News & Insights

Topic: Shadowserver

Introducing Report Severity Levels

October 12, 2023
To make it easier for organizations to consume and prioritize our daily reports, we are introducing report and event severity levels. Each report type and event in the report will have a severity level assigned. This will make it possible to filter all our daily reporting based on the severity of the actual event being reported.

Qakbot Historical Bot Infections Special Report

September 8, 2023
On Tuesday 29th August 2023, the US DoJ and FBI, together with other global law enforcement partners, announced a disruption action against the Qakbot botnet. This involved the FBI deleting the Qakbot malware from infected victim computers under US court order. As part of their operation, the FBI acquired a copy of the threat actor’s database of historical Qakbot infections, which covered the period July 2019 to August 2023. This database contains a record of over 700,000 discrete Qakbot bot infections in 230 countries. Shadowserver is sharing elements of this dataset as a one-off Special Report, to allow historical Qakbot infections to be investigated and any secondary malware identified and remediated by system defenders.

Technical Summary of Observed Citrix CVE-2023-3519 Incidents

August 7, 2023
The Shadowserver Foundation and trusted partners have observed three different malicious campaigns that have exploited CVE-2023-3519, a code injection vulnerability rated CVSS 9.8 critical in Citrix NetScaler ADC and NetScaler Gateway. The summary below is based on collaboration with the individual compromised organizations, as well as their commercial incident response teams. All timestamps in this write-up are in UTC timezone, and they have all been slightly adjusted to not disclose the actual times. If you own a Citrix NetScaler or have those in your constituency, please follow the detection and hunting advice for signs of compromise and webshells!

Multiple language Dashboard support

June 2, 2023
We are happy to announce the addition of support for multiple languages in our public Dashboard. Five different languages have been added: Arabic, Indonesian (Bahasa Indonesia), Malaysian (Bahasa Melayu), Filipino (Tagalog) and Thai. This work was kindly supported by the UK Foreign, Commonwealth & Development Office (FCDO). If you are a National CSIRT or network owner who would like to see your own language added, please contact us to discuss helping to make that happen. Likewise, if you are a user with language/technical feedback on these translations, please do get in touch with suggestions and improvements.

Observations on cyber threat activity and vulnerabilities in the Gulf Region

May 31, 2023
We are happy to continue our efforts in collaboration with the UK FCDO, building on our previous global outreach to Africa, Indo-Pacific, Central and Eastern Europe (CEEC), and Association of Southeast Asian Nations (ASEAN) regions to produce a cyber security spotlight on the Gulf Region. For a review of previous UK FCDO-supported activities please read a) UK Foreign, Commonwealth & Development Office funds Shadowserver surge in Africa and Indo-Pacific regions, b) Continuing Our Africa and Indo-Pacific Regional Outreach, c) More Free Cyber Threat Intelligence For National CSIRTs and d) Shadowserver’s New Public Dashboard.

Observations on cyber threat activity and vulnerabilities in Indonesia, Malaysia, Philippines and Thailand

May 30, 2023
Shadowserver has recently been funded by the UK Foreign, Commonwealth & Development Office (FCDO) to provide more detailed and tailored cyber threat insight support to countries in the Association of Southeast Asian Nations (ASEAN), specifically Indonesia, Malaysia, Philippines and Thailand. These activities included obtaining a better understanding of the device makeup of the exposed attack surface in those countries, vulnerability exposure (especially relating to emerging threats) and observed attacks/infected devices - coming both from and directed at the region. The intention is to enrich Shadowserver's free daily threat feeds and public benefit services to the region, providing National CSIRTs and other system defender entities (organizations that are network owners) with a better awareness of their threat and vulnerability landscape, thus helping them to improve their cybersecurity posture.

UK/US Joint Announcements Remind Us That Un-Remediated Vulnerabilities Snowball

April 20, 2023
The UK’s National Cyber Security Centre (NCSC) and the US Cybersecurity and Infrastructure Security Agency (CISA) issued an alert on nation-state sponsored exploitation of router infrastructure. The alert calls out SNMP public exposure and one vulnerability in particular - CVE-2017-6742 - which relates to a long known “remote code execution” opportunity on certain Cisco routers. This alert is a timely reminder for all with unpatched equipment to think broadly! We use this opportunity to highlight our data and free daily reports that provide information on the SNMP and Cisco device exposed attack surface (and more!).

New Dashboard Attack Statistics Enhancements

April 3, 2023
We are happy to announce multiple enhancements to our public Dashboard, particularly to the Exploited Vulnerability data collected by our server-side honeypot sensors, thanks to funding provided by the UK Foreign Commonwealth and Development Office (FCDO).

Craig Newmark Makes $500,000 Grant to Shadowserver

March 30, 2023
The Shadowserver Foundation is grateful for the continued support and generosity of craigslist founder, Craig Newmark. Earlier this month, Craig Newmark provided Shadowserver with a substantial donation of $500,000.

Shadowserver Alliance Launch

October 4, 2022
The Shadowserver Foundation today launched its new Alliance to Continue to Build a Safer, More Secure Internet. The new Shadowserver Alliance partner program will accelerate growth and scale up delivery of no cost cybersecurity and cyber threat intelligence services to internet defender organizations and law enforcement. The Alliance represents a significant expansion to Shadowserver's freely provided internet security services and enables partners, including some of the world’s most trusted organizations such as Mastercard, Craig Newmark Philanthropies, Avast, Trend Micro and Akamai, to aid its mission to create a safer, more secure Internet. The Shadowserver Alliance is actively seeking new partners to join us now in the next phase of our journey. As a strong community, we can continue to raise the bar on global cyber security together.