Media Coverage

Your firewalls can be used as a STUN DDoS reflector to attack others on the Internet. Open UDP firewall ports for STUN (Session Traversal Utilities for NAT) are being exploited for DDoS reflection. Your network is most likely one of those networks. Shadowserver now detects 101k IPv4 and 2.9K IPv6 accessible UDP STUN services. These can be abused for reflection/amplification DDoS attacks (IPv4 amp factor around 4, IPv6 amp factor around 6). Most open UDP STUN is in US and Germany. All of these can be STUN DDoS reflectors. You can stop this, keeping DDoS miscreants from using your network and firewall for criminal gain. Turning off UDP STUN or applying ACLs on the UDP STUN ports will prevent STUN DDoS reflector abuse. As described on Wikipedia, STUN is a standardized set of methods, including a network protocol, for traversal of network address translator (NAT) gateways in applications of real-time voice, video, messaging, and other interactive communications. Most firewall devices have the STUN UDP ports open.

The US Cybersecurity and Infrastructure Security Agency (CISA) informed organizations on Thursday that a recently patched vulnerability affecting the Zimbra enterprise email solution has been exploited in attacks. The security hole, tracked as CVE-2022-27924 and described as a Memcache injection issue, allows an unauthenticated attacker to steal cleartext credentials from a targeted Zimbra instance without any user interaction. An attacker can leverage the compromised credentials to access the victim’s emails, from where they could escalate their access within the targeted organization and obtain sensitive information. Access to mailboxes can also allow the attacker to impersonate users and spy on victims.

Some members of the cybersecurity community are likely not surprised that the flaw is being exploited in attacks. The Shadowserver Foundation issued a warning on June 14, when it reported seeing roughly 30,000 Zimbra instances that may have been vulnerable to attacks, including thousands in the United States.

Cybersecurity organizations warn that a recently patched vulnerability in the Questions for Confluence application is already being exploited in attacks. Questions for Confluence is an application designed to help Confluence users obtain information, share information with others, and to seek counsel from experts when necessary. Tracked as CVE-2022-26138 and considered ‘critical severity’, the issue exists because, when enabled on Confluence Server and Data Center, the Questions for Confluence application creates a user account with a hardcoded password. Atlassian released patches for this issue a week ago, warning that “a remote, unauthenticated attacker with knowledge of the hardcoded password could exploit this to log into Confluence and access any pages the confluence-users group has access to.” Days after fixes were rolled out, the company updated its advisory to warn that someone had made public the hardcoded password, urging organizations to update their deployments as soon as possible. “This issue is likely to be exploited in the wild now that the hardcoded password is publicly known. This vulnerability should be remediated on affected systems immediately,” Atlassian said. Shadowserver observed in-the-wild exploitation of the security flaw.

As part of our continuing mission to reduce cybersecurity risk across U.S. critical infrastructure partners and state, local, tribal, and territorial governments, CISA has compiled a list of free cybersecurity tools and services to help organizations further advance their security capabilities. This living repository includes cybersecurity services provided by CISA, widely used open source tools, and free tools and services offered by private and public sector organizations across the cybersecurity community. CISA will implement a process for organizations to submit additional free tools and services for inclusion on this list in the future. After making progress on the measures above, organizations can use the free services and tools listed below to mature their cybersecurity risk management. These resources are categorized according to the four goals outlined in CISA Insights: Implement Cybersecurity Measures Now to Protect Against Critical Threats:

1. Reducing the likelihood of a damaging cyber incident;
2. Detecting malicious activity quickly;
3. Responding effectively to confirmed incidents; and
4. Maximizing resilience.

Reducing the Likelihood of a Damaging Cyber Incident: Shadowserver – A subscription service that sends custom remediation reports to inform organizations about the state of its networks and security exposures.

In a recent article by Shadowserver foundation – they found that over 3.6 million MySQL servers were accessible world wide. We were surprised by the large number and are pretty certain no one did this on purpose. Our team built a tool, so they could test to see if their databases were public. In this video we talk about: -Why people use open ports -What risks open ports introduce -The pros and cons of how to mitigate those risks -How you can can use

I’ve seen several recent posts about lots of free and open source tools in the security community. These kinds of tools are incredibly important, but they often are targeted towards individuals with some experience to be able to use. This is a challenge for small businesses or nonprofits who may not have the resources or staff to put those tools into practice.

If you’re a small business or nonprofit, this article is for you. There are a ton of free services that can provide real value today, even if you are the only IT person in the company and you don’t have any security experience. 1. ShadowServer. The Shadowserver Foundation was created in 2004 as a nonprofit to help with security reporting and investigation. One of the free services that Shadowserver offers is a report for owners of networks to show vulnerable services that are running on your network so that you can remove them or offer more secure options. This is a really easy way for organizations that may not have scanning tools to prevent an incident before it happens. To sign up, go to https://www.shadowserver.org/what-we-do/network-reporting/get-reports/. You’ll need to provide some detailed information and the Shadowserver team will verify if you actually own the network first.

Do you maintain a MySQL server?  If so, you’re certainly not alone.  What you may not know is that according to research conducted by The Shadowserver Foundation, (a cybersecurity research group) there are literally millions of MySQL servers visible on the internet that shouldn’t be. In all, the group found more than 3.6 million MySQL servers visible on the web and using the default port, TCP port 3306. The company noted that they did not check for the level of access possible, or the exposure of specific data. The fact remained that the server itself was visible and that alone was a security risk, regardless of any other factors. The United States led the world in terms of total number of exposed servers, with just over 1.2 million, but there were also substantial numbers to be found in Germany, Singapore, the Netherlands, and China.

Over 900,000 misconfigured Kubernetes clusters were found exposed on the internet to potentially malicious scans, some even vulnerable to data-exposing cyberattacks. Kubernetes is a highly versatile open-source container orchestration system for hosting online services and managing containerized workloads via a uniform API interface. It enjoys massive adoption and growth rates thanks to its scalability, flexibility in multi-cloud environments, portability, cost, app development, and system deployment time reductions. However, if Kubernetes isn’t configured properly, remote actors might be able to access internal resources and private assets that weren’t meant to be made public. Additionally, depending on the configuration, intruders could sometimes escalate their privileges from containers to break isolation and pivot to host processes, granting them intial access to internal corporate networks for futher attacks. Researchers at Cyble have conducted an exercise to locate exposed Kubernetes instances across the internet, using similar scanning tools and search queries to those employed by malicious actors. Last month, The Shadowserver Foundation released a report on exposed Kubernetes instances where they discovered 381,645 unique IPs responding with a 200 HTTP error code.

Too many organizations are ignoring the risk of SNMP abuse and leaving their SNMP ports open to the world. Simple Network Manage Protocol (SNMP) is one of our core networking building blocks. We – the community who build and run networks – use all types of networks. It is a powerful tool for monitoring, managing, and controlling devices. Yet, SNMP’s security is an afterthought, allowing risk that endangers the organization. We’ll focus on deploying Multi-Factor Authentication (MFA) while leaving the devices that manage the MFA with open and exploitable SNMP ports. SNMP is a gold mine for the miscreant who learns how to leverage it. Shadowserver’s long-term measurement of the SNMP Risk has millions of devices open to exploitation.

The Shadowserver Foundation warns of the security risk associated with more than 3.6 million internet-exposed MySQL servers that accept connections on port 3306/TCP. While scanning the internet for accessible MySQL servers, the organization’s researchers identified a total population of roughly 5.4 million IPv4 and IPv6 instances on port 3306/TCP, but say that only two-thirds of these appear to accept a connection. The scanning revealed that the US is home to the largest number of IPv4 MySQL servers (at more than 740,000), followed by China (just shy of 300,000), and Germany (at roughly 175,000). The Shadowserver Foundation’s research is meant to raise awareness on the wide attack surface created by MySQL servers that are potentially unnecessarily exposed to the internet.