Media Coverage

Shadowserver in the news

Hackers are exploiting critical bug in Zyxel firewalls and VPNs

Bleeping Computer, May 15, 2022

Hackers have started to exploit a recently patched critical vulnerability, tracked as CVE-2022-30525, that affects Zyxel firewall and VPN devices for businesses. Successful exploitation allows a remote attacker to inject arbitrary commands remotely without authentication, which can enable setting up a reverse shell. The severity of the security issue and the damage it could lead to is serious enough for the NSA Cybersecurity Director Rob Joyce to warn users about exploitation and encourage them to update the device firmware version if it is vulnerable. Starting Friday the 13th, security experts at the nonprofit Shadowserver Foundation reported seeing exploitation attempts for CVE-2022-30525. It is unclear if these efforts are malicious or just researchers working to map up Zyxel devices currently exposed to adversary attacks. Given the severity of the vulnerability and the popularity of the devices, security researchers have released code that should help administrators detect the security flaw and exploitation attempts.

‘A nerd’s gotta do what a nerd’s gotta do:’ Why Craig Newmark is funding a cyber civil defense

The Record, April 20, 2022

Craig Newmark is the first to admit that he’s no cybersecurity expert. But that didn’t stop the Craigslist founder and major philanthropist from announcing last week that Craig Newmark Philanthropies would offer more than $50 million in grants to build what he calls a “cyber civil defense.” Aspen Digital, a program run by the Aspen Institute, will manage it. Grants will go to organizations like the Ransomware Task Force at the Institute for Security Technology, the Global Cyber Alliance and even Consumer Reports, which Newmark says will create “cybersecurity nutrition labels” to, among other things, disclose security metrics on any smart device, be it a thermostat or a car. The everyday threat of cyberattacks is very real for Americans. The last five years alone have seen a dramatic uptick in cyber and ransomware attacks, with threat actors not just going after military targets, but exploiting vulnerabilities in anything from baby cameras to major oil pipelines. “We’ve been attacked on our own soil in ways that have never happened before,” Newmark told the Click Here podcast team in an interview. “I wish I had the skills to participate,” he added, “but it seems like my role is to help out the people who can really help defend our country and democracy overall.”

Craig Newmark Philanthropies commits $50 million for cybersecurity

Philanthropy News Digest, April 13, 2022

Craig Newmark Philanthropies (CNP) has announced a commitment of more than $50 million in support of a broad coalition of organizations dedicated to educating and protecting Americans amid escalating cybersecurity threats. The grants from the charitable network of craigslist founder Craig Newmark will focus on building the civic infrastructure, policy frameworks, and digital tools necessary to support what Newmark calls a “cyber civil defense” effort to bolster American national and global security in the face of new threats. To that end, the funding will support efforts to raise public awareness of threats and online security choices, in addition to the creation of online tools and digital infrastructure that help secure the country’s networks. The effort also will include programming aimed at developing a diverse, inclusive, and equitable workforce capable of meeting the technical challenges ahead.

Some telecoms kit settings can make a DDoS attack 4 billion times worse if not switched off

Mobile Europe, March 10, 2022

Badly prepared telecoms equipment has created an opportunity for cyber criminals to mount denial of service (DoS) attacks on mobile operators that are 4 billion times worse than anything else that’s gone before, say researchers. The revelation, reported in Arstechnica, comes just as state sponsored cyber warfare is booming, in the wake of the conflict in Ukraine. Distributed denial of services (DDoS) attacks are a popular form of DoS because they need minimal bandwidth and computing power. The effect of each small unit of data overload is amplified by the number of units it replicates on. Rather than having to marshal huge amounts of bandwidth and computing power, the DDoSer locates servers on the Internet that will do it for them.

In-the-wild DDoS attack can be launched from a single packet to create terabytes of traffic

ZDNet, March 8, 2022

A test mode that shouldn’t be exposed to the internet on a PBX-to-internet gateway is responsible for an amplification ratio of 4,294,967,296 to 1. Security researchers from Akamai, Cloudflare, Lumen Black Lotus Labs, Mitel, Netscout, Team Cymru, Telus, and The Shadowserver Foundation have disclosed denial-of-service attacks with an amplification ratio that surpasses 4 billion to one and that can be launched from a single packet. Dubbed CVE-2022-26143, the flaw resides in around 2,600 incorrectly provisioned Mitel MiCollab and MiVoice Business Express systems that act as PBX-to-internet gateways and have a test mode that should not be exposed to the internet.

CVE-2022-26143: TP240PhoneHome Reflection/Amplification DDoS Attack Vector

Akamai, March 8, 2022

A new reflection/amplification DDoS vector with a record-breaking potential amplification ratio of 4,294,967,296:1 has been abused by attackers in the wild to launch multiple high-impact DDoS attacks. Security researchers, network operators, and security vendors observed these attacks and formed a task force to investigate the new DDoS vector and provide mitigation guidance. Attacks have been observed on broadband access ISPs, financial institutions, logistics companies, gaming companies, and organizations in other vertical markets.

Security organisations form Nonprofit Cyber coalition

Computer Weekly, February 24, 2022

A group of implementation-focused cyber nonprofits have joined forces to create an umbrella coalition that will work to develop, share, deploy and increase awareness of security best practice, tools, standards and services. It will initially focus on two priorities – building awareness of cyber nonprofits, and aligning the work of its 22 founding members, all of which must hold nonprofit status under US law or their home country equivalents. “Our goal with Nonprofit Cyber is to collaboratively align our individual strengths into a collective force for good, taking positive action for the entire cyber ecosystem.”


Nonprofits, Activate! Orgs Team Up to Tackle Cybersecurity Threats

PC Mag UK, February 23, 2022

A coalition of nonprofit orgs have joined forces to create Nonprofit Cyber to build awareness of the cybersecurity work they’re doing and team up where it makes sense. Nonprofit Cyber’s 22 founding members say they won’t focus on lobbying, policy development, advocacy organizations, or industry associations. But the group earned a thumbs up from Jen Easterly, director of the US Cybersecurity and Infrastructure Security Agency (CISA). The group is a mix of technologically focused groups, training providers, and threat intelligence platforms.


Shadowserver Starts Conducting Daily Scans to Help Secure ICS

Security Week, February 23, 2022

The Shadowserver Foundation this week announced that it has started conducting daily internet scans in an effort to identify exposed industrial control systems (ICS) and help organizations reduce their exposure to attacks. The nonprofit cybersecurity organization is scanning the web for exposed services that use the Modbus industrial communications protocol on TCP port 502, but Shadowserver’s Piotr Kijewski told SecurityWeek that they plan on introducing many other ICS and operational technology (OT) protocol scans in the near future. The first daily ICS scan conducted by Shadowserver revealed more than 6,300 unique IP addresses corresponding to exposed Modbus services. A majority are associated with Siemens products, followed by ABB, AB Regin, Schneider Electric’s Telemecanique, Solare Datensysteme, Invensys, Delta Electronics, Huawei, Rockwell Automation (Allen Bradley), Alpes Technologies, SE-Elektronic, COPA-DATA, WEG, and Synchronic.

The VARIoT honeypot network in numbers

VARIoT.eu, November 26, 2021

The primary VARIoT honeypot network used for observing IoT and other attacks is based on a rewritten, updated version of the EU H2020 SISSDEN project platform. It enables rapid large-scale deployments of honeypot sensors across data centers worldwide. These sensors act as OSI layer 2 tunnel endpoints to a datacenter where the actual honeypots reside. The honeypot network is built and managed by Shadowserver. As of the 19th of November 2021, the primary network runs 260 nodes with dedicated IP addresses for a total of 821 honeypots operating at once. The nodes are located in 88 countries, 331 unique /24’s and 134 unique ASNs. Data from these honeypots is shared with 132 National CSIRTs covering 173 countries and territories and over 6000 organizations worldwide in Shadowserver’s daily feeds via the Honeypot Brute Force Events report and Honeypot HTTP Scanner Events report. We have also developed a malware downloader framework that attempts to automatically decode URLs being used to serve malware. These URLs will soon also be shared daily through Shadowserver’s free daily remediation feeds. You can obtain VARIoT global statistics about infections seen by the honeypots (and other sources) on the VARIoT website hosted by CIRCL and also on the European Data Portal. Deployment of sensor nodes in Latin America and the Caribbean is supported by the sensores.lat project together with CEDIA and FRIDA. Deployment of sensor nodes in Africa and the Indo-Pacific is also supported by the UK FCDO.