Media Coverage

In August 2021, researchers from the University of Maryland and the University of Colorado Boulder published an award-winning paper detailing a potential DDoS attack vector that takes advantage of flaws within the middleboxes of TCP protocols and can be abused to launch massive Distributed Denial of Service (DDoS) attacks. In March 2022, security researchers at Akamai Security Operations Command Center detected and analysed a series of TCP reflection attacks, peaking at 11Gbps at 1.5 million packets per second (Mpps). Upon examining the TCP packets used in the attack, they realized the attackers were leveraging the technique outlined in the above paper, which they termed TCP Middlebox Reflection attack. In this attack, the attacker abuses vulnerable firewalls and content filtering systems to reflect and amplify TCP traffic to a victim’s machine, creating a powerful DDoS attack. A middlebox is a computer networking device that transforms, inspects, filters, and manipulates traffic for purposes other than packet forwarding. Firewalls, NAT devices, load balancers, and deep packet inspection (DPI) devices are common examples of middleboxes. The researchers who first detailed the attack described two methods to detect potentially vulnerable middleboxes. Using these scanning methods, Shadowserver researchers found that more than 18.8 million IPs are vulnerable to Middlebox TCP Reflection DDoS attacks, which can also be leveraged to launch TCP-based DDoS Reflection attacks. You can get check if any of your IPs are on this list by subscribing to the Shadowserver ‘Vulnerable DDoS Middlebox Report’.

Fortinet is urging customers to address the recently discovered CVE-2022-40684 zero-day vulnerability. Unfortunately, the number of devices that have yet to be patched is still high. The company urges customers of addressing this critical vulnerability immediately due to the risk of remote exploitation of the flaw. The Shadowserver Foundation reported that more than 17K Fortinet devices exposed online are vulnerable to attacks exploiting the CVE-2022-40684 flaw, most of them in Germany and in the US. Users can track CVE-2022-40684 exploitation activity on the Dashboard provided by the organization.

Fortinet is concerned that many of its customers’ devices are still unprotected against attacks exploiting the recently disclosed zero-day vulnerability and the company has urged them to take action. Fortinet was initially aware of a single instance where the vulnerability tracked as CVE-2022-40684 had been exploited. However, now that technical details and proof-of-concept (PoC) exploits are publicly available, the security hole is being increasingly targeted. The cybersecurity company has released patches and workarounds for the vulnerability, as well as indicators of compromise (IoCs) that can be used to detect signs of an attack. The Shadowserver Foundation reported on Friday that it had seen more than 17,000 internet-exposed devices vulnerable to attacks involving CVE-2022-40684, including thousands in the United States and India. Shadowserver has seen exploitation attempts coming from more than 180 IPs.

Researchers from Shadowserver recommended isolating servers to reduce attacks, saying that millions of MySQL website database servers are vulnerable. Then the researchers from Volexity said that the attackers exploited the vulnerabilities of the Zimbra servers, which, combined, have already helped to hack more than a thousand servers.

The Ministry of Information and Communication Technologies (Mitic), makes a new alert service available to State Organizations and Entities. This is the “Proactive Cybersecurity Report”, which consists of sending notices regarding security problems in systems or digital assets. Through the Cyber ​​Incident Response Center (CERT-PY), Mitic enabled this new cybersecurity reporting service for public institutions, so that they are immediately aware and apply corrective measures in a timely manner. How does it work? The CERT-PY receives a large volume of free and public cybersecurity threat intelligence information (threat intelligence feeds) daily, which can be identified through patterns, from various sources, such as Shadowserver, OAS CsirtAmericas, other CSIRTs, among others. This data set includes information on signs of compromise and attacks (IoC / IoA) and vulnerabilities, misconfigurations and/or exposures involving Paraguayan IPs and/or domains. These types of clues are detected in a variety of ways and shared across organizations around the world with national CSIRTs, including CERT-PY. These reports are automatically received and sent by CERT-PY through its Incident Management System, on a daily basis to each subscribed organization, which only receives reports about events involving its own range of IPs and domains that were declared.

The Shadowserver Foundation today launched its new Alliance to continue to build a safer, more secure Internet. The new Shadowserver Alliance partner program will accelerate growth and scale up delivery of no cost cybersecurity and cyber threat intelligence services to internet defender organizations and law enforcement.

The Shadowserver Foundation has launched a new dashboard with “threat data”. The dashboard provides information about honeypots, DDoS ​​attacks, brute force attempts, sinkholes, online scans and vulnerable systems. Shadowserver collects large amounts of information about botnets, malware and other criminal networks and shares it with providers and government services, such as Computer Emergency Response Teams (CERTs). In recent years, the Shadowserver Foundation has played an important role in the take-down of several large botnets. Every day, the organization scans four billion IP addresses for possible abuse and analyzes more than 700,000 malware copies. That information is now partly shared via the dashboard. For example, it appears that in the Netherlands seven thousand infected systems connect to a “sinkhole”. Traffic from an infected machine is redirected to a server of, for example, a security company, authority or provider, in order to prevent further damage and identify infected machines. There is also an overview of vulnerable Zimbra servers. There are still about three hundred of these in the Netherlands. Via the new dashboard, which is financed with money from the British government, it is possible to follow certain trends or compare figures from countries. Shadowserver hopes the data from the dashboard can help security researchers, policy makers, journalists, computer security incident response teams (CSIRTs), and others research and raise awareness about cyber threats.

The OWASP Amass Project is a tool used by security professionals to perform network mapping of attack surfaces as well as external asset discovery. It uses several techniques that include open-source information gathering and active reconnaissance. This tool written in the Go language allows in-depth DNS, ASN numbers, and subdomain enumeration. Below is a list of the techniques and the data sources involved in information collection: DNS: FQDN Similarity-based Guessing, Brute force, Reverse DNS sweeping, Zone transfers, NSEC zone walking FQDN alterations/permutations. Routing: NetworksDB, ARIN, BGPView, IPdata, RADb, Robtex, BGPTools, ShadowServer, TeamCymru, IPinfo

In recent months, Shadowserver has been systematically rolling out IPv6 scanning of services. Blindly scanning the full IPv6 space is, of course, completely unfeasible as the total IPv6 space is about 3.4×10^38 unique addresses (that’s 340 trillion trillion trillion addresses). With Shadowserver’s current capabilities, it would take roughly 2×10^25 years to scan the entire IPv6 space. Scanning all IPv4 space, for comparison, typically takes us minutes, because there are only about 4.3 billion addresses, of which we scan 3.7 billion addresses. Large-scale IPv6 scanning is feasible. You should not assume that your IPv6 infrastructure will never be found by attackers and that you are ‘safe’. Securing and monitoring IPv6 and open IPv6 services on your network is critical, otherwise, you may be leaving gaping holes in your network that a bad actor may exploit. Unfortunately, tools for IPv6 security are not at the same level of maturity as for IPv4. Human analysts are also much less experienced/skilled in dealing with IPv6. We encourage all organizations to make sure they also focus on securing their IPv6 infrastructure, implement their own specific IPv6 monitoring program and of course, subscribe to our free daily feeds to stay alert on their IPv6 attack surface exposure.

We have an active Zimbra exploit, in the wild, with espionage and “others” trying to get into +22: vulnerable systems. Everyone using Zimbra Collaboration (ZCS) who has not recently patched is at risk. Volexity Threat Research responsibly disclosed this risk on August 10th, 2022. Zero-Day exploitation was active on the disclosure day. Shadowserver is tracking +22K exposed systems as of 2022-08-13. The Zimbra Exploit is yet another exploit to be expected. What is helpful is to have systems in place to alert you when there is an issue and help you with your customers who might be vulnerable (i.e. ISPs and Cloud Operators). Shadowserver’s Vulnerability Notifications are one of the key features of Shadowserver’s Daily Network Reports. The industry works with Shadowserver to get the word out to the thousands of networks supported by the Daily Network Reports. Volexity identified over 1,000 Zimbra Exploited instances worldwide that were already backdoored and compromised by their disclosure on August 10th. This was just the start. As shown via the Shadowserver data, 26,854 out of 33,733 (79.6%) instances exposed on the Internet on 2022-08-13 were likely vulnerable & may be compromised. ~28K is much higher than the ~1000 Volexity found. We’re in a race to get systems patched!