News & Insights

We recently began scanning for middlebox devices that are vulnerable to Middlebox TCP reflection, which can be abused for DDoS amplification attacks.  Our results are now shared daily, filtered for your network or constituency in the new Vulnerable DDoS Middlebox report. We uncover over 18,800,000 IPv4 addresses responding to our Middlebox probes. In some cases the amplification rates can exceed 10,000!

A maximum risk critical vulnerability in the popular Apache Log4j open source logging software was made public as CVE-2021-44228 on December 9th 2021, potentially providing attackers with easy remote code execution on thousands of systems globally. Although Shadowserver decided not to scan for this vulnerability, our honeypots continue to detect IPv4 /0 scanning and exploitation attempts. A second run of our Vulnerable Log4j Servers Special Report provides updated data from Alpha Strike Lab's scanning activity performed during the week since our first Special Report. The updated Special Report is being distributed to National CSIRTs and network owners as a public benefit service to aid in rapid remediation.

A maximum risk critical vulnerability in the popular Apache Log4j open source logging software was made public as CVE-2021-44228 on December 9th 2021, potentially providing attackers with easy remote code execution on thousands of systems globally. Although Shadowserver decided not to scan for this vulnerability, our honeypots detected rapid growth in IPv4 /0 scanning. This Special Report provides data from Alpha Strike Labs's scanning activity and is being distributed to National CSIRTs and network owners as a public benefit service to aid in rapid remediation.

We have introduced a new report type, the Device Identification Report. This report contains a list of devices we have identified in our daily Internet scans. The assessment is made based on all our IPv4-wide Internet scan types. All scan responses are processed by a scan signature engine that classifies IPs based on predefined rules that match various response fields. The report is intended for recipients to get a better understanding of device population types on networks they are responsible for

A new one-off Special Report covering efforts to identify additional vulnerable and compromised Microsoft Exchange servers and associated common web shell that are configured to use DNS based virtual hosting, rather than direct IPv4 /0 scanning for default web sites, containing data for the period 2021-03-16 to 2021-03-22.

Another internet wide scan based one-off Special Report identifying 59218 potentially vulnerable Microsoft Exchange Servers on 2021-03-14 courtesy of Kryptoslogic, with a comparison of the degree of overlap in coverage between this data set and our previous one-off Special Report that was just released. If your mail servers appear in either report - please patch immediately.

Another one-off Special Report identifying 73608 potentially vulnerable Microsoft Exchange Servers during the period 2021-03-13 and 2021-03-14, which corresponds to 63115 unique IP addresses in 211 countries. These exposed systems remain at very high risk and need patching immediately.

Another one off Shadowserver Special Report, this time in partnership with Kryptoslogic, provides critical information about compromised Microsoft Exchange Servers with exposed public web shells that were likely exploited using CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065. Please remediate and patch/rebuild urgently!

Shadowserver one-off Special Reports are for reporting security events outside our usual 24-hour reporting window. Our second Special Report covers identification Microsoft Exchange Servers potentially vulnerable to CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065 by scanning with DIVD after patches were released.

We have started daily IPv4 /0 scanning for exposed MS-RDPEUDP instances on port 3389/UDP. Aside from the usual risks associated with exposing RDP services to the Internet, this UDP extension of the popular RDP services has been found to be susceptible to amplification DDoS abuse with an amplification factor of over 84. Over 12 000 instances of MS-RDPEUDP have been found to be accessible on the IPv4 Internet.