Many threat actors are turning to malware to scan for software vulnerabilities that they can use in future cyber-attacks.
Security researchers at Unit 42, the threat intelligence branch of cybersecurity provider Palo Alto Networks, discovered a significant number of malware-initiated scans among the scanning attacks they detected in 2023.
Traditional Vulnerability Scanning Explained
Vulnerability scanning is a widespread reconnaissance step for malicious actors preparing cyber-attacks.
Like port scanning and operating system (OS) fingerprinting, vulnerability scanning involves initiating network requests in an attempt to exploit the potential vulnerabilities of the target hosts.
Traditional vulnerability scanning approaches are initiated from a benign target host (OS, router…).
Routers, in particular, have been exceedingly popular among attackers. In recent incidents, Russian hackers attempted to hijack Ubiquiti EdgeRouters, and a Chinese small office/home office (SOHO) botnet targeted Cisco and Netgear routers.
Leveraging Compromised Devices for Vulnerability Scanning
However, Unit 42 researchers have noticed that in 2023 a growing number of threat actors conducted their vulnerability scanning activity from a previously compromised host.
This type of malware-based vulnerability scanning is stealthier and more efficient for the attacker. By using a compromised host, threat actors can:
- Cover their traces more easily
- Bypass geofencing
- Expand the bot networks (botnets) they are using
- Leverage the resources of these compromised devices to generate a higher volume of scanning requests compared to what they could achieve using only their own devices
Unit 42’s telemetry showed that many vulnerability scanning activity clusters targeted vulnerabilities in commodity products such as Ivanti’s Connect Secure and Policy Secure solutions and Progress’ MOVEit Transfer.
Malware-Driven Scanning Attacks
Upon analyzing relevant logs, Unit 42 researchers discovered evidence of a new threat model for malware-driven scanning attacks.
In this model, attackers infect a device and use its resources to perform scanning.
The researchers explained: “Typically, once a device gets compromised by malware, this malware beacons to attacker-controlled control and command (C2) domains for instructions. Threat actors can instruct the malware to perform scanning attacks.”
After receiving this instruction, the malware initiates scanning requests to various targets using the infected device’s resources.
The ideal outcome for the attacker is to find and exploit vulnerable targets.
“Depending on the type of attack planned by the threat actor, the targets can vary. [Additionally], an attacker might also be trying to exploit as many websites as they can for various purposes, such as spreading a botnet. In that case, an attacker would broaden its scope for a variety of different targets,” added the researchers.
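Because the scan phase of this model runs from an infected internal host rather than from the attacker's own infrastructure, one defensive signal is a single internal source fanning out to many distinct targets shortly after its periodic C2 beacons. The following Python is an added example (not code from the article or from Unit 42); its "timestamp src dst dport" log layout and all addresses are constructed for illustration.

```python
"""Flag internal hosts whose outbound connections fan out to many distinct
targets within a short sliding window, the footprint a compromised host
leaves when its malware is instructed to scan. Log format and sample data
are constructed for this example, not taken from any vendor or dataset."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one line per new outbound flow, "ts src dst dport".
SAMPLE_LOG = "\n".join(
    ["2023-10-05T10:00:00 10.0.0.5 203.0.113.10 443",  # periodic C2 beacon
     "2023-10-05T10:00:31 10.0.0.5 203.0.113.10 443",
     "2023-10-05T10:01:02 10.0.0.5 203.0.113.10 443",
     "2023-10-05T10:00:05 10.0.0.7 203.0.113.20 443",  # ordinary browsing host
     "2023-10-05T10:00:40 10.0.0.7 203.0.113.21 443",
     "2023-10-05T10:01:15 10.0.0.7 203.0.113.22 80"]
    # After the beacons, 10.0.0.5 sweeps 40 hosts on 443 within 40 seconds.
    + [f"2023-10-05T10:01:{10 + i:02d} 10.0.0.5 198.51.100.{i + 1} 443"
       for i in range(40)]
)


def parse_line(line):
    """Split one log line into (timestamp, src, dst, dport)."""
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)


def fan_out_alerts(log_text, window=timedelta(seconds=60), threshold=20):
    """Return {src: peak distinct (dst, dport) targets seen inside any
    `window`} for sources whose peak reaches `threshold`."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    by_src = defaultdict(list)
    for ts, src, dst, dport in events:
        by_src[src].append((ts, (dst, dport)))
    alerts = {}
    for src, evs in by_src.items():
        start, best = 0, 0
        in_window = defaultdict(int)  # target -> flows currently in window
        for ts, target in evs:
            in_window[target] += 1
            while ts - evs[start][0] > window:  # expire flows older than window
                old = evs[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            best = max(best, len(in_window))
        if best >= threshold:
            alerts[src] = best
    return alerts


if __name__ == "__main__":
    print(fan_out_alerts(SAMPLE_LOG))  # {'10.0.0.5': 41}
```

The threshold and window are tunable assumptions; a real deployment would baseline each host's normal fan-out before alerting.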
One of the most common botnets is Mirai, a malware discovered in 2016 by security research group MalwareMustDie.
Mirai turns networked devices running Linux into remotely controlled bots that can be used as part of a botnet in large-scale network attacks.