Hackers use malware to scan for software vulnerabilities

esteria.white

Many threat actors are turning to malware to scan for software vulnerabilities that they can exploit in future cyberattacks.

Security researchers at Unit 42, the threat intelligence arm of cybersecurity vendor Palo Alto Networks, found that a significant share of the scanning attacks they detected in 2023 were initiated by malware running on compromised devices.

Traditional Vulnerability Scanning Explained

Vulnerability scanning is a popular reconnaissance step for malicious actors wanting to deploy cyberattacks.

Like port scanning and operating system (OS) fingerprinting, vulnerability scanning sends network requests to target hosts. The difference is that its requests are crafted to test for, and often attempt to exploit, specific known vulnerabilities rather than merely enumerate open services.

Traditional vulnerability scanning is launched from a host the attacker operates directly (a server, a router, etc.), which means the scanning traffic can be traced back to, and blocked at, that single source.

Routers, in particular, are extremely popular among attackers. In recent incidents, Russian hackers attempted to hijack Ubiquiti EdgeRouters, and a Chinese small office/home office (SOHO) botnet targeted Cisco and Netgear routers.


Leveraging Compromised Devices for Vulnerability Scanning

However, Unit 42 researchers observed that in 2023 an increasing number of malicious actors conducted their vulnerability scanning from previously compromised hosts.

This malware-based vulnerability scanning makes for a stealthier and more efficient operation. By using a compromised host, malicious actors can:

  • Cover their tracks more easily
  • Bypass geofencing
  • Expand the botnets they use
  • Leverage the resources of these compromised devices to generate a higher volume of scan requests than their own infrastructure could.

Telemetry from Unit 42 showed that many clusters of vulnerability scanning activity targeted vulnerabilities in widely deployed products such as Ivanti Connect Secure and Ivanti Policy Secure, and Progress MOVEit Transfer.

Malware-Based Scanning Attacks

By analyzing the relevant logs, Unit 42 researchers found evidence of a new threat model for malware-based scanning attacks.

In this model, attackers infect a device and use its resources to perform scanning.

The researchers explained: “Typically, once a device is compromised by malware, that malware heads to the command and control (C2) domains controlled by the attacker for instructions. Malicious actors can instruct the malware to perform scanning attacks.

After receiving this instruction, the malware initiates scanning requests to various targets using the infected device’s resources.

The ideal outcome for the attacker is to find and exploit vulnerable targets.”

“Depending on the type of attack the threat actor is planning, the targets may vary. [In addition], an attacker can also attempt to exploit as many websites as possible for various purposes, for example to propagate a botnet. In this case, an attacker would expand their reach to a variety of different targets,” the researchers added.
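The threat model above, together with the list of advantages a compromised host gives an attacker, has a practical consequence for defenders: a per-IP rate threshold that catches a traditional scanner (one host, many probes, short window) misses a botnet whose infected devices each send only one or two probes. The following script is an added example written for this page, not code from the article or from Unit 42, and it illustrates both patterns against a handful of constructed Combined Log Format lines. The function names (`analyze`, `detect_single_source`, `detect_distributed`), the IP addresses, and the thresholds (`min_paths`, `max_window_s`, `min_error_ratio`, `min_sources`) are all assumptions chosen for the illustration, not values from the research.

```python
"""Heuristic detection of vulnerability-scanning traffic in web access logs.

Added example (not from the original article or Unit 42). It contrasts
single-source scanning, where one IP probes many paths in a short window,
with malware-based distributed scanning, where the same probe path arrives
from many unrelated source IPs, each sending too little to trip a per-IP
threshold. All log lines and thresholds below are constructed for the demo.
"""
import re
from collections import defaultdict
from datetime import datetime

# Combined Log Format prefix; referer and user-agent are ignored.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: one noisy scanner, one benign client, three bots that
# each send a single probe for the same path minutes apart.
SAMPLE_LOG = [
    '198.51.100.7 - - [12/Mar/2024:10:00:01 +0000] "GET /admin HTTP/1.1" 404 153 "-" "python-requests/2.31"',
    '198.51.100.7 - - [12/Mar/2024:10:00:02 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 153 "-" "python-requests/2.31"',
    '198.51.100.7 - - [12/Mar/2024:10:00:04 +0000] "GET /.env HTTP/1.1" 404 153 "-" "python-requests/2.31"',
    '198.51.100.7 - - [12/Mar/2024:10:00:05 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "python-requests/2.31"',
    '198.51.100.7 - - [12/Mar/2024:10:00:07 +0000] "GET /manager/html HTTP/1.1" 404 153 "-" "python-requests/2.31"',
    '198.51.100.7 - - [12/Mar/2024:10:00:09 +0000] "GET /console HTTP/1.1" 404 153 "-" "python-requests/2.31"',
    '192.0.2.10 - - [12/Mar/2024:10:01:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [12/Mar/2024:10:01:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [12/Mar/2024:10:01:02 +0000] "GET /static/app.js HTTP/1.1" 200 8810 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Mar/2024:10:03:00 +0000] "GET /.git/config HTTP/1.1" 404 153 "-" "curl/8.4.0"',
    '203.0.113.77 - - [12/Mar/2024:10:11:30 +0000] "GET /.git/config HTTP/1.1" 404 153 "-" "curl/8.4.0"',
    '192.0.2.44 - - [12/Mar/2024:10:27:15 +0000] "GET /.git/config HTTP/1.1" 404 153 "-" "curl/8.4.0"',
]


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def detect_single_source(records, min_paths=5, max_window_s=60, min_error_ratio=0.8):
    """Traditional scanner signature: one IP, many distinct paths, mostly 4xx,
    all within a short window. Returns {ip: summary} for flagged sources."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r)
    flagged = {}
    for ip, recs in by_ip.items():
        paths = {r["path"] for r in recs}
        if len(paths) < min_paths:
            continue
        errors = sum(1 for r in recs if 400 <= r["status"] < 500)
        stamps = [r["ts"] for r in recs]
        window = (max(stamps) - min(stamps)).total_seconds()
        if window <= max_window_s and errors / len(recs) >= min_error_ratio:
            flagged[ip] = {"paths": len(paths), "errors": errors, "window_s": window}
    return flagged


def detect_distributed(records, min_sources=3):
    """Malware-based scanning signature: the same failing probe path seen from
    several unrelated IPs. Per-IP thresholds never fire because each infected
    device sends very little; grouping by target path exposes the campaign."""
    sources_by_path = defaultdict(set)
    for r in records:
        if 400 <= r["status"] < 500:
            sources_by_path[r["path"]].add(r["ip"])
    return {path: sorted(ips) for path, ips in sources_by_path.items()
            if len(ips) >= min_sources}


def analyze(lines):
    """Run both detectors over raw log lines; returns (single_source, distributed)."""
    records = [r for r in map(parse_line, lines) if r is not None]
    return detect_single_source(records), detect_distributed(records)


if __name__ == "__main__":
    single, distributed = analyze(SAMPLE_LOG)
    print("single-source scanners:", single)
    print("distributed probe paths:", distributed)
```

On the constructed input, the first detector flags only 198.51.100.7, while the three bots probing `/.git/config` slip past it entirely and are only caught by grouping failed requests by path. In production the path grouping should be run over a longer window and across hosts, since a botnet spreads its probes in time as well as across source addresses.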

One of the most common botnets is Mirai, malware first identified in 2016 by the security research group MalwareMustDie.

Mirai turns networked devices running Linux into remotely controlled bots that can be used as part of a botnet in large-scale network attacks.
