Media Coverage

Shadowserver in the news

Apache HugeGraph-Server RCE Vulnerability Under Active Attack

Cyber Security News, July 16, 2024

Attackers are actively  exploiting a critical remote code execution (RCE) vulnerability in Apache HugeGraph-Server, which is tracked as CVE-2024-27348. The vulnerability affects versions 1.0.0 to 1.3.0 of the popular open-source graph database tool.

The flaw, which carries a severe CVSS score of 9.8, allows unauthenticated attackers to execute arbitrary operating system commands on vulnerable servers by  exploiting missing reflection filtering in the SecurityManager. This gives attackers complete control over the affected systems, potentially enabling data theft, network infiltration, ransomware deployment, and other malicious activities.

The Shadowserver Foundation has reported observing exploitation attempts of CVE-2024-27348 from multiple sources, specifically targeting the “/gremlin” endpoint with POST requests.

National Crime Agency leads international operation to degrade illegal versions of Cobalt Strike

National Crime Agency, July 3, 2024

The National Crime Agency has coordinated global action against illicit software which has been used by cybercriminals for over a decade to infiltrate victims’ IT systems and conduct attacks. Action was taken against 690 individual instances of malicious Cobalt Strike software located at 129 internet service providers in 27 countries. By the end of the week, 593 of these addresses had been taken down.

A number of private industry partners, including BAE Systems Digital Intelligence, Trellix, Shadowserver, Spamhaus and Abuse CH also supported law enforcement in identifying malicious instances and use of Cobalt Strike by cybercriminals.

Using a platform known as the Malware Information Sharing Platform, private sector organisations shared real time threat intelligence with law enforcement. More than 730 pieces of threat intelligence containing almost 1.2 million indicators of compromise were shared.

Europol coordinates global action against criminal abuse of Cobalt Strike

Europol, July 3, 2024

Law enforcement has teamed up with the private sector to fight against the abuse of a legitimate security tool by criminals who were using it to infiltrate victims’ IT systems. Older, unlicensed versions of the Cobalt Strike red teaming tool were targeted during a week of action coordinated from Europol’s headquarters between 24 and 28 June. Known as Operation MORPHEUS, this investigation was led by the UK National Crime Agency and involved law enforcement authorities from Australia, Canada, Germany, the Netherlands, Poland and the United States.

Cooperation with the private sector was instrumental in the success of this disruptive action. A number of private industry partners supported the action, including BAE Systems Digital Intelligence, Trellix, Spamhaus, and The Shadowserver Foundation. These partners deployed enhanced scanning, telemetry and analytical capabilities to help identify malicious activities and use by cybercriminals.

Batten down the hatches, it's time to patch some more MOVEit bugs

The Register, June 26, 2024

Thought last year’s MOVEit hellscape was well and truly behind you? Unlucky, buster. We’re back for round two after Progress Software lifted the lid on fresh vulnerabilities affecting MOVEit Transfer and Gateway.

In typical fashion, researchers at watchTowr have penned a comprehensive account of CVE-2024-5806 – the one affecting MOVEit Transfer – and the two damaging attacks it can facilitate. To the surprise of probably no one, within just a few hours of watchTowr’s writeup going live, attack attempts using CVE-2024-5806 began, according to Shadowserver’s telemetry.

As for how many MOVEit customers are currently exposed, different vendors’ telemetry will always vary. Shadowserver’s data suggests less than 2,000 are exposed to the internet, while Censys puts that figure more in the 2,700 region. Both agree that most are localized to North America, however.

Why DNS Needs to be Viewed as a Critical Infrastructure

Spiceworks, June 20, 2024

Michael Smith of Vercara delves into DNS’s critical role as foundational internet infrastructure and outlines essential steps to secure it against escalating cyber threats.

To safeguard DNS like we would traditional critical infrastructure, consider the following best practices and steps:

1) Ensure DNS redundancy; 2) Protect DNS servers from DDoS; 3) Scan DNS servers:

Vulnerability scanning services and some of the free scanning data provided by Shadowserver can help you identify these vulnerabilities and misconfigurations in your internet-accessible DNS servers.

4) Use DNSSEC; 5) Use protective DNS services; 6) Separate public and non-public zones ; and 7) Change control, audit, and rollback

256,000+ Publicly Exposed Windows Servers Vulnerable to MSMQ RCE Flaw

GB Hackers, June 13, 2024

Cybersecurity watchdog Shadowserver has identified 256,000+ publicly exposed servers vulnerable to a critical Remote Code Execution (RCE) flaw in Microsoft Message Queuing (MSMQ) services.

The flaw, designated CVE-2024-30080, poses a significant threat to global cybersecurity. It could allow malicious actors to execute arbitrary code on affected systems.

These servers span various industries, including finance, healthcare, and government sectors, highlighting the widespread risk posed by this vulnerability.

How We Cover Your Back, June 10, 2024

As a national CERT, one of our extremely important tasks is to proactively inform network operators about potential or confirmed security issues that could affect Austrian companies. 

As you can imagine, handling every possible case would be impossible. Therefore, we focus on the most typical issues and automate much of our processes. Our approach heavily relies on automated data processing and sending notifications via email. To accomplish this, we subscribe to data feeds from partners like ShadowServer.  Our partners who conduct scans ensure they do so legally and non-intrusively, typically operating their servers in countries where scanning isn’t prohibited. This is the approach chosen by ShadowServer, our main data source.

If we don’t scan, what exactly is our role? Simply put: we inform YOU. 

Over the past year, we developed a process that includes regular meetings of representatives from all involved teams. This new process and a one-time review of existing sources resulted in a significant increase in the types of issues we process. For our main provider, ShadowServer, we doubled the number of processed feeds in the last year, currently supporting about 70 of their feeds. 

Critical RCE Vulnerability (CVE-2024-4577) in PHP on Windows: Patch Now Available

SOCRadar, June 8, 2024

A remote code execution (RCE) vulnerability in PHP has been discovered by DEVCORE during their continuous offensive research. Due to the widespread use of PHP in the web ecosystem and the ease of exploitability, the severity of the vulnerability has been classified as critical (CVSS score 9.8). This issue was promptly reported to the PHP official team, who released a patch on June 6, 2024.

On June 7, The Shadowserver Foundation posted a tweet on X (formerly Twitter) that they have observed multiple IPs trying to exploit this vulnerability against their honeypots.

The critical PHP vulnerability, CVE-2024-4577, is currently being exploited to deploy TellYouThePass ransomware.

MIL-OSI Security: FBI Cyber Assistant Director Bryan Vorndran’s Remarks at the 2024 Boston Conference on Cyber Security, June 6, 2024

First, given the FBI’s history, it should not be surprising that one of our core focuses is investigating and attributing cyber activity to disrupt cybercriminals and raise their cost to operate. Bottom line, we want to punish cybercriminals and take them off of the playing field.

Next, we must gather and operationalize domestic intelligence to bolster victim recovery and support operational activity, or, as we say, we must pressure the common threats we face. We pressure these common threats by initiating joint and sequenced operations and on network operations to fight back against cyber adversaries from a domestic position and as a foothold for USIC [U.S. Intelligence Community] partners to engage. It’s an all-tools/all-partners approach. When I say “all-partners,” I mean it. We look to partner with domestic and global partners in both the public and private sectors. This is how we have the most significant impact on our adversaries.

For instance, in January, the FBI Field Office here in Boston led Operation Dying Ember, an international effort against Russian military intelligence: the GRU. In this case, the GRU was taking advantage of a botnet to target the U.S. government, cleared defense contractors, NATO allies, and the Ukrainian aid shipment network. Our court-authorized technical operation kicked the GRU off more than 1,000 home and small-business routers belonging to unwitting victims all over the world—including here in Massachusetts.

This was an operation we could not have accomplished without corporate partners, particularly Microsoft and the Shadowserver Foundation.

By killing the GRU’s access to a botnet they were using to run cyber operations around the world, we both helped to protect unwitting businesses and individuals and put a dent in Russia’s cyber-enabled intelligence operations.

Largest ever operation against botnets hits dropper malware ecosystem

Europol, May 30, 2024

Between 27 and 29 May 2024 Operation Endgame, coordinated from Europol’s headquarters, targeted droppers including, IcedID, SystemBC, Pikabot, Smokeloader, Bumblebee and Trickbot. The actions focused on disrupting criminal services through arresting High Value Targets, taking down the criminal infrastructures and freezing illegal proceeds. This approach had a global impact on the dropper ecosystem.

This is the largest ever operation against botnets, which play a major role in the deployment of ransomware. The operation, initiated and led by France, Germany and the Netherlands was also supported by Eurojust and involved Denmark, the United Kingdom and the United States. In addition, Armenia, Bulgaria, Lithuania, Portugal, Romania, Switzerland and Ukraine also supported the operation with different actions, such as arrests, interviewing suspects, searches, and seizures or takedowns of servers and domains. The operation was also supported by a number of private partners at national and international level including Bitdefender, Cryptolaemus, Sekoia, Shadowserver, Team Cymru, Prodaft, Proofpoint, NFIR, Computest, Northwave, Fox-IT, HaveIBeenPwned, Spamhaus and DIVD.