Media Coverage

Shadowserver in the news

42,000 Roundcube Webmail servers vulnerable to attacks, October 30, 2023

About 42,000 Roundcube Webmail servers contain a vulnerability that attackers are currently actively exploiting . Nine hundred of the servers are in the Netherlands, the Shadowserver Foundation states based on its own scans. Roudcube is open source webmail software and is used by all kinds of organizations. A vulnerability (CVE-2023-5631) in the software enables stored cross-site scripting (XSS).

Citrix Bleed exploit lets hackers hijack NetScaler accounts

Bleeping Computer, October 25, 2023

This Monday, Citrix issued a warning to administrators of NetScaler ADC and Gateway appliances, urging them to patch the flaw (CVE-2023-4966) immediately, as the rate of exploitation has started to pick up.

Today, researchers at Assetnote shared more details about the exploitation method of CVE-2023-4966 and published a PoC exploit on GitHub to demonstrate their findings and help those who want to test for exposure. Threat monitoring service Shadowserver reports spikes of exploitation attempts following the publication of Assetnote’s PoC, so the malicious activity has already started.

As these types of vulnerabilities are commonly used for ransomware and data theft attacks, it is strongly advised that system administrators immediately deploy patches to resolve the flaw.

Hackers update Cisco IOS XE backdoor to hide infected devices

Bleeping Computer, October 22, 2023

This week, Cisco warned that hackers exploited two zero-day vulnerabilities, CVE-2023-20198 and CVE-2023-20273, to hack over 50,000 Cisco IOS XE devices to create privileged user accounts and install a malicious LUA backdoor implant. On Saturday, multiple cybersecurity organizations reported that the number of Cisco IOS XE devices with a malicious implant has mysteriously dropped from approximately 60,000 devices to only 100-1,200, depending on the different scans.

Piotr Kijewski, the CEO of The Shadowserver Foundation, also told BleepingComputer that they have seen a sharp drop in implants since 10/21, with their scans only seeing 107 devices with the malicious implant. “The implant appears to have been either removed or updated in some way,” Kijewski told BleepingComputer via email.

Update 10/23/23: Today, cybersecurity firm Fox-IT explained that the cause of the sudden drop of detected implants is due to the threat actors rolling out a new version of the backdoor on Cisco IOS XE devices. According to Fox-IT the new implant version now checks for an Authorization HTTP header before responding.

Cisco Web UI Vulnerability Exploited Massly, Impacting Over 40K Devices

Hack Read, October 19, 2023

A critical cybersecurity threat disclosed by Cisco has resulted in mass exploitation of its devices, with the number of impacted systems surpassing 40,000 hosts worldwide. Nonprofit security group Shadowserver has detected over 32,800 devices compromised so far.

Cisco released a security advisory on October 16 to warn users about a critical zero-day privilege escalation vulnerability in its IOS XE Web UI software.

As per Censys, by October 18 the number of infections had increased from the previously reported 34,140 to 41,983 hosts, while 34,140 had backdoor installed It is tracked as CVE-2023-20198 and has been used to exploit tens of thousands of devices. The US had the highest number of compromised devices followed by the Philippines.


Number of Cisco Devices Targeted by Mass Exploitation Tops 30,000

PC Mag, October 18, 2023

The number of Cisco devices hijacked through a newly discovered attack has risen to over 30,000, according to the latest findings from security researchers. The IOS XE software is used across Cisco switches, routers, and wireless controller products, meaning a large swath of networking equipment has likely been hijacked. The vulnerability, dubbed CVE-2023-20198, is so powerful it can pave the way for a full takeover of a Cisco device, enabling a hacker to spy on traffic or serve users phishing pages loaded with malware.

On Wednesday, nonprofit security group Shadowserver said it’s also detected over 32,800 devices compromised through the vulnerability.

Alert - Vulnerability impacting Cisco devices (CVE-2023-20198) - Update 2

Canadian Centre for Cyber Security, October 18, 2023

On October 16, 2023, Cisco reported that a critical, 0-day privilege escalation vulnerability  in the web UI interface  of routers, switches and wireless controllers running IOS XE are being remotely exploited to gain privileged access. This vulnerability is tracked under CVE-2023-20198 and has the maximum security CVSS rating of 10.0. Open source is reporting that thousands of online, vulnerable devices have been compromised. This Alert is being published to raise awareness of this activity, highlight the potential impact to organizations and to provide guidance for organizations who may be impacted by this malicious activity.

Reference 6: Shadowserver IOS XE post

Credential Harvesting Campaign Targets Unpatched NetScaler Instances

Security Week, October 9, 2023

A credential harvesting campaign is targeting Citrix NetScaler gateways that have not been patched against a recent vulnerability, IBM reports. Tracked as CVE-2023-3519 (CVSS score of 9.8), the vulnerability was disclosed in July, but had been exploited since June 2023, with some of the attacks targeting critical infrastructure organizations. By mid-August, threat actors exploited this vulnerability as part of an automated campaign, backdooring roughly 2,000 NetScaler instances. According to the Shadowserver Foundation, at least 1,350 NetScaler instances compromised in previous attacks were appearing in scans last week.

In September, IBM observed a new malicious campaign targeting unpatched NetScaler devices to inject a script on the authentication page and steal user credentials. According to Shadowserver’s scans, there are at least 285 NetScaler instances compromised in this campaign.

Ransomware gangs now exploiting critical TeamCity RCE flaw

Bleeping Computer, October 2, 2023

Ransomware gangs are now targeting a recently patched critical vulnerability in JetBrains’ TeamCity continuous integration and deployment server. The flaw (tracked as CVE-2023-42793 and tagged with a 9.8/10 severity score) allows unauthenticated attackers to gain remote code execution (RCE) after successfully exploiting an authentication bypass weakness in low-complexity attacks that don’t require user interaction.

Security researchers at the nonprofit internet security organization Shadowserver Foundation found 1240 unpatched TeamCity servers vulnerable to attacks.

Ransomware, extortion and the cyber crime ecosystem

National Cyber Security Centre, September 11, 2023

When it comes to cyber security, a lot can change in six years.

In 2017, the National Cyber Security Centre (NCSC) published a detailed report examining the cyber crime business model. Since then, the growth in ransomware and extortion attacks has expanded dramatically, with cyber criminals adapting their business models to gain efficiencies and maximise profits.

This white paper, published by the NCSC and the National Crime Agency (NCA), examines how the tactics of organised criminal groups have evolved as ransomware and extortion attacks have grown in popularity.

Ransomware and the cyber crime ecosystem

National Cyber Security Centre, September 11, 2023

A new white paper, published by the NCSC and the National Crime Agency, examines how the tactics of organised criminal groups (OGCs) have evolved as ransomware and extortion attacks have grown in popularity. It’s particularly aimed at security professionals and resilience sector leads who need to be aware of changes in cyber criminal activity to better protect their systems and inform security policy.

We’d like to thank our industry partners that contributed to the paper, specifically Mandiant, SecureWorks, ShadowServer and PWC.