News & Insights

Over 380 000 open Kubernetes API servers

May 17, 2022
We have recently started scanning for accessible Kubernetes API instances that respond with a 200 OK HTTP response to our probes. Kubernetes is an open-source system for automating deployment, scaling, and management of containerized applications. We find over 380 000 Kubernetes API daily that allow for some form of access, out of over 450 000 that we are able to identify. Data on these is shared daily in our Accessible Kubernetes API Server Report.

Over 18.8 million IPs vulnerable to Middlebox TCP reflection DDoS attacks

April 25, 2022
We recently began scanning for middlebox devices that are vulnerable to Middlebox TCP reflection, which can be abused for DDoS amplification attacks.  Our results are now shared daily, filtered for your network or constituency in the new Vulnerable DDoS Middlebox report. We uncover over 18,800,000 IPv4 addresses responding to our Middlebox probes. In some cases the amplification rates can exceed 10,000!

More Free Cyber Threat Intelligence For National CSIRTs

April 25, 2022
The UK FCDO have been supporting The Shadowserver Foundation's efforts to provide more free, actionable, daily Cyber Threat Intelligence to National CSIRTs in Africa and the Indo-Pacific. After making some great progress over the past year, we are seeking support from the community to engage some additional countries in the region. Can you help connect us, and the Internet more secure for everyone?

CVE-2022-26143: TP240PhoneHome Reflection/Amplification DDoS Attack Vector

March 8, 2022
A new reflection/amplification distributed denial of service (DDoS) vector with a record-breaking potential amplification ratio of 4,294,967,296:1 has been abused by attackers in the wild to launch multiple high-impact DDoS attacks. Attacks have been observed on broadband access ISPs, financial institutions, logistics companies, gaming companies, and organizations in other vertical markets. Security researchers, network operators, and security vendors Akamai SIRT, Cloudflare, Lumen Black Lotus Labs, Mitel, NETSCOUT Arbor ASERT, TELUS, Team Cymru, and The Shadowserver Foundation formed a task force to investigate the new DDoS vector and provide mitigation guidance. Vendor Mitel has released software patches which disables the abusable test facility and are actively engaged in remediation efforts with their customers. Vulnerable device information is available through Shadowserver's free daily network reports.

Shadowserver Special Reports - Cyclops Blink

February 23, 2022
In May 2018, the US DoJ, FBI and industry partners sinkholed the modular network device infecting malware known as VPNFilter, which Shadowserver has been reporting out for remediation to nCSIRTs and network owners each day since. In February 2022 the UK NCSC, US FBI, CISA and NSA jointly announced the discovery of new network device malware, which they have called Cyclops Blink, and see as a more advanced replacement for VPNFilter. A new Shadowserver Cyclops Blink Special Report was issued to our free daily network report subscribers today, detailing IP addresses believed likely to be infected with the Cyclops Blink malware, and the associated C2 servers.

Shadowserver Special Reports – Vulnerable Log4j Servers (2021-12-22 update)

December 22, 2021
A maximum risk critical vulnerability in the popular Apache Log4j open source logging software was made public as CVE-2021-44228 on December 9th 2021, potentially providing attackers with easy remote code execution on thousands of systems globally. Although Shadowserver decided not to scan for this vulnerability, our honeypots continue to detect IPv4 /0 scanning and exploitation attempts. A second run of our Vulnerable Log4j Servers Special Report provides updated data from Alpha Strike Lab's scanning activity performed during the week since our first Special Report. The updated Special Report is being distributed to National CSIRTs and network owners as a public benefit service to aid in rapid remediation.

Log4j Scanning and CVE-2021-44228 Exploitation - Latest Observations (2021-12-16)

December 16, 2021
After our recent Special Report and blog post about vulnerable log4j servers, a quick and dirty update on the “log4shell” mass scanning and attempted CVE-2021-44228 exploitation activity we have been seeing across our global honeypot sensor network between Sunday December 11th and Thursday December 16th, including a quick analysis of the top ten Malware Callback URIs observed and server distribution.

Shadowserver Special Reports – Vulnerable Log4j Servers

December 15, 2021
A maximum risk critical vulnerability in the popular Apache Log4j open source logging software was made public as CVE-2021-44228 on December 9th 2021, potentially providing attackers with easy remote code execution on thousands of systems globally. Although Shadowserver decided not to scan for this vulnerability, our honeypots detected rapid growth in IPv4 /0 scanning. This Special Report provides data from Alpha Strike Labs's scanning activity and is being distributed to National CSIRTs and network owners as a public benefit service to aid in rapid remediation.

Continuing Our Africa and Indo-Pacific Regional Outreach

December 1, 2021
Shadowserver received funding from the UK FCDO in Q1 2021 for a short surge to improve the support we offered to Africa and the Indo-Pacific region. We achieved some good results, so we are providing some public highlights in this blog post. We are also pleased to announce that we have received some additional FCDO funding to continue these efforts through Q4 2021 and Q1 2022, and hope to further expand our free public benefit service coverage to more National CSIRT and additional network owner (ASNs) in these target regions.

Announcing the Device Identification Report

September 8, 2021
We have introduced a new report type, the Device Identification Report. This report contains a list of devices we have identified in our daily Internet scans. The assessment is made based on all our IPv4-wide Internet scan types. All scan responses are processed by a scan signature engine that classifies IPs based on predefined rules that match various response fields. The report is intended for recipients to get a better understanding of device population types on networks they are responsible for