A member of the Russian Karakurt ransomware group has been charged in the U.S. for money laundering, wire fraud, and extortion crimes. […] Read More
The all in one place for non-profit security aid.
A member of the Russian Karakurt ransomware group has been charged in the U.S. for money laundering, wire fraud, and extortion crimes. […] Read More
Hackers Using Malware-Driven Scanning Attacks To Pinpoint Vulnerabilities
[[{“value”:”
Attackers are now using malware-infected devices to scan target networks instead of directly scanning them. This approach helps them to hide their identity, evade geographical restrictions (geofencing), and grow their botnets.
Compromised hosts provide more resources to launch large-scale scans than a single attacker machine could manage. Systems can effectively detect established and novel scanning patterns by analyzing scan characteristics like request volume and matching them with known threat signatures.
Attackers use scanning techniques to probe target networks for weaknesses, which can identify open ports, software vulnerabilities, and even operating systems.
By exploiting these vulnerabilities, attackers can gain unauthorized access or disrupt systems.
In the example, the attacker scans random-university.edu using an HTTP POST request to identify the MOVEit vulnerability (CVE-2023-34362), which can lead to a compromise if successful.
Analyzing traffic logs across multiple networks has identified a significant increase in scanning activity targeting potential vulnerabilities.
One example involved an unusually high request volume (7,147 times in 2023) to endpoints associated with the MOVEit vulnerability (CVE-2023-34362).
The requests appeared before the vulnerability was publicly known, and the telemetry further revealed over 66 million requests in 2023 that could be linked to scanning.
Attackers were observed using novel URLs within their exploits to bypass security measures.
Palo Alto Networks identified two such instances: a Mirai variant using “103.245.236[.]188/skyljne.mips” and an attempt to exploit Ivanti vulnerabilities with “45.130.22[.]219/ivanti.js”.
In both cases, the scanning requests preceded the detection of subsequent malicious payloads, highlighting the importance of proactive scanning detection for timely threat mitigation.
Attackers use malware to hijack infected devices and turn them into scanning machines by communicating with attacker-controlled servers for instructions and scanning target domains upon receiving a scan command.
The technique allows attackers to evade detection and use the resources of compromised devices for large-scale vulnerability scanning, where the targets can vary depending on the attacker’s goals, which could be focused attacks against specific entities or widespread scanning to infect more devices.
A Mirai variant exploit takes advantage of a Zyxel router vulnerability that does not check inputs thoroughly enough to download a malicious file and copy itself, which was used in a distributed attack where 2,247 devices scanned 15,812 targets.
The botnets keep incorporating new vulnerabilities and defenders need to patch vulnerabilities and update detection systems to block new variants, while monitoring scanning activities across multiple networks can help detect new scanning patterns more rapidly.
Chained vulnerabilities (CVE-2023-46805, CVE-2024-21887) were recently used in an attack campaign against Ivanti products, where the attackers used path traversal in a GET request to get around authentication for a path that had a command injection vulnerability.
It allowed them to execute commands and potentially gain access to vulnerable systems by using the attack to harvest the IP addresses of potential targets from a DNS logging service.
Attackers target common technologies like routers, web application frameworks, and collaboration tools, as data shows widespread vulnerability scans targeting routers, including recent attacks on Ubiquiti EdgeRouters and Cisco/NetGear routers by Russian and Chinese hackers, which are not limited to specific router brands.
Secure your emails in a heartbeat! To find your ideal email security vendor, Take a Free 30-Second Assessment.
The post Hackers Using Malware-Driven Scanning Attacks To Pinpoint Vulnerabilities appeared first on Cyber Security News.
“}]] Read More
Cyber Security News
Roll out the red carpet for cyber regulations.
Valerie Abend, Global Cyber Strategy Lead from Accenture sits down to discuss the Securities and Exchange Commission’s recently announced cyber regulations. Ben shares the story of an interesting case concerning internet preservation law. Dave takes a look at an article from Lawfare that ponders the cybersecurity insurance market. Read More
The CyberWire
Moroccan Cybercrime Group Steals Up to $100K Daily Through Gift Card Fraud
Microsoft is calling attention to a Morocco-based cybercrime group dubbed Storm-0539 that’s behind gift card fraud and theft through highly sophisticated email and SMS phishing attacks.
“Their primary motivation is to steal gift cards and profit by selling them online at a discounted rate,” the company said in its latest Cyber Signals report. “We’ve seen some examples where Read More