The Shadowserver Foundation, a non-profit security organization, has identified a significant uptick in high-severity activities involving hosts performing HTTP-based scans across diverse networks worldwide. These activities often include attempts to detect and potentially exploit vulnerabilities in targeted systems.
The report, originally developed as part of the EU Horizon 2020 SISSDEN Project and extended under the INEA CEF VARIoT initiative, provides detailed insights into observed attack patterns. It includes information on CVEs, CVSS scores, MITRE ATT&CK tactics and techniques, affected vendors, and exploit details linked to the HTTP requests.
While some HTTP scans serve legitimate purposes—such as search engine indexing, security research, or network diagnostics—others are indicative of malicious reconnaissance. Such activities are frequently linked to botnets actively seeking to identify and compromise vulnerable devices, including:
- Internet of Things (IoT) devices like routers, webcams, and VPN gateways
- Enterprise systems such as content management platforms and application servers
- Email infrastructure, notably Microsoft Exchange servers
The data collected in these activities provides a detailed picture of ongoing scanning efforts. It encompasses timestamps, source and destination IP addresses, geographic locations, and device information, which help security professionals understand the scale and scope of the activity. HTTP requests are analyzed for patterns that suggest vulnerability probing, such as specific URL paths or headers associated with known exploits. Many of these scans are linked to particular CVEs, with severity scores that assist organizations in prioritizing their response efforts. Additionally, raw request payloads and hashes of downloaded files support forensic investigations and threat attribution, aiding in the identification of malicious actors and their techniques.
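As an added illustration (not code from the report or from the Shadowserver Foundation), the Python below triages a constructed, simplified scan report of the kind the paragraph describes: it ranks scanning sources by the worst CVSS score attached to their requests and counts how many targets and distinct paths each one probed. The column names, IP addresses, URL paths and CVE identifiers are all assumptions or placeholders, not the foundation's actual schema or real vulnerabilities.

```python
import csv
from collections import Counter, defaultdict
from io import StringIO

# Constructed sample in an assumed Shadowserver-style layout. Column names are an
# assumption for this example; the CVE ids are placeholders, not real identifiers.
SAMPLE_REPORT = """timestamp,src_ip,dst_ip,src_geo,http_method,http_url,cve,cvss_score
2024-01-01T00:00:01Z,198.51.100.7,203.0.113.10,XX,GET,/,,
2024-01-01T00:00:02Z,198.51.100.7,203.0.113.10,XX,GET,/exchange/auth,CVE-0000-0001,9.8
2024-01-01T00:00:03Z,198.51.100.7,203.0.113.11,XX,POST,/cgi-bin/router-admin,CVE-0000-0002,8.8
2024-01-01T00:00:04Z,198.51.100.7,203.0.113.12,XX,POST,/cgi-bin/router-admin,CVE-0000-0002,8.8
2024-01-01T00:00:05Z,192.0.2.33,203.0.113.10,YY,GET,/robots.txt,,
2024-01-01T00:00:06Z,192.0.2.33,203.0.113.12,YY,GET,/cms/login,CVE-0000-0003,5.3
"""


def triage(report_text, min_cvss=7.0):
    """Summarise scan events per source IP, ranked by worst CVSS, then by breadth.

    Rows without a CVE (e.g. plain GET / or robots.txt) still count as activity
    but do not raise the source's severity, so benign crawlers sink to the bottom.
    """
    per_src = defaultdict(lambda: {"events": 0, "paths": set(), "targets": set(),
                                   "cves": set(), "max_cvss": 0.0})
    for row in csv.DictReader(StringIO(report_text)):
        s = per_src[row["src_ip"]]
        s["events"] += 1
        s["paths"].add(row["http_url"])
        s["targets"].add(row["dst_ip"])
        if row["cve"]:
            s["cves"].add(row["cve"])
            s["max_cvss"] = max(s["max_cvss"], float(row["cvss_score"] or 0.0))
    ranked = sorted(per_src.items(),
                    key=lambda kv: (kv[1]["max_cvss"], len(kv[1]["paths"])), reverse=True)
    return [{"src_ip": ip, "events": s["events"], "targets": len(s["targets"]),
             "distinct_paths": len(s["paths"]), "cves": sorted(s["cves"]),
             "max_cvss": round(s["max_cvss"], 1), "urgent": s["max_cvss"] >= min_cvss}
            for ip, s in ranked]


def top_paths(report_text):
    """Count which CVE-tagged URL paths were probed most, across all sources."""
    counts = Counter(row["http_url"] for row in csv.DictReader(StringIO(report_text))
                     if row["cve"])
    return counts.most_common()


if __name__ == "__main__":
    for entry in triage(SAMPLE_REPORT):
        print(entry)
    print(top_paths(SAMPLE_REPORT))
```

Feeding a real report through `triage` gives a defender a first cut at which sources to block or investigate, while `top_paths` shows which exposed services are drawing the most attention.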
Continuous monitoring and swift action remain essential in safeguarding networks against malicious scanning activities. It is important to note that these findings reflect observed network behavior and do not attribute malicious intent to specific actors. Instead, they serve as a critical resource for organizations seeking to improve their security posture against emerging and evolving threats.