TTPwire Vol. 1 · MITRE ATT&CK·Tagged


F5 Labs

A Single IP is Scanning Intensely, and Yields a List of Malware Loaders

2024-09-19

ATT&CK techniques detected (4 predictions)

T1595.002 Vulnerability Scanning (76%)
"A single IP is scanning intensely, and yields a list of malware loaders. Introduction. Welcome to the August 2024 installment of the Sensor Intelligence Series, our monthly summary of vulnerability intelligence based on distributed passive sensor data. Last month, we observed the s…"

T1588.006 Vulnerabilities (75%)
"the ordinary, except for the intensity of the scanning activity and the use of a single IP address. We expanded our search for unique URLs by looking for any URL associated with the user-agent “botpoke”, and we’ve published a full list of the unique URLs found, all 105,797…"

T1595.002 Vulnerability Scanning (75%)
"the steady rise of scanning for CVE-2023-1389, which, although it continues to take the first place in our top 10, is itself falling off as well. In the lower right corner, you can see the average of all the other 110 CVEs we currently track, and note that these too have falle…"

T1046 Network Service Discovery (41%)
"IP scanning for a specific set of vulnerabilities, or at least a class of vulnerability, but this scanner seems to be trying to pull a lot of odd URLs. There are 83,193 distinct URLs being scanned for by this IP, the majority of which appear to have a file extension present, for…"

Summary

Overall scanning for CVEs we track is down, but one specific scanner caught our attention. We dig into what it’s doing.