
Unit 42: Malware-initiated scanning attacks on the rise

Palo Alto Networks' research team warned of threat actors compromising one victim and then using that victim's resources to discreetly scan for vulnerabilities on other systems.

Malware-initiated scanning attacks are on the rise, according to new research from Palo Alto Networks' Unit 42 research team.

Malware-initiated scanning attacks occur when threat actors compromise a system and use it to scan other, often higher-value targets for vulnerabilities, open ports or operating systems via network requests. As Unit 42 researchers noted in a blog post, this serves multiple purposes: it enables the threat actors to cover their tracks, bypass geofencing, expand botnets and leverage the resources of compromised devices to generate more scanning requests.

Unit 42's research covers an increase, based on its telemetry, in this style of attack over more direct means of threat actor vulnerability scanning, as well as emerging methods in how these attacks are conducted.

The research includes a threat model offering insight into how attacks are generally carried out.

"Typically, once a device gets compromised by malware, this malware beacons to attacker-controlled C2 domains for instructions. Threat actors can instruct the malware to perform scanning attacks. Then, the malware on the compromised device initiates scanning requests to various target domains. For example, assume a host gets infected by a Mirai variant," the blog post read.

Researchers said the Mirai variant would then connect to its C2 server, where it would receive instructions to begin scanning. The threat actors would then scan targets through the initial victim device's resources, so the scanning traffic appears to originate from the victim.

In addition to researchers seeing an increase in the number of these types of attacks, Unit 42 telemetry also suggests threat actors are getting more efficient. Unit 42, in one case, saw thousands of requests related to MOVEit vulnerability CVE-2023-34362 using "benign" URLs ending with guestaccess.aspx.

"Our telemetry indicates that URLs ending with guestaccess.aspx have been requested 7,147 times in 2023 by at least 1,406 devices. This endpoint is tied to the MOVEit vulnerability CVE-2023-34362, which was published on June 2, 2023," the blog post read. "When we review our historic data, we observe this endpoint in our telemetry with different destination websites even before the CVE publish date. After reviewing our telemetry from multiple networks, we detected over 66 million requests in 2023 that were potentially associated with scanning activity."

Threat actors are also using previously unseen URLs to bypass defenders that may be otherwise prepared to detect and block scanning activity. Unit 42 saw relevant threat activity in January tied to the Mirai botnet and recent Ivanti vulnerabilities.

"We observed many scanning cases where attackers embedded previously unseen URLs for payload delivery or C2 together with the exploit request," Unit 42 said. "This reduces the possibility of subsequent payload or C2 URLs being blocked by security vendors. As these payload delivery or C2 URLs are new to security vendors, it is crucially important to detect and block such initial scanning requests as vendors are unlikely to block subsequent requests."
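As an added illustration (not Unit 42's code or telemetry), the following Python applies the two detection ideas above to proxy logs: it counts requests to the guestaccess.aspx endpoint per source device, and it reports any payload or C2 URL embedded in such a request whose host the network has never contacted before. The log format, the sample lines, and the allowlist of known hosts are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample proxy log lines (not Unit 42's telemetry).
# Assumed format: "<timestamp> <src_ip> <method> <url>"
SAMPLE_LOG = """\
2023-06-05T10:00:01Z 10.0.0.5 GET https://files.example.net/home/index.html
2023-06-05T10:00:02Z 10.0.0.5 POST https://files.example.net/guestaccess.aspx
2023-06-05T10:00:03Z 10.0.0.9 POST https://transfer.example.org/guestaccess.aspx?next=http%3A%2F%2Fnew-host.invalid%2Fbot.sh
2023-06-05T10:00:04Z 10.0.0.7 GET https://intranet.example.com/GUESTACCESS.ASPX
2023-06-05T10:00:05Z 10.0.0.9 POST https://files.example.net/guestaccess.aspx
"""

# Hosts this network has legitimately contacted before (constructed allowlist).
KNOWN_HOSTS = {"files.example.net", "transfer.example.org", "intranet.example.com"}

SCAN_PATH = "/guestaccess.aspx"  # endpoint the article ties to CVE-2023-34362
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def embedded_urls(url):
    """Return URLs carried inside the query string of `url`.
    parse_qsl percent-decodes the values, so an encoded http%3A%2F%2F... is found."""
    found = []
    for _, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        found.extend(URL_RE.findall(value))
    return found


def analyze(log_text, known_hosts):
    """Count guestaccess.aspx requests per source device (case-insensitive path
    match) and flag embedded URLs whose host is not in the allowlist."""
    per_device = {}
    unseen = []
    for line in log_text.splitlines():
        _ts, src, _method, url = line.split(maxsplit=3)
        if not urlsplit(url).path.lower().endswith(SCAN_PATH):
            continue
        per_device[src] = per_device.get(src, 0) + 1
        for inner in embedded_urls(url):
            host = urlsplit(inner).hostname
            if host and host not in known_hosts:
                unseen.append((src, host, inner))
    return {"requests": sum(per_device.values()),
            "devices": per_device, "unseen": unseen}
```

Blocking at the first flagged request is the point the researchers make: once the embedded host is allowed through, the follow-up payload or C2 fetch is unlikely to be on any vendor blocklist yet.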

TechTarget Editorial has contacted Unit 42 for additional comment.

Unit 42 researchers emphasized the importance of proactive monitoring and other defenses against malicious scanning. The researchers also recommended advanced URL filtering to block malware-initiated scanning attacks.

Alexander Culafi is a senior information security news writer and podcast host for TechTarget Editorial.
