Media Coverage

Shadowserver in the news

Principal Deputy Assistant Attorney General David Newman Delivers Remarks at 2024 U.S. Cyber Command Legal Conference

US Department of Justice, April 10, 2024

First, our focus is on disrupting illegal cyber activity before it can cause harm and threaten national security. Drawing from our CT playbook, it’s a threat-driven and victim-centered approach. While we always look to make arrests where possible, our law enforcement disruptions can take many forms.

Not long ago, such law enforcement disruption operations occurred at most once per year. But, so far this year, the Department has announced already three significant such operations, two of which were spearheaded by NSD, alongside our U.S. Attorney’s Office and FBI partners.

It deserves emphasizing that this is a team sport: Even as the operations relied on Justice Department legal process, we are often not alone in planning or executing them. We are almost always joined by a coalition of U.S. government, private sector, and foreign partners in this work.

In disrupting the GRU botnet, for example, we planned and coordinated with the Shadowserver Foundation, Microsoft, and other private sector partners. Shortly after we announced the operation, the FBI, NSA, Cyber Command, and 11 foreign partner entities released a joint cybersecurity advisory providing device owners and network defenders with valuable threat intelligence about the GRU’s relevant tactics, techniques, and procedures. Many of these same partners provided invaluable assistance in eradicating portions of the botnet within their borders.

Ivanti VPN Appliances Patch Critical Heap Overflow Bug

B2B Daily, April 10, 2024

The cybersecurity community is on high alert after uncovering a serious flaw in Ivanti VPN devices, tracked as CVE-2024-21894. This critical vulnerability holds grave consequences for entities relying on Ivanti for secure remote access. The threat posed by this exploit is considerable, as it could allow unauthorized remote control over affected systems, endangering both operational integrity and the confidentiality of sensitive information. Businesses employing Ivanti’s VPN must act swiftly to implement necessary safeguards.

The Shadowserver Foundation’s extensive network scanning has cast a spotlight on a significant security concern—a widespread vulnerability in the Ivanti VPN software, evidenced by the startling discovery of over 16,000 instances at risk to the critical vulnerability designated as CVE-2024-21894. The Shadowserver Foundation has played a crucial role in unmasking the extent of exposure, which suggests that the issue is not isolated but rather prevalent, raising the alarm on an international scale. Encouragingly, a follow-up check conducted by Shadowserver as of April 7 indicated a reduction in the number of vulnerable instances—to about 10,000.

Shadowserver stands as a key player in the cybersecurity field, relentlessly scanning the internet to pinpoint vulnerabilities. Their role is critical; by detecting and alerting firms to security gaps, they enable proactive defense strategies. Their efforts reflect a significant, broader principle in cybersecurity: collaboration is essential. As a vigilant entity that assists with early threat detection and raises community awareness about evolving digital dangers, Shadowserver functions as a vital component in the fight to protect online environments against nefarious elements. By doing so, they are not just guards but catalysts of collective cyber resilience, underscoring the shared responsibility in defending cyber spaces. Through Shadowserver’s dedication, the digital world becomes a bit more fortified against the constant threat of cyber incursions.

D-Link RCE Vulnerability Exploited In Wild, Impacts 92,000 Devices

GB Hackers, April 9, 2024

Cybercriminals have actively exploited a critical vulnerability in D-Link Network Attached Storage (NAS) devices globally.

Identified as CVE-2024-3273, this remote code execution (RCE) flaw poses a significant threat to as many as 92,000 devices worldwide.

The exploit allows attackers to execute arbitrary code on vulnerable devices, potentially leading to data theft, device hijacking, and the spread of malware.

D-Link, the manufacturer of the affected NAS devices, has issued a support announcement regarding the vulnerability.


More Than 16,000 Ivanti VPN Gateways Still Vulnerable To RCE CVE-2024-21894

Security Affairs, April 6, 2024

Shadowserver researchers reported that roughly 16,500 Ivanti Connect Secure and Poly Secure gateways are vulnerable to the recently reported RCE flaw CVE-2024-21894.

This week the company released security updates to address four security flaws impacting Connect Secure and Policy Secure Gateways that could result in code execution and denial-of-service (DoS), including CVE-2024-21894. The flaw CVE-2024-21894 (CVSS score 8.2) is a heap overflow vulnerability in IPSec component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure that allows an unauthenticated malicious user to send specially crafted requests in-order-to crash the service thereby causing a DoS attack. In certain conditions this may lead to the execution of arbitrary code.

Shadowserver researchers have scanned the Internet for instances vulnerable to CVE-2024-21894 and reported that about 16,500 are still vulnerable. Most of the vulnerable systems are in the US (4686 at the time of this writing), followed by Japan (2009), and UK (1032).

Funding the Organizations That Secure the Internet

Dark Reading, April 2, 2024

Common Good Cyber is a global consortium connecting nonprofit, private sector, and government organizations to fund organizations focused on securing Internet infrastructure.

Much of our everyday lives, from banking to turning on the lights, would be impossible if the elaborate infrastructure underpinning the Internet were unavailable. However, unlike the electrical grid or financial institutions, there’s no single entity responsible for maintaining and securing the Internet. Instead, that task falls upon a diverse group of organizations and individuals that preserve this public utility with little funding or subsisting on tight budgets. The stakes are incredibly high, but the amount of resources available for keeping this infrastructure secure falls short.

The goal of Common Good Cyber is to find new ways to build adequate funding into law and policy, business policies and government, and other funding vehicles sufficient to meet the common need for cybersecurity. Supporting organizations include the Cyber Civil Defense Initiative, the Global Cyber Alliance, the Cyber Threat Alliance, the CyberPeace Institute, the Forum of Incident Response and Security Teams, the Institute for Security and Technology, and the Shadowserver Foundation.

SQL injection vulnerability in Fortinet software under attack

News ITN, March 26, 2024

A critical Fortinet vulnerability has been actively exploited since at least March 21 and was added to CISA’s Known Exploited Vulnerability catalog on Monday.

In a security advisory on March 12, Fortinet detailed a pre-authentication SQL injection vulnerability tracked as CVE-2023-48788 or what the vendor identifies internally as FR-IG-24-007. On March 21, Fortinet updated the advisory to warn users that CVE-2023-48788 was being exploited in the wild. On Sunday, the Shadowserver Foundation, a cybersecurity nonprofit organization, revealed its internet scans detected several vulnerable instances around the world.

“We have started scanning/reporting Fortinet FortiClient EMS CVE-2023-48788 (pre-auth SQL injection) vulnerable instances. 130 vulnerable found on 2024-03-23 Top: US with 30 IPs,”

That number is potentially higher. Shadowserver noted that its scans only detect the web interface version, and it does not check port 8013 access, which is required for exploitation.

Patching is vital as Fortinet products have been increasingly targeted by threat actors. Last week, exploitation activity escalated for another critical Fortinet flaw tracked as CVE-2024-21762, two days after a proof-of-concept (PoC) exploit was published.

167,500 Instances Vulnerable: Loop DoS Attack

Cyber Security News, March 22, 2024

A sweeping vulnerability has been uncovered, leaving an estimated 167,500 instances across various networks susceptible to a Loop Denial of Service (DoS) attack. This discovery underscores the ever-present and evolving threats in the digital landscape, prompting an urgent call to action for organizations worldwide.

The vulnerability was first identified by Shadowserver, a renowned entity in the cybersecurity realm dedicated to identifying and mitigating cyber threats. Through meticulous analysis and monitoring, Shadowserver’s team stumbled upon a pattern of weakness in a staggering number of instances. This flaw, if exploited, could allow attackers to initiate a Loop DoS attack, effectively crippling the targeted systems by overwhelming them with a flood of traffic.

“Today we started sharing data on IPs vulnerable to the novel “Loop DoS” attack discovered by @CISPA. Data is based on DNS, NTP & TFTP protocol scans. Over 167 500 vulnerable instances found on 2024-03-20.”

According to a recent tweet from Shadowserver, there are over 167,500 instances that are vulnerable to the “Loop DoS” attack. In response to this discovery, Shadowserver has issued a call to action for organizations worldwide. System administrators and IT professionals must assess their networks for the identified vulnerabilities and apply necessary patches or updates.


Critical Fortinet flaw may impact 150,000 exposed devices

Bleeping Computer, March 8, 2024

Scans on the public web show that approximately 150,000 Fortinet FortiOS and FortiProxy secure web gateway systems are vulnerable to CVE-2024-21762, a critical security issue that allows executing code without authentication. America’s Cyber Defense Agency CISA confirmed last month that attackers are actively exploiting the flaw by adding it to its Known Exploited Vulnerabilities (KEV) catalog.

Almost a month after Fortinet addressed CVE-2024-21762, The Shadowserver Foundation announced on Thursday that it found nearly 150,000 vulnerable devices. Shadowserver’s Piotr Kijewski told BleepingComputer that their scans check for vulnerable versions, so the number of affected devices may be lower if admins applied mitigations instead of upgrading. According to Shadowserver data, most vulnerable devices, more than 24,000, are in the United States, followed by India, Brazil, and Canada.


Earliest Reporter of Exploitation in the Wild

VulnCheck, March 7, 2024

As we explore over 20 years worth of publicly disclosed exploited vulnerabilities, the collaborative effort of global security teams becomes increasingly evident.

My latest data visualization underscores the remarkable contributions from organizations worldwide, including: – Government Agencies like Cybersecurity and Infrastructure Security Agency, National Cyber Security Centre, NHS, United States Department of Defense and Australian Cyber Security Centre. – Security Research Projects/Teams such as Palo Alto Networks Unit 42, Google Project Zero, CitizensLab e.V. , FortiGuard Labs, Cisco Talos Intelligence Group, Trend Micro, SANS Institute, Huntress, The Shadowserver Foundation, Akamai Technologies, and so many more.

In an effort to empower security teams, researchers, and the global security community, we’ve curated a comprehensive index comprising of over 8,500+ publicly cited references of vulnerabilities known to have been exploited in the wild.



ConnectWise ScreenConnect bug used in Play ransomware breach, MSP attack

SC Media, March 1, 2024

A critical ConnectWise ScreenConnect vulnerability that enables authentication bypass was used in a Play ransomware breach and an attempted supply chain attack involving LockBit malware, researchers say. One of the attacks targeted a managed service provider (MSP) for a potential wider supply chain breach against its customers, the At-Bay Cyber Research Team revealed in an article Thursday.

Amidst this spate of attacks, more than 3,800 ScreenConnect instances tracked by nonprofit cybersecurity organization Shadowserver remained vulnerable to CVE-2024-1709 as of Feb. 29. Notably, this is less than half the number Shadowserver reported on Feb. 21, when more than 8,200 vulnerable instances were detected