Media Coverage

A new reflection/amplification DDoS vector with a record-breaking potential amplification ratio of 4,294,967,296:1 has been abused by attackers in the wild to launch multiple high-impact DDoS attacks. Security researchers, network operators, and security vendors observed these attacks and formed a task force to investigate the new DDoS vector and provide mitigation guidance. Attacks have been observed on broadband access ISPs, financial institutions, logistics companies, gaming companies, and organizations in other vertical markets.

A group of implementation-focused cyber nonprofits have joined forces to create an umbrella coalition that will work to develop, share, deploy and increase awareness of security best practice, tools, standards and services. It will initially focus on two priorities – building awareness of cyber nonprofits, and aligning the work of its 22 founding members, all of which must hold nonprofit status under US law or their home country equivalents. “Our goal with Nonprofit Cyber is to collaboratively align our individual strengths into a collective force for good, taking positive action for the entire cyber ecosystem.”

A coalition of nonprofit orgs have joined forces to create Nonprofit Cyber to build awareness of the cybersecurity work they’re doing and team up where it makes sense. Nonprofit Cyber’s 22 founding members say they won’t focus on lobbying, policy development, advocacy organizations, or industry associations. But the group earned a thumbs up from Jen Easterly, director of the US Cybersecurity and Infrastructure Security Agency (CISA). The group is a mix of technologically focused groups, training providers, and threat intelligence platforms.

The Shadowserver Foundation this week announced that it has started conducting daily internet scans in an effort to identify exposed industrial control systems (ICS) and help organizations reduce their exposure to attacks. The nonprofit cybersecurity organization is scanning the web for exposed services that use the Modbus industrial communications protocol on TCP port 502, but Shadowserver’s Piotr Kijewski told SecurityWeek that they plan on introducing many other ICS and operational technology (OT) protocol scans in the near future.The first daily ICS scan conducted by Shadowserver revealed more than 6,300 unique IP addresses corresponding to exposed Modbus services. A majority are associated with Siemens products, followed by ABB, AB Regin, Schneider Electric’s Telemecanique, Solare Datensysteme, Invensys, Delta Electronics, Huawei, Rockwell Automation (Allen Bradley), Alpes Technologies, SE-Elektronic, COPA-DATA, WEG, and Synchronic.

The primary VARIoT honeypot network used for observing IoT and other attacks is based on a rewritten, updated version of the EU H2020 SISSDEN project platform. It enables rapid large scale deployments of honeypot sensors across data centers worldwide. These sensors act as OSI layer 2 tunnel endpoints to a datacenter where the actual honeypots reside. The honeypot network is built and managed byShadowserver. As of the 19th of November 2021, the primary network runs 260 nodes with dedicated IP addresses for a total of 821 honeypots operating at once. The nodes are located in 88 countries, 331 unique /24’s and 134 unique ASNs. Data from these honeypots is shared with 132 National CSIRTs covering 173 countries and territories and over 6000 organizations worldwide in Shadowserver’s daily feeds via the Honeypot Brute Force Events report and Honeypot HTTP Scanner Events report. We have also developed a malware downloader framework that attempts to automatically decode URLs being used to serve malware. These URLs will soon also be shared daily through Shadowserver’s free daily remediation feeds. You can obtain VARIoT global statistics about infections seen by the honeypots (and other sources) on the VARIoT website hosted by CIRCL and also on the European Data Portal. Deployment of sensor nodes in Latin America and the Caribbean is supported by the sensores.lat project together with CEDIA and FRIDA.  Deployment of sensor nodes in Africa and the Indo-Pacific is also supported by the UK FCDO.

Bad guys are scanning your network. They are finding all the vulnerabilities exposed to the Internet. The vulnerable systems, critical devices, and other ways to break into your network. When ransomware, malware, botnets, and other break-ins happen, people wonder, “how did the threat actors find that service?” People thought that “if we don’t publish it, then obscurity will protect the service. Can you get ahead of the bag, guys scanning your network? There is a public benefit (free) service open to all organizations that will let you know daily what systems the bad guys can see and what you need to do to protect yourself. There are many commercial Attack Surface Management services, but none offer the comprehensive surface from Shadowserver’s Daily Network Report. Typical ASM reports just “scan” your network. Shadowserver diverse telemetry connects to malware, botnet, and threat actor takedowns. They monitor the malware Command-and-Control systems coming from your network, through your firewall, and beaconing to the Internet. One public benefit ASM++ service provides organization powerful intelligence from Shadowserver – an organization whose mission is to fight the same threat actors who are scanning your network to harm you.

Following a recent Incident Response, McAfee Enterprise‘s Advanced Threat Research (ATR) team worked with its Professional Services IR team to support a case that initially started as a malware incident but ultimately turned out to be a long-term cyber-attack. Operation Harvest has been a long-term operation whereby an adversary maintained access for multiple years to exfiltrate data. The exfiltrated data would have either been part of an intellectual property theft for economic purposes and/or would have provided insights that would be beneficial in case of military interventions. The adversaries made use of techniques very often observed in this kind of attack but also used distinctive new backdoors or variants of existing malware families. Combining all forensic artifacts and cross-correlation with historical and geopolitical data, we have high confidence that this operation was executed by an experienced APT actor.

Gaining visibility into a target network from the outside is one of the first steps in breaching a network’s defences and has become one of the standard elements of criminal attacks. The constant scanning of networks has become commonplace, not just by criminals, but also by organizations that sell access to the data that is collected. Gaining insight into the exposed footprint of your network has never been easier. You should assume attackers have an overview of your potentially vulnerable or misconfigured systems and understand what is exposed and exploitable. What if you, as a defender, could have access to a public benefit, free to use, daily security report that provides an overview of some of your security risks? What if this data allowed you to understand what the criminals might see on your network? What if this data can highlight devices that are infected with malware? In fact, what if this data exposed devices and resources on your network you didn’t even know you had?

New data suggests someone has compromised more than 21,000 Microsoft Exchange Server email systems worldwide and infected them with malware that invokes both KrebsOnSecurity and Yours Truly by name. Let’s just get this out of the way right now: It wasn’t me. The Shadowserver Foundation, a nonprofit that helps network owners identify and fix security threats, says it has found 21,248 different Exchange servers which appear to be compromised by a backdoor and communicating with brian[.]krebsonsecurity[.]top (NOT a safe domain, hence the hobbling). Shadowserver has been tracking wave after wave of attacks targeting flaws in Exchange that Microsoft addressed earlier this month in an emergency patch release. The group looks for attacks on Exchange systems using a combination of active Internet scans and “honeypots” — systems left vulnerable to attack so that defenders can study what attackers are doing to the devices and how.

At the Commonwealth Heads of Government Meeting in London in 2018, the UK and Singapore signed a Memorandum of Cooperation committing to collaborate to help support implementation of the Commonwealth Cyber Declaration across the Commonwealth. The project workshops introduced Commonwealth Member States to nCSIRT Maturity Frameworks as a way to develop and gauge their national cyber incident response capabilities and to identify and prioritise areas as next steps to maturity. They also provided important opportunities for network building and cooperation on cyber security across the Commonwealth. An area which was unanimously requested by the participating countries in the lead up to the event, was information regarding Open Source Monitoring Tools. It was highlighted that Shadowserver and Team Cymru are both reputable private companies who work with national CERTs, and many of the participating countries had already raised that they are indeed using data feeds from those companies already.