Cisco's UDP-RCE
A short dissection of who's scanning for CVE-2016-1287, the latest IKEv1 and IKEv2 buffer overflow vulnerability, vulgo: CISCO-UDP-RCE-Vuln.
Since scanning is expected (and started shortly after the advisory became public), we wanted to know (and publish) who's scanning, and the results seem to be quite interesting.
The scans we detected follow a pattern similar to those observed by ISC.
UDP Port 500 Scans by 8ack
UDP Port 500 Scans by ISC
Most scans originated from research facilities or scanners like Shodan (top 5), followed by low-rate scanning from various sources (Germany, Ukraine, China), probably from compromised servers.
There is no "super-heavy internet-wide scanning" so far, just what should be expected; there is no need to scan yourself when Shodan already lists more than 1 million Cisco devices that are not home routers.
Shodan Search result for "cisco"
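As an added example (not part of the original post), the following Python groups UDP/500 probes from constructed iptables-style firewall log lines per source and separates fast census-style sweeps from the low-rate scanning described above; the log format, the thresholds and all sample addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Minimal iptables-style log pattern (assumed format, not taken from the post).
LINE_RE = re.compile(r"^(?P<ts>\w{3} \d+ \d\d:\d\d:\d\d) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
                     r"PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)")

# Constructed sample: one fast sweep, one slow sweep, one real IKE peer, one non-IKE datagram.
SAMPLE_LOG = """\
Feb 11 10:00:01 fw kernel: IN=eth0 SRC=198.51.100.7 DST=203.0.113.1 PROTO=UDP SPT=500 DPT=500 LEN=36
Feb 11 10:00:01 fw kernel: IN=eth0 SRC=198.51.100.7 DST=203.0.113.2 PROTO=UDP SPT=500 DPT=500 LEN=36
Feb 11 10:00:02 fw kernel: IN=eth0 SRC=198.51.100.7 DST=203.0.113.3 PROTO=UDP SPT=500 DPT=500 LEN=36
Feb 11 10:00:03 fw kernel: IN=eth0 SRC=198.51.100.7 DST=203.0.113.4 PROTO=UDP SPT=500 DPT=500 LEN=36
Feb 11 10:00:00 fw kernel: IN=eth0 SRC=192.0.2.9 DST=203.0.113.1 PROTO=UDP SPT=500 DPT=500 LEN=36
Feb 11 10:00:30 fw kernel: IN=eth0 SRC=192.0.2.9 DST=203.0.113.2 PROTO=UDP SPT=500 DPT=500 LEN=36
Feb 11 10:01:00 fw kernel: IN=eth0 SRC=192.0.2.9 DST=203.0.113.3 PROTO=UDP SPT=500 DPT=500 LEN=36
Feb 11 10:00:05 fw kernel: IN=eth0 SRC=198.51.100.42 DST=203.0.113.1 PROTO=UDP SPT=500 DPT=500 LEN=228
Feb 11 10:00:09 fw kernel: IN=eth0 SRC=198.51.100.42 DST=203.0.113.1 PROTO=UDP SPT=500 DPT=500 LEN=228
Feb 11 10:00:05 fw kernel: IN=eth0 SRC=198.51.100.42 DST=203.0.113.1 PROTO=UDP SPT=4500 DPT=4500 LEN=100
""".splitlines()

def parse_ike_probes(lines, year=2016):
    """Yield (timestamp, src, dst) for every UDP datagram aimed at port 500 (IKE)."""
    for line in lines:
        m = LINE_RE.match(line)
        if m and m["proto"] == "UDP" and m["dpt"] == "500":
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["src"], m["dst"]

def classify_sources(lines, min_targets=3, low_rate_pps=0.5):
    """Group probes per source and label each one; both thresholds are assumptions."""
    hits = defaultdict(list)
    for ts, src, dst in parse_ike_probes(lines):
        hits[src].append((ts, dst))
    report = {}
    for src, events in hits.items():
        times = [t for t, _ in events]
        span = max(1.0, (max(times) - min(times)).total_seconds())
        targets = len({d for _, d in events})
        rate = len(events) / span
        if targets < min_targets:
            verdict = "single-target"        # looks like a real IKE peer, not a sweep
        elif rate < low_rate_pps:
            verdict = "low-rate scanner"     # slow sweep, e.g. from a compromised host
        else:
            verdict = "heavy scanner"        # fast census-style sweep
        report[src] = {"probes": len(events), "targets": targets,
                       "rate_pps": round(rate, 3), "verdict": verdict}
    return report
```

Feeding real firewall logs in the same format gives a per-source table that can then be attributed via reverse DNS, as the list below does by hand.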
Scanners and their origin
158.130.6.191 (research-scan.cis.upenn.edu.) <- University of Pennsylvania
87.190.248.86 (e21r.de) <- independent "Researcher"
85.25.43.94 (rim.census.shodan.io) <- Shodan
71.6.135.131 (census7.shodan.io) <- Shodan
198.20.70.114 (census3.shodan.io) <- Shodan
198.20.69.98 (census2.shodan.io) <- Shodan
188.138.17.205 <- real scanner
179.43.147.222 <- real scanner
46.219.52.152 <- real scanner
109.169.67.102 <- real scanner
Questions? Contact: info@zero.bs