News & Insights


Shadowserver Special Reports – Vulnerable Log4j Servers (2021-12-22 update)

December 22, 2021
A maximum risk critical vulnerability in the popular Apache Log4j open source logging software was made public as CVE-2021-44228 on December 9th, 2021, potentially providing attackers with easy remote code execution on thousands of systems globally. Although Shadowserver decided not to scan for this vulnerability, our honeypots continue to detect IPv4 /0 scanning and exploitation attempts. A second run of our Vulnerable Log4j Servers Special Report provides updated data from Alpha Strike Labs' scanning activity performed during the week since our first Special Report. The updated Special Report is being distributed to National CSIRTs and network owners as a public benefit service to aid in rapid remediation.

Log4j Scanning and CVE-2021-44228 Exploitation - Latest Observations (2021-12-16)

December 16, 2021
Following our recent Special Report and blog post about vulnerable Log4j servers, this is a quick and dirty update on the "log4shell" mass scanning and attempted CVE-2021-44228 exploitation activity we have been seeing across our global honeypot sensor network between Sunday December 11th and Thursday December 16th, including a quick analysis of the top ten malware callback URIs observed and their server distribution.

Shadowserver Special Reports – Vulnerable Log4j Servers

December 15, 2021
A maximum risk critical vulnerability in the popular Apache Log4j open source logging software was made public as CVE-2021-44228 on December 9th, 2021, potentially providing attackers with easy remote code execution on thousands of systems globally. Although Shadowserver decided not to scan for this vulnerability, our honeypots detected rapid growth in IPv4 /0 scanning. This Special Report provides data from Alpha Strike Labs' scanning activity and is being distributed to National CSIRTs and network owners as a public benefit service to aid in rapid remediation.

Continuing Our Africa and Indo-Pacific Regional Outreach

December 1, 2021
Shadowserver received funding from the UK FCDO in Q1 2021 for a short surge to improve the support we offered to Africa and the Indo-Pacific region. We achieved some good results, so we are providing some public highlights in this blog post. We are also pleased to announce that we have received additional FCDO funding to continue these efforts through Q4 2021 and Q1 2022, and hope to further expand our free public benefit service coverage to more National CSIRTs and additional network owners (ASNs) in these target regions.

Changes in Sinkhole and Honeypot Report Types and Formats

April 1, 2021
Over the years, Shadowserver's report list has grown considerably from when we originally started. When some of these reports were originally set up, the requirements were different from those needed today. We have therefore decided to implement changes to some of the existing report types, especially those related to our sinkholes and honeypots, as well as to remove some legacy reports. The changes come into effect on 2021-06-01. On that day, the old reports will cease and only the new equivalents will be sent out. Until then, starting 2021-04-05, both the old and the new reports will be sent in parallel.

UK Foreign, Commonwealth & Development Office funds Shadowserver surge in Africa and Indo-Pacific regions

March 18, 2021
Can you help Shadowserver sign up more countries/networks in Africa and the Indo-Pacific to receive our free daily network reports and help secure the Internet? We are running a UK FCDO funded surge in Feb/March 2021, aimed at increasing outreach and expanding our honeypot sensor network in those regions. We are seeking introductions, contacts and hosting, so please get in touch if you can help us achieve these goals.

Scanning for Accessible MS-RDPEUDP services

January 25, 2021
We have started daily IPv4 /0 scanning for exposed MS-RDPEUDP instances on port 3389/UDP. Aside from the usual risks associated with exposing RDP services to the Internet, this UDP extension of the popular RDP service has been found to be susceptible to amplification DDoS abuse with an amplification factor of over 84. Over 12 000 instances of MS-RDPEUDP have been found to be accessible on the IPv4 Internet.
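An amplification factor of over 84 means that a host exposing 3389/UDP can be turned against a third party whose address the attacker spoofs. The check a network owner can run on their own flow records to spot that happening is shown below as an added example; it is not Shadowserver's scanning or report code, the NetFlow-style records, addresses and the 20x threshold are constructed assumptions, and the ratio is computed per (reflector, peer) pair so that a normal RDP-over-UDP session, whose request and response volumes are of the same order, is not flagged.

```python
from collections import defaultdict

UDP = 17
RDPEUDP_PORT = 3389

# Constructed NetFlow-style records (src, sport, dst, dport, proto, bytes, packets),
# as a collector in front of two hosts exposing 3389/UDP might see them. Not real data.
FLOWS = [
    # Spoofed requests carrying the victim's address 192.0.2.9, aimed at reflector 198.51.100.20 ...
    ("192.0.2.9", 40000, "198.51.100.20", 3389, UDP, 2_000, 20),
    # ... and the much larger replies the reflector sends to the victim.
    ("198.51.100.20", 3389, "192.0.2.9", 40000, UDP, 180_000, 140),
    # A genuine RDP-over-UDP session: request and response volumes of the same order.
    ("203.0.113.5", 51234, "198.51.100.21", 3389, UDP, 9_000, 60),
    ("198.51.100.21", 3389, "203.0.113.5", 51234, UDP, 12_000, 70),
    # Plain TCP RDP to the same host; ignored by the UDP-only check.
    ("203.0.113.5", 51235, "198.51.100.21", 3389, 6, 50_000, 200),
]


def amplification_ratios(flows, port=RDPEUDP_PORT):
    """Bytes a host sent from port/UDP to a peer, divided by bytes it received from that peer on it.

    Keyed by (reflector, peer); a peer that sent nothing inbound is skipped.
    """
    received = defaultdict(int)
    sent = defaultdict(int)
    for src, sport, dst, dport, proto, nbytes, _pkts in flows:
        if proto != UDP:
            continue
        if dport == port:
            received[(dst, src)] += nbytes
        elif sport == port:
            sent[(src, dst)] += nbytes
    return {key: sent[key] / received[key] for key in received if received[key]}


def reflection_candidates(flows, threshold=20.0, port=RDPEUDP_PORT):
    """(reflector, peer, ratio) triples at or above the threshold; the peer is the probable spoofed victim."""
    return sorted(
        (reflector, peer, round(ratio, 1))
        for (reflector, peer), ratio in amplification_ratios(flows, port).items()
        if ratio >= threshold
    )


if __name__ == "__main__":
    for reflector, victim, ratio in reflection_candidates(FLOWS):
        print(f"{reflector} amplifies {ratio}x towards {victim}")
```

The threshold is deliberately far below the 84x cited for the protocol itself, because flow sampling and session setup traffic dilute the observed ratio. The lasting fix is not detection but removing the reflector: filter 3389/UDP at the network edge unless RDP over UDP is genuinely required from the Internet, which for most deployments it is not.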

The Data Center Move - All the Gory Details and Extras

October 16, 2020
As everyone knows now, Shadowserver had a bit of a funding issue earlier this year which caused us to go through the process of needing a new space for our data operations.  A place to call home for all that storage and computing that we do daily.  A new data center was required.  This story will go through that recent history, the actual move, and a few after action and post move things that occurred.  This blog will be partially serious, some tongue in cheek, and some sad comedy, so enjoy our journey.

The Data Center is Moving to its new Home

July 31, 2020
The Data Center is moving and we expect to be down from 2020-08-14 (Friday) to 2020-08-18 (Tuesday).  This will impact all of our services except incoming email.  Most of our data collection system will remain functional, but we will have no way of importing and reporting anything.  In fact, all reports will be suspended until we come back up.

Accessible Radmin Report - Exposed Radmin Services on the Internet

July 7, 2020
We have recently enabled a new IPv4 Internet-wide scan and report for accessible Radmin services on port 4899/TCP. Radmin is a remote access software product commonly in use today. Our daily scans uncover around 50,000 accessible Radmin services on port 4899/TCP. While Radmin is in general considered a secure mechanism for remote access, care should be taken as with all similar types of services to ensure no misconfiguration has taken place.