy, I am leaning towards creating a block policy based on region, mainly because there seems to be very little repeat from IP ranges.