Media Coverage

Shadowserver in the news

Authorities Dismantle Global Malicious Proxy Service that Deployed Malware and Defrauded Thousands of U.S. Persons, Businesses, and Financial Institutions of Millions of Dollars in Losses

US Department of Justice, March 12, 2026

Yesterday a court-authorized international law enforcement operation led by the U.S. Justice Department disrupted SocksEscort, a residential proxy network used to exploit thousands of residential routers worldwide and commit large-scale fraud. According to court documents, SocksEscort infected home and small business internet routers with malware. The malware allowed SocksEscort to direct internet traffic through the infected routers. SocksEscort sold this access to its customers.

The FBI Sacramento Field Office, the Department of Defense Office of Inspector General’s Defense Criminal Investigative Service, and IRS Criminal Investigation Oakland Field Office are investigating the case. Investigators and prosecutors from several jurisdictions provided assistance, including Europol, Eurojust, and authorities in the following countries: Austria, Bulgaria, France, Germany, Hungary, Netherlands and Romania.

Additionally, the Department of Justice offers its thanks to Lumen’s Black Lotus Labs and the Shadowserver Foundation for the assistance provided by each during the investigation and the operation.

Global phishing-as-a-service platform taken down in coordinated public-private action

Europol, March 4, 2026

A major phishing-as-a-service platform used to bypass multi-factor authentication (MFA) and enable large-scale account compromise has been disrupted following a coordinated international operation supported by Europol. The service, known as Tycoon 2FA, provided cybercriminals with a subscription-based toolkit designed to intercept live authentication sessions and gain unauthorised access to online accounts, including those protected by additional security layers.

The action was carried out by law enforcement partners and private sector stakeholders working hand in hand, coordinated by Europol’s European Cybercrime Centre (EC3).
Law enforcement authorities:
Latvia: State Police
Lithuania: Criminal Police Bureau
Portugal: Judicial Police
Poland: Central Cybercrime Bureau
Spain: National Police and Guardia Civil
United Kingdom: National Crime Agency
Private partners engaged through Europol: Cloudflare, Coinbase, Intel471, Microsoft, Proofpoint, Shadowserver Foundation, SpyCloud, Trend Micro.

The Cyber Intelligence Extension Programme (CIEP) strengthens public-private cooperation in tackling cybercrime by enabling private-sector partners to contribute actionable intelligence to support operational outcomes. This Europol programme – a first of its kind – brings together experts from the private sector to work temporarily side by side in The Hague on specific projects with EC3 analysts and investigators.

900+ Sangoma FreePBX Instances Compromised in Ongoing Web Shell Attacks

The Hacker News, February 27, 2026

The Shadowserver Foundation has revealed that over 900 Sangoma FreePBX instances still remain infected with web shells as part of attacks that exploited a command injection vulnerability starting in December 2025. The non-profit entity said the compromises are likely accomplished via the exploitation of CVE-2025-64328 (CVSS score: 8.6), a high-severity security flaw that could enable post-authentication command injection.

Common Good Cyber Fund: A New Global Grant Program Supporting Cybersecurity Nonprofits

Internet Society Foundation, February 24, 2026

The Common Good Cyber Fund (CGCF) is a multi-year funding initiative designed to strengthen global digital cybersecurity by supporting nonprofit organizations that deliver critical services underpinning the Internet’s core infrastructure and protecting civil society actors at high risk, including NGOs, journalists, and human rights defenders.

In late 2025, the Internet Society Foundation launched a pilot of the Common Good Cyber Fund grant strategy to serve as a proof of concept for the fund and to address urgent financial needs in the global cybersecurity nonprofit ecosystem. A small group of nonprofit cybersecurity-focused organizations was invited to apply for the pilot grants: Access Now, CyberPeace Institute, Forum of Incident Response and Security Teams (FIRST), Internet Security Research Group (ISRG), and The Shadowserver Foundation.

CISA: Recently patched RoundCube flaws now exploited in attacks

Bleeping Computer, February 23, 2026

CISA flagged two Roundcube Webmail vulnerabilities as actively exploited in attacks and ordered U.S. federal agencies to patch them within three weeks. The first vulnerability tagged as actively abused by threat actors is a critical remote code execution flaw tracked as CVE-2025-49113, which was first flagged as exploited days after it was patched in June 2025, when Internet security watchdog Shadowserver warned that over 84,000 Roundcube webmail installations were vulnerable to attacks.

Hackers siege Ivanti EPMM with thousands of IPs, dozens of organizations compromised

cybernews, February 10, 2026

Hackers have launched an unprecedented scanning operation, employing tens of thousands of IP addresses to hunt for vulnerable Ivanti Endpoint Manager Mobile (EPMM) instances. Dozens of organizations have already been compromised. Shadowserver reports over 1,200 exposed Ivanti EPMM instances worldwide without vulnerability assessment – it’s unclear how many remain vulnerable. Most instances are likely not directly exposed to the internet, as network administrators typically deploy them behind corporate firewalls.

“The massive attempt, via a botnet or residential proxy network, maybe, is quite unprecedented,” Piotr Kijewski, CEO at The Shadowserver Foundation, told Cybernews.

170+ SolarWinds Help Desk Installations Vulnerable to RCE Attacks Exposed Online

Cyber Security News, February 5, 2026

Over 170 SolarWinds Web Help Desk installations remain vulnerable to a critical remote code execution (RCE) flaw that has been actively exploited in the wild and recently added to CISA’s Known Exploited Vulnerabilities catalog. The vulnerability, tracked as CVE-2025-40551, carries a CVSS score of 9.8. The Shadowserver Foundation has been tracking and reporting vulnerable SolarWinds Help Desk installations through its Vulnerable HTTP reports, identifying approximately 170 exposed instances based on version checks.

Critical flaws in Ivanti EPMM lead to fast-moving exploitation attempts

Cybersecurity Dive, February 3, 2026

Ivanti issued advisories Thursday for the code injection flaws, which impact the on-premises version of Ivanti EPMM. The vulnerabilities, tracked as CVE-2026-1281 and CVE-2026-1340, allow an attacker to achieve remote code execution if successfully exploited. The flaws have a severity score of 9.8.

On Saturday, researchers from the Shadowserver Foundation reported a spike in exploitation attempts against CVE-2026-1281. As of Tuesday, exposure has dropped to 1,400, but threat activities were still ongoing, “which include attempts to execute callbacks or set up reverse shells,” Shadowserver CEO Piotr Kijewski told Cybersecurity Dive.

Over 6,000 SmarterMail servers exposed to automated hijacking attacks

Bleeping Computer, January 27, 2026

Nonprofit security organization Shadowserver has found over 6,000 SmarterMail servers exposed online and likely vulnerable to attacks exploiting a critical authentication bypass vulnerability. Cybersecurity company watchTowr reported the security flaw to developer SmarterTools on January 8, which released a fix on January 15 without assigning an identifier. The vulnerability was later assigned CVE-2026-23760 and rated critical severity.

On Monday, Shadowserver revealed that it’s tracking over 6,000 SmarterMail servers (more than 4,200 across North America and nearly 1,000 in Asia) flagged as “likely vulnerable” to ongoing CVE-2026-23760 attacks. CISA added CVE-2026-23760 to its list of actively exploited vulnerabilities.

PoC Released for GNU InetUtils telnetd RCE as 800K+ Exposed Instances Remain Online

GB Hackers, January 26, 2026

A proof-of-concept exploit for CVE-2026-24061, a critical remote code execution vulnerability in the GNU Inetutils telnetd, has surfaced, with security researchers warning that over 800,000 vulnerable instances remain publicly accessible on the internet.

The Shadowserver Foundation’s Accessible Telnet Report reveals the scale of the problem. Approximately 800,000 telnet instances remain exposed on port 23/TCP across the internet, presenting an attractive target surface for mass-exploitation campaigns. Shadowserver’s dashboard provides real-time statistics on accessible telnet instances by country, sector, and ASN.