Shadowserver received funding from the UK Foreign, Commonwealth and Development Office (FCDO) in Q1 2021 for a short surge. The purpose was to improve the support we offered to Africa and the Indo-Pacific regions. You can read more about that activity in our blog post.
Some of the successful outcomes that were achieved included:
- 30 target countries and territories being signed up for our free daily network reports:
  - Africa (14): Angola, Burkina Faso, Botswana, Cameroon, Ethiopia, Gabon, Malawi, Mayotte, Reunion, Rwanda, Seychelles, Saint Helena, Sierra Leone, Togo
  - Indo-Pacific (16): Brunei, Cocos Islands, Cook Islands, Christmas Island, Fiji, British Indian Ocean Territory, Kiribati, Laos, New Caledonia, Norfolk Island, Nepal, French Polynesia, Pitcairn, Solomon Islands, Tuvalu, Wallis and Futuna
- Outside of the FCDO-funded initiative scope, in parallel, 8 additional countries also signed up for our network reports during the same time period:
  - Albania, French Guiana, Guadeloupe, Kuwait, Martinique, Myanmar, Saint Pierre and Miquelon, French Southern Territories
- Millions of additional Internet Protocol version 4 (IPv4) addresses and hundreds of new collections of networks, defined as Autonomous System Numbers (ASNs), now being covered by our daily reporting:
  - Africa: 5,407,564 IPv4 addresses (331 ASNs)
  - Indo-Pacific: 1,321,435 IPv4 addresses (282 ASNs)
  - Additional Countries: 3,105,406 IPv4 addresses (324 ASNs)
  - Total: 9,834,405 IPv4 addresses (937 ASNs)
- 85 additional honeypot sensors with enhanced Common Vulnerabilities and Exposures (CVE) emulation to detect network-based attacks being deployed across 365 IP addresses in 28 countries:
  - Australia, Bangladesh, Cambodia, Cameroon, Gabon, Ghana, India, Indonesia, Japan, Kenya, Laos, Madagascar, Malaysia, Mauritius, Mongolia, Morocco, Mozambique, Nepal, New Zealand, Nigeria, Philippines, Singapore, South Africa, South Korea, Taiwan, Thailand, Vietnam, Zimbabwe
Due to that FCDO-funded surge, Shadowserver has been able to send out additional free daily network reports to these new recipients, which included:
- 124,087,922 scan events about exposed network services in those countries (average 415,010 per day)
- 25,138,582 events from malware/botnet-infected systems connecting to our sinkholes from those countries (average 84,086 per day)
- 2,237,898 events detected by our Internet of Things (IoT) honeypots and 6,347,083 events detected by our web application honeypots that originated from IP addresses in those countries
This has provided considerable volumes of no-cost, timely, actionable cyber threat intelligence (CTI) and, hopefully, helped contribute to a more secure, free and open Internet for all.
IoT honeypot events detected from IP addresses in the above countries and reported out per day (Y-axis logarithmic):
Web application honeypot events detected from IP addresses in the above countries and reported out per day (Y-axis logarithmic):
Number of unique IP addresses in the above countries that were likely infected with malware/botnets and connected to our sinkholes that were reported out per day (downward trend due to infected devices being remediated over time):
Additional FCDO Funding
We are therefore very pleased to be able to continue to prioritize our outreach efforts in those regions through some additional funding provided by the UK Foreign, Commonwealth and Development Office (FCDO) through Q1 2022. This will allow us to build upon what has already been achieved, enabling us to engage with the remaining countries who do not yet benefit from Shadowserver’s services. Hopefully, we can assist the remaining countries – who do have Computer Emergency Response Team (CERT)/Computer Security Incident Response Team (CSIRT) capabilities – to get set up with our free daily network reports and start using them effectively.
In addition, we will also be:
- Extending and enhancing our honeypot sensor network to provide more event data for the benefit of all of our data feed recipients
- Producing improved outreach and training materials to help onboard new constituents and improve their ability to ingest and work with our free daily data
- Identifying the largest network owners in the target countries who do not already subscribe to our network reports and attempting to engage them directly, as well as at the National CSIRT level
- Providing enhanced support behind the scenes for anti-ransomware efforts
To kickstart these activities, throughout the past week, we have been participating in the two-week-long virtual 2021 African Commonwealth Virtual Conference and Workshops organized by the UK Home Office. This event is part of their National Cyber Risk Assessment initiative (NCRA), which is now in its fourth year and helps countries to effectively measure their cyber security maturity level. Through the event, we have been able to showcase some of our data and bring our free public benefit services to an even wider regional audience. Having the opportunity to share experiences with the CSIRT community across the Commonwealth countries in Africa has been very positive so far, and we look forward to next week and further presentations and discussions.
One of the things we have been keen to emphasize is that our network reports are available (for free) to all network owners – not just the National CSIRTs. This means that ASN operators and other network owners can better protect themselves, without needing to have potential issues highlighted to them by their responsible National CSIRT, allowing everyone to prioritize limited resources most effectively.
Next Steps
Over the coming months we will be focusing our efforts on Africa and the Indo-Pacific – both at the National CSIRT level and also at the ASN owner level. This will include participating in the 2021 FIRST & AfricaCERT Symposium for the African and Arab Regions in December. We will be reaching out directly to our remaining target countries, but we may also make another public call for assistance from the community to help make introductions to those countries we do not already have connections with.
We will be looking to add as many National CSIRTs, ASN operators and network owners as we can to the 6000+ organizations, 132 countries and 173 territories who already benefit from our daily reports. We would encourage everyone who already uses our daily network reports to tell others in their communities that the reports exist, are useful and are freely available for their constituencies on request.
Free Daily Network Reports
Do you represent a National CSIRT? Are you a network operator/owner (from the smallest network to the largest multinational company)? To sign up for our free daily network reports, simply complete the form here. These reports are available at no cost to the end user. They are funded by an alliance of like-minded organisations and individuals, who together recognise that a more secure Internet benefits all who use and depend upon it.