Hackers deploy malware-driven scans to uncover vulnerabilities

Home/Internet Security, malicious cyber actors, Malware, Mobile Security, Security Advisory, Security Update, vulnerability/Hackers deploy malware-driven scans to uncover vulnerabilities

Hackers deploy malware-driven scans to uncover vulnerabilities

Hackers are employing malware-infected devices for scanning target networks rather than conducting direct scans. This strategy allows them to obscure their identity, circumvent geographical restrictions (geofencing), and expand their botnets.

Compromised hosts offer ample resources for conducting large-scale scans, surpassing the capacity of a single attacker machine. Effective detection systems analyze scanning patterns, such as request volume, to identify both established and new threats.

These scanning techniques uncover weaknesses in target networks, revealing open ports, software vulnerabilities, and operating system details.

Malware-Driven Scanning Attacks

Attackers exploit these vulnerabilities to gain unauthorized access or disrupt systems.

direct attack scanning

In this example, the attacker scans random-university.edu using an HTTP POST request to identify the MOVEit vulnerability (CVE-2023-34362), which, if successful, can lead to a compromise.

Examining traffic logs across various networks has revealed a notable surge in scanning activity aimed at potential vulnerabilities.

One instance saw a spike in requests (7,147 times in 2023) to endpoints linked with the MOVEit vulnerability (CVE-2023-34362). Additionally, telemetry data uncovered over 66 million requests in 2023, potentially tied to scanning activities.

Malware-driven scanning

Attackers employed new URLs in their exploits to evade security measures, as identified by Palo Alto Networks. Notable instances include a Mirai variant using “103.245.236[.]188/skyljne.mips” and an Ivanti vulnerability exploit attempt with “45.130.22[.]219/ivanti.js”.

In both instances, scanning requests preceded the detection of subsequent malicious payloads, underscoring the need for proactive scanning detection to mitigate threats promptly.

Attackers leverage compromised devices to conduct large-scale vulnerability scanning, evading detection while targeting various entities.

For instance, a Mirai variant exploit targets Zyxel routers, allowing for distributed attacks involving thousands of devices scanning numerous targets. Defenders must continuously patch vulnerabilities and update detection systems to counter evolving threats.

All about Ivanti Vulnerability Scanning

Chained vulnerabilities (CVE-2023-46805, CVE-2024-21887) enabled attackers to bypass authentication and execute commands in an attack campaign targeting Ivanti products.

Using the attack to harvest potential target IP addresses from a DNS logging service, attackers could execute commands and potentially gain access to vulnerable systems.

Common technologies like routers, web application frameworks, and collaboration tools are targeted, with recent attacks on Ubiquiti EdgeRouters and Cisco/NetGear routers by Russian and Chinese hackers indicating widespread vulnerability scans across various router brands.

Indicators of Compromise

IP addresses/URLs/SHAs that have hosted Mirai malware

  • 45.66.230[.]32
  • 85.208.139[.]73
  • 87.120.88[.]13
  • 95.214.27[.]244
  • 103.110.33[.]164
  • 103.95.196[.]149
  • 103.131.57[.]59/mips
  • 103.212.81[.]116
  • 103.228.126[.]17
  • 145.40.126[.]81/mips
  • 146.19.191[.]85
  • 146.19.191[.]108
  • 176.97.210[.]211/mips
  • 185.112.83[.]15
  • 193.31.28[.]13
  • 193.47.61[.]75
  • 217.114.43[.]149
  • 23190d722ba3fe97d859bd9b086ff33a14ae9aecfc8a2c3427623f93de3d3b14

Domain and URL associated with Ivanti vulnerability scans

  • dnslog[.]store
  • hxxp://45.130.22[.]219/ivanti.js
  • 137.220.130[.]2/doc

‍Follow Us on: Twitter, InstagramFacebook to get the latest security news!

About the Author:

FirstHackersNews- Identifies Security

Leave A Comment

Subscribe to our newsletter to receive security tips everday!