Media Coverage

Shadowserver in the news threat intelligence feeds, November 5, 2019 receives threat intelligence for Austrian IP networks from a variety of sources. As we receive data in different formats we harmonize and deduplicate it before forwarding it. The NGO Shadowserver ( is our biggest threat intel source

CAIDA ASPIRE - Augment Spoofer Project to Improve Remediation Efforts

CAIDA, October 23, 2019

“Augment Spoofer Project to Improve Remediation Efforts (ASPIRE)” – a collaborative project co-led by Professor Matthew Luckie of the University of Waikato‘s Computing & Mathematical Sciences Department. Reaching out to security risk management companies, e.g., FICO, BitSight, Security Scorecard, Shadowserver, and Redseal, to discuss the potential for commercial use of Spoofer data or other technology transition relationships.


‘Security’ Cameras Are Dry Powder for Hackers. Here’s Why

Fortune, September 19, 2019

Researchers have long bemoaned the insecurity of certain “security” cameras. Ostensibly installed to deter and thwart intruders, many actually can be transformed into an arsenal that hackers use for Web warfare. The latest cause for concern: A vulnerability that enables hackers to summon a firehose of network traffic from hundreds of thousands of such devices for “distributed denial of service” attacks. Scanning the Internet for devices vulnerable to “LDAP” hacking using Shadowserver, a search tool provided by a nonprofit security group of the same name, reveals nearly 15,000 devices ready for abuse. For WS-Discovery, the newly discovered attack method, more than 800,000 vulnerable devices appear to be open to abuse.

Magecart Skimming Attack Targets Mobile Users of Hotel Chain Booking Websites

TrendMicro, September 18, 2019

We discovered a series of incidents where the credit card skimming attack Magecart was used to hit the booking websites of chain-brand hotels — the second time we’ve seen a Magecart threat actor directly hit ecommerce service providers instead of going for individual stores or third-party supply chains. With special thanks to our colleagues at and The Shadowserver Foundation for helping to take down the Magecart domain.

TLDCON 2019: Collaboration, security and forecasts

Baltic Times, September 17, 2019

On September 11-12, 2019, Vilnius, the capital of Lithuania, hosted the 12th international conference for ccTLD registries and registrars from CIS, Central and Eastern Europe, TLDCON 2019. The two-day conference brought together 120 participants from 20 countries. It was organized by the Coordination Center for TLD .RU/.РФ with the support of DOMREG.LT (host), the Technical Center of Internet (general partner), ICANN and the Vilnius Convention Bureau.

A Brief History of Internet Wide Scanning

Hacker Target, July 1, 2019

In the beginning there were Google Dorks; as far back as 2002 security researches discovered that specific Google queries could reveal Internet connected devices. Seventeen years later it is still possible to find thousands of unsecured remotely accessible security cameras and printers via simple Google searches. In 2004 the Shadowserver was started by a group of volunteers. Working from the principle that sharing Internet Attack Data can only enhance the overall security of the Internet they quickly became a primary source for security researchers. Over the years they have been publishing reports, sharing cyber crime data and scanning the Internet. With a focus on cyber crime they share reports of C2 services, DDOS botnet services and other attack based infrastructure.

TU Delft uses honeypots to map IoT botnets

Security NL, June 25, 2019

Together with Dutch internet providers, TU Delft sets up a honeypot network to map compromised Internet of Things devices. The honeypot network is specially developed to gain insight into infected IoT devices in the Netherlands. Information about contaminated IoT devices is shared with the relevant internet providers. This is done via the AbuseHUB of the Abuse Information Exchange . The project not only provides information about infected Dutch IoT devices, but also about foreign devices. It is possible that this information will be shared with a party such as the Shadowserver Foundation, that informs affiliated providers about infections in their network.

Magecart skimmers found on Amazon CloudFront CDN

MalwareBytes, June 4, 2019

Late last week, we observed a number of compromises on Amazon CloudFront – a Content Delivery Network (CDN) – where hosted JavaScript libraries were tampered with and injected with web skimmers. The skimmer used in this attack looked eerily familiar. Indeed, by going back in time, we noted it used to have the same exfiltration gate (font-assets[.]com) identified by Yonathan Klijnsma in RiskIQ’s report on several recent supply-chain attacks. RiskIQ, in partnership with and the Shadowserver Foundation, sinkholed both that domain and another (ww1-filecloud[.]com) in an effort to disrupt the criminal’s infrastructure.

BlueKeep: Around one million devices could be vulnerable to a worm-like Microsoft bug

SC Magazine, May 30, 2019

“This will likely lead to an event as damaging as WannaCry and notPetya from 2017 — potentially worse, as hackers have since honed their skills exploiting these things for ransomware and other nastiness,” said a blog post by researchers at Errata Security. The flaw, dubbed Bluekeep, was found in Remote Desktop Services and affects older versions of Windows, including Windows 7, Windows XP, Server 2003 and Server 2008. Errata Security researcher Robert Graham carried out a scan of devices using a tool called Masscan, to find the port (3389) used by Remote Desktop, the one used by Remote Desktop. While this found all open ports, Graham then used a Remote Desktop Protocol scanning project created by The Shadowserver Foundation, to find the million devices vulnerable to Bluekeep.

ICANN SAC105: The DNS and the Internet of Things: Opportunities, Risks, and Challenges

ICANN, May 28, 2019

This is a report of the ICANN Security and Stability Advisory Committee (SSAC). The SSAC focuses on matters relating to the security and integrity of the Internet’s naming and address allocation systems. SSAC engages in ongoing threat assessment and risk analysis of the Internet naming and address allocation services to assess where the principal threats to stability and security lie, and advises the ICANN community accordingly.

The number of open resolvers on the Internet is on the order of millions, with [31] estimating 23- 25 million open resolvers in 2014 and Shadowserver reporting over 3 million open resolvers based on their active scanning system (Dec 2018). While open resolvers are a longtime problem [42], they represent an additional risk to the IoT.

A few prototypes of shared systems for exchanging DDoS information across multiple collaborating players are under development and are potential starting points for a shared system for DNS operators. Sources that may enrich the botnet information in the shared database include: Shadowserver’s Open Resolver Scanning Project, which could help to identify resolvers that IoT botnets have used or could use for reflection attacks.