News & Insights

Over the years, Shadowserver’s report list has grown considerably from when we originally started. When some of these reports were originally set up, the requirements were different to those needed today. We have therefore decided to implement changes with some of the existing report types, especially those related to our sinkholes and honeypots, as well as remove some legacy reports. Changes will come into effect on 2021-06-01. On that day, the old reports will cease and only the new equivalents will be sent out. Until that time, starting 2021-04-05 both the old reports and new reports will function in parallel.

A new one-off Special Report covering efforts to identify additional vulnerable and compromised Microsoft Exchange servers and associated common web shell that are configured to use DNS based virtual hosting, rather than direct IPv4 /0 scanning for default web sites, containing data for the period 2021-03-16 to 2021-03-22.

Can you help Shadowserver sign up more countries/networks in Africa and the Info-Pacific to receive our free daily network reports and help secure the Internet? We are running a UK FCDO funded surge in Feb/March 2021, aimed at increasing outreach and expanding our honeypot sensor network in those regions. We are seeking introductions, contacts and hosting so please get in touch if you can help us achieve these goals.

Another internet wide scan based one-off Special Report identifying 59218 potentially vulnerable Microsoft Exchange Servers on 2021-03-14 courtesy of Kryptoslogic, with a comparison of the degree of overlap in coverage between this data set and our previous one-off Special Report that was just released. If your mail servers appear in either report - please patch immediately.

Another one-off Special Report identifying 73608 potentially vulnerable Microsoft Exchange Servers during the period 2021-03-13 and 2021-03-14, which corresponds to 63115 unique IP addresses in 211 countries. These exposed systems remain at very high risk and need patching immediately.

Another one off Shadowserver Special Report, this time in partnership with Kryptoslogic, provides critical information about compromised Microsoft Exchange Servers with exposed public web shells that were likely exploited using CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065. Please remediate and patch/rebuild urgently!

Shadowserver one-off Special Reports are for reporting security events outside our usual 24-hour reporting window. Our second Special Report covers identification Microsoft Exchange Servers potentially vulnerable to CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065 by scanning with DIVD after patches were released.

Announcing new Shadowserver one-off Special Reports, for reporting security events outside our usual 24-hour reporting window. First Special Report covers victims of alleged HAFNIUM exploitation of Microsoft Exchange Server via CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065 between 2021-02-26 and 2021-03-03, but not subsequent mass exploitation after the patches were released.

We have started daily IPv4 /0 scanning for exposed MS-RDPEUDP instances on port 3389/UDP. Aside from the usual risks associated with exposing RDP services to the Internet, this UDP extension of the popular RDP services has been found to be susceptible to amplification DDoS abuse with an amplification factor of over 84. Over 12 000 instances of MS-RDPEUDP have been found to be accessible on the IPv4 Internet.

As everyone knows now, Shadowserver had a bit of a funding issue earlier this year which caused us to go through the process of needing a new space for our data operations.  A place to call home for all that storage and computing that we do daily.  A new data center was required.  This story will go through that recent history, the actual move, and a few after action and post move things that occurred.  This blog will be partially serious, some tongue in cheek, and some sad comedy, so enjoy our journey.