Media Coverage

Shadowserver in the news

Microsoft server hack hit about 100 organizations, researchers say

Reuters, July 22, 2025

A sweeping cyber espionage operation targeting Microsoft server software compromised about 100 organizations as of the weekend, two of the organizations that helped uncover the campaign said on Monday. Microsoft on Saturday issued an alert about “active attacks” on self-hosted SharePoint servers, which are widely used by organizations to share documents and collaborate within organizations. Vaisha Bernard, the chief hacker at Eye Security, a Netherlands-based cybersecurity firm, which discovered the hacking campaign targeting one of its clients on Friday, said that an internet scan carried out with the Shadowserver Foundation had uncovered nearly 100 victims altogether – and that was before the technique behind the hack was widely known.

New CrushFTP Critical Vulnerability Exploited in the Wild

Infosecurity Magazine, July 21, 2025

At least 10,000 CrushFTP instances are vulnerable to a critical flaw, which is currently being exploited by attackers, affecting the file transfer solution, according to cybersecurity experts. The vulnerability, tracked as CVE-2025-54309, involves a mishandling of AS2 validation in all versions of CrushFTP servers prior to 10.8.5 and prior to 11.3.4_23. It can be exploited when the demilitarized zone (DMZ) proxy feature is not used. On July 21, the Shadowserver Foundation reported observing 1040 unpatched CrushFTP instances, with the top affected countries being the US, Germany and Canada.

FortiWeb Systems Compromised via Webshells After Public PoC Release

GB Hackers, July 17, 2025

A widespread cyberattack campaign has successfully compromised dozens of Fortinet FortiWeb instances through webshell deployment, exploiting a critical vulnerability for which proof-of-concept code became publicly available just days ago. The attacks center around CVE-2025-25257. The Shadowserver Foundation, a prominent threat monitoring organization, has been tracking the exploitation campaign since it began on July 11. Their latest data reveals concerning statistics about the scope of compromised systems.

Global operation targets NoName057(16) pro-Russian cybercrime network

Europol, July 16, 2025

Between 14 and 17 July, a joint international operation, known as Eastwood and coordinated by Europol and Eurojust, targeted the cybercrime network NoName057(16). Law enforcement and judicial authorities from Czechia, France, Finland, Germany, Italy, Lithuania, Poland, Spain, Sweden, Switzerland, the Netherlands and the United States took simultaneous actions against offenders and infrastructure belonging to the pro-Russian cybercrime network. The investigation was also supported by ENISA, as well as Belgium, Canada, Estonia, Denmark, Latvia, Romania and Ukraine. The private parties ShadowServer and abuse.ch also assisted in the technical part of the operation.

Wing FTP Server Vulnerability Actively Exploited – 2000+ Servers Exposed Online

Cyber Security News, July 14, 2025

Security researchers have confirmed active exploitation of a critical vulnerability in Wing FTP Server, just one day after technical details were publicly disclosed. The flaw, tracked as CVE-2025-47812, has received the maximum CVSS score of 10.0 and enables unauthenticated remote code execution with root or SYSTEM privileges. The Shadowserver Foundation has identified around 2,000 IPs running exposed Wing FTP Server instances, though specific vulnerability checks have not been conducted on all identified systems.

Over 1,200 Citrix servers unpatched against critical auth bypass flaw

Bleeping Computer, June 30, 2025

Over 1,200 Citrix NetScaler ADC and NetScaler Gateway appliances exposed online are unpatched against a critical vulnerability believed to be actively exploited, allowing threat actors to bypass authentication by hijacking user sessions. On Monday, security analysts from the internet security nonprofit Shadowserver Foundation discovered over the weekend that 2,100 appliances were still vulnerable to CVE-2025-5777 attacks. Shadowserver also found over 2,100 NetScaler appliances unpatched against another critical vulnerability (CVE-2025-6543), now actively exploited in denial-of-service (DoS) attacks.


New Common Good Cyber Fund Launches to Strengthen Internet Security Globally

Common Good Cyber, June 23, 2025

The Internet Society (ISOC) and Global Cyber Alliance (GCA), on behalf of the Common Good Cyber secretariat, today announce the launch of the Common Good Cyber Fund, an initiative to strengthen global cybersecurity by supporting nonprofits that deliver core cybersecurity services that protect civil society actors at high risk and the Internet as a whole. The Common Good Cyber secretariat members working to address this challenge are: Global Cyber Alliance, Cyber Threat Alliance, CyberPeace Institute, Forum of Incident Response and Security Teams, Global Forum on Cyber Expertise, Institute for Security and Technology, and Shadowserver Foundation.

In a Joint Statement Between the Prime Minister of the United Kingdom and the Prime Minister of Canada on June 15, 2025, the Prime Ministers announced that they would both invest in the Joint Canada-UK Common Good Cyber Fund.

84,000+ Roundcube Webmail Installations Vulnerable to Remote Code Execution Attacks

Cyber Security News, June 10, 2025

A critical security vulnerability affecting Roundcube webmail installations has exposed over 84,000 systems worldwide to remote code execution attacks. The Shadowserver Foundation has been actively monitoring and reporting instances of Roundcube installations affected by CVE-2025-49113 over the past several days. The Shadowserver Foundation’s dashboard visualization reveals clustering patterns that suggest both widespread deployment of Roundcube installations and varying levels of security maintenance across different regions.

U.S. Government seizes approximately 145 criminal marketplace domains

US Department of Justice, June 4, 2025

The U.S. Attorney’s Office for the Eastern District of Virginia announced today the seizure of approximately 145 darknet and traditional internet domains, and cryptocurrency funds associated with the BidenCash marketplace. The operators of the BidenCash marketplace use the platform to simplify the process of buying and selling stolen credit cards and associated personal information. The BidenCash marketplace had grown to support over 117,000 customers, facilitated the trafficking of over 15 million payment card numbers and personally identifiable information, and generated over $17 million in revenue during its operations.

The BidenCash marketplace domains will no longer be operational and will be redirected to a U.S. law enforcement-controlled server, preventing future criminal activity on these sites. The Department of Justice thanks the Dutch National High Tech Crime Unit, The Shadowserver Foundation and Searchlight Cyber for their assistance with the investigation.

Latrodectus malware detected on over 44,000 IP addresses

cybernews, May 30, 2025

Over 44,000 IP addresses were infected with dangerous Latrodectus malware, which is used to deploy banking trojans, before a law enforcement takedown during this month’s Operation Endgame, new data reveals. Operation Endgame is an ongoing, long-term oriented, large-scale operation conducted jointly by law enforcement agencies around the world. Shadowserver Foundation, a nonprofit security organization, has shared a special report on its tracking of the infected machines. ShadowServer shares the report with internet service providers, network owners, and other organizations, which helps to clean up infected devices.

“The data in this IcedID/Latrodectus Historical Bot Infections Special Report was provided to Shadowserver by the Operation Endgame Law Enforcement partners to disseminate to National CERTs/CSIRTs and network owners globally, to maximize remediation efforts,” Shadowserver explains.