Media Coverage

HUMAN’s Satori Threat Intelligence and research team has uncovered and—in collaboration with Google, Trend Micro, Shadowserver, and other partners—partially disrupted a sprawling and complex cyberattack dubbed BADBOX 2.0. BADBOX 2.0 is a major adaptation and expansion of the Satori team’s 2023 BADBOX disclosure, and is the largest botnet made up of infected connected TV (CTV) devices ever uncovered.

A new botnet malware named ‘Eleven11bot’ has infected over 86,000 IoT devices, primarily security cameras and network video recorders (NVRs), to conduct DDoS attacks. The botnet, which is loosely linked to Iran, has already launched distributed denial of service (DDoS) attacks targeting telecommunication service providers and online gaming servers. Earlier today, threat monitoring platform The Shadowserver Foundation reported seeing 86,400 devices infected by the Eleven11bot botnet, with most in the United States, the United Kingdom, Mexico, Canada, and Australia.

A critical vulnerability, CVE-2025-22467, in Ivanti Connect Secure (ICS) devices has left approximately 2,850 instances worldwide unpatched and vulnerable to remote code execution (RCE) attacks. Shadowserver’s daily assessments reveal a significant prevalence of vulnerable devices across various nations. Shadowserver’s findings highlight the need for global coordination in vulnerability disclosure and remediation efforts. Their reports provide actionable intelligence to help organizations identify and secure exposed systems.

In Andorra, the CSIRT-AD has taken a step forward in the protection of companies and offers access to the Shadowserver service , a tool recognized internationally for its effectiveness in the detection and mitigation of threats. Access to Shadowserver provides essential information on detected malicious activities, compromised devices, and vulnerabilities within corporate networks. At a time when digital threats are increasingly frequent and sophisticated, tools like Shadowserver become essential to ensure system protection and operational continuity of companies.

Vulnerabilities in Palo Alto’s firewall operating system PAN-OS became known towards the end of last week. Exploit code was already available for the most serious vulnerability CVE-2025-0108. The Shadowserver Foundation has observed attacks on the PAN-OS vulnerability using this exploit code since Thursday, as reported on X.

Cybersecurity researchers caution that over 12,000 instances of GFI KerioControl firewalls remain unpatched and vulnerable to a critical security flaw (CVE-2024-52875) that could be exploited for remote code execution (RCE) with minimal effort. The Shadowserver Foundation has been tracking this vulnerability and issuing daily reports since February 5, 2025.

A global heatmap published by Shadowserver highlights the widespread nature of the issue, showing unpatched devices across multiple countries. The Shadowserver Foundation is actively sharing data with network owners to help facilitate immediate remediation efforts.

In recent weeks, ShadowServer has observed a significant rise in brute-force attacks targeting web login pages of edge devices, with honeypot data revealing up to 2.8 million IPs involved daily.

The Shadowserver Foundation’s Honeypot HTTP Scanner Events Report notes that attackers are leveraging known vulnerabilities (CVE identifiers) and exploiting weak credentials to gain unauthorized access.

According to the latest findings from VulnCheck, 768 Common Vulnerabilities and Exposures (CVEs) were publicly reported as exploited in the wild for the first time this year (2024). Spikes in exploitation reporting frequently coincided with major industry events, including the RSA Conference, or were influenced by disclosures from newly onboarded sources like ShadowServer. ShadowServer’s integration into reporting processes in January also led to increased public awareness of exploitation.

The 2024 report highlighted that the initial evidence of exploitation came from a diverse set of 112 unique sources, underscoring the importance of collaboration within the security community. These sources include: Third-party security vendors, Government Agencies; Non-profits: Groups like ShadowServer significantly contributed to disclosure efforts; Product Vendors; and Independent Platforms.

Hackers are believed to be exploiting recently fixed SimpleHelp Remote Monitoring and Management (RMM) software vulnerabilities to gain initial access to target networks. The flaws, tracked as CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728, allow threat actors to download and upload files on devices and escalate privileges to administrative levels.

Threat monitoring platform Shadowserver Foundation reported they see 580 vulnerable instances exposed online, most (345) located in the United States.

As of January 22, 2025, nearly 50,000 Fortinet firewall devices remain exposed to a critical zero-day vulnerability despite urgent warnings and available patches. CVE-2024-55591 is an authentication bypass vulnerability in Fortinet’s FortiOS and FortiProxy products.

Data from the Shadowserver Foundation reveals that over 50,000 devices remain unpatched as of January 21, with significant concentrations in Asia (20,687), North America (12,866), and Europe (7,401).