*** NOTE This data and analysis is done by LLMs including the generation of the YARA Rules. This is an experiment and all data should be double checked before using. ***
Executive Summary
Recent analysis of internet-wide scanning activity reveals a sharp spike in reconnaissance against network perimeter devices, including Cisco Adaptive Security Appliances (ASA) and TP-Link routers whose web interface is derived from OpenWrt's LuCI. The observed traffic patterns indicate a blend of two distinct threat types: high-volume, opportunistic botnet recruitment campaigns and targeted, pre-exploitation probing by potential Initial Access Brokers (IABs) and Advanced Persistent Threats (APTs). Defenders should prioritize patching, particularly for critical vulnerabilities such as CVE-2023-1389 and the actively exploited Cisco ASA/FTD flaws listed below.
Technical Analysis of Observed Indicators
The scan data summarized below carries a clear signature of malicious scanning: a high volume of requests concentrated on a small set of known-vulnerable endpoints, which indicates attackers are working from public exploits rather than performing generic crawling.
Observed URLs and Targets
The requested paths point directly to attempts to compromise network edge devices and web application configurations:
| URL Path Pattern | Target System | Threat Objective |
|---|---|---|
| */cgi-bin/luci/;stok=/locale | TP-Link Archer routers (LuCI-derived web UI; notably the Archer AX21) | Unauthenticated command injection (RCE, CVE-2023-1389) for botnet enrollment. |
| */.env | Web applications (e.g., Laravel, Flask) | Configuration exposure to steal database credentials, API keys, and application secret keys. |
| /+CSCOE+/ and /+CSCOL+/ | Cisco ASA/FTD WebVPN (AnyConnect and clientless SSL VPN portal) | Fingerprinting, then initial access via credential spraying, file disclosure, or authentication bypass flaws. |

The cluster of Cisco-specific paths (logon_forms.js, transfer.js, Java.jar, a1.jar) refers to static resources served by the WebVPN portal. Requesting them confirms that a host runs the ASA/FTD WebVPN service and helps narrow down the software version, which is the usual precursor to attempting file-disclosure or authentication-bypass exploits against the VPN concentrator.

User-Agent Fingerprints

The User-Agents involved illustrate the automated and heterogeneous nature of the scanning operation:
- Opportunistic Scanners: User-Agents such as l9scan/2.0 and l9explore/1.2.2 (the LeakIX platform's scanners) and zgrab/0.x (the ZMap project's application-layer scanner) indicate general internet-wide reconnaissance by security researchers, botnet operators, and IABs building target lists.
- Custom/Scripted Clients: Go-http-client/1.1 is the default User-Agent of Go's net/http package, so its prevalence points to custom tooling written in Go (mass scanners and botnet loaders alike) rather than to one specific malware family.
- Evasive/Unknown: The large share of Unknown or empty User-Agents points to hand-crafted clients or raw-socket scanners that omit the header entirely (stock curl identifies itself as curl/<version>), typically to reduce fingerprintability and slip past naive User-Agent filtering.
Known Vulnerabilities and Exploitation
The observed activity is directly tied to several high-profile, actively exploited vulnerabilities, a number of which appear in CISA's Known Exploited Vulnerabilities (KEV) catalog.
- TP-Link Router Command Injection (CVE-2023-1389)
The volume of requests targeting /cgi-bin/luci/;stok=/locale strongly suggests exploitation of CVE-2023-1389.
- Vulnerability: A critical unauthenticated command injection (CVSS 9.8) in the web management interface of the TP-Link Archer AX21 (AX1800), fixed in firmware 1.1.4 Build 20230219. The interface is LuCI-derived, but upstream OpenWrt/LuCI is not affected by this CVE.
- Exploitation: The locale form's country parameter is stored without sanitization during a write operation and is subsequently passed to a shell when the form is read, so attacker-controlled input executes with root privileges. In-the-wild payloads typically download and execute a shell script that enrolls the router in a botnet.
- Cisco ASA/FTD Initial Access Vulnerabilities
The reconnaissance against Cisco paths targets a history of critical flaws used for gaining remote access:
| CVE | Target | Type of Exploit | Threat Impact |
|---|---|---|---|
| CVE-2020-3452 | ASA/FTD WebVPN | Path Traversal / File Disclosure | Unauthenticated read of files in the web services file system, including WebVPN configuration and cookies. |
| CVE-2020-3187 | ASA/FTD WebVPN | Path Traversal | Unauthenticated read and delete access to files in the web services file system. |
| General probing | ASA login pages | Credential brute-forcing | Used to enumerate valid usernames and perform credential spraying against the VPN. |
Associated Campaigns and Threat Actors
Botnet Campaigns (Mirai & Condi)
The activity against LuCI endpoints is a hallmark of Mirai and its variants (like Condi), which constantly scan the internet for vulnerable IoT and network devices. Successful exploitation of CVE-2023-1389 leads to the device being drafted into a massive Distributed Denial-of-Service (DDoS) botnet, leveraging the router’s bandwidth for attack infrastructure.
Ransomware & APTs (Initial Access Brokers)
The persistent targeting of Cisco ASA devices is primarily driven by financially motivated actors and nation-state groups.
- Ransomware Groups: Groups like Akira and LockBit have historically used compromised VPN devices as a primary initial access vector into corporate networks. Akira in particular has been documented attacking Cisco ASA/FTD VPNs on which MFA was not enforced, so a single brute-forced or stolen valid credential is enough to obtain a network foothold.
- APTs: Various state-sponsored APTs frequently target VPN infrastructure for espionage, aiming for persistent access into organizations, particularly those in critical infrastructure and defense sectors. The reconnaissance detected suggests an IAB or APT is building a list of vulnerable or weak-credentialed Cisco endpoints for future targeted attacks.
Mitigation and Recommendations 🚨
Organizations must act immediately to secure exposed perimeter devices against these high-volume, automated threats.
- Patch Critical Systems Immediately:
- Cisco ASA: Ensure all Cisco Adaptive Security Appliances (ASA) and Firepower Threat Defense (FTD) software are updated to the latest fixed releases to mitigate known vulnerabilities (e.g., CVE-2020-3452, CVE-2020-3187), and disable the WebVPN/AnyConnect service on any interface that does not need it.
- Routers: For TP-Link routers with the LuCI-derived interface, apply the vendor firmware that addresses CVE-2023-1389 (Archer AX21: 1.1.4 Build 20230219 or later) and make sure remote (WAN-side) management is disabled. If a patch is unavailable or the device is End-of-Life (EOL), replace it.
- Harden Authentication:
- Implement Multi-Factor Authentication (MFA) on all VPN/remote access portals, including Cisco ASA WebVPN.
- Enforce strong, unique passwords for all router and network device administration interfaces.
- Network Monitoring & Filtering:
- Treat Scanning User-Agents as Enrichment: Filter or rate-limit requests from identified scanning tools like l9scan and zgrab, but do not rely on this as a control: the header is trivially spoofed, and the empty User-Agents in this dataset show that attackers already omit it.
- Monitor Specific Paths: Create high-priority alerts for attempted access to sensitive paths like /cgi-bin/luci/;stok=/locale, /.env, and the Cisco WebVPN prefixes (/+CSCOE+/, /+CSCOL+/) from external IPs. URL-decode the path before matching so that encoded variants such as %2bCSCOE%2b are not missed.
- Review Web Application Configuration:
- Ensure web server configurations explicitly deny external access to dotfiles and other configuration files such as .env, and keep secrets outside the document root so a misconfiguration cannot expose them in the first place.
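The following detector illustrates the monitoring recommendations above and the indicator table earlier on this page. It is an example added to this write-up, not code from the original analysis or from any of the projects named, and it assumes combined-format access logs (Apache/nginx style). The sample log lines are constructed for the example and are not drawn from the dataset the page describes; the rule names (tplink_luci_locale, env_exposure, cisco_webvpn, ua_*) are the example's own.

```python
"""Triage web access logs for the perimeter-scanning indicators discussed above:
the TP-Link LuCI locale endpoint, exposed .env files, Cisco ASA WebVPN paths,
and the scanner User-Agents. Added example; sample data below is constructed."""
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote, urlsplit

# Combined log format: ip ident user [time] "METHOD target PROTO" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Path rules (assumption: these mirror the path patterns in the indicator table above).
PATH_RULES = [
    ("tplink_luci_locale", re.compile(r"^/cgi-bin/luci/;stok=/locale", re.I)),
    ("env_exposure", re.compile(r"(^|/)\.env($|\.)", re.I)),
    ("cisco_webvpn", re.compile(r"^/\+CSCO[EL]\+/", re.I)),
]
PATH_RULE_NAMES = {name for name, _ in PATH_RULES}

# User-Agent rules: scanner families named on the page plus Go's default client UA.
UA_RULES = [
    ("ua_leakix", re.compile(r"^l9(scan|explore)/", re.I)),
    ("ua_zgrab", re.compile(r"^zgrab/", re.I)),
    ("ua_go_default", re.compile(r"^Go-http-client/", re.I)),
]

# Characters that would let a form value break out into a shell command.
SHELL_META = re.compile(r"[;|&`$()<>\n]")

# Constructed sample lines (not from the page's dataset). RFC 5737 documentation ranges.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Oct/2025:10:00:01 +0000] "POST /cgi-bin/luci/;stok=/locale?form=country HTTP/1.1" 200 120 "-" "Go-http-client/1.1"
203.0.113.11 - - [01/Oct/2025:10:00:02 +0000] "GET /.env HTTP/1.1" 404 153 "-" "l9scan/2.0"
203.0.113.12 - - [01/Oct/2025:10:00:03 +0000] "GET /+CSCOE+/logon_forms.js HTTP/1.1" 200 2048 "-" ""
203.0.113.12 - - [01/Oct/2025:10:00:04 +0000] "GET /%2bCSCOL%2b/transfer.js HTTP/1.1" 200 1024 "-" "zgrab/0.x"
198.51.100.5 - - [01/Oct/2025:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    parts = urlsplit(entry["target"])          # urlsplit keeps ';stok=...' inside the path
    entry["path"] = unquote(parts.path)        # decode %2b etc. so encoded variants still match
    entry["query"] = parts.query
    return entry


def classify(entry):
    """Return the list of indicator tags that apply to a parsed log entry."""
    tags = [name for name, rx in PATH_RULES if rx.search(entry["path"])]
    ua = entry["ua"]
    if ua in ("", "-"):                        # nginx logs '-' for a missing header
        tags.append("ua_empty")
    tags.extend(name for name, rx in UA_RULES if rx.search(ua))
    return tags


def luci_country_injection(body):
    """For proxies or WAFs that log POST bodies: flag a 'write' to the locale form whose
    country value carries shell metacharacters, the CVE-2023-1389 abuse pattern."""
    params = parse_qs(body, keep_blank_values=True)
    if params.get("operation", [""])[0] != "write":
        return False
    return any(SHELL_META.search(v) for v in params.get("country", []))


def triage(log_text):
    """Return (alerts, per_source): alerts lists (ip, path, tags) for path-rule hits;
    per_source maps each client IP to the set of indicator tags it triggered."""
    alerts = []
    per_source = defaultdict(set)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        tags = classify(entry)
        per_source[entry["ip"]].update(tags)
        if PATH_RULE_NAMES.intersection(tags):
            alerts.append((entry["ip"], entry["path"], tags))
    return alerts, dict(per_source)


if __name__ == "__main__":
    found, sources = triage(SAMPLE_LOG)
    for ip, path, tags in found:
        print(f"ALERT {ip} {path} {','.join(tags)}")
    for ip, tags in sources.items():
        print(f"{ip}: {sorted(tags) or 'no indicators'}")
```

Decoding the path before matching is what lets the %2bCSCOL%2b request land in the same bucket as the plain /+CSCOL+/ one; the per-source tag set is the useful pivot for blocking, since a single IP touching both Cisco paths and LuCI endpoints is a mass scanner regardless of what User-Agent it sends.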
