Media Coverage

Shadowserver in the news

VMware vCenter Server vulnerability widely exploited

Mandarinian, January 20, 2024

VMware is warning customers that CVE-2023-34048, a critical vCenter Server vulnerability patched in October 2023, is being widely exploited.

According to a report by the Shadowserver Foundation, there are currently hundreds of VMware vCenter Server instances exposed to the Internet that are potentially vulnerable. It’s not uncommon for VMware products to be targeted by malicious attackers. The catalog of known exploited vulnerabilities maintained by the US security agency CISA currently includes 21 VMware product flaws .

Juniper warns of a vulnerability that could allow firewalls to be taken over, January 13, 2024

Network manufacturer Juniper warns customers of a critical vulnerability that could allow an unauthenticated attacker to take over firewalls and switches remotely. The vulnerability (CVE-2024-21591) resides in the J-Web configuration tool in Juniper Networks Junos OS SRX Series and EX Series firewalls and switches. The J-Web interface makes it possible to monitor, configure and manage the device via a browser.

According to the Shadowserver Foundation, the J-Web interface of 8,300 Juniper systems is accessible from the Internet, including 139 in the Netherlands.

Government Launches Automatic Alert Service for Vulnerabilities and Exposure in Cyberspace

CNCS Republica Dominicana, January 12, 2024

The Government, through the National Cybersecurity Center (CNCS), made an automatic notification service for vulnerabilities and exposure in cyberspace available to public and private entities. The new service, which is offered free of charge, aims to help organizations strengthen their cybersecurity and protect their digital assets to promote a safer, more reliable and resilient cyberspace, through timely notifications.

The resource, presented by the National Cyber ​​Incident Response Team (CSIRT-RD), together with the Shadowserver Foundation, is aligned with the Digital Agenda 2030, our National Digital Transformation Strategy. The director of the CNCS, Juan Gabriel Gautreaux, explained that those interested in obtaining the service must subscribe by registering an official and authorized contact of the organization to which they belong and complete a form.

Ivanti Connect Secure zero-days exploited to deploy custom malware

Bleeping Computer, January 12, 2024

Hackers have been exploiting the two zero-day vulnerabilities in Ivanti Connect Secure disclosed this week since early December to deploy multiple families of custom malware for espionage purposes. Identified as CVE-2023-46805 and CVE-2024-21887, the security issues allow bypassing authentication and injecting arbitrary commands on vulnerable systems.

Today, threat monitoring service Shadowserver has posted on X that its scanners detect 17,100 Invanti CS appliances on the public web, most of them in the United States. However, there is no indication to how many of them are vulnerable.

[Information Security Daily] On January 8, the distributed message streaming data platform Apache RocketMQ had a major and incompletely patched vulnerability.

iThome Taiwan, January 8, 2024

The team that developed the distributed message streaming data platform Apache RocketMQ discovered that the major vulnerability CVE-2023-33246 they patched in May this year was incompletely patched, and a new version of the program component was provided to patch it.

It is worth noting that according to the Shadowserver Foundation’s investigation, they have currently published the geographical locations of hosts exposed on the Internet to the foundation’s global security situation database, and stated that hackers have passed nearly 400 source IP address to try to exploit the above two vulnerabilities.

Widespread Vulnerability in SSH Servers: The Terrapin Attack Threat

Heimdal Security, January 2, 2024

The Terrapin attack, a newly identified security threat, jeopardizes nearly 11 million SSH servers that are accessible online. Originating from academic research at Ruhr University Bochum in Germany, this attack specifically targets the SSH protocol, affecting both clients and servers.The attack requires the perpetrator to be in a unique position – an adversary-in-the-middle (AitM) – to intercept and manipulate the handshake.  A report by Shadowserver, a security monitoring platform, highlights the widespread vulnerability of these servers across the globe. Shadowserver’s findings show that the United States has the highest number of vulnerable servers (3.3 million), followed by China (1.3 million), Germany (1 million), Russia (700,000), Singapore (390,000), and Japan (380,000).


Cozy Bear Hackers Target JetBrains TeamCity Servers in Global Campaign

Infosecurity Magazine, December 14, 2023

Cozy Bear, a threat group linked with the Russian foreign intelligence service (SVR), has been conducting a global hacking campaign targeting servers hosting JetBrains TeamCity software, according to US, UK and Polish government agencies. On December 13, the UK-backed Shadowserver Foundation said it was still detecting 800 unpatched instances of JetBrains TeamCity worldwide. JetBrains’ Russkih commented: “The estimate from the Shadowserver Foundation doesn’t distinguish the instances patched with a dedicated security plugin JetBrains released for customers with older versions (since they only look at the version number). We have already reached out to them to discuss possible improvements.”

Hackers are exploiting critical Apache Struts flaw using public PoC

Bleeping Computer, December 13, 2023

Hackers are attempting to leverage a recently fixed critical vulnerability (CVE-2023-50164) in Apache Struts that leads to remote code execution, in attacks that rely on publicly available proof-of-concept exploit code.

It appears that threat actors have just started, according to the Shadowserver scanning platform, whose researchers observed a small number of IP addresses engaged in exploitation attempts.

Good news about South African water and sewage control systems following global hack

mybroadband, December 11, 2023

The Department of Water and Sanitation (DWS) has told MyBroadband that it does not use the programmable controllers exploited in a recent attack on a United States water facility. This comes after the Shadowserver Foundation revealed that South Africa was among the countries most impacted by a recent attack on Unitronics programmable logic controllers (PLCs). Shadowserver scanned the Internet for potentially vulnerable controllers following a U.S. Cybersecurity and Infrastructure Security Agency (CISA) advisory.

South African water and sewage control systems potentially hit in global hack

mybroadband, December 5, 2023

The Shadowserver Foundation has revealed that South Africa is among the countries most impacted by a recent attack on Unitronics programmable logic controllers (PLCs). This comes after the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory warning that a state-sponsored Iranian hacking group had exploited security weaknesses in the controllers. CISA stated that, in addition to water and wastewater systems, the targeted Unitronics PLCs are also used in energy, food and beverage manufacturing, and healthcare.

Shadowserver said it specifically scanned the default Unitronics TCP port, 20256, on 2 December 2023.