News & Insights

After many years of not having public interface for exploring our extensive cyber threat intelligence data sets, Shadowserver are very excited to make available our new public Dashboard, kindly funded by the UK FCDO. Use our Dashboard to dig into two years of aggregated country level data about many different type of threats, including some unique data sets and vantage points, then visualize the data in various ways that can be easily shared via URLs. Free to use (with attribution) for research, informing policy makers and by journalists/news media in educating the public about cyber security threats.

We recently began scanning for middlebox devices that are vulnerable to Middlebox TCP reflection, which can be abused for DDoS amplification attacks.  Our results are now shared daily, filtered for your network or constituency in the new Vulnerable DDoS Middlebox report. We uncover over 18,800,000 IPv4 addresses responding to our Middlebox probes. In some cases the amplification rates can exceed 10,000!

A new reflection/amplification distributed denial of service (DDoS) vector with a record-breaking potential amplification ratio of 4,294,967,296:1 has been abused by attackers in the wild to launch multiple high-impact DDoS attacks. Attacks have been observed on broadband access ISPs, financial institutions, logistics companies, gaming companies, and organizations in other vertical markets. Security researchers, network operators, and security vendors Akamai SIRT, Cloudflare, Lumen Black Lotus Labs, Mitel, NETSCOUT Arbor ASERT, TELUS, Team Cymru, and The Shadowserver Foundation formed a task force to investigate the new DDoS vector and provide mitigation guidance. Vendor Mitel has released software patches which disables the abusable test facility and are actively engaged in remediation efforts with their customers. Vulnerable device information is available through Shadowserver's free daily network reports.

We have started daily IPv4 /0 scanning for exposed MS-RDPEUDP instances on port 3389/UDP. Aside from the usual risks associated with exposing RDP services to the Internet, this UDP extension of the popular RDP services has been found to be susceptible to amplification DDoS abuse with an amplification factor of over 84. Over 12 000 instances of MS-RDPEUDP have been found to be accessible on the IPv4 Internet.

We have enabled a new scan for exposed CoAP (Constrained Application Protocol) devices on port 5683/UDP. The scan has uncovered around 460 000 exposed CoAP services that can be potentially abused for CoAP amplification DDoS attacks. These services may also leak information or expose other vulnerabilities. This is the third IoT scan implemented as part of the EU CEF VARIoT project.

This blog is the first in a series in which we will take a look at different world regions in order to demonstrate what taking a more holistic view of our data can reveal - starting with the African continent. The derived insight helps us better drive our outreach activities and hopefully allows National CSIRTs in the region, as well as numerous other authorities/partners and private enterprises, to enhance their incident response coordination and share information from our public benefit victim remediation network reports with local communities in a more effective manner.

Between May 2016 and April 2019, The Shadowserver Foundation participated in the SISSDEN EU Horizon 2020 project. The main goal of the project was to improve the cybersecurity posture of EU entities and end users through the development of situational awareness and sharing of actionable information. It exceeded KPIs, with 257 sensors in 59 countries, using 974 IP addresses across 119 ASNs and 383 unique /24 (Class C) networks, and collected 31TB of threat data. This blog post provides detail on Shadowserver's role in SISSDEN, including a 3 minute explainer video.

The huge Mirai Botnet #14 IoT botnet attacks were successfully stopped and sinkholed by the German BKA and The Shadowserver Foundation, and the actor behind them was identified, arrested and prosecuted in both Germany (with the BKA) and the UK (with the NCA). Sentencing details were made public in the UK today.