This TSUBAME Report Overflow series discusses monitoring trends of overseas TSUBAME sensors and other activities which the Internet Threat Monitoring Quarterly Reports do not include. This article covers the monitoring results for the period of April to June 2024. The scan trends observed with TSUBAME sensors in Japan are presented in graphs here.
Activities to scan Telnet from TP-LINK routers
JPCERT/CC analyzes the data collected by TSUBAME every day. Since around early May, many scan packets targeting Telnet and originating from wireless LAN routers were observed at a particular ISP. We investigated the source IP addresses of those packets and found many TP-LINK wireless LAN routers, in particular the AX3000 running firmware version 1.0.0. Figure 1 shows a screenshot of the router.
Figure 1: Login screen of a TP-LINK router operating on a specific firmware version
We checked the WHOIS records for the source IP addresses which showed a screen like Figure 1 to identify which ISPs or network ranges they mostly belong to, and communications were particularly frequent from 5 network ranges of a certain ISP. Figure 2 shows the changes in the number of source IP addresses observed by TSUBAME for these 5 network ranges.
Figure 2: Changes in the number of source IP addresses of packets sent from the 5 networks to TSUBAME sensor
You can see that there was a significant change in the number of source IP addresses at the end of April. There were increases and decreases, but the problem has not been resolved as of June 30th. JPCERT/CC has been providing observation data to the ISP to resolve the problem.
The TP-LINK AX3000 is still widely available at consumer electronics stores. Since many different users are likely to have purchased this product, it is unlikely that only users of a particular ISP would continue to use a specific firmware version. Therefore, there is a possibility that a specific user who purchased a large number of the product for some reason, or a company that provides a certain service, is keeping the devices on a specific firmware version for the purpose of centralized management.
When using Internet-connected devices like routers, it is essential to select a product with support, update its firmware version, and make sure that it is properly configured. In particular, businesses are recommended to include such items in the management and maintenance list.
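The analysis behind Figure 2 is a count of distinct source addresses per day for each watched network range, restricted to one destination service. The following script is an added example, not JPCERT/CC's tooling; the log lines, addresses and the two CIDR ranges are constructed placeholders, since the report does not publish the ISP's 5 ranges.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of sensor observations: "date src_ip dst_port/proto".
# Addresses come from documentation ranges and are placeholders only.
SAMPLE_LOG = """\
2024-04-29 198.51.100.10 23/TCP
2024-04-29 198.51.100.11 23/TCP
2024-04-29 203.0.113.5 23/TCP
2024-04-30 198.51.100.10 23/TCP
2024-04-30 198.51.100.12 23/TCP
2024-04-30 198.51.100.12 23/TCP
2024-04-30 203.0.113.7 8728/TCP
2024-04-30 192.0.2.40 23/TCP
"""

# Hypothetical stand-ins for the "5 network ranges" of the ISP in the report.
WATCHED_RANGES = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/24")]

def classify(ip):
    """Return the watched network an address falls in, or None if unwatched."""
    addr = ipaddress.ip_address(ip)
    for net in WATCHED_RANGES:
        if addr in net:
            return str(net)
    return None

def daily_unique_sources(log_text, dst="23/TCP"):
    """Distinct source IPs per (day, watched range) for one destination service.
    As in Figure 2, the plotted quantity is unique sources, not packet volume,
    so a single noisy host does not inflate the series."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        day, src, port = line.split()
        if port != dst:
            continue  # only the Telnet scans are of interest here
        net = classify(src)
        if net is None:
            continue  # source outside the ISP ranges under investigation
        seen[(day, net)].add(src)
    return {key: len(ips) for key, ips in sorted(seen.items())}

if __name__ == "__main__":
    for (day, net), n in daily_unique_sources(SAMPLE_LOG).items():
        print(day, net, n)
```

Feeding real sensor exports through the same function yields the per-range time series that can be handed to the ISP as observation data.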
Comparison of the observation trends in Japan and overseas
Figure 3 is a monthly comparison of the average number of packets received in Japan and overseas. Overseas sensors received more packets than those in Japan.
Figure 3: Monthly comparison of the average number of packets received in Japan and overseas
Comparison of monitoring trends by sensor
A global IP address is assigned to each TSUBAME sensor. Table 1 shows, for each sensor, the top 10 ports on which it received the most packets. Although the order differs from sensor to sensor, almost all the sensors observed packets for 23/TCP, 8728/TCP, 22/TCP, 8080/TCP, 80/TCP and ICMP. This suggests that these protocols are being scanned across a wide range of networks.
Table 1: Comparison of top 10 packets by domestic and overseas sensors
Rank | Sensor in Japan #1 | Sensor in Japan #2 | Sensor in Japan #3 | Sensor overseas #1 | Sensor overseas #2 | Sensor overseas #3
#1   | 23/TCP   | 23/TCP   | 23/TCP   | 23/TCP   | ICMP     | 23/TCP
#2   | 8728/TCP | 8728/TCP | 8728/TCP | 80/TCP   | 23/TCP   | ICMP
#3   | 6379/TCP | 80/TCP   | 6379/TCP | 22/TCP   | 8728/TCP | 80/TCP
#4   | 22/TCP   | 6379/TCP | 22/TCP   | 8728/TCP | 80/TCP   | 8728/TCP
#5   | 80/TCP   | 22/TCP   | 80/TCP   | 443/TCP  | 22/TCP   | 6379/TCP
#6   | 3389/TCP | 3389/TCP | 8443/TCP | 3389/TCP | 443/TCP  | 22/TCP
#7   | 4719/TCP | ICMP     | 3389/TCP | 8080/TCP | 8080/TCP | 443/TCP
#8   | ICMP     | 8080/TCP | ICMP     | ICMP     | 3389/TCP | 8080/TCP
#9   | 8080/TCP | 443/TCP  | 4719/TCP | 445/TCP  | 2222/TCP | 3389/TCP
#10  | 445/TCP  | 2222/TCP | 8080/TCP | 8081/TCP | 8081/TCP | 2222/TCP
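The comparison described above, which services appear in every sensor's top 10 and which appear at only one sensor, can be computed directly from Table 1. This is an added example with the table transcribed as data; it is not JPCERT/CC's own code.

```python
from collections import Counter

# Top-10 lists transcribed from Table 1 of the report, rank order preserved.
TOP10 = {
    "Japan #1": ["23/TCP", "8728/TCP", "6379/TCP", "22/TCP", "80/TCP", "3389/TCP", "4719/TCP", "ICMP", "8080/TCP", "445/TCP"],
    "Japan #2": ["23/TCP", "8728/TCP", "80/TCP", "6379/TCP", "22/TCP", "3389/TCP", "ICMP", "8080/TCP", "443/TCP", "2222/TCP"],
    "Japan #3": ["23/TCP", "8728/TCP", "6379/TCP", "22/TCP", "80/TCP", "8443/TCP", "3389/TCP", "ICMP", "4719/TCP", "8080/TCP"],
    "Overseas #1": ["23/TCP", "80/TCP", "22/TCP", "8728/TCP", "443/TCP", "3389/TCP", "8080/TCP", "ICMP", "445/TCP", "8081/TCP"],
    "Overseas #2": ["ICMP", "23/TCP", "8728/TCP", "80/TCP", "22/TCP", "443/TCP", "8080/TCP", "3389/TCP", "2222/TCP", "8081/TCP"],
    "Overseas #3": ["23/TCP", "ICMP", "80/TCP", "8728/TCP", "6379/TCP", "22/TCP", "443/TCP", "8080/TCP", "3389/TCP", "2222/TCP"],
}

def ports_seen_by_all(top10):
    """Services present in every sensor's top 10, regardless of rank.
    Wide agreement across geographically separate sensors is the signature
    of Internet-wide scanning rather than a local event."""
    common = set.intersection(*(set(v) for v in top10.values()))
    return sorted(common)

def sensor_coverage(top10):
    """Number of sensors listing each service, most widely seen first."""
    counts = Counter(p for v in top10.values() for p in v)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))

def local_only(top10, sensor):
    """Services in one sensor's top 10 that no other sensor lists: the shape a
    change confined to a single network would take in this table."""
    others = {p for name, v in top10.items() if name != sensor for p in v}
    return [p for p in top10[sensor] if p not in others]

if __name__ == "__main__":
    print("seen by all sensors:", ports_seen_by_all(TOP10))
    for sensor in TOP10:
        print(sensor, "only:", local_only(TOP10, sensor))
```

Run on the table, the intersection also contains 3389/TCP in addition to the six services named in the text, and 8443/TCP stands out as the single service listed by only one sensor.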
In closing
Monitoring at multiple locations enables us to determine if certain changes are occurring only in a particular network. Although we have not published any special alerts as an extra issue or other information this quarter, it is important to pay attention to scanners. We will continue to publish blog articles as the Internet Threat Monitoring Quarterly Report becomes available every quarter. We will also publish an extra issue when we observe any unusual change. Your feedback on this series is much appreciated. Please use the below comment form to let us know which topic you would like us to introduce or discuss further. Thank you for reading.
Keisuke Shikano
(Translated by Takumi Nakano)
Article Link: TSUBAME Report Overflow (Apr-Jun 2024) – JPCERT/CC Eyes | JPCERT Coordination Center official Blog