Attacker Hunting Firewalls
Firewalls and other perimeter devices are a huge target these days. Ivanti, Fortigate, Citrix, and others offer plenty of difficult-to-patch vulnerabilities for attackers to exploit. Ransomware actors and others are always on the lookout for new victims. However, being an access broker or ransomware peddler is challenging: The competition for freshly deployed vulnerable devices, or devices not patched for the latest and greatest vulnerability, is immense. Your success in the ransomware or access broker ecosystem depends on having a consistently updated list of potential victims.
As a result, certain IP addresses routinely scan the internet for specific types of vulnerabilities. One such example is 77.90.185.152. This IP address has been scanning for a different vulnerability each day. For example:
December 7th, 2023: We see this IP address for the first time doing widespread scans. It starts with scans for the URL "/remote/login". This URL is commonly associated with Fortinet's FortiOS. A few days later, on December 12th, Fortigate released several patches.
December 12th, 2023: Scans for "/login". This is a bit too generic to link it with a specific vulnerability.
The next big scan from this IP address doesn't show up until March 9th. The attacker is still looking for "/remote/login", which is a good hint that the same actor still controls this system. These last few days, the activity from this IP address heated up, and we now see some diversity in scans. The URLs include, for example:
| URL | Possible Target Device |
|---|---|
| /+CSCOE+/login.html | Cisco devices |
| /logon/LogonPoint/custom.html | Citrix Gateways |
| /my.policy | F5 Devices |
| /dana-na/auth/url_2/welcome.cgi | PulseVPN/Ivanti |
| /global-protect/login.esp | Palo Alto Networks |
| /sslmgr | Palo Alto Networks |
| /sslvpn_logon.shtml | Watchguard firewalls |
All of these URLs are related to different perimeter security devices. Of course, they all had their share of vulnerabilities in the past. But this actor (researcher?) now has a list of potentially vulnerable devices. The login page itself will often allow fingerprinting of the firmware version, making it even easier to match devices to vulnerabilities.
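The pattern described above, one source address walking through the login pages of several unrelated vendors, is easy to pick out of ordinary web server logs. The following is an added example (not code from the diary or from SANS ISC) that parses combined-format access log lines, maps request paths to the device families in the table, and reports any source that probed two or more families. The log lines are constructed; the scanner address is the one discussed in the diary and the remaining addresses come from the RFC 5737 documentation ranges. The generic "/login" path is deliberately left out of the watch list, for the reason given above.

```python
import re
from collections import defaultdict

# Login paths associated with perimeter devices, taken from the table in the
# diary. Keys are matched exactly against the request path (query string
# removed), so generic paths such as "/login" are deliberately not included.
PERIMETER_LOGIN_PATHS = {
    "/remote/login": "Fortinet FortiOS",
    "/+CSCOE+/login.html": "Cisco",
    "/logon/LogonPoint/custom.html": "Citrix Gateway",
    "/my.policy": "F5",
    "/dana-na/auth/url_2/welcome.cgi": "PulseVPN/Ivanti",
    "/global-protect/login.esp": "Palo Alto Networks",
    "/sslmgr": "Palo Alto Networks",
    "/sslvpn_logon.shtml": "Watchguard",
}

# Apache/nginx "combined" log format; only the fields used below are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_log_line(line):
    """Return a dict with ip, ts, method, path and status, or None if the
    line does not look like a combined-format access log entry."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Normalise the target: drop the query string and any fragment so that
    # "/global-protect/login.esp?x=1" still matches the watch list.
    rec["path"] = rec.pop("target").split("?", 1)[0].split("#", 1)[0]
    rec["status"] = int(rec["status"])
    return rec


def classify_path(path):
    """Map a request path to the device family whose login page it matches,
    or None if the path is not one of the watched perimeter login URLs."""
    return PERIMETER_LOGIN_PATHS.get(path)


def families_by_source(lines):
    """Aggregate, per source IP, the set of device families probed."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            continue
        family = classify_path(rec["path"])
        if family is not None:
            seen[rec["ip"]].add(family)
    return seen


def find_scanners(lines, min_families=2):
    """Return {ip: sorted families} for sources that requested login pages of
    at least `min_families` distinct device families. A user reaching the one
    VPN portal they actually use stays below the threshold; a host sweeping
    through several vendors' portals does not."""
    return {
        ip: sorted(fams)
        for ip, fams in families_by_source(lines).items()
        if len(fams) >= min_families
    }


# Constructed sample log lines (not real traffic). 77.90.185.152 is the
# scanner discussed in the diary; the other addresses are RFC 5737 test nets.
SAMPLE_LOG = """\
77.90.185.152 - - [09/Mar/2024:10:12:01 +0000] "GET /remote/login HTTP/1.1" 404 153 "-" "Mozilla/5.0"
77.90.185.152 - - [09/Mar/2024:10:12:03 +0000] "GET /+CSCOE+/login.html HTTP/1.1" 404 153 "-" "Mozilla/5.0"
77.90.185.152 - - [09/Mar/2024:10:12:05 +0000] "GET /my.policy HTTP/1.1" 404 153 "-" "Mozilla/5.0"
77.90.185.152 - - [09/Mar/2024:10:12:07 +0000] "GET /global-protect/login.esp?x=1 HTTP/1.1" 404 153 "-" "Mozilla/5.0"
77.90.185.152 - - [09/Mar/2024:10:12:09 +0000] "GET /sslmgr HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.23 - - [09/Mar/2024:10:15:00 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.23 - - [09/Mar/2024:10:15:02 +0000] "GET /my.policy HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [09/Mar/2024:10:16:00 +0000] "GET /login HTTP/1.1" 200 1024 "-" "curl/8.0"
not a log line at all
""".splitlines()

if __name__ == "__main__":
    for ip, fams in find_scanners(SAMPLE_LOG).items():
        print(f"{ip} probed {len(fams)} device families: {', '.join(fams)}")
```

On a server that runs none of these products, any hit on the watch list is already worth a look regardless of the threshold; the two-family rule is there for hosts that do expose one such portal legitimately, where a single request to its own login page is normal and a sweep across vendors is not.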
---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu