News & Insights

Topic: Shadowserver

Shadowserver Special Reports – Exchange Scanning #2

March 12, 2021
Another one-off Shadowserver Special Report, this time in partnership with Kryptoslogic, provides critical information about compromised Microsoft Exchange Servers with exposed public web shells that were likely exploited using CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065. Please remediate and patch/rebuild urgently!

Shadowserver Special Reports – Exchange Scanning #1

March 11, 2021
Shadowserver one-off Special Reports are for reporting security events outside our usual 24-hour reporting window. Our second Special Report covers the identification of Microsoft Exchange Servers potentially vulnerable to CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065, found by scanning with DIVD after patches were released.

Shadowserver Special Reports - HAFNIUM Exchange Victims

March 11, 2021
Announcing new Shadowserver one-off Special Reports, for reporting security events outside our usual 24-hour reporting window. The first Special Report covers victims of alleged HAFNIUM exploitation of Microsoft Exchange Server via CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065 between 2021-02-26 and 2021-03-03, but not subsequent mass exploitation after the patches were released.

Scanning for Accessible MS-RDPEUDP services

January 25, 2021
We have started daily IPv4 /0 scanning for exposed MS-RDPEUDP instances on port 3389/UDP. Aside from the usual risks associated with exposing RDP services to the Internet, this UDP extension of the popular RDP services has been found to be susceptible to amplification DDoS abuse with an amplification factor of over 84. Over 12 000 instances of MS-RDPEUDP have been found to be accessible on the IPv4 Internet.

The Data Center Move - All the Gory Details and Extras

October 16, 2020
As everyone knows now, Shadowserver had a bit of a funding issue earlier this year which caused us to go through the process of needing a new space for our data operations. A place to call home for all that storage and computing that we do daily. A new data center was required. This story will go through that recent history, the actual move, and a few after-action and post-move things that occurred. This blog will be partially serious, some tongue in cheek, and some sad comedy, so enjoy our journey.

Fundraising Update - Avast (and Urgent 2020 Target Achieved)

September 8, 2020
Fundraising update: Avast has very generously committed $500,000 USD to support Shadowserver’s public benefit services in 2020, taking us up to our $2.1M urgent 2020 operational target. Now we can start focusing on long term sustainability in 2021+.

Supporting Shadowserver Through Optional Voluntary Invoicing

August 11, 2020
As a non-profit organization, Shadowserver has been funded to date by donations and sponsorship. However, some constituents find international donation logistics difficult. This post introduces the concept of optional voluntary invoicing to support our ongoing public benefit mission. This definitely does not mean that Shadowserver is going commercial in any way - our services continue to be freely available to all who need them. But it does provide organizations who appreciate our services with another potential complementary mechanism for financially supporting us.

The Data Center is Moving to its new Home

July 31, 2020
The Data Center is moving and we expect to be down from 2020-08-14 (Friday) to 2020-08-18 (Tuesday).  This will impact all of our services except incoming email.  Most of our data collection system will remain functional, but we will have no way of importing and reporting anything.  In fact, all reports will be suspended until we come back up.

Helping fight ransomware with NoMoreRansom

July 8, 2020
After successfully collaborating with founder partners Europol and the Dutch National Police on cybercrime disruption for many years, Shadowserver are very pleased to formally join their NoMoreRansom initiative. Available in 36 languages, supported by over 150 law enforcement agencies and businesses worldwide, and supporting decryption tools for over 120 different ransomware variants, NoMoreRansom is the go-to resource for education and helping victims battle ransomware. We highly recommend that you follow their advice and help support this great public benefit partnership.

Accessible Radmin Report - Exposed Radmin Services on the Internet

July 7, 2020
We have recently enabled a new IPv4 Internet-wide scan and report for accessible Radmin services on port 4899/TCP. Radmin is a remote access software product commonly in use today. Our daily scans uncover around 50,000 accessible Radmin services on port 4899/TCP. While Radmin is in general considered a secure mechanism for remote access, care should be taken as with all similar types of services to ensure no misconfiguration has taken place.