Pattern of network vulnerability scanning coming from all over the world

L2 Linker


In the last month or so we have seen lots of network vulnerability scanning for the following 3 Threat IDs, coming from all over the world:

- MVPower DVR TV Shell Unauthenticated Command Execution Vulnerability (30426)
- WebUI mainfile.php Arbitrary Command Injection Vulnerability (38836)
- Wireless IP Camera Pre-Auth Info Leak Vulnerability (33556)

We don't have products that would be vulnerable to these threats. A single scanning interval seems to always look for only these 3 threats, all within a few seconds, coming from the same source IP and attacking the same destination IP. Then several hours later, plus or minus a few hours (seems random), another scan interval occurs, but with a different source IP (and likely a different region) and attacking a different destination IP from the last time. Then it repeats.

Our action for these attacks is "reset-both". Should we be doing something different?

We find it strange that this is coming from several regions around the world. Are they all part of the same hacking group?

Has anyone else also seen this same pattern?


Accepted Solutions
L2 Linker

Re: Pattern of network vulnerability scanning coming from all over the world

Hi Curt,

We are experiencing the same thing. There has been a huge increase; the uptick started last weekend, with vulnerability scanning like: Apache Struts Content-Type Remote Code Execution Vulnerability, MVPower DVR TV Shell Unauthenticated Command Execution Vulnerability, Wireless IP Camera Pre-Auth Info Leak Vulnerability, Bash Remote Code Execution Vulnerability, Microsoft IIS HTR ISAPI Extension Buffer Overflow Vulnerability.

I've set the action to drop these attacks.
I'm also adding some of the worst-looking source IPs/IP subnets to our block list.

But I'm still concerned about the amount of these scans. We are also not vulnerable to those scans, but I wonder if other zero-day attacks can come from these.
I would like to understand the reason for the increase. Found this article from Homeland Security: https://www.us-cert.gov/ncas/alerts/TA17-293A
If you are in an infrastructure/construction-related business, it may apply to you. Sounds like there are increased targeted attacks.
With that said, I'm considering contacting Palo Alto for additional input.



All Replies

L2 Linker

Re: Pattern of network vulnerability scanning coming from all over the world

It is comforting to know we are not the only ones "targeted" with these; instead it seems to be more general "untargeted" scanning happening to everyone.

I will look into making exceptions for these Threat IDs with an action of either "drop" or "block-ip".

As far as blocking the source IPs in a policy, I am leaning towards creating a block policy based on region, mainly because there seems to be very little repeat from IP ranges.
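As an added example (not code from any poster in this thread), the Python script below checks a threat-log export for the burst pattern described in the first post (all three Threat IDs from one source to one destination within a few seconds, then a gap of hours before the next burst from a different source) and produces the repeat counts per source, per /24 and per region that the region-block decision in the last post depends on. The column names and the sample log lines are constructed; a real threat-log export has many more columns, so map `receive_time`, `src`, `srcloc`, `dst` and `threatid` to whatever your export calls them.

```python
"""Group vulnerability-threat log hits into scan bursts and summarise them.

Added example, not from the thread. The log below is constructed and uses a
simplified subset of threat-log columns (receive_time, src, srcloc, dst,
threatid, action); adjust the column names to match your own export.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_network

# The three Threat IDs named in the original post.
SCAN_SET = {30426, 38836, 33556}
# A burst is all three IDs from one src to one dst inside this window.
BURST_WINDOW = timedelta(seconds=10)

# Constructed sample log: three full bursts matching the described pattern,
# plus one partial probe (two of three IDs) that must NOT count as a burst.
SAMPLE_LOG = """\
receive_time,src,srcloc,dst,threatid,action
2017/11/02 03:14:05,203.0.113.10,US,198.51.100.5,30426,reset-both
2017/11/02 03:14:06,203.0.113.10,US,198.51.100.5,38836,reset-both
2017/11/02 03:14:08,203.0.113.10,US,198.51.100.5,33556,reset-both
2017/11/02 09:41:50,192.0.2.77,BR,198.51.100.9,30426,reset-both
2017/11/02 09:41:51,192.0.2.77,BR,198.51.100.9,38836,reset-both
2017/11/02 09:41:52,192.0.2.77,BR,198.51.100.9,33556,reset-both
2017/11/02 12:00:00,203.0.113.200,US,198.51.100.5,30426,reset-both
2017/11/02 12:00:03,203.0.113.200,US,198.51.100.5,33556,reset-both
2017/11/02 18:22:10,192.0.2.200,BR,198.51.100.5,30426,reset-both
2017/11/02 18:22:12,192.0.2.200,BR,198.51.100.5,38836,reset-both
2017/11/02 18:22:13,192.0.2.200,BR,198.51.100.5,33556,reset-both
"""


def parse_log(text):
    """Parse the CSV export into dicts with a real datetime, sorted by time."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "time": datetime.strptime(row["receive_time"], "%Y/%m/%d %H:%M:%S"),
            "src": row["src"],
            "srcloc": row["srcloc"],
            "dst": row["dst"],
            "threatid": int(row["threatid"]),
        })
    rows.sort(key=lambda r: r["time"])
    return rows


def find_bursts(rows, window=BURST_WINDOW, wanted=SCAN_SET):
    """Return one record per burst: a (src, dst) pair that triggered every ID
    in `wanted` within `window`. Partial probes are dropped."""
    by_pair = defaultdict(list)
    for r in rows:
        if r["threatid"] in wanted:
            by_pair[(r["src"], r["dst"])].append(r)  # stays time-ordered

    bursts = []
    for (src, dst), hits in by_pair.items():
        i = 0
        while i < len(hits):
            start = hits[i]["time"]
            seen, j = set(), i
            while j < len(hits) and hits[j]["time"] - start <= window:
                seen.add(hits[j]["threatid"])
                j += 1
            if seen == wanted:
                bursts.append({"start": start, "src": src, "dst": dst,
                               "srcloc": hits[i]["srcloc"]})
            i = j  # j > i always, so the loop makes progress
    bursts.sort(key=lambda b: b["start"])
    return bursts


def summarise(bursts):
    """Counts to look at before choosing a block policy: repeats per source,
    per /24 and per region, plus the gaps (hours) between bursts."""
    per_src, per_net, per_loc = defaultdict(int), defaultdict(int), defaultdict(int)
    for b in bursts:
        per_src[b["src"]] += 1
        per_net[str(ip_network(b["src"] + "/24", strict=False))] += 1
        per_loc[b["srcloc"]] += 1
    gaps = [bursts[k]["start"] - bursts[k - 1]["start"] for k in range(1, len(bursts))]
    return {
        "bursts": len(bursts),
        "per_src": dict(per_src),
        "per_net": dict(per_net),
        "per_loc": dict(per_loc),
        "gaps_hours": [round(g.total_seconds() / 3600, 1) for g in gaps],
    }


if __name__ == "__main__":
    found = find_bursts(parse_log(SAMPLE_LOG))
    for b in found:
        print(f"{b['start']}  {b['src']:<14} ({b['srcloc']}) -> {b['dst']}")
    print(summarise(found))
```

On the constructed sample this reports three bursts with no repeated source address, one /24 seen twice and one region seen twice, which is the kind of evidence needed to judge whether a per-IP, per-subnet or per-region block would actually catch the next burst. Run it over a real export and watch `per_net` and `per_loc` over a few days before committing to a region block.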
