Media Coverage

Law enforcement has teamed up with the private sector to fight against the abuse of a legitimate security tool by criminals who were using it to infiltrate victims’ IT systems. Older, unlicensed versions of the Cobalt Strike red teaming tool were targeted during a week of action coordinated from Europol’s headquarters between 24 and 28 June. Known as Operation MORPHEUS, this investigation was led by the UK National Crime Agency and involved law enforcement authorities from Australia, Canada, Germany, the Netherlands, Poland and the United States.

Cooperation with the private sector was instrumental in the success of this disruptive action. A number of private industry partners supported the action, including BAE Systems Digital Intelligence, Trellix, Spamhaus, abuse.ch and The Shadowserver Foundation. These partners deployed enhanced scanning, telemetry and analytical capabilities to help identify malicious activities and use by cybercriminals.

Thought last year’s MOVEit hellscape was well and truly behind you? Unlucky, buster. We’re back for round two after Progress Software lifted the lid on fresh vulnerabilities affecting MOVEit Transfer and Gateway.

In typical fashion, researchers at watchTowr have penned a comprehensive account of CVE-2024-5806 – the one affecting MOVEit Transfer – and the two damaging attacks it can facilitate. To the surprise of probably no one, within just a few hours of watchTowr’s writeup going live, attack attempts using CVE-2024-5806 began, according to Shadowserver’s telemetry.

As for how many MOVEit customers are currently exposed, different vendors’ telemetry will always vary. Shadowserver’s data suggests less than 2,000 are exposed to the internet, while Censys puts that figure more in the 2,700 region. Both agree that most are localized to North America, however.

Michael Smith of Vercara delves into DNS’s critical role as foundational internet infrastructure and outlines essential steps to secure it against escalating cyber threats.

To safeguard DNS like we would traditional critical infrastructure, consider the following best practices and steps:

1) Ensure DNS redundancy; 2) Protect DNS servers from DDoS; 3) Scan DNS servers:

Vulnerability scanning services and some of the free scanning data provided by Shadowserver can help you identify these vulnerabilities and misconfigurations in your internet-accessible DNS servers.

4) Use DNSSEC; 5) Use protective DNS services; 6) Separate public and non-public zones ; and 7) Change control, audit, and rollback

Cybersecurity watchdog Shadowserver has identified 256,000+ publicly exposed servers vulnerable to a critical Remote Code Execution (RCE) flaw in Microsoft Message Queuing (MSMQ) services.

The flaw, designated CVE-2024-30080, poses a significant threat to global cybersecurity. It could allow malicious actors to execute arbitrary code on affected systems.

These servers span various industries, including finance, healthcare, and government sectors, highlighting the widespread risk posed by this vulnerability.

As a national CERT, one of our extremely important tasks is to proactively inform network operators about potential or confirmed security issues that could affect Austrian companies. 

As you can imagine, handling every possible case would be impossible. Therefore, we focus on the most typical issues and automate much of our processes. Our approach heavily relies on automated data processing and sending notifications via email. To accomplish this, we subscribe to data feeds from partners like ShadowServer.  Our partners who conduct scans ensure they do so legally and non-intrusively, typically operating their servers in countries where scanning isn’t prohibited. This is the approach chosen by ShadowServer, our main data source.

If we don’t scan, what exactly is our role? Simply put: we inform YOU. 

Over the past year, we developed a process that includes regular meetings of representatives from all involved teams. This new process and a one-time review of existing sources resulted in a significant increase in the types of issues we process. For our main provider, ShadowServer, we doubled the number of processed feeds in the last year, currently supporting about 70 of their feeds. 

A remote code execution (RCE) vulnerability in PHP has been discovered by DEVCORE during their continuous offensive research. Due to the widespread use of PHP in the web ecosystem and the ease of exploitability, the severity of the vulnerability has been classified as critical (CVSS score 9.8). This issue was promptly reported to the PHP official team, who released a patch on June 6, 2024.

On June 7, The Shadowserver Foundation posted a tweet on X (formerly Twitter) that they have observed multiple IPs trying to exploit this vulnerability against their honeypots.

The critical PHP vulnerability, CVE-2024-4577, is currently being exploited to deploy TellYouThePass ransomware.

First, given the FBI’s history, it should not be surprising that one of our core focuses is investigating and attributing cyber activity to disrupt cybercriminals and raise their cost to operate. Bottom line, we want to punish cybercriminals and take them off of the playing field.

Next, we must gather and operationalize domestic intelligence to bolster victim recovery and support operational activity, or, as we say, we must pressure the common threats we face. We pressure these common threats by initiating joint and sequenced operations and on network operations to fight back against cyber adversaries from a domestic position and as a foothold for USIC [U.S. Intelligence Community] partners to engage. It’s an all-tools/all-partners approach. When I say “all-partners,” I mean it. We look to partner with domestic and global partners in both the public and private sectors. This is how we have the most significant impact on our adversaries.

For instance, in January, the FBI Field Office here in Boston led Operation Dying Ember, an international effort against Russian military intelligence: the GRU. In this case, the GRU was taking advantage of a botnet to target the U.S. government, cleared defense contractors, NATO allies, and the Ukrainian aid shipment network. Our court-authorized technical operation kicked the GRU off more than 1,000 home and small-business routers belonging to unwitting victims all over the world—including here in Massachusetts.

This was an operation we could not have accomplished without corporate partners, particularly Microsoft and the Shadowserver Foundation.

By killing the GRU’s access to a botnet they were using to run cyber operations around the world, we both helped to protect unwitting businesses and individuals and put a dent in Russia’s cyber-enabled intelligence operations.

Between 27 and 29 May 2024 Operation Endgame, coordinated from Europol’s headquarters, targeted droppers including, IcedID, SystemBC, Pikabot, Smokeloader, Bumblebee and Trickbot. The actions focused on disrupting criminal services through arresting High Value Targets, taking down the criminal infrastructures and freezing illegal proceeds. This approach had a global impact on the dropper ecosystem.

This is the largest ever operation against botnets, which play a major role in the deployment of ransomware. The operation, initiated and led by France, Germany and the Netherlands was also supported by Eurojust and involved Denmark, the United Kingdom and the United States. In addition, Armenia, Bulgaria, Lithuania, Portugal, Romania, Switzerland and Ukraine also supported the operation with different actions, such as arrests, interviewing suspects, searches, and seizures or takedowns of servers and domains. The operation was also supported by a number of private partners at national and international level including Bitdefender, Cryptolaemus, Sekoia, Shadowserver, Team Cymru, Prodaft, Proofpoint, NFIR, Computest, Northwave, Fox-IT, HaveIBeenPwned, Spamhaus and DIVD.

A court-authorized international law enforcement operation led by the U.S. Justice Department disrupted a botnet used to commit cyber attacks, large-scale fraud, child exploitation, harassment, bomb threats, and export violations.

“This Justice Department-led operation brought together law enforcement partners from around the globe to disrupt 911 S5, a botnet that facilitated cyber-attacks, large-scale fraud, child exploitation, harassment, bomb threats, and export violations,” said Attorney General Merrick B. Garland.

“Working with our international partners, the FBI conducted a joint, sequenced cyber operation to dismantle the 911 S5 Botnet—likely the world’s largest botnet ever,” said FBI Director Christopher Wray.

The Department appreciates the significant assistance provided by the Attorney-General’s Chambers of Singapore, Singapore Police Force (SPF), Royal Thai Police, and the Office of the Attorney General and the Anti-Money Laundering Office of the Kingdom of Thailand. The Justice Department’s Office of International Affairs and Money Laundering and Asset Recovery Section provided crucial support to this operation. The Treasury Department’s OFAC also provided support to this operation. Additionally, the Department offers its thanks to Chainalysis, the Shadowserver Foundation, and Microsoft for the assistance provided by each during the investigation and the operation.

CREST recently visited the UN to take part in discussions throughout the day as part of the UN’s cyber focus group. The UN’s cyber focused open ended working group is working towards international agreement on key cyber capability development priorities.

CREST President, Rowland Johnson, and CEO, Nick Benson, attended the working group at the UN HQ in NY on 10 May 2024. Rowland presented on the benefits of consistent international standards for high quality cyber service providers and practitioners.

We were also honoured to be referenced by the UK’s representative who sited the valuable contribution of non-profits including CREST, Global Cyber Alliance, Shadowserver and FIRST.