Security researchers at Unit 42 [1], the threat intelligence branch of Palo Alto Networks [1], have identified a rise in malware-driven scanning attacks in 2023 [1].
Description
In these attacks, threat actors compromise systems and then use them to scan for vulnerabilities [4], open ports [4], and operating systems [4]. Rather than scanning from their own infrastructure, the attackers have the infected devices perform the scanning, which hides the true origin of the activity, expands their botnets [2] [4], and lets them issue more scanning requests from the compromised devices [4].

Palo Alto Networks offers protection against such malicious scanning activity through its Next-Generation Firewall and Prisma SASE with Cloud-Delivered Security Services [3]. The Prisma Cloud WAAS module specifically helps protect cloud-native web applications and API endpoints from scanning attacks [3].

Mirai [1], a common botnet [1], turns Linux devices into remotely controlled bots for large-scale network attacks [1]. Unit 42 telemetry data has revealed thousands of requests related to the MOVEit vulnerability CVE-2023-34362 [4], with threat actors using new URLs to bypass detection [4]. Threat actors are also using previously unseen URLs for payload delivery and C2 communication to evade security measures [4].
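Because the scanning is done by compromised devices, the earliest signal a defender usually has is an internal host that suddenly fans out to many destinations or ports. The following added example (not code from Unit 42 or any cited article) applies a simple sliding-window heuristic to constructed flow records; the record format, IP addresses, window and threshold are assumptions.

```python
"""Heuristic detection of scanning behaviour by internal hosts (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_flows():
    """Constructed flow records: (timestamp, src_ip, dst_ip, dst_port). Not real telemetry."""
    base = datetime(2023, 6, 15, 10, 0, 0)
    flows = []
    # Benign workstation: a handful of connections to one web server.
    for i in range(5):
        flows.append((base + timedelta(seconds=10 * i), "10.0.0.7", "203.0.113.10", 443))
    # Compromised device sweeping a /24 for one service (horizontal scan).
    for i in range(20):
        flows.append((base + timedelta(seconds=i), "10.0.0.5", f"198.51.100.{i + 1}", 8080))
    # Compromised device probing many ports on one host (vertical scan).
    for i in range(15):
        flows.append((base + timedelta(seconds=2 * i), "10.0.0.9", "203.0.113.50", 20 + i))
    return flows


def find_scanners(flows, window=timedelta(seconds=60), threshold=10):
    """Return {src_ip: reason} for sources that, inside any sliding window,
    reach >= threshold distinct hosts or >= threshold distinct ports on one host."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in sorted(flows):
        by_src[src].append((ts, dst, dport))
    hits = {}
    for src, events in by_src.items():
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until the span fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            win = events[start:end + 1]
            hosts = {dst for _, dst, _ in win}
            if len(hosts) >= threshold:
                hits[src] = f"horizontal: {len(hosts)} hosts within {window.seconds}s"
                break
            ports_by_host = defaultdict(set)
            for _, dst, dport in win:
                ports_by_host[dst].add(dport)
            dst, ports = max(ports_by_host.items(), key=lambda kv: len(kv[1]))
            if len(ports) >= threshold:
                hits[src] = f"vertical: {len(ports)} ports on {dst} within {window.seconds}s"
                break
    return hits
```

The thresholds are deliberately low for the constructed data; in production they should be tuned per network segment so that legitimate asset-management or vulnerability scanners are allow-listed rather than flagged.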
Conclusion
It is crucial for individuals to remain vigilant against these evolving threats. If there is suspicion of compromise or an urgent matter, contacting the Unit 42 Incident Response team is recommended to address potential security breaches effectively.
References
[1] https://www.infosecurity-magazine.com/news/malware-hunt-software/
[2] https://www.443news.com/2024/04/critical-flaws-leave-92000-d-link-nas-devices-vulnerable-to-malware-attacks/
[3] https://unit42.paloaltonetworks.com/malware-initiated-scanning-attacks/
[4] https://www.techtarget.com/searchSecurity/news/366580312/Unit-42-Malware-initiated-scanning-attacks-on-the-rise