Media Coverage

Shadowserver in the news

Over 28,500 Exchange servers vulnerable to actively exploited bug

Bleeping Computer, February 19, 2024

Up to 97,000 Microsoft Exchange servers may be vulnerable to a critical severity privilege escalation flaw tracked as CVE-2024-21410 that hackers are actively exploiting. Microsoft addressed the issue on February 13, when it had already been leveraged as a zero-day. Currently, 28,500 servers have been identified as being vulnerable. Exchange Server is widely used in business environments to facilitate communication and collaboration among users, providing email, calendar, contact management, and task management services.

Today, threat monitoring service Shadowserver announced that its scanners have identified approximately 97,000 potentially vulnerable servers. Out of the total 97,000, the vulnerable state for an estimated 68,500 servers depends on whether administrators applied mitigations, while 28,500 are confirmed to be vulnerable to CVE-2024-21410.

Exploitation of CVE-2024-21410 can have serious consequences for an organization because attackers with elevated permissions an Exchange Server can access confidential data like email communication and use the server as a ramp for further attacks on the network.

Justice Department Conducts Court-Authorized Disruption of Botnet Controlled by the Russian Federation’s Main Intelligence Directorate of the General Staff (GRU)

US Department of Justice, February 15, 2024

A January 2024 court-authorized operation has neutralized a network of hundreds of small office/home office (SOHO) routers that GRU Military Unit 26165, also known as APT 28, Sofacy Group, Forest Blizzard, Pawn Storm, Fancy Bear, and Sednit, used to conceal and otherwise enable a variety of crimes.

The Department’s court-authorized operation leveraged the Moobot malware to copy and delete stolen and malicious data and files from compromised routers. Additionally, in order to neutralize the GRU’s access to the routers until victims can mitigate the compromise and reassert full control, the operation reversibly modified the routers’ firewall rules to block remote management access to the devices, and during the course of the operation, enabled temporary collection of non-content routing information that would expose GRU attempts to thwart the operation.

The FBI Philadelphia and Boston Field Offices and Cyber Division, U.S. Attorney’s Office for the Eastern District of Pennsylvania, and the National Security Division’s National Security Cyber Section led the disruption effort. The Criminal Division’s Computer Crime and Intellectual Property Section and Office of International Affairs, Shadowserver Foundation, Microsoft Threat Intelligence, and other partners provided valuable assistance.

World Govs, Tech Giants Sign Spyware Responsibility Pledge

Dark Reading, February 6, 2024

A coalition of dozens of countries including France, the UK, and the US, along with tech giants such as Google, Meta, and Microsoft, have signed a joint agreement to combat the use of commercial spyware in ways that violate human rights.

At a speech at the UK-France Cyber Proliferation conference at Lancaster House in London today, UK Deputy Prime Minister Oliver Dowden announced the kickoff for the spyware initiative, dubbed the “Pall Mall Process,” which will be a “multi-stakeholder initiative … to tackle the proliferation and irresponsible use of commercially available cyber-intrusion capabilities,” he explained.

He also announced that the UK will invest £1 million into the nonprofit Shadowserver Foundation, to “help them expand the access they provide to early warning systems, and to cyber resilience support for those impacted by cyberattacks.”

Newest Ivanti SSRF zero-day now under mass exploitation

Bleeping Computer, February 5, 2024

An Ivanti Connect Secure and Ivanti Policy Secure server-side request forgery (SSRF) vulnerability tracked as CVE-2024-21893 is currently under mass exploitation by multiple attackers. Exploitation of CVE-2024-21893 allowed attackers to bypass authentication and access restricted resources on vulnerable devices (versions 9.x and 22.x).

Threat monitoring service Shadowserver is now seeing multiple attackers leveraging the SSRF bug, with 170 distinct IP addresses attempting to exploit the flaw.

According to ShadowServer, there are currently almost 22,500 Ivanti Connect Secure devices exposed on the Internet. However, it is unknown how many are vulnerable to this particular vulnerability.

INTERPOL-led operation targets growing cyber threats

INTERPOL, February 1, 2024

Operation Synergia, which ran from September to November 2023, was launched in response to the clear growth, escalation and professionalisation of transnational cybercrime and the need for coordinated action against new cyber threats. The operation involved 60 law enforcement agencies from more than 50 INTERPOL member countries, with officers conducting house searches and seizing servers as well as electronic devices.

Operation Synergia demonstrated how cybersecurity is most effective when international law enforcement, national authorities, and private sector partners cooperate to share best practices and pro-actively combat cybercrime. INTERPOL and its Gateway Partners Group-IB, Kaspersky, TrendMicro, Shadowserver and Ad hoc partner Team Cymru provided analysis and intelligence support throughout the operation.

2nd critical GitLab patch of 2024 fixes arbitrary file writing bug

SC Media, January 31, 2024

A GitLab vulnerability enabling file writing to arbitrary locations on a server was patched last Thursday, two weeks after the company patched a critical account takeover bug. The latest vulnerability, tracked as CVE-2024-0402, received a CVSS score of 9.9 and allows authenticated users to write files anywhere on a GitLab server while creating a workspace.

The Shadowserver Foundation, which tracks malicious activity and vulnerabilities online, previously said it detected more than 5,300 GitLab instances vulnerable to CVE-2023-7028 on Jan. 23. As of Jan. 30, Shadowserver’s dashboard showed 4,826 GitLab instances still running unpatched versions. Shadowserver CEO Piotr Kijewski told SC Media that while the organization is not currently scanning for CVE-2024-0402, it is most likely that instances still vulnerable to CVE-2023-7028 are also vulnerable to the latest bug. “The total CVE-2024-0402 population will be expected to be higher, however,” Kijewski said.

45k Jenkins servers exposed to RCE attacks using public exploits

Bleeping Computer, January 29, 2024

Researchers found roughly 45,000 Jenkins instances exposed online that are vulnerable to CVE-2024-23897, a critical remote code execution (RCE) flaw for which multiple public proof-of-concept (PoC) exploits are in circulation. Jenkins is a leading open-source automation server for CI/CD, allowing developers to streamline the building, testing, and deployment processes. It features extensive plugin support and serves organizations of various missions and sizes.

Today, threat monitoring service Shadowserver reported that its scanners have “caught” roughly 45,000 unpatched Jenkins instances, indicating a massive attack surface. Most of the vulnerable internet-exposed instances are in China (12,000) and the United States (11,830), followed by Germany (3,060), India (2,681), France (1,431), and the UK (1,029).

Pakistan Telecommunication Authority Annual Report 2023

Pakistan Telecommunication Authority, January 29, 2024

In pursuit of comprehensive threat intelligence, PTA has subscribed to Shadowserver—a renowned platform that provides data pertaining to cyber threats within Pakistan. This subscription enables PTA to compile a holistic view of the threat landscape, and to take proactive measures to mitigate risks related to the telecom sector. Access to reliable threat intelligence is crucial in strengthening the country’s CS posture and safeguarding critical infrastructure.

More than 5,300 Gitlab servers were hit by a zero-click account takeover attack

CSIRT UMM, January 26, 2024

More than 5,300 GitLab servers connected to the internet are vulnerable to zero-click account takeover CVE-2023-7028 (CVSS score: 10.0) announced by GitLab earlier this month. This vulnerability allows an attacker to send a password reset email for a targeted account to an email address controlled by the attacker, allowing the attacker to change the password and take over the account. Account takeover will not be successful if the target has 2FA enabled, because the attacker will not be able to log in if they do not have control over two-factor authentication (2FA).

Currently, 13 days after the security update became available, threat monitoring service ShadowServer reports seeing 5,379 GitLab instances that are vulnerable to attack. Most servers with the vulnerability were in the United States (964), followed by Germany (730), Russia (721), China (503), France (298), the United Kingdom (122), India (117), and Canada (99 ).

Hackers start exploiting critical Atlassian Confluence RCE flaw

Bleeping Computer, January 22, 2024

Security researchers are observing exploitation attempts for the CVE-2023-22527 remote code execution flaw vulnerability that affects outdated versions of Atlassian Confluence servers.

Threat monitoring service Shadowserver reports today that its systems recorded thousands of attempts to exploit CVE-2023-22527, the attacks originating from a little over 600 unique IP addresses. The service says that attackers are trying out callbacks by executing the ‘whoami‘ command to gather information about the level of access and privileges on the system.

The total number of exploitation attempts logged by The Shadowserver Foundation is above 39,000, most of the attacks coming from Russian IP addresses. Shadowserver reports that its scanners currently detect 11,100 Atlassian Confluence instances accessible over the public internet. However, not all of those necessarily run a vulnerable version.