News & Insights

In May 2018, the US DoJ, FBI and industry partners sinkholed the modular network device infecting malware known as VPNFilter, which Shadowserver has been reporting out for remediation to nCSIRTs and network owners each day since. In February 2022 the UK NCSC, US FBI, CISA and NSA jointly announced the discovery of new network device malware, which they have called Cyclops Blink, and see as a more advanced replacement for VPNFilter. A new Shadowserver Cyclops Blink Special Report was issued to our free daily network report subscribers today, detailing IP addresses believed likely to be infected with the Cyclops Blink malware, and the associated C2 servers.

A maximum risk critical vulnerability in the popular Apache Log4j open source logging software was made public as CVE-2021-44228 on December 9th 2021, potentially providing attackers with easy remote code execution on thousands of systems globally. Although Shadowserver decided not to scan for this vulnerability, our honeypots continue to detect IPv4 /0 scanning and exploitation attempts. A second run of our Vulnerable Log4j Servers Special Report provides updated data from Alpha Strike Lab's scanning activity performed during the week since our first Special Report. The updated Special Report is being distributed to National CSIRTs and network owners as a public benefit service to aid in rapid remediation.

After our recent Special Report and blog post about vulnerable log4j servers, a quick and dirty update on the “log4shell” mass scanning and attempted CVE-2021-44228 exploitation activity we have been seeing across our global honeypot sensor network between Sunday December 11th and Thursday December 16th, including a quick analysis of the top ten Malware Callback URIs observed and server distribution.

A maximum risk critical vulnerability in the popular Apache Log4j open source logging software was made public as CVE-2021-44228 on December 9th 2021, potentially providing attackers with easy remote code execution on thousands of systems globally. Although Shadowserver decided not to scan for this vulnerability, our honeypots detected rapid growth in IPv4 /0 scanning. This Special Report provides data from Alpha Strike Labs's scanning activity and is being distributed to National CSIRTs and network owners as a public benefit service to aid in rapid remediation.

Shadowserver received funding from the UK FCDO in Q1 2021 for a short surge to improve the support we offered to Africa and the Indo-Pacific region. We achieved some good results, so we are providing some public highlights in this blog post. We are also pleased to announce that we have received some additional FCDO funding to continue these efforts through Q4 2021 and Q1 2022, and hope to further expand our free public benefit service coverage to more National CSIRT and additional network owner (ASNs) in these target regions.

We have introduced a new report type, the Device Identification Report. This report contains a list of devices we have identified in our daily Internet scans. The assessment is made based on all our IPv4-wide Internet scan types. All scan responses are processed by a scan signature engine that classifies IPs based on predefined rules that match various response fields. The report is intended for recipients to get a better understanding of device population types on networks they are responsible for

Position is for hands on, physical system administrator in the Oakland area.

The Shadowserver Foundation is seeking a new full-time employee team member who will focus on Shadowserver’s constituents and fundraising. These constituents leverage Shadowserver’s public benefit services to collaboratively protect their network, their customers, and the whole Internet. The Shadowserver Alliance Director will be very interactive with all of our constituents, providing them with briefings on the latest service updates, ensuring they are configured to maximize their benefits from Shadowserver, and exploring new ways they can support Shadowserver’s mission.

We have recently started to perform a full IPv4 Internet-wide scan for accessible SMTP services and will report out possible vulnerabilities that have been observed, with a current focus on Exim (in the future non-Exim vulnerabilities may be added). We scan by performing a connection to port 25, recognizing an SMTP response and collecting the banner served. These connections look just like a normal SMTP connection, there is not any attempt to exploit the port, only to collect the banner information from that connection to the server. Our scan uncovered 317,848 distinct Exim IPs that likely contain 21nails vulnerabilities (as discovered by Qualys) based on the connected banner identification.

A new opt-in feature in our reporting mechanism will allow for reporting only the changes of the data from day to day: the report delta mode option. In this mode, every Sunday we will continue to deliver a full set of reports on all events observed on a report recipients’s network. For the rest of the week, for every distinct report type we will report only the difference between events seen on that day relative to the Sunday report. This will continue throughout the week until the following Sunday, when everything is reset and a full report is delivered again.