

Attackers Catalog IP Addresses With Open Ports, Seeking Exploitable Services

Scans Probing for MOVEit Systems May Be Precursor to Attacks

Someone – nobody knows who – is performing mass internet scans probing for MOVEit secure file-transfer installations, in what may be the precursor to a mass attack.


Threat intelligence firm GreyNoise said it’s tracking a daily surge in unique IP addresses running scans in search of MOVEit software. This activity “may represent target validation or exploit testing,” and often precedes by two to four weeks the in-the-wild exploitation of previously unknown flaws, it said.

The surge began May 27, going from virtually no scans per day beforehand – fewer than 10 IPs observed doing such searches – to 100 unique IPs, before rising to 319 IPs on May 28. Since then, the scanning volume has remained constant at 200 to 300 IPs daily, which suggests that “MOVEit Transfer is once again in the crosshairs,” GreyNoise said.

Starting June 12, the firm recorded “low-volume exploitation attempts” targeting two known flaws in MOVEit: CVE-2023-34362 and CVE-2023-36934.

MOVEit, developed by Massachusetts firm Progress Software, has a history with hackers. Ransomware group Clop targeted it for a mass attack in 2023. Also known as Cl0P, the gang specializes in hitting zero-day vulnerabilities in managed file-transfer software, stealing data and demanding extortion money in exchange for a promise to delete it. The Russian-speaking gang earned an estimated $75 million to $100 million in its MOVEit-targeting campaign, which exploited a now-patched zero day allowing unauthenticated hackers to gain access. A more recent Clop mass attack targeted Cleo Communications’ Harmony, VLTrader and LexiCom MFT software in 2024 (see: Online Extortion Gang Clop Threatens Cleo Hacking Victims).

GreyNoise said the mass scanning for MOVEit traces to at least 682 unique IP addresses – it recommends blocking them – of which 44% resolve to address spaces controlled by Tencent Cloud networks, 17% to Cloudflare, 14% to Amazon and 5% to Google. Such concentrated scanning, especially from a single Tencent autonomous system number, “suggests that the scanning is deliberate and programmatically managed, rather than random or distributed probing,” it said.

The scanning activity observed by GreyNoise likely originates from compromised accounts. “Hackers usually sell stolen access to VPN servers with high bandwidth, which are then used for scanning,” said Milivoj Rajić, head of threat intelligence at DynaRisk.

For Real: Scanning as a Service

The firm’s alert is a reminder that hackers regularly scan the internet looking for public-facing systems with exploitable vulnerabilities. The mystery scanner could use this information to directly hack the systems or provide information to others.

“Absolutely, ‘scanning as a service’ is part of the cybercrime ecosystem,” perhaps as part of a “targets as a service” offering, said Ian Thornton-Trump, CISO of Inversion6. “The increased scanning for MOVEit, which has a long history of critical vulnerabilities, may be preparatory for a new exploit against patched systems by perhaps a reverse-engineering effort focused on a new vulnerability or a vulnerability derived from an existing patch.”

Large volumes of IP scanning data are being bought, sold, traded or given away for free on the cybercrime underground.

DynaRisk’s Rajić told Information Security Media Group he discovered in May a 1.6 gigabyte file swapped on a Telegram channel that contained about 76 million scanned IP addresses, for which one or more open ports were detected. “This file is circulating in hacker communities and could be extremely valuable – both for cybersecurity professionals and for malicious actors,” he said.

The information appeared to have been assembled by using publicly accessible internet of things scanners Shodan and Censys, as well as by “conducting independent scans to identify vulnerable ports,” Rajić said.

Multiple tools for Windows and Linux exist that can be used to scan specific networks and IP ranges for certain protocols. “To obtain better results, it’s necessary to configure the scanners with specific delays and to scan IP addresses over a longer period of time, using a defined max rate,” he said. “Some devices are not easy to detect, so the scanning time may need to be increased or decreased accordingly.”

In a test of 700 IP addresses taken from the list of 76 million, he found about 600 “were responsive, meaning from that sample that many likely remain active.” In a test involving fewer of the IP addresses, he also found a “significant” number of open ports, oftentimes including even more open ports than listed in the file.

“The next logical step for an attacker would be to identify the services or devices running behind these ports, and then search for known vulnerabilities associated with them,” he said. Networked software uses numbered ports to reach specific services on a host, and thousands of port numbers are officially or unofficially tied to particular uses. Attackers could glean from port data “whether a device is, for example, a database, a web server or some kind of industrial equipment – all of which could be targeted based on existing exploits.”

How much the mystery scanner might charge for lists of IP addresses detailing open ports and known vulnerabilities isn’t clear, although such lists sometimes get freely traded. “If hackers are offering them for free, it may mean they have already extracted everything valuable and are now giving away the IP addresses to gain greater reputation in the community or to attract more attention,” Rajić said.

As a defense against mass scanning and the threat it represents, Inversion6’s Thornton-Trump advocates using early warning services from organizations such as Britain’s National Cyber Security Centre, attack surface enumeration tools that can spot and flag vulnerabilities, and deception technology, aka honeypots, to detect exploratory incursions. Threat intelligence feeds offering the latest indicators of compromise are also available, and organizations can apply them against both inbound and outbound traffic.
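Two of the defensive measures discussed here, spotting a jump in the number of distinct source IPs probing a public-facing service (the pattern GreyNoise described: single digits per day, then 100, then 319) and applying a published blocklist such as the 682 scanner addresses to inbound connection logs, can be automated with a short script. The following is an added example, not code from GreyNoise, DynaRisk or this article; the connection-log format, the dates, the per-day counts and the blocklist entries are all constructed (addresses come from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24), and the surge rule (a day is flagged when its unique-source count is at least `factor` times the mean of the previous `window` days and above an absolute floor) is a simple baseline heuristic chosen for illustration.

```python
"""Detect a scanning surge and apply an IP blocklist to inbound logs.

Constructed example: the log format, dates, counts and addresses are
made up for illustration and do not come from any real feed.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from statistics import mean


def build_sample_log(per_day: dict[str, int], port: int = 443) -> list[str]:
    """Generate constructed log lines of the form "<YYYY-MM-DD> <src_ip> <dst_port>".

    `per_day` maps a date to the number of distinct source IPs that
    connected to `port` on that day. One extra SSH connection per day from
    a second address is added so that per-port filtering is visible.
    """
    lines = []
    for day, n in per_day.items():
        for i in range(n):
            lines.append(f"{day} 203.0.113.{i} {port}")
        lines.append(f"{day} 198.51.100.9 22")
    return lines


# Constructed daily profile: a quiet baseline, then a sudden jump.
SAMPLE_LOG = build_sample_log({
    "2025-05-24": 4,
    "2025-05-25": 3,
    "2025-05-26": 5,
    "2025-05-27": 60,   # surge begins
    "2025-05-28": 150,  # and keeps climbing
})


def parse_log(lines):
    """Parse log lines into (day, src_ip, dst_port) tuples, skipping malformed ones."""
    records = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue
        day, ip, port = parts
        try:
            ipaddress.ip_address(ip)   # validates the address text
            port = int(port)
        except ValueError:
            continue
        records.append((day, ip, port))
    return records


def daily_unique_sources(records, port):
    """Count distinct source IPs per day that touched the given destination port."""
    seen = defaultdict(set)
    for day, ip, p in records:
        if p == port:
            seen[day].add(ip)
    return {day: len(ips) for day, ips in sorted(seen.items())}


def detect_surge(counts, window=3, factor=5.0, min_abs=20):
    """Return the days whose unique-source count is >= factor * mean of the
    previous `window` days and >= min_abs. Early days without a full
    baseline window are never flagged."""
    days = sorted(counts)
    flagged = []
    for idx in range(window, len(days)):
        baseline = mean(counts[d] for d in days[idx - window:idx])
        threshold = max(min_abs, factor * baseline)
        if counts[days[idx]] >= threshold:
            flagged.append(days[idx])
    return flagged


def load_blocklist(entries):
    """Turn feed entries (single IPs or CIDR prefixes) into network objects."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def match_blocklist(records, networks):
    """Return the sorted set of source IPs in the log that fall inside the blocklist."""
    hits = set()
    for _, ip, _ in records:
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in networks):
            hits.add(ip)
    return sorted(hits)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    counts = daily_unique_sources(recs, 443)
    print("unique sources per day:", counts)
    print("surge days:", detect_surge(counts))
    # Constructed blocklist: one host entry and one prefix entry.
    feed = load_blocklist(["203.0.113.7", "198.51.100.0/24"])
    print("blocklisted sources seen:", match_blocklist(recs, feed))
```

The same `match_blocklist` pass can be run over outbound connection logs by feeding it destination addresses instead of sources, which is how an IoC feed is applied in both directions as the article suggests. The surge rule deliberately ignores the first `window` days rather than compare them against an empty baseline, and the absolute floor keeps a jump from 1 to 5 IPs from paging anyone.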

Ensure all public-facing services remain patched, hardened and monitored, and protected using web application firewalls and content delivery networks, he told ISMG. Also key is to “back up all the things” online and offline and to remember that “snapshots in the same infrastructure are not backups.”