Media Coverage

Shadowserver in the news

Law enforcement infiltrates fraud platform used by thousands of criminals worldwide

Metropolitan Police, April 18, 2024

A website used by more than 2,000 criminals to defraud victims worldwide has been infiltrated in the Met’s latest joint operation to tackle large-scale online fraud. ‘LabHost’ is a service which was set up in 2021 by a criminal cyber network. It enabled the creation of “phishing” websites designed to trick victims into revealing personal information such as email addresses, passwords, and bank details.

But LabHost has now been infiltrated and disrupted as the result of a worldwide operation led by the Met.

Work began in June 2022 after detectives received crucial intelligence about LabHost’s activity from the Cyber Defence Alliance. Once the scale of site and the linked fraud became clear the Met’s Cyber Crime Unit joined forces with the National Crime Agency, City of London Police, Europol, Regional Organised Crime Units (ROCUs) across the country and other international police forces to take action.

Partners including Chainalysis, Intel 471, Microsoft, The Shadowserver Foundation and Trend Micro have also been at the centre of our efforts to bring down this platform.

Launch of Common Good Cyber Workshop Report: Mitigating the Systemic Underfunding of Cybersecurity Nonprofits

Common Good Cyber, April 10, 2024

The Common Good Cyber initiative, a collaborative effort aimed at addressing the challenge of sustaining nonprofit and public interest organizations involved in critical cybersecurity functions, announces the release of its workshop report. The report encapsulates insights and outcomes from a landmark gathering held in February 2024 at the National Press Club in Washington, D.C., United States.

The workshop, jointly organized by leading cybersecurity organizations including the Cyber Threat Alliance, the CyberPeace Institute, the Forum of Incident Response and Security Teams (FIRST), the Global Cyber Alliance, the Institute for Security and Technology (IST), and the Shadowserver Foundation, convened over 100 stakeholders representing various sectors including government, multilateral organizations, civil society, foundations, business, and academia. An additional 200 participants joined online to discuss the systemic underfunding of cybersecurity nonprofits and explore sustainable funding approaches.

Funding the Organizations That Secure the Internet

Dark Reading, April 2, 2024

Common Good Cyber is a global consortium connecting nonprofit, private sector, and government organizations to fund organizations focused on securing Internet infrastructure.

Much of our everyday lives, from banking to turning on the lights, would be impossible if the elaborate infrastructure underpinning the Internet were unavailable. However, unlike the electrical grid or financial institutions, there’s no single entity responsible for maintaining and securing the Internet. Instead, that task falls upon a diverse group of organizations and individuals that preserve this public utility with little funding or subsisting on tight budgets. The stakes are incredibly high, but the amount of resources available for keeping this infrastructure secure falls short.

The goal of Common Good Cyber is to find new ways to build adequate funding into law and policy, business policies and government, and other funding vehicles sufficient to meet the common need for cybersecurity. Supporting organizations include the Cyber Civil Defense Initiative, the Global Cyber Alliance, the Cyber Threat Alliance, the CyberPeace Institute, the Forum of Incident Response and Security Teams, the Institute for Security and Technology, and the Shadowserver Foundation.

SQL injection vulnerability in Fortinet software under attack

News ITN, March 26, 2024

A critical Fortinet vulnerability has been actively exploited since at least March 21 and was added to CISA’s Known Exploited Vulnerability catalog on Monday.

In a security advisory on March 12, Fortinet detailed a pre-authentication SQL injection vulnerability tracked as CVE-2023-48788 or what the vendor identifies internally as FR-IG-24-007. On March 21, Fortinet updated the advisory to warn users that CVE-2023-48788 was being exploited in the wild. On Sunday, the Shadowserver Foundation, a cybersecurity nonprofit organization, revealed its internet scans detected several vulnerable instances around the world.

“We have started scanning/reporting Fortinet FortiClient EMS CVE-2023-48788 (pre-auth SQL injection) vulnerable instances. 130 vulnerable found on 2024-03-23 Top: US with 30 IPs,”

That number is potentially higher. Shadowserver noted that its scans only detect the web interface version, and it does not check port 8013 access, which is required for exploitation.

Patching is vital as Fortinet products have been increasingly targeted by threat actors. Last week, exploitation activity escalated for another critical Fortinet flaw tracked as CVE-2024-21762, two days after a proof-of-concept (PoC) exploit was published.

167,500 Instances Vulnerable: Loop DoS Attack

Cyber Security News, March 22, 2024

A sweeping vulnerability has been uncovered, leaving an estimated 167,500 instances across various networks susceptible to a Loop Denial of Service (DoS) attack. This discovery underscores the ever-present and evolving threats in the digital landscape, prompting an urgent call to action for organizations worldwide.

The vulnerability was first identified by Shadowserver, a renowned entity in the cybersecurity realm dedicated to identifying and mitigating cyber threats. Through meticulous analysis and monitoring, Shadowserver’s team stumbled upon a pattern of weakness in a staggering number of instances. This flaw, if exploited, could allow attackers to initiate a Loop DoS attack, effectively crippling the targeted systems by overwhelming them with a flood of traffic.

“Today we started sharing data on IPs vulnerable to the novel “Loop DoS” attack discovered by @CISPA. Data is based on DNS, NTP & TFTP protocol scans. Over 167 500 vulnerable instances found on 2024-03-20.”

According to a recent tweet from Shadowserver, there are over 167,500 instances that are vulnerable to the “Loop DoS” attack. In response to this discovery, Shadowserver has issued a call to action for organizations worldwide. System administrators and IT professionals must assess their networks for the identified vulnerabilities and apply necessary patches or updates.


Critical Fortinet flaw may impact 150,000 exposed devices

Bleeping Computer, March 8, 2024

Scans on the public web show that approximately 150,000 Fortinet FortiOS and FortiProxy secure web gateway systems are vulnerable to CVE-2024-21762, a critical security issue that allows executing code without authentication. America’s Cyber Defense Agency CISA confirmed last month that attackers are actively exploiting the flaw by adding it to its Known Exploited Vulnerabilities (KEV) catalog.

Almost a month after Fortinet addressed CVE-2024-21762, The Shadowserver Foundation announced on Thursday that it found nearly 150,000 vulnerable devices. Shadowserver’s Piotr Kijewski told BleepingComputer that their scans check for vulnerable versions, so the number of affected devices may be lower if admins applied mitigations instead of upgrading. According to Shadowserver data, most vulnerable devices, more than 24,000, are in the United States, followed by India, Brazil, and Canada.


Earliest Reporter of Exploitation in the Wild

VulnCheck, March 7, 2024

As we explore over 20 years worth of publicly disclosed exploited vulnerabilities, the collaborative effort of global security teams becomes increasingly evident.

My latest data visualization underscores the remarkable contributions from organizations worldwide, including: – Government Agencies like Cybersecurity and Infrastructure Security Agency, National Cyber Security Centre, NHS, United States Department of Defense and Australian Cyber Security Centre. – Security Research Projects/Teams such as Palo Alto Networks Unit 42, Google Project Zero, CitizensLab e.V. , FortiGuard Labs, Cisco Talos Intelligence Group, Trend Micro, SANS Institute, Huntress, The Shadowserver Foundation, Akamai Technologies, and so many more.

In an effort to empower security teams, researchers, and the global security community, we’ve curated a comprehensive index comprising of over 8,500+ publicly cited references of vulnerabilities known to have been exploited in the wild.



ConnectWise ScreenConnect bug used in Play ransomware breach, MSP attack

SC Media, March 1, 2024

A critical ConnectWise ScreenConnect vulnerability that enables authentication bypass was used in a Play ransomware breach and an attempted supply chain attack involving LockBit malware, researchers say. One of the attacks targeted a managed service provider (MSP) for a potential wider supply chain breach against its customers, the At-Bay Cyber Research Team revealed in an article Thursday.

Amidst this spate of attacks, more than 3,800 ScreenConnect instances tracked by nonprofit cybersecurity organization Shadowserver remained vulnerable to CVE-2024-1709 as of Feb. 29. Notably, this is less than half the number Shadowserver reported on Feb. 21, when more than 8,200 vulnerable instances were detected

Critical ConnectWise RMM Bug Poised for Exploitation Avalanche

Dark Reading, February 21, 2024

Users of the ConnectWise ScreenConnect remote desktop management tool are under active cyberattack, after a proof-of-concept (PoC) exploit surfaced for a max-critical security vulnerability in the platform. The situation has the potential to blow up into a mass compromise event, researchers are warning. ScreenConnect can be used by tech support and others to authenticate to a machine as though they were the user. As such, it offers a conduit to threat actors looking to infiltrate high-value endpoints and any other areas of corporate networks to which they might have access.

Piotr Kijewski, CEO at the Shadowserver Foundation, confirmed seeing initial exploitation requests in the nonprofit’s honeypot sensors. “Check for signs of compromise (like new users added) and patch!” he stressed via the Shadowserver mailing list, adding that as of Tuesday, a full 93% of ScreenConnect instances were still vulnerable (about 3,800 installations), most of them located in the US.

Over 28,500 Exchange servers vulnerable to actively exploited bug

Bleeping Computer, February 19, 2024

Up to 97,000 Microsoft Exchange servers may be vulnerable to a critical severity privilege escalation flaw tracked as CVE-2024-21410 that hackers are actively exploiting. Microsoft addressed the issue on February 13, when it had already been leveraged as a zero-day. Currently, 28,500 servers have been identified as being vulnerable. Exchange Server is widely used in business environments to facilitate communication and collaboration among users, providing email, calendar, contact management, and task management services.

Today, threat monitoring service Shadowserver announced that its scanners have identified approximately 97,000 potentially vulnerable servers. Out of the total 97,000, the vulnerable state for an estimated 68,500 servers depends on whether administrators applied mitigations, while 28,500 are confirmed to be vulnerable to CVE-2024-21410.

Exploitation of CVE-2024-21410 can have serious consequences for an organization because attackers with elevated permissions an Exchange Server can access confidential data like email communication and use the server as a ramp for further attacks on the network.