Many threat actors are turning to malware to scan for software vulnerabilities that they can exploit in future cyber-attacks.
Security researchers at Unit 42, the threat intelligence branch of cybersecurity provider Palo Alto Networks, discovered a significant number of malware-initiated scans among the scanning attacks they detected in 2023.
Vulnerability scanning is a widespread reconnaissance step for malicious actors preparing cyber-attacks.
Like port scanning and operating system fingerprinting, vulnerability scanning involves initiating network requests in an attempt to exploit potential vulnerabilities on the target hosts.
Traditional vulnerability scanning approaches are initiated from a benign target host.
Routers, in particular, have been exceedingly popular among attackers.
In recent incidents, Russian hackers attempted to hijack Ubiquiti EdgeRouters and a Chinese small office/home office (SOHO) botnet has targeted Cisco and NetGear routers.
Unit 42 researchers have noticed that in 2023 a growing number of threat actors conducted their vulnerability scanning activity from a previously compromised host.
Unit 42's telemetry showed that many vulnerability scanning activity clusters targeted vulnerabilities in commodity products such as Ivanti's Connect Secure and Policy Secure solutions and Progress' MOVEit Transfer.
Upon analyzing relevant logs, Unit 42 researchers discovered evidence of a new threat model for malware-driven scanning attacks.
In this model, attackers infect a device and then instruct the malware on it to perform scanning.
After receiving this instruction, the malware initiates scanning requests to various targets using the infected device's resources.
The ideal outcome for the attacker is to find and exploit vulnerable targets.
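From the defender's side, the model described above has a visible signature: a device inside the network that normally talks to a handful of services suddenly fans out to many destinations (or many ports on one destination) within a short window. The following Python is an added example, not code from Unit 42 or from the article, that applies this fan-out heuristic to constructed firewall-style records; the log format, the thresholds, and the sample addresses are all assumptions made for the illustration.

```python
"""Flag internal hosts whose outbound traffic looks like vulnerability scanning.

Added example (not from the Unit 42 report or the article). The record format
'<epoch> src=<ip> dst=<ip> dport=<port>' and the thresholds below are assumptions
chosen for illustration; tune them to your own baseline.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int      # epoch seconds
    src: str
    dst: str
    dport: int


LINE_RE = re.compile(r"^(\d+) src=(\S+) dst=(\S+) dport=(\d+)$")


def parse_line(line):
    """Parse one constructed flow record; return None for malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, dport = m.groups()
    return Flow(int(ts), src, dst, int(dport))


# Assumed thresholds: how much fan-out within one window counts as a sweep.
WINDOW_SECONDS = 60
MIN_DISTINCT_DSTS = 20   # horizontal sweep: one port across many hosts
MIN_DISTINCT_PORTS = 15  # vertical sweep: many ports on a single host


def scan_candidates(flows, window=WINDOW_SECONDS,
                    min_dsts=MIN_DISTINCT_DSTS, min_ports=MIN_DISTINCT_PORTS):
    """Return {source_ip: reason} for sources whose per-window fan-out exceeds the thresholds."""
    # Bucket flows by (source, time window) so bursts are judged per window.
    buckets = defaultdict(list)
    for f in flows:
        buckets[(f.src, f.ts // window)].append(f)

    findings = {}
    for (src, _), fs in buckets.items():
        if src in findings:
            continue  # already flagged in an earlier window
        dsts = {f.dst for f in fs}
        ports_by_dst = defaultdict(set)
        for f in fs:
            ports_by_dst[f.dst].add(f.dport)
        widest = max(len(p) for p in ports_by_dst.values())
        if len(dsts) >= min_dsts:
            findings[src] = f"horizontal sweep: {len(dsts)} distinct destinations within {window}s"
        elif widest >= min_ports:
            findings[src] = f"vertical sweep: {widest} distinct ports on one destination within {window}s"
    return findings


def build_sample_log():
    """Constructed records: one normal host, one host sweeping port 443 across a /24,
    one host probing many ports on a single peer, plus a malformed line."""
    base = 1_712_678_100  # constructed timestamp, aligned to the 60s window
    lines = []
    # Normal workstation: repeat connections to two services only.
    for i in range(6):
        lines.append(f"{base + i * 7} src=10.0.0.5 dst=198.51.100.10 dport=443")
        lines.append(f"{base + i * 7 + 3} src=10.0.0.5 dst=198.51.100.20 dport=993")
    # Compromised device: the same port across 30 hosts in under a minute.
    for i in range(30):
        lines.append(f"{base + i} src=10.0.0.23 dst=203.0.113.{i + 1} dport=443")
    # Compromised device: 20 different ports on one host.
    for i in range(20):
        lines.append(f"{base + i} src=10.0.0.40 dst=203.0.113.99 dport={8000 + i}")
    lines.append("garbage line that should be ignored")
    return lines


def detect(lines):
    """Parse the records, drop malformed ones, and return the scan findings."""
    flows = [f for f in map(parse_line, lines) if f is not None]
    return scan_candidates(flows)


if __name__ == "__main__":
    for src, reason in detect(build_sample_log()).items():
        print(src, "->", reason)
```

The heuristic only looks at fan-out, so a legitimate asset-inventory scanner or a monitoring server will trip it as well; in practice you would keep an allowlist of hosts that are expected to scan and treat a hit from a router, printer or other embedded device as the higher-priority alert, since those are exactly the devices the article says attackers prefer to repurpose.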
One of the most common botnets is Mirai, malware discovered in 2016 by the security research group MalwareMustDie.
Mirai turns networked devices running Linux into remotely controlled bots that can be used as part of a botnet in large-scale network attacks.
This Cyber News was published on www.infosecurity-magazine.com. Publication date: Tue, 09 Apr 2024 16:15:08 +0000