Hackers Using Malware-Driven Scanning Attacks To Pinpoint Vulnerabilities

Attackers are now using malware-infected devices to scan target networks instead of directly scanning them. This approach helps them to hide their identity, evade geographical restrictions (geofencing), and grow their botnets.

Compromised hosts provide more resources to launch large-scale scans than a single attacker machine could manage. Systems can effectively detect established and novel scanning patterns by analyzing scan characteristics like request volume and matching them with known threat signatures. 

Attackers use scanning techniques to probe target networks for weaknesses, which can identify open ports, software vulnerabilities, and even operating systems.

By exploiting these vulnerabilities, attackers can gain unauthorized access or disrupt systems. 

In the example, the attacker scans random-university.edu using an HTTP POST request to identify the MOVEit vulnerability (CVE-2023-34362), which can lead to a compromise if successful. 

Analyzing traffic logs across multiple networks has identified a significant increase in scanning activity targeting potential vulnerabilities.

One example involved an unusually high request volume (7,147 times in 2023) to endpoints associated with the MOVEit vulnerability (CVE-2023-34362).

The requests appeared before the vulnerability was publicly known, and the telemetry further revealed over 66 million requests in 2023 that could be linked to scanning. 

Attackers were observed using novel URLs within their exploits to bypass security measures.

Palo Alto Networks identified two such instances: a Mirai variant using “103.245.236[.]188/skyljne.mips” and an attempt to exploit Ivanti vulnerabilities with “45.130.22[.]219/ivanti.js”. 

In both cases, the scanning requests preceded the detection of subsequent malicious payloads, highlighting the importance of proactive scanning detection for timely threat mitigation. 

Attackers use malware to hijack infected devices and turn them into scanning machines by communicating with attacker-controlled servers for instructions and scanning target domains upon receiving a scan command. 

The technique allows attackers to evade detection and use the resources of compromised devices for large-scale vulnerability scanning, where the targets can vary depending on the attacker’s goals, which could be focused attacks against specific entities or widespread scanning to infect more devices.  

A Mirai variant exploit takes advantage of a Zyxel router vulnerability that does not check inputs thoroughly enough to download a malicious file and copy itself, which was used in a distributed attack where 2,247 devices scanned 15,812 targets. 

The botnets keep incorporating new vulnerabilities and defenders need to patch vulnerabilities and update detection systems to block new variants, while monitoring scanning activities across multiple networks can help detect new scanning patterns more rapidly. 

Ivanti Vulnerability Scanning:

Chained vulnerabilities (CVE-2023-46805, CVE-2024-21887) were recently used in an attack campaign against Ivanti products, where the attackers used path traversal in a GET request to get around authentication for a path that had a command injection vulnerability. 

It allowed them to execute commands and potentially gain access to vulnerable systems by using the attack to harvest the IP addresses of potential targets from a DNS logging service. 

Attackers target common technologies like routers, web application frameworks, and collaboration tools, as data shows widespread vulnerability scans targeting routers, including recent attacks on Ubiquiti EdgeRouters and Cisco/NetGear routers by Russian and Chinese hackers, which are not limited to specific router brands.

Secure your emails in a heartbeat! To find your ideal email security vendor, Take a Free 30-Second Assessment.