Media Coverage

Shadowserver in the news

Securing Cyberspace: Minister Doughty speech

GOV.UK, October 9, 2024

In a world where we all live and work online, investing in cyber security and promoting responsible behaviour is an essential part of this mission, because fundamentally, and you will all know this, there is no national security, no economic security without cyber security. I wanted to highlight today and reflect on three key themes that will guide our approach as a new government.

The first of those is that partnerships are vital for success.

Secondly, I want to talk about responsible cyber behaviour. I will simply say that for the UK, this is about staying at the forefront of science and technology so we can understand threats and respond appropriately, and helping others do the same. For example, supporting cyber security nonprofit organisations like Shadowserver to share threat data.

Thirdly, I wanted to stress the importance of a whole of society approach.

That’s how we can ultimately keep our citizens safe, help our economies to flourish, protect our security and stand up for our values.

Active Exploits Target Zimbra Collaboration: Over 19K Systems Vulnerable to CVE-2024-45519

Cybersecurity News (securityonline.info), October 6, 2024

Proofpoint has issued a critical warning regarding active exploitation attempts against Synacor’s Zimbra Collaboration platform. A recently disclosed security flaw, tracked as CVE-2024-45519, has been under attack since late September 2024, prompting urgent calls for patching.

According to the Shadowserver Foundation, as of October 4, 2024, more than 19,600 unpatched Zimbra instances remain exposed to this vulnerability. Germany, the U.S., and Russia top the list of affected countries, each with over 1,500 vulnerable servers.

Common Good Cyber - Together, We Can Build A Stronger Internet

Common Good Cyber, October 1, 2024

Legions of unsung heroes work behind the scenes to secure the Internet. The Global Cyber Alliance, Cyber Threat Alliance, CyberPeace Institute, FIRST, the Global Forum on Cyber Expertise, the Institute for Security and Technology, and the Shadowserver Foundation formed the Common Good Cyber initiative together.

Help us build a stronger Internet.

Ivanti vTM flaw added to Known Exploited Vulnerabilities catalog

SC Media, September 25, 2024

A critical vulnerability in Ivanti Virtual Traffic Manager (vTM) was added to the Known Exploited Vulnerabilities (KEV) catalog by the Cybersecurity & Infrastructure Security Agency (CISA) on Tuesday.

The Shadowserver Foundation began tracking internet-exposed Ivanti vTM instances, regardless of patching status, in mid-August, and only discovered 31 exposed instances as of Aug. 17. However, they observed an exploit attempt based on the available PoC on Aug. 18, according to a post on X. As of Sept. 24, only 21 internet-exposed instances were detected, according to Shadowserver’s time series dashboard.

China's 'Earth Baxia' Spies Exploit Geoserver to Target APAC Orgs

Dark Reading, September 23, 2024

A China-linked cyber-espionage group has attacked Taiwanese government agencies, the Philippine and Japanese military, and energy companies in Vietnam, installing either the Cobalt Strike client or a custom backdoor known as EagleDoor on compromised machines.

Dubbed Earth Baxia by cybersecurity firm Trend Micro, the group primarily uses spear-phishing to compromise victims, but it has also exploited a vulnerability (CVE-2024-36401) in the open source GeoServer software used to distribute geospatial data. The GeoServer attacks appear to have started at least two months ago, with the Shadowserver Foundation noting that the attack first appeared in its logs on July 9. The Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerability (KEV) catalog on July 15.

MIL-OSI Security: Principal Deputy Assistant Attorney General David Newman Delivers Remarks at 2024 U.S. Cyber Command Legal Conference

foreignaffairs.co.nz, September 21, 2024

It deserves emphasizing that this is a team sport: Even as the operations relied on Justice Department legal process, we are often not alone in planning or executing them. We are almost always joined by a coalition of U.S. government, private sector, and foreign partners in this work.

In disrupting the GRU botnet, for example, we planned and coordinated with the Shadowserver Foundation, Microsoft, and other private sector partners. Shortly after we announced the operation, the FBI, NSA, Cyber Command, and 11 foreign partner entities released a joint cybersecurity advisory providing device owners and network defenders with valuable threat intelligence about the GRU’s relevant tactics, techniques, and procedures. Many of these same partners provided invaluable assistance in eradicating portions of the botnet within their borders.

We Spent $20 To Achieve RCE And Accidentally Became The Admins Of .MOBI

watchTowr Labs, September 11, 2024

We recently performed research that started off “well-intentioned” (or as well-intentioned as we ever are) – to make vulnerabilities in WHOIS clients and how they parse responses from WHOIS servers exploitable in the real world (i.e. without needing to MITM etc).

We hope you’ve enjoyed (and/or been terrified by) today’s post, in which we took control of a chunk of the Internet’s infrastructure, opened up a big slab of juicy attack surface, and found a neat way of undermining TLS/SSL – the fundamental protocol that allows for secure communication on the web.

We want to thank the UK’s NCSC and the ShadowServer Foundation for rapidly working with us ahead of the release of this research to ensure that the ‘dotmobiregistry.net’ domain is suitably handled going forwards, and that a process is put in place to notify affected parties.

Infosec industry calls for more public sector collaboration

TechTarget, August 27, 2024

While the private sector has increasingly contributed to law enforcement operations against cybercriminals and nation-state actors, infosec professionals agree there’s more to be done as threats continue to rise. In some cases, private sector collaborations made those law enforcement operations more successful through information sharing with government agencies.

One of the most significant botnet takedowns ever occurred in May. The international effort resulted in four arrests, more than 100 server seizures and 2,000 domain takeovers. Operation Endgame involved agencies from all over the world as well as private industry partners such as BitDefender, Proofpoint and the Shadowserver Foundation.

Attack on vulnerability in Ivanti Virtual Traffic Manager observed

Heise Online, August 20, 2024

Last week, a critical vulnerability in Ivanti’s Virtual Traffic Manager (vTM) became known. Now IT researchers have discovered an exploit attempt based on a publicly available proof-of-concept exploit. Admins should update the software quickly – updates are now available for all supported versions.

The Shadowserver Foundation has announced on X, formerly Twitter, that it has found very few Ivanti vTM devices openly accessible on the Internet. However, on Saturday last weekend, the group observed an attempt to abuse the vulnerability based on a publicly available proof-of-concept exploit.

Warnings Issued Over Cisco Device Hacking, Unpatched Vulnerabilities

Security Week, August 9, 2024

The US cybersecurity agency CISA on Thursday informed organizations about threat actors targeting improperly configured Cisco devices. The agency has observed malicious hackers acquiring system configuration files by abusing available protocols or software, such as the legacy Cisco Smart Install (SMI) feature.

After CISA published its alert, the non-profit cybersecurity organization The Shadowserver Foundation reported seeing over 6,000 IPs with the Cisco SMI feature exposed to the internet.