1. Overview
JPCERT/CC has placed multiple monitoring sensors across the Internet to observe packets that are transmitted exhaustively to certain IP address ranges. It can be assumed that these packets are intended to scan for particular devices or services. JPCERT/CC continuously gathers the packets observed by the sensors and categorizes them by destination port number, source region, and so on. This information is then analyzed together with information on vulnerabilities, malware and attack tools to identify attack activities and preparations for attacks. If this analysis reveals a device or service that is being attacked or being used to carry out attacks, JPCERT/CC provides the information to parties who may be able to address the problem and asks them to take appropriate steps. This report provides an overview of the results of monitoring by JPCERT/CC's Internet threat monitoring system (TSUBAME) during this quarter and their analysis. The top 5 services scanned in Japan during this quarter are shown in [Table 1].
| Rank | Destination Port Numbers | Previous Quarter |
|---|---|---|
| 1 | Telnet(23/TCP) | 1 |
| 2 | http(80/TCP) | 2 |
| 3 | ssh(22/TCP) | 5 |
| 4 | https(443/TCP) | 3 |
| 5 | 8080/TCP | 9 |
*For details on the services provided on each port number, please refer to the documentation provided by IANA (1). The service names listed are based on the information provided by IANA, but this does not always mean that the packets received are in a format relevant to that service / protocol.
The numbers of scan packets observed for the services listed in [Table 1] are shown in [Figure 1].
The service most frequently scanned this quarter was Telnet (23/TCP). The second and fourth places were http (80/TCP) and https (443/TCP), which are mainly used by websites. ssh (22/TCP) ranked third, and the fifth place was 8080/TCP, which is often used as an alternative port for web servers or as an admin UI port. Next, the top 5 source regions from which scanning activities targeting Japan were seen most frequently during this quarter are shown in [Table 2].
| Rank | Source Regions | Previous Quarter |
|---|---|---|
| 1 | USA | 1 |
| 2 | Bulgaria | 2 |
| 3 | Germany | 6 |
| 4 | Netherlands | 4 |
| 5 | China | 3 |
The trend of the source regions for this quarter listed in [Table 2] is shown in [Figure 2].
The USA remained at the top, and the second and fourth places were also the same as in the previous quarter. Germany rose from sixth to third place, and China fell from third to fifth place. TSUBAME uses Regional Internet Registry (RIR) allocation data to determine the region of each IP address.
2. Observation results of packets sent from TP-Link routers apparently infected with malware
JPCERT/CC believes that most of the packets observed by TSUBAME are scan packets sent from devices infected with malware such as Mirai, with Telnet (23/TCP) as the destination port.
From among the packets observed by TSUBAME, JPCERT/CC examined those targeted at Telnet on a daily basis and found that they originated from around 200 nodes in Japan each day (Figure 3).
On close observation, two notable trends can be identified. First, there was a temporary decline in packets from August 12 to 26. Second, from around September 17 there was an increase in Telnet packets sent from malware-infected digital video recorders (DVRs) made by a particular manufacturer. Investigation of these DVRs is still under way. Figure 3 shows the changes in the number of source IP addresses for Telnet packets sent from within Japan, excluding the packets sent from these DVRs.
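The per-port, per-region and per-day tallies described in this section, as an added Python example that is not part of the report or of TSUBAME's own tooling. The sensor records, the record format and the DVR source address are constructed placeholders.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sensor records (not real TSUBAME data).
# Format assumed here: "timestamp src_ip src_region dst_port proto"
SAMPLE_RECORDS = """\
2024-08-10T01:02:03Z 203.0.113.10 JP 23 TCP
2024-08-10T01:05:00Z 203.0.113.11 JP 23 TCP
2024-08-10T02:00:00Z 203.0.113.10 JP 23 TCP
2024-08-10T03:00:00Z 198.51.100.5 US 80 TCP
2024-08-11T00:30:00Z 203.0.113.12 JP 23 TCP
2024-08-11T04:00:00Z 203.0.113.99 JP 23 TCP
2024-08-11T05:00:00Z 192.0.2.7 BG 8080 TCP
2024-08-11T06:00:00Z 203.0.113.11 JP 22 TCP
"""

# Hypothetical placeholder: source addresses already attributed to the DVR
# family that the report excludes from Figure 3 (not taken from the report).
DVR_SOURCES = frozenset({"203.0.113.99"})


def parse_records(text):
    """Parse one record per line into dicts with the day extracted from the timestamp."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, region, port, proto = line.split()
        day = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").date().isoformat()
        records.append({"day": day, "src": src, "region": region,
                        "port": int(port), "proto": proto})
    return records


def top_ports(records, n=5):
    """Rank destination ports by packet count (the Table 1 view)."""
    return Counter((r["port"], r["proto"]) for r in records).most_common(n)


def top_regions(records, n=5):
    """Rank source regions by packet count (the Table 2 view)."""
    return Counter(r["region"] for r in records).most_common(n)


def telnet_sources_per_day(records, region="JP", exclude=frozenset()):
    """Distinct source IPs per day sending Telnet (23/TCP) from the given region,
    minus addresses attributed to a known device family (the Figure 3 treatment)."""
    per_day = defaultdict(set)
    for r in records:
        if (r["port"], r["proto"]) == (23, "TCP") and r["region"] == region \
                and r["src"] not in exclude:
            per_day[r["day"]].add(r["src"])
    return {day: len(ips) for day, ips in sorted(per_day.items())}


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    print(top_ports(recs))
    print(top_regions(recs))
    print(telnet_sources_per_day(recs, exclude=DVR_SOURCES))
```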
TP-Link routers have been prominent source nodes for packets observed by TSUBAME. Some of the product names that have been observed to date are shown in Table 3.
| Product name | Firmware version (example) |
|---|---|
| Archer AX10(AX1500) | 1.0.6 Build 20191115 Rel.13978(4A50) |
| Archer AX20(AX1800) | 1.3.1 Build 20210524 Rel.40909(4A50) |
| Archer AX50(AX3000) | 1.0.3 Build 20200724 Rel.65251(4555) |
| Archer AX4800(AX4800) | 1.2.2 Build 20220317 Rel.50456(4A50) |
| Archer AX73(AX5400) | 1.0.3 Build 20210717 Rel.64680(4A50) |
| Archer AX6000(AX6000) | Unknown |
| Archer AX11000(AX11000) | 1.1.1 Build 20200716 Rel.84595(4A50) |
| Archer A6(AC1200) | Unknown |
| Archer C5400(AC5400) | Unknown |
| Deco series (M4/M5/X20, etc.) | Unknown (updated via the cloud) |
When the status of the source routers was examined, the admin web console (admin screen) was directly accessible from the Internet. Given its intended use, the admin screen should only be accessible from inside the LAN. When the admin screen is reachable from the WAN, it increases both the risk that vulnerabilities in the admin screen get exploited and the risk of intrusion into the admin screen through brute force attacks.
One of the following factors is considered responsible for accessibility from the WAN side.
- The remote access feature (remote management) of the admin screen is enabled
- The admin screen is exposed to the Internet because a router in AP mode was connected via a LAN port by mistake, in a network environment where a global IP address is allocated by DHCP or other means
In addition, some of the observed routers were running firmware from 2022 or earlier, indicating that they have likely not been updated for a long time. Such devices are at risk of attacks exploiting known vulnerabilities, so routers that have been used without firmware updates are at very high risk of unauthorized access and tampering, as well as of being used as stepping stones for attacks after malware infection.
Because of the above problems in network configuration and operational management, JPCERT/CC believes that some of the TP-Link routers may already have been turned into bots through unauthorized access and malware infection, and are being used as stepping stones for external scanning and attack campaigns. Internet-connected devices are not only accessible to their users but are subject to access attempts by attackers as well. Be sure to keep the firmware up to date, use proper authentication methods, set strong passwords, and disable unnecessary services.
3. Request from JPCERT/CC
JPCERT/CC may contact users of IP addresses sending suspicious packets and ask them to take certain action via Internet service providers. If you ever receive such requests, we hope you understand the purpose of our investigation activities and, if possible, provide information such as products used, firmware versions, and any evidence of intrusion. There are a number of unknown scanning activities, including those discussed in this report. Your information may offer valuable insights leading to clarification.
4. References
1. Service Name and Transport Protocol Port Number Registry, https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml
