Media Coverage

Shadowserver in the news

South African water and sewage control systems potentially hit in global hack

mybroadband, December 5, 2023

The Shadowserver Foundation has revealed that South Africa is among the countries most impacted by a recent attack on Unitronics programmable logic controllers (PLCs). This comes after the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory warning that a state-sponsored Iranian hacking group had exploited security weaknesses in the controllers. CISA stated that, in addition to water and wastewater systems, the targeted Unitronics PLCs are also used in energy, food and beverage manufacturing, and healthcare.

Shadowserver said it specifically scanned the default Unitronics TCP port, 20256, on 2 December 2023.

Breaches, hacks, and security incidents: Unitronics hacking spree

Risky Business News, December 4, 2023

The US government has confirmed that an Iranian hacking group named Cyber Av3ngers has gained access to equipment at water facilities across multiple US states. CISA, the FBI, the NSA, and other agencies say the attacks began as far back as November 22 and exploited PLCs manufactured by Israeli company Unitronics. The group targeted Unitronics PLCs that were still using the default password “1111.” CISA asked US organizations last week to change the default password, enable MFA, and remove the devices from the internet. US officials say the Cyber Av3ngers group is affiliated with the IRGC, an Iranian military and intelligence organization. According to the Shadowserver Foundation, from 500 to 800 Unitronics PLCs are currently exposed on the internet, with the vast majority in Australia and Singapore.

Global Cyber Conference: Over 30 global organizations endorse new Accra Call for cyber capacity building

Modern Ghana, November 30, 2023

Representatives from governments, international organizations, and private sector gathered in Accra, Ghana today for the inaugural Global Conference on Cyber Capacity Building. The landmark event saw the release of an action framework known as the Accra Call on wednesday, November 29th. The highlight of the first day of the event was the endorsement of the Call by over 30 entities.

How cybercriminals make their honey from the Citrix Bleed flaw

ZDNet, November 27, 2023

It has now been more than six weeks since virtualization and cloud services provider Citrix reported the existence of a particularly critical vulnerability in two of its products, NetScaler ADC and NetScaler Gateway. But, as often happens, equipped organizations are slow to apply the patches. Which delights cybercriminals of all kinds. According to data from Shadowserver , a foundation dedicated to researching malicious activities, there are still around 91 vulnerable instances in France. This is much less than when the flaw was announced on October 10, when 813 instances were identified, but it is still far too many. “These are the most common attacks observed on our honeypots,” warns the foundation.

LockBit malware group still at large, now using Citrix Bleed tactics

SiliconANGLE, November 22, 2023

The malware group behind the LockBit ransomware attacks has gotten even more sophisticated. Australian cybersecurity officials, the FBI and the Cybersecurity and Infrastructure Security Agency on Tuesday jointly released a security advisory on how the group is exploiting the CitrixBleed vulnerability.

The group isn’t the only one using this issue, which compromises various Citrix load balancing and networking equipment. And though various warnings were issued about a month ago when the exploit first came to light, many enterprises have been slow to patch their gear. The below chart from The ShadowServer Foundation shows more than 3,000 affected devices, mostly in North America and Europe.

‘Citrix Bleed’ vulnerability targeted by nation-state and criminal hackers: CISA

The Record, November 21, 2023

Both nation-state hackers and cybercriminal gangs are exploiting a vulnerability affecting Citrix products, federal cyber officials warned on Tuesday. The ‘Citrix Bleed’ bug has caused alarm for weeks as cybersecurity experts warned that many government agencies and major companies were leaving their appliances exposed to the internet — opening themselves up to attacks. Despite a security bulletin from Citrix in October rating the bug a 9.4 out of 10 on the CVSS severity scale, research tool ShadowServer shows that thousands of instances where the tool is used were still vulnerable to the issue as of November 2, with nearly 2,000 in North America alone.

NetScaler investigation recommendations for CVE-2023-4966

NetScaler, November 20, 2023

Until mid-October, we understood from public reporting and through very limited support cases that exploitation of CVE-2023-4966 was targeted and limited in nature. However, we learned of a concerning development when, on October 25, Shadowserver Foundation, a non-profit internet monitoring organization, posted on X (formerly known as Twitter) that there was a sharp increase in attempts to exploit this vulnerability in unpatched NetScaler ADCs.

Thousands of new honeypots deployed across Israel to catch hackers

TechCrunch, November 20, 2023

On October 7, Hamas launched an unprecedented terrorist attack on Israel, killing more than 1,200 people, with hundreds taken hostage. The attack prompted a deadly response from the Israel Defense Forces, which has reportedly left more than 10,000 people dead in airstrikes and a land incursion. Shortly after the attack, the number of internet-connected honeypots in Israel — manufactured networks designed to lure hackers in — have risen dramatically, according to cybersecurity experts who monitor the internet.

Piotr Kijewski, the CEO of the Shadowserver Foundationan organization that deploys honeypots to monitor what hackers do on the internet, also confirmed that his organization has seen “a lot more honeypots now deployed in Israel than pre-Oct 7.”

The increase took Israel to the top three in the world in terms of number of deployed honeypots. Before the war, the country wasn’t even in the top 20, according to Kijewski.

“Technically it is possible someone suddenly rolls out a new honeypot deployment when they have developed that capability and yes in this case it seems Israel focused,” Kijewski said in an email. “We do not normally see such large scale instances appear overnight though, and Israel has not so far been a place for these amounts of honeypots (though of course there have always been honeypots in Israel, including ours).”

Over 63,000 Unpatched Microsoft Exchange Servers Vulnerable to RCE Attack

Ddos, November 17, 2023

In a concerning turn of events, over 63,000 Microsoft Exchange servers remain exposed online, failing to implement the necessary patches against the critical remote code execution (RCE) vulnerability, CVE-2023-36439. This vulnerability, among the four security flaws addressed by Microsoft’s November 2023 Patch Tuesday update, poses a significant threat to organizations due to its potential for severe exploitation. According to the Shadowserver Foundation, a non-profit entity committed to bolstering internet security, these servers are susceptible to the CVE-2023-36439 flaw. This vulnerability, identified through the servers’ x_owa_version header, affects Exchange Server 2016 and 2019, and it holds a significant CVSS score of 8.0.

CISA warns of actively exploited Juniper pre-auth RCE exploit chain

Bleeping Computer, November 13, 2023

CISA warned federal agencies today to secure Juniper devices on their networks by Friday against four vulnerabilities now used in remote code execution (RCE) attacks as part of a pre-auth exploit chain. The alert comes one week after Juniper updated its advisory to notify customers that the flaws found in Juniper’s J-Web interface (tracked as CVE-2023-36844, CVE-2023-36845, CVE-2023-36846, and CVE-2023-36847) have been successfully exploited in the wild.

The warnings come after the ShadowServer threat monitoring service revealed it was already detecting exploitation attempts on August 25th, one week after Juniper released security updates to patch the flaws and as soon as watchTowr Labs security researchers also released a proof-of-concept (PoC) exploit. According to Shadowserver data, over 10,000 Juniper devices have their vulnerable J-Web interfaces exposed online, most from South Korea (Shodan sees more than 13,600 Intenet-exposed Juniper devices).