Media Coverage

Shadowserver in the news

Kazakh companies using GeoServer are at risk

Register TV Kazakhstan, May 16, 2023

State Technical Service JSC reports that during the monitoring of the Kazakhstani segment of the Internet, 17 IP addresses were found that are presumably subject to critical vulnerabilities with identifiers CVE-2022-24816 and CVE-2023-25157. The detected IP addresses belong to large companies in the quasi-public sector of Kazakhstan. GeoServer is used in various industries such as geology, ecology, geodesy, agriculture, urban management, etc., where spatial data is an important component for making strategic decisions. The National Computer Incident Response Service (KZ-CERT) sent notifications to owners of IP addresses and telecom operators recommending the need to immediately apply updates to avoid possible risks and threats to information security. Failure to address vulnerabilities in a timely manner can lead to the compromise of sensitive data and further attacks on the network, including the introduction of malicious software into other systems, which will compromise the security of the entire network infrastructure. The Shadowserver Foundation (an information security organization that sends daily online reports to subscribers and cooperates with law enforcement agencies around the world in investigating cybercrime) published information about vulnerabilities in the GeoServer software. We recommend that all companies pay attention to updates of systems and software used in the infrastructure,” KZ-Cert noted.

Thousands of Microsoft servers are at risk from some serious security bugs

Techradar, May 10, 2023

IT teams operating Microsoft Exchange servers are very slow at patching their endpoints, resulting in thousands of devices still being vulnerable to some high-severity flaws. This is according to a new report on CyberNews, which claims more than 85,000 servers are still exposed to multiple remote code execution (RCE) vulnerabilities, namely CVE-2023-21529, CVE-2023-21706, and CVE-2023-21707. The report has described the flaws as “extremely dangerous” due to the fact that they can allow the threat actors to run malicious code and compromise people’s inboxes and email messages sitting on the servers. The flaws were discovered in mid-February 2023, with Microsoft being quick to release a patch to address the issue. However, many IT teams are yet to apply these patches, they’re saying. In fact, as per Shadowserver Foundation data, the number of vulnerable servers in February was 87,000, meaning the vast majority of IT teams basically disregarded this security threat and simply decided not to apply the fix.

Cybercriminal Network Fueling the Global Stolen Credit Card Trade is Dismantled

U.S. Attorneys Office Eastern District of New York, May 3, 2023

A four-count indictment was unsealed today in the United States District Court for the Eastern District of New York charging Denis Gennadievich Kulkov with access device fraud, computer intrusion and money laundering in connection with his operation of Try2Check, the primary service offering “card-checking” to cybercriminals in the stolen credit card trade.  The Try2Check platform catered to cybercriminals who purchased and sold stolen credit card numbers in bulk on the internet, offering criminals the ability to quickly determine what percentage of the cards were valid and active.  As such, Try2Check was a primary enabler of the trade in stolen credit card information, processing at minimum tens of millions of card numbers every year.  Today, the U.S. government worked with partners in Germany and Austria to take offline Try2Check’s websites, thus dismantling the defendant’s criminal network.  Along with the indictment and global website domain takedown, the State Department has announced a $10 million reward for information leading to the capture of Kulkov, who resides in Russia. Try2Check ran tens of millions of credit card checks per year and supported the operations of major card shops that made hundreds of millions in bitcoin in profits.  Over a nine-month period in 2018, the site performed at least 16 million checks, and over a 13-month period beginning in September 2021, the site performed at least 17 million checks. Through the illegal operation of his websites, the defendant made at least $18 million in bitcoin (as well as an unknown amount through other payment systems), which he used to purchase a Ferrari, among other luxury items.  In coordination with the unsealing of the charging documents in this case, Try2Check’s websites were taken offline and the State Department issued a $10 million reward for information leading to the defendant’s capture.  If convicted, Kulkov faces 20 years’ imprisonment. The charges in the indictment are allegations, and the defendant is presumed innocent unless and until proven guilty. The Office extends its appreciation to the German Federal Criminal Police Office (BKA), the German Federal Office for Information Security (BSI), the Austrian Criminal Intelligence Service – Cybercrime Competence Center (C4), and the French Central Directorate of the Judicial Police (DCPJ) and the governments of Austria, Germany and France for their assistance on this case, as well as to the Shadowserver Foundation for crucial technical assistance in addressing 

Cyber ​​threat: Morocco, the African country most affected by banking Trojans

Yabiladi, April 19, 2023

Interpol’s African Bureau of Cybercrime Operations report ranks Morocco as the African country most affected by Banking Trojans and Stealers. It is also the second most affected country by Ransomware on the continent. The African Cybercrime Operations Bureau of the International Criminal Police Organization (Interpol) recently unveiled its Africa Cyber Threat Assessment Report for the year 2022. A document that provides an overview of cyber threat trends in the African region. It shows that Morocco is the African country most affected by banking Trojans and Stealers, according to data from Trend Micro, a world leader in enterprise cloud security solutions, XDR and cybersecurity platform. The Interpol report even mentions 18,827 detections in the kingdom, which puts it ahead of South Africa (6,560 malware detections), Nigeria (5,366), Cameroon (1,462) and Algeria ( 691).  Banking Trojans and Stealers can be installed manually or remotely using techniques such as emails containing malicious links or attachments.  The report also revealed that the most prevalent banking Trojans and Stealers are Zbot and Fareit. The former accounts for 67.67% of all detections in the region, while the latter accounts for 15.39%.  The report also ranks Morocco in second place when it comes to Ransomware. Quoting Shadowserver, a non-profit security organization that collects and analyzes data on malicious activity on the Internet. South Africa is the country most targeted by these attacks. The country accounts for 42% of all detected attacks. It is followed by Morocco where 8% of the attacks took place, Botswana and Egypt (6%) as well as Tanzania and Kenya (4%). The kingdom is also cited for “online scams and extortion”. 

Patch now! QueueJumper vulnerability puts hundreds of thousands of Windows systems at risk

heise online, April 14, 2023

After worldwide scans, security researchers have discovered over 400,000 potentially vulnerable Windows systems. Security patches are available.

Windows admins should quickly take care of a ” critical ” vulnerability in the Microsoft Message Queuing Service (MSMQ) in Windows and Windows Server. If attacks are successful, attackers could execute malicious code and completely compromise systems. The vulnerability (CVE-2023-21554) was closed on Patchday in April . As a prerequisite for attacks, the MSMQ server must be active, which is not the case by default. However, the service is often activated in the course of Exchange installations, so the gap should not be underestimated. To check if systems are vulnerable, admins should check if the “Message Queuing” service is running and listening on TCP port 1801. According to a warning from Microsoft, Windows 10, 11 and many Windows server versions such as 20H2 are affected. Message Queuing is a messaging infrastructure and development platform. Message queuing applications can use this to communicate with PCs that may be offline. The service is designed to guarantee message delivery. Checkpoint security researchers discovered the vulnerability . According to them, attackers would only have to send their exploit code to TCP port 1801 of MSMQ servers to trigger an attack. Patch now! According to scans by Shadowsever, the MSMQ service is publicly available on over 400,000 Windows systems worldwide. If these systems are not yet patched, attackers could strike. The majority of these can be found in Hong Kong with 160,000 instances. In the US, there are around 57,000. Almost 8,000 systems are publicly accessible in Germany.

Hundreds of Thousands of Windows Systems Vulnerable to QueueJumper Bug in MSMQ

Hardware Info, April 14, 2023

Check Point Research recently discovered three vulnerabilities in the Microsoft Message Queuing service, a service that enables asynchronous communication between applications (such as systems that are sometimes offline). While MSMQ is not enabled by default and the bugs have been fixed since last Patch Day, hundreds of thousands of systems still appear to be vulnerable. The bugs have been assigned the codes CVE-2023-21554 , CVE-2023-21769 , and CVE-2023-28302 , with a score of 9.8 and 7.5 points out of 10 twice, respectively. The former is called QueueJumper and is categorized as critical given its high rating. This is because attackers can use modified MSMQ packets to execute malicious code on MSMQ-enabled systems. CPR recommends applying appropriate security updates as soon as possible. If this is not possible, system administrators should verify that the Message Queuing service is being used and that TCP port 1801 is open. Check Point has determined that this is the case for more than 360,000 systems. According to Shadowserver, there are no less than 403,000 vulnerable configurations, the vast majority of which are based in Hong Kong, South Korea and the US.

Finding Something New About CVE-2022-1388

VulnCheck, April 13, 2023

One of the things we do at VulnCheck is n-day analysis. That can include analysis of well-known, deeply researched, and widely exploited vulnerabilities. When we tackle that type of issue, we aim to learn something new, novel, or, at the very least, interesting. We recently took that approach analyzing CVE-2022-1388. CVE-2022-1388 is an authentication bypass vulnerability affecting F5 Big-IP products. When CVE-2022-1388 was disclosed in May 2022, there were only a few thousand internet-facing affected systems. But there was no stopping the infosec hype train. Multiple research organizations published redacted proof of concepts, Kevin Beaumont was tweeting about honeypot exploitation, randoms were dropping exploit screenshots, and reporters were mistaking jokes about an inside job for reality. Eventually, most of the speculation and fear-mongering were put to bed by an excellent deep-dive analysis from When all the hype died down, the vulnerability was quite well-known. It’s been featured in research write-ups. There’s a Metasploit module, and Greynoise tag. Shadow Server identifies the vulnerability in their honeypot network. It was even named one of the [top vulnerabilities in 2022, and added to the CISA KEV Catalog. What more could be said about this vulnerability? Well, if you don’t look, you’ll never know.

Rivian Hires Mike Johnson as Chief Information Security Officer

businesswire, April 5, 2023

Rivian Automotive, Inc. (NASDAQ: RIVN) today announced it has hired Mike Johnson as its Chief Information Security Officer (CISO). Johnson joins Rivian from Fastly where he was CISO for over 3 years, securing the network and platform of the edge cloud company. Johnson’s cybersecurity career spans more than 25 years, starting with prototyping intrusion detection systems for battlefield networks. Prior to Fastly, he served as ride-sharing company Lyft’s first CISO. Before Lyft, he spent nine years at Salesforce in various roles, ultimately building and growing their world class Detection and Response organization. Johnson currently serves on the Board of Directors for the non-profit Shadowserver Foundation, which gathers and analyzes data on malicious Internet activity. He also co-hosts the CISO Series podcast and is a frequent guest on industry podcasts.

Diane Lye, Chief Information Officer, Rivian, said:
“Mike brings an impressive track record of building and leading Cybersecurity programs across multiple different industries and is a thought-leader in this rapidly evolving space. I am delighted that he has chosen to join Rivian at this time in our growth.”

Rivian designs, develops, and manufactures category-defining electric vehicles and accessories and sells them directly to customers in the consumer and commercial markets. 

IBM Aspera Faspex High-Speed File Transfer Has a Killer Bug

The New Stack, April 5, 2023

You can’t say IBM didn’t warn us. On Jan. 26, 2023, Big Blue warned us of multiple security vulnerabilities in its ultrafast Aspera Faspex file transfer software. In particular, CVE-2022-47986, with a Common Vulnerability Scoring System (CVSS) critical rating of 9.8, is as bad a security hole as you can get. Making matters worse, the bug’s discoverers, security company Assetnote published a blog post on the Aspera Faspex vulnerability a week later. In it, they explained how an unauthenticated attacker could exploit it to execute arbitrary commands. Now in an ideal world, this would just be a good teaching moment. In it, they explain how a remote attacker can exploit a YAML deserialization flaw for arbitrary code execution using specially crafted API calls to a now obsolete API call Guess what? We don’t live in such a world. The non-profit Shadowserver Foundation Internet group reported seeing exploitation attempts in early February. The security company Rapid7 reported that it had discovered multiple exploitation incidents, including its use in the Linux and Windows IceFire ransomware campaign. This is a classic example of a solved security problem being ignored by administrators until it blew up in their faces. Specifically, IBM has identified affected products as Aspera Faspex 4.4.2 Patch Level 1 and earlier versions. The vulnerability is addressed in version 4.4.2 Patch Level 2. So you need to immediately update your software to the latest patch level to safeguard your systems. That’s it, kids.

Finding Exploitation Attempts To identify potential exploitation attempts, look at your logfiles in the default directory: /opt/aspera/faspex/log. If you see anything about the PackageRelayController#relay_package, look closely and treat it suspiciously. 

Ransomware Groups Hit Unpatched IBM File Transfer Software

Bank Info Security, March 30, 2023

Fresh warnings are sounding about the risk posed to users of unpatched IBM-built enterprise file transfer software as ransomware-wielding attackers continue to launch exploit attempts. The IBM Aspera Faspex file-exchange application is a widely adopted enterprise file-exchange application with a reputation for being able to secure and quickly move large files. Security experts warn that a flaw patched in the software by IBM on Dec. 8, 2022, which can be used to sidestep authentication and remotely exploit code, is being actively abused, including by multiple groups of attackers wielding crypto-locking malware. While the flaw was patched in December, IBM didn’t appear to have immediately detailed the vulnerability – one of many – fixed in that update. In a Jan. 26 security alert, IBM said that the flaw, designated CVE-2022-47986 and given a base CVSS score of 9.8, “could allow a remote attacker to execute arbitrary code on the system … by sending a specially crafted obsolete API call.” Malicious activity tracking group Shadowserver on Feb.13 warned that it was seeing active, in-the-wild attempts to exploit CVE-2022-47986 in vulnerable versions of Aspera Faspex. Software developer Raphael Mendonça reported Feb. 16 that a group called BuhtiRansom was “encrypting multiple vulnerable servers with CVE-2022-47986.” Buhti is a relatively new ransomware group that Palo Alto’s Unit 42 threat intelligence group has seen using crypto-locking malware written in the Go language that infects Linux systems. Targeting file transfer software or appliances is not a new tactic for ransomware groups.