Media Coverage

Shadowserver in the news

Fraudulent shopping sites tied to cybercrime marketplace taken offline

Europol, December 5, 2024

Europol has supported the dismantling of a sophisticated criminal network responsible for facilitating large-scale online fraud. In an operation led by the Hanover Police Department (Polizeidirektion Hannover) and the Verden Public Prosecutor’s Office (Staatsanwaltschaft Verden) in Germany, and supported by law enforcement authorities across Europe, over 50 servers were seized, significant digital evidence was secured, and two key suspects were placed in pretrial detention.

Cybercriminal Network Dismantled – Successful "Action Day" in the Fight Against Phishing and Data Trafficking

Polizeidirektion Hannover, December 5, 2024

On Wednesday, December 4, 2024, law enforcement authorities dismantled key structures of an extensive network for committing cybercrime during a coordinated operation. In close collaboration with Europol and police forces across Europe, the Lower Saxony prosecution authorities shut down over 50 servers, secured extensive digital evidence, and placed two suspects in pretrial detention.

The operation involved police authorities from the Netherlands, Finland, Austria, Czech Republic, Poland, and Norway, as well as Europol task forces, alongside the Verden Public Prosecutor’s Office and Hanover Police Directorate. The investigative authorities were also supported by the nonprofit organization The Shadowserver Foundation.

How the Shadowserver Foundation helps network defenders with free intelligence feeds

Help Net Security, December 5, 2024

In this Help Net Security interview, Piotr Kijewski, CEO of The Shadowserver Foundation, discusses the organization’s mission to enhance internet security by exposing vulnerabilities, malicious activity, and emerging threats. Kijewski explains the foundation’s automated efforts to track and disrupt cybercrime.

By providing actionable intelligence we help equip CSIRTs and network defenders worldwide with the information needed to secure their networks and/or constituencies. We also provide free technical support to law enforcement cybercrime disruption operations. We provide cybersecurity capacity building services around the world (typically funded through various grants, such as from the UK Foreign, Commonwealth and Development Office – FCDO) in areas of threat detection, cyber threat intelligence and incident response.

Shadowserver’s free daily network reports help provide organizations with a baseline of timely, actionable and often unique cyber threat intelligence – even for those organizations without big budgets.

Warning: Over 2,000 Palo Alto Networks Devices Hacked in Ongoing Attack Campaign

The Hacker News, November 21, 2024

As many as 2,000 Palo Alto Networks devices are estimated to have been compromised as part of a campaign abusing the newly disclosed security flaws that have come under active exploitation in the wild.

According to statistics shared by the Shadowserver Foundation, a majority of the infections have been reported in the U.S. (554) and India (461), followed by Thailand (80), Mexico (48), Indonesia (43), Turkey (41), the U.K. (39), Peru (36), and South Africa (35).

Botnet exploits GeoVision zero-day to install Mirai malware

Bleeping Computer, November 15, 2024

A malware botnet is exploiting a zero-day vulnerability in end-of-life GeoVision devices to compromise and recruit them for likely DDoS or cryptomining attacks. The flaw is tracked as CVE-2024-11120 and was discovered by Piotr Kijewski of The Shadowserver Foundation. It is a critical severity (CVSS v3.1 score: 9.8) problem.

“Unauthenticated remote attackers can exploit this vulnerability to inject and execute arbitrary system commands on the device,” warns Taiwan’s CERT.

Kijewski told BleepingComputer that the botnet appears to be a Mirai variant, which is usually used as part of DDoS platforms or to perform cryptomining.

CVE-2024-10914: Critical Flaw in D-Link NAS Devices Actively Exploited, No Patch!

Cybersecurity News (securityonline.info), November 13, 2024

A critical command injection vulnerability (CVE-2024-10914) impacting numerous end-of-life D-Link network-attached storage (NAS) devices is currently under active exploitation. The Shadowserver Foundation has reported observing active exploitation attempts targeting these devices since November 12th, with nearly 1,100 devices confirmed as exposed.

Palo Alto Networks warns over possible PAN-OS RCE: Says get your blooming interface off the internet

The Stack, November 12, 2024

Palo Alto Networks said it has seen a “claim of a remote code execution vulnerability via the PAN-OS management interface” but does not have details yet. It urged customers to ensure access “is possible only from trusted internal IPs and not from the Internet…” A search by the Shadowserver Foundation however showed some 11,000 PAN-OS management interfaces publicly exposed to the internet. The majority are in the US (4,000) and India (1,000) with 200 in the UK.

The Internet's Defenders Are Running Out of Money—And We're All at Risk

The International Business Times, November 5, 2024

The average person might think for-profit companies like Apple, Google and Microsoft are responsible for keeping digital ecosystems together. In reality, hundreds of nonprofits maintain critical cybersecurity functions for the good of the Internet and all its users,

Many of the tools small businesses depend on are run or supported by nonprofits. They may use Quad9 to block malicious websites, Let’s Encrypt to encrypt their websites, or Shadowserver to fix network vulnerabilities. If you value accessible and secure online experiences, now is the time to show your support.

FortiManager Devices Mass Compromise Exploiting CVE-2024-47575 Vulnerability

Cyber Security News, October 25, 2024

Shadowserver has issued a critical warning about the widespread exploitation of Fortinet FortiManager devices using the recently disclosed CVE-2024-47575 vulnerability. With a CVSS score of 9.8/10, this critical flaw allows unauthenticated remote attackers to execute arbitrary code or commands on affected systems.

Chris Gibson: “If FIRST disappeared, you would need to invent another forum of incident response.”

Common Good Cyber, October 23, 2024

Chris Gibson (FIRST) in an interview with Common Good Cyber.

Our vision is to make the Internet safer through building relationships and networks of teams worldwide. These teams support, train, and mentor each other, helping new groups develop until they can maintain incident response capabilities within their own countries or regions. Our members, company teams and incident response teams worldwide rely on data. They can gather some of it themselves. Some of the more mature teams have that set up within their jurisdictions. They’re pulling feeds, but many of them rely heavily on companies like Shadowserver.

The data Shadowserver delivers, as a public service, is just fantastic. If Shadowserver disappeared, our membership’s ability to deliver safety on the internet would be significantly impacted.