News & Insights

Topic: Malware

Shadowserver Special Reports - Cyclops Blink

February 23, 2022
In May 2018, the US DoJ, FBI and industry partners sinkholed the modular network device infecting malware known as VPNFilter, which Shadowserver has been reporting out for remediation to nCSIRTs and network owners each day since. In February 2022 the UK NCSC, US FBI, CISA and NSA jointly announced the discovery of new network device malware, which they have called Cyclops Blink, and see as a more advanced replacement for VPNFilter. A new Shadowserver Cyclops Blink Special Report was issued to our free daily network report subscribers today, detailing IP addresses believed likely to be infected with the Cyclops Blink malware, and the associated C2 servers.

Log4j Scanning and CVE-2021-44228 Exploitation - Latest Observations (2021-12-16)

December 16, 2021
After our recent Special Report and blog post about vulnerable log4j servers, a quick and dirty update on the “log4shell” mass scanning and attempted CVE-2021-44228 exploitation activity we have been seeing across our global honeypot sensor network between Sunday December 11th and Thursday December 16th, including a quick analysis of the top ten Malware Callback URIs observed and server distribution.

Helping fight ransomware with NoMoreRansom

July 8, 2020
After successfully collaborating with founder partners Europol and the Dutch National Police on cybercrime disruption for many years, Shadowserver are very pleased to formally join their NoMoreRansom initiative. Available in 36 languages, supported by over 150 law enforcement agencies and business worldwide, and supporting decryption tools for over 120 different ransomware variants, NoMoreRansom is the go-to resource for education and helping victims battle ransomware. We highly recommend that you follow their advice and help support this great public benefit partnership.

The Shadowserver Foundation Threat Report: A Spotlight on Africa

April 30, 2020
This blog is the first in a series in which we will take a look at different world regions in order to demonstrate what taking a more holistic view of our data can reveal - starting with the African continent. The derived insight helps us better drive our outreach activities and hopefully allows National CSIRTs in the region, as well as numerous other authorities/partners and private enterprises, to enhance their incident response coordination and share information from our public benefit victim remediation network reports with local communities in a more effective manner.

Has The Sun Set On The Necurs Botnet?

March 15, 2020
Private sector partners Microsoft and Bitsight announced their disruption of the Necurs botnet on March 10th 2020. Shadowserver supported the operation, through the use of our Registrar of Last Resort (RoLR) for helping to deal with the millions of potential DGA C2 domains involved, and by making available our victim remediation reporting channels. In this blog post we provide our take on some of the more interesting aspects of this operation, analyze the sinkholed Necurs victim populations and compared their observed demographics with data from the previous decade of spambot takedowns.

Dridex update: The wheels of international Law Enforcement keep on turning

December 5, 2019
The Dridex botnet was sinkholed in October 2015 and the infected victims remediated via Shadowserver's free daily network reports. In December 2019, the US DoJ, FBI and UK NCA unsealed criminal charges against other actors alleged to be behind the Dridex botnet’s activities, via an organization self described as “Evil Corp”. This included a record US $5M FBI Most Wanted cyber criminal reward being offered.

Beyond the SISSDEN event horizon

October 1, 2019
Between May 2016 and April 2019, The Shadowserver Foundation participated in the SISSDEN EU Horizon 2020 project. The main goal of the project was to improve the cybersecurity posture of EU entities and end users through the development of situational awareness and sharing of actionable information. It exceeded KPIs, with 257 sensors in 59 countries, using 974 IP addresses across 119 ASNs and 383 unique /24 (Class C) networks, and collected 31TB of threat data. This blog post provides detail on Shadowserver's role in SISSDEN, including a 3 minute explainer video.

Goznym Indictments - action following on from successful Avalanche Operations

May 16, 2019
The US DoJ, FBI and international LE partners announce multiple indictments against the alleged operators and customers of the Goznym malware, controlled via the Avalanche platform. Sinkhole data continues to be available from The Shadowserver Foundation, as part of ongoing sinkholing over over 20 Avalanche malware strains.

Mirai Botnet #14: 1 Million German customers disrupted, Liberia taken off line and now the culprit has been convicted

January 12, 2019
The huge Mirai Botnet #14 IoT botnet attacks were successfully stopped and sinkholed by the German BKA and The Shadowserver Foundation, and the actor behind them was identified, arrested and prosecuted in both Germany (with the BKA) and the UK (with the NCA). Sentencing details were made public in the UK today.

One Billion Binaries

December 10, 2018
Breaking news: Shadowserver's malware repository now exceeds the One Billion Binaries milestone (and, spoiler alert - not everyone in the team is as excited by this news as some of us). We provide a little bit of history about the growth of our malware collection, and the some of the challenges we continue to face.