Media Coverage

Shadowserver in the news

Botnet fighter Shadowserver in major financial difficulties

Security.NL, March 18, 2020

The Shadowserver Foundation, a non-profit foundation registered in the Netherlands and the United States that works to combat botnets and cybercrime, is in serious financial difficulties now that Cisco has withdrawn as a sponsor. The foundation collects large amounts of information about botnets, malware and other criminal networks and shares it with providers and government services, such as Computer Emergency Response Teams (CERTs). In recent years, the Shadowserver Foundation has played an important role in the roll-up of several large botnets. At the end of February, Cisco announced that it was discontinuing as the largest financial sponsor. As a result, the Shadowserver Foundation immediately lost four of the seven donated staff and the other three employees will stop on May 26. Shadowserver also has to move the entire American data center infrastructure to a new location before May 26. Therefore, without immediate help, Shadowserver will have to stop offering the most important services, including free network reports with information about infected systems.

Hackers hit NutriBullet website with credit card-stealing malware

TechCrunch, March 18, 2020

According to new research by security firm RiskIQ, hackers broke into the blender maker’s website several times over the past two months, injected malicious credit card-skimming malware on its payment pages and siphoned off the credit card numbers and other personal data — like names, billing addresses, expiry dates and card verification values — of unsuspecting blender buyers.

The data was scraped and sent to a third-party server operated by the attackers. The stolen credit card data is then sold to buyers on dark web marketplaces. With the help of security outfits AbuseCH and Shadowserver, RiskIQ began efforts to take down the malicious domain that the hackers were using to send stolen credit card numbers.

The Shadowserver Foundation urgently needs financial help, March 17, 2020

The Shadowserver Foundation is not only the largest source of threat intelligence worldwide, it is also by far the most important source of information for on topics such as malware infections, vulnerable systems, etc. in Austria . The Shadowserver Foundation provides 107 national CERTs / CSIRTs in 136 countries with valuable information on problems in their respective areas of influence. The quality of the data provided in this way is far higher than that of most others, although it is provided completely free of charge. In February, Cisco Systems surprisingly announced that they were no longer able to sustain the Shadowserver Foundation and gave notice they must urgently move their entire data center to a different location. That cost far exceeds the liquidity of this NPO. If you still have budget left in your company, this is surely one of the best ways to use it – the entire Internet will thank you.

Shadowserver, a nonprofit that helps protect the internet from botnets, is in grave danger of going under

INPUT Magazine, March 17, 2020

The internet has a lot of underlying infrastructure most of us seldom give much thought to, but which is essential to keeping it working… and working properly. One of those seldom-seen, essential services that works tirelessly to keep things running smoothly is a nonprofit called Shadowserver . The reason you’re hearing about it now? Shadowserver is about to lose its main source of funding. Shadowserver’s key function is running honeypots and sinkholes, which trick botnets into directing all of their traffic into a black hole rather than to an actual website. Shadowserver sinkholes five million infected machines every day. Without it, who knows where the malicious traffic they generate will end up, or what it’ll do to the usability of the internet. But Shadowserver are losing the funding from their primary supporter and it needs $1.7 million to make it through the rest of 2020. Perhaps that’s the one downside of being such a quiet, inconspicuous company is that few have heard of it, and even fewer understand why it matters. Being distracted by a pandemic, though, can’t be helping matters either. Shadowserver’s never wanted the limelight, but now for all of our sakes it needs as much as it can get.

European Parliament - Parliamentary Question: A serious blow to internet security - the possible disappearance of Shadowserver – assistance needed

European Parliament, March 17, 2020

There is a danger that financial support for the independent non-profit organisation Shadowserver may soon vanish. Shadowserver is a crucial link in efforts to combat internet crime. Shadowserver analyses malware and botnets, issues warnings free of charge to national CERTs and providers concerning victims who have been infected within their networks, and prevents abuse and wrongly configured or compromised hardware. The organisation’s US branch is losing its principal sponsors, and the European branch too may in due course lose its funding. The organisation is therefore urgently seeking new, reliable sources of income to enable the existing function to be maintained while preserving its independence. (1) In view of the important role that Shadowserver plays for society and the disastrous impact on European online security if the organisation were to cease to exist, the EU should consider ways of allowing that role to continue to be played. Will the Commission provide support without delay in the form of funding (even indirect), fund-raising, subsidies, etc. to ensure that Shadowserver does not go bankrupt and can continue its independent work?

The Web’s Bot Containment Unit Needs Your Help

Brian Krebs, March 16, 2020

Anyone who’s seen the 1984 hit movie Ghostbusters likely recalls the pivotal scene where a government bureaucrat orders the shutdown of the ghost containment unit, effectively unleashing a pent-up phantom menace on New York City. Now, something similar is in danger of happening in cyberspace:, an all-volunteer nonprofit organization that works to help Internet service providers (ISPs) identify and quarantine malware infections and botnets, has lost its longtime primary source of funding.

Shadowserver has time and again been the trusted partner when national law enforcement agencies needed someone to manage the technical side of things while people with guns and badges seized hard drives at the affected ISPs and hosting providers.

Anyone interested in supporting that migration effort can do so directly here; Shadowserver’s contact page is here.

A Critical Internet Safeguard Is Running Out of Time

Wired, March 16, 2020

Keeping the internet safe may sometimes feel like a game of Whac-A-Mole, reacting to attacks as they arise, then moving on to the next. In reality, though, it’s an ongoing process that involves not just identifying threats but grabbing and retaining control of the infrastructure behind them. For years a small nonprofit called Shadowserver has quietly carried out a surprisingly large portion of that work. But now the organization faces permanent extinction in a matter of weeks.

There’s a pivotal scene in Ghostbusters in which Environmental Protection Agency inspector Walter Peck marches into the group’s headquarters, armed with a cease and desist order. “Shut this off,” Peck tells the utility worker accompanying him. “Shut this all off.” They cut power to the Ghostbusters’ protection grid, and all the ghosts are released. Think of Shadowserver as the internet’s protection grid.

Magecart and British Airways GDPR fine

Janet CSIRT, February 12, 2020

Janet CSIRT: “The largest UK GDPR fine was £183M in 2018 when the British Airways booking website was hit by Magecart credit card skimming code. @RiskIQ worked with and Shadowserver to take down the malicious domains”. “Listen to DarknetDiaries Episode 52: Magecart. Credit card skimming on your online purchases? Ya it’s happening. With the amazing and fearless @ydklijnsma from @RiskIQ.”

OWASP Amass: in-depth attack surface mapping and asset discovery

Andrea Fortuna, February 11, 2020

The OWASP Amass Project is tool developed to help information security professionals during the mapping process of attack perimeter. It allows DNS enumeration, attack surface mapping & external assets discovery, using open source information gathering and active reconnaissance techniques.

OWASP Amass tries to collect useful information including the following techniques: DNS, Scraping, Certificates, Web Archives and APIs.

  • APIs: AlienVault, BinaryEdge, BufferOver, CIRCL, CommonCrawl, DNSDB, GitHub, HackerTarget, IPToASN, Mnemonic, NetworksDB, PassiveTotal, Pastebin, RADb, Robtex, SecurityTrails, ShadowServer, Shodan, Spyse (CertDB & FindSubdomains), Sublist3rAPI, TeamCymru, ThreatCrowd, Twitter, Umbrella, URLScan, VirusTotal, WhoisXML

Ransomware Attacks Factor Honeypot

Duo Security, January 21, 2020

Me-Tech —a small prototyping company—was attacked several times over the space of seven months. The network was actually a honeypot consisting of real industrial control systems (ICS) hardware and a mix of physical hosts and virtual machines, set up by Trend Micro Research to mimic the operations of a small factory. The researchers monitored the attacks against the honeypot to determine how “knowledgeable and imaginative” attackers had to be to compromise a manufacturing operation, and to monitor firsthand what kind of attacks manufacturing companies dealt with on a regular basis. The threats didn’t come from sophisticated state-sponsored groups, but rather cybercriminals intent on fraud and financial gain. The researchers identified scanning traffic from 9,452 unique IP addresses, of which 610 were linked to scanners such as ip-ip, Rapid 7, Shadow Server, Shodan, and ZoomEye