Silent Threat: Malware-Initiated Scans

by ·

Experts at Palo Alto Networks have discovered that cybercriminals are increasingly resorting to so-called “scanning attacks,” initiated by malicious software, to detect vulnerabilities within target networks. Intriguingly, a significant majority of such attacks originate from legitimate devices within secure networks. How then do hackers manage to so deftly outmaneuver cybersecurity experts?

The company points out that to conduct widespread scans from secure and trusted networks, hackers initially infiltrate these networks and infect them with malicious software. However, these malware, functioning essentially as simple botnets, do not engage in DoS attacks or cryptocurrency mining; instead, they systematically scan the internet for devices susceptible to newly discovered methods of compromise.

The exploitation of legitimate infrastructure allows hackers to anonymously identify vulnerabilities across a variety of networks, effectively circumventing any geographical restrictions.

It’s noted that infected devices are utilized to generate a far greater number of scanning requests than could be achieved using the malicious actors’ own equipment.

This affords hackers a quicker identification of potential targets and a broader window for launching attacks, especially against large corporations that diligently address cybersecurity issues by promptly rectifying vulnerabilities.

As primary indicators of suspicious activity for such “malicious scanning,” experts have identified an unusually high volume of requests and the use of recognizable malicious signatures, frequently employed by attackers.

Through network traffic monitoring, Palo Alto Networks specialists have uncovered new scanning patterns, as well as the use of previously unknown URLs for delivering malicious software, which also serve as channels for operating command servers.

The analysis of malicious activity reveals that popular botnets, such as Mirai, are actively integrating new vulnerabilities to propagate, underscoring the importance of timely updates to detection and attack-blocking systems.

For instance, a marked increase in scanning activity was immediately observed following the dissemination of information in January about the existence of zero-day vulnerabilities in Ivanti products, indicating heightened criminal interest in newly discovered vulnerabilities.

Palo Alto Networks experts emphasize that through advanced monitoring systems and swift response mechanisms, organizations can timely detect and neutralize these threats, safeguarding their critical assets. The key to success lies in the continual enhancement of cybersecurity measures and well-coordinated communication about new threats, to prepare networks for imminent risks.