Media Coverage

Shadowserver in the news

Cybercrime-as-a-service takedown: 7 arrested

Europol, October 17, 2025

An action day performed in Latvia on 10 October 2025 led to the arrest of five cybercriminals of Latvian nationality and the seizure of infrastructure used to enable crimes against thousands of victims across Europe. During the operation, codenamed ‘SIMCARTEL’, law enforcement arrested two further suspects, took down five servers and seized 1,200 SIM box devices alongside 40,000 active SIM cards. Investigators from Austria, Estonia and Latvia, together with their colleagues at Europol and Eurojust, were able to attribute to the criminal network more than 1,700 individual cyber fraud cases in Austria and 1,500 in Latvia, with a total loss of several million euros.

To prepare for the action day in Latvia, Eurojust and Europol leveraged their strengths to enhance the international law enforcement effort. They assisted in planning and administering the action day, with support from Joint Investigation Team partners Austria, Estonia and Latvia, as well as Finland. During the operation, the technical infrastructure of the organised criminal network was dismantled in collaboration between Europol and the Shadowserver Foundation.

Over 269,000 F5 Devices Found Exposed Online After Massive Breach

GB Hackers, October 17, 2025

A recent breach of F5 Networks’ infrastructure has left more than 269,000 devices exposed online. Security researchers first detected unusual activity on F5’s management portal, prompting the company to issue an alert and patch critical vulnerabilities.

Shadowserver’s Device Identification report, which fingerprints network equipment reachable from the internet, now lists more than 269,000 F5 devices online. The figure measures exposure of the devices, not whether each one has been patched. Shadowserver provides an interactive dashboard that breaks down the geographic distribution of exposed F5 gear.

Detour Dog Caught Running DNS-Powered Malware Factory for Strela Stealer

The Hacker News, October 3, 2025

A threat actor named Detour Dog has been outed as powering campaigns distributing an information stealer known as Strela Stealer. That’s according to findings from Infoblox, which found the threat actor to maintain control of domains hosting the first stage of the stealer, a backdoor called StarFish. Infoblox said it worked with the Shadowserver Foundation to sinkhole two of Detour Dog’s C2 domains (webdmonitor[.]io and aeroarrows[.]io) on July 30 and August 6, 2025.

48,800+ Cisco Firewalls Hit by Actively Exploited 0-Day Vulnerability

GB Hackers, October 1, 2025

Cisco has confirmed two serious vulnerabilities impacting its Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) firewalls. Tracked as CVE-2025-20333 and CVE-2025-20362, the flaws allow an attacker to run arbitrary code on unpatched devices: CVE-2025-20333 is a remote code execution bug in the VPN web server, and CVE-2025-20362 lets an unauthenticated attacker reach restricted URL endpoints, which is what makes the pair exploitable without credentials when chained. Cisco security advisories warn that exploits for both flaws are already in the wild. Shadowserver’s daily vulnerable HTTP report now includes a live list of ASA/FTD instances susceptible to these 0-day bugs. On September 29, security researchers discovered 48,800+ publicly reachable IPs still running outdated firewall versions. Network teams should subscribe for daily updates and cross-check their public IP ranges against Shadowserver’s list.
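The cross-check recommended above is a routine task that is easy to get wrong by hand once a report has thousands of rows. The following is an added example, not code from Shadowserver or from any of the articles listed here: it filters a CSV report against the CIDR ranges an organisation owns and, optionally, against the CVE tags it cares about. The sample rows are constructed for this example and the column names (timestamp, ip, port, protocol, tag, asn, geo) are an assumption that only loosely resembles Shadowserver’s report layout; adjust them to the header row of the report you actually receive.

```python
import csv
import io
import ipaddress

# Constructed sample data, loosely modelled on a Shadowserver CSV report.
# The column names are an assumption for this example, not the real schema.
SAMPLE_REPORT_CSV = """timestamp,ip,port,protocol,tag,asn,geo
2025-09-29 04:12:07,198.51.100.17,443,tcp,cve-2025-20333;cve-2025-20362,64496,US
2025-09-29 04:12:09,203.0.113.44,443,tcp,cve-2025-20333;cve-2025-20362,64497,DE
2025-09-29 04:12:11,198.51.100.250,8443,tcp,cve-2025-20333;cve-2025-20362,64496,US
2025-09-29 04:12:15,192.0.2.9,443,tcp,cve-2025-20333;cve-2025-20362,64498,NL
2025-09-29 04:12:19,not-an-ip,443,tcp,cve-2025-20333,64499,FR
"""

# Public ranges this (hypothetical) organisation owns. Documentation prefixes only.
OUR_RANGES = ["198.51.100.0/25", "192.0.2.0/24"]


def build_networks(cidrs):
    """Parse CIDR strings into network objects; IPv4 and IPv6 both accepted."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def row_has_cve(row, cves):
    """True if the row's 'tag' field lists any CVE in `cves` (case-insensitive).
    Tags are assumed to be ';'-separated, as in the constructed sample."""
    if not cves:
        return True
    wanted = {c.lower() for c in cves}
    tags = {t.strip().lower() for t in row.get("tag", "").split(";")}
    return bool(wanted & tags)


def match_report(report_csv, cidrs, cves=None):
    """Return the report rows whose 'ip' falls inside one of our ranges.

    Malformed IPs are skipped instead of aborting the whole run, because a
    single bad line should not hide every other finding in the report.
    """
    nets = build_networks(cidrs)
    hits = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        try:
            addr = ipaddress.ip_address(row["ip"].strip())
        except ValueError:
            continue
        if any(addr in net for net in nets) and row_has_cve(row, cves):
            hits.append(row)
    return hits


def summarize(hits):
    """Count matched rows per CVE tag, so a ticket can be raised per issue."""
    counts = {}
    for row in hits:
        for tag in row.get("tag", "").split(";"):
            tag = tag.strip().lower()
            if tag:
                counts[tag] = counts.get(tag, 0) + 1
    return counts


if __name__ == "__main__":
    matched = match_report(SAMPLE_REPORT_CSV, OUR_RANGES,
                           cves=["CVE-2025-20333", "CVE-2025-20362"])
    for row in matched:
        print(f"{row['ip']}:{row['port']}  {row['tag']}  (seen {row['timestamp']})")
    print(summarize(matched))
```

In practice the report file arrives as an attachment or download from Shadowserver’s reporting service; replace `SAMPLE_REPORT_CSV` with the file contents and `OUR_RANGES` with the prefixes your organisation announces. Rows that land in your ranges are the hosts to patch or take offline first.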

Fortra warns of max severity flaw in GoAnywhere MFT’s License Servlet

Bleeping Computer, September 19, 2025

Fortra has released security updates to patch a maximum severity vulnerability in GoAnywhere MFT’s License Servlet that can be exploited in command injection attacks. GoAnywhere MFT is a web-based managed file transfer tool that helps organizations securely transfer files and maintain audit logs of who accesses the shared files. Security analysts at the nonprofit Shadowserver Foundation are monitoring over 470 GoAnywhere MFT instances. However, it is unclear how many of these have already been patched or have their admin console exposed online.

Hackers use new HexStrike-AI tool to rapidly exploit n-day flaws

Bleeping Computer, September 3, 2025

Hackers are increasingly using a new AI-powered offensive security framework called HexStrike-AI in real attacks to exploit newly disclosed n-day flaws. According to Shadowserver Foundation data, nearly 8,000 endpoints remained vulnerable to CVE-2025-7775 as of September 2, 2025, down from 28,000 the previous week. The activity was reported by Check Point Research, which observed significant chatter on the dark web around HexStrike-AI in connection with the rapid weaponization of newly disclosed Citrix vulnerabilities.

Over 28,000 Citrix instances remain exposed to critical RCE flaw CVE-2025-7775

Security Affairs, August 27, 2025

Experts at the Shadowserver Foundation warn that more than 28,200 Citrix instances are vulnerable to CVE-2025-7775, which is under active exploitation. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the Citrix NetScaler flaw to its Known Exploited Vulnerabilities (KEV) catalog. Shadowserver Foundation researchers reported that most of the vulnerable instances are located in the United States (10,100), followed by Germany (4,300), the United Kingdom (1,400), the Netherlands (1,300), and Switzerland (1,300).

African authorities dismantle massive cybercrime and fraud networks, recover millions

INTERPOL, August 22, 2025

In a sweeping INTERPOL-coordinated operation, authorities across Africa have arrested 1,209 cybercriminals targeting nearly 88,000 victims. The crackdown recovered USD 97.4 million and dismantled 11,432 malicious infrastructures, underscoring the global reach of cybercrime and the urgent need for cross-border cooperation. Operation Serengeti 2.0 (June to August 2025) brought together investigators from 18 African countries and the United Kingdom to tackle high-harm and high-impact cybercrimes including ransomware, online scams and business email compromise (BEC).

The operation was strengthened by private sector collaboration, with partners providing intelligence, guidance and training to help investigators act on intelligence and identify offenders effectively. Operation Serengeti 2.0 was held under the umbrella of the African Joint Operation against Cybercrime, funded by the United Kingdom’s Foreign, Commonwealth and Development Office.

Operational partners:
Cybercrime Atlas, Fortinet, Group-IB, Kaspersky, The Shadowserver Foundation, Team Cymru, Trend Micro, TRM Labs and Uppsala Security.

Participating countries:
Angola, Benin, Cameroon, Chad, Côte D’Ivoire, Democratic Republic of Congo, Gabon, Ghana, Kenya, Mauritius, Nigeria, Rwanda, Senegal, South Africa, Seychelles, Tanzania, United Kingdom, Zambia and Zimbabwe.

Attacks on N-able N-central ongoing, more than 1000 systems unpatched

Heise Online, August 19, 2025

Two security vulnerabilities have been discovered in N-central, the remote monitoring and management (RMM) software from N-able, which allow attackers to inject operating system commands or execute injected malicious code. The Shadowserver Foundation published an analysis of its Internet scans on X over the weekend. According to it, 1,077 IP addresses were vulnerable to CVE-2025-8875 and CVE-2025-8876 last Friday. Last week, the US IT security agency CISA added the vulnerabilities to its “Known Exploited Vulnerabilities” catalog.

Surge in Scans From Hacked Cisco, Linksys, and Araknis Routers

GB Hackers, August 19, 2025

Cybersecurity researchers have identified a significant increase in malicious scanning activities originating from compromised consumer and enterprise networking equipment, with particular focus on Cisco, Linksys, and Araknis router models. The Shadowserver Foundation, a prominent threat intelligence organization, has reported observing unusual scanning patterns that suggest widespread compromise of these networking devices.