Media Coverage

Shadowserver in the news

Under cyber siege: How well are cities protecting themselves?

Mastercard, May 20, 2024

In a recent conversation with Mastercard Newsroom, Rigo Van den Broeck (executive vice president of cybersecurity product innovation at Mastercard) shares what RiskRecon’s research reveals about the current risk landscape for cities and how to better protect critical systems and data.

For cities that scored lower, what are the easiest and most immediate steps they could be taking?

Developing strong cyber hygiene takes time, so it’s always important to evaluate ways to mitigate risks throughout your cybersecurity journey. There are resources that can help cities no matter their size. Cybersecurity agencies at various levels of government and computer emergency response teams have expansive missions that aid in securing the internet. Mastercard also proudly supports several organizations that provide no-cost cybersecurity services, including the CyberPeace Institute, the Global Cyber Alliance, and the Shadowserver Foundation.

Samsons vs Goliaths: the unsung cyber heroes we all rely on

TAG International, May 7, 2024

Like it or not, you rely on the internet. So here’s a not-so-fun-fact: the functioning and security of the internet we all rely on, relies on non-profit organisations, many of which depend on uncertain funding streams and volunteer networks.

We’re talking here about organisations like the Shadowserver Foundation which scans the entire internet every day and reports vulnerabilities, free of charge, to network owners. Or Quad 9, which provides secure Domain Name Services (or an internet ‘address book’) for individuals and companies. Or MITRE, whose ATT&CK knowledge base is the go-to source for defence against cyber attackers.

We, the companies and individuals who get the benefit, just expect the internet to work. Yet the organisations on which we rely to make it work have very real costs, often in the millions of dollars per month. And all of these vital but little acknowledged organisations are funded through grants, donations and intermittent government-funded projects, and all of them suffer the extremes of perpetual funding uncertainty.

The good news is that this precarious model for sustaining a secure and functioning internet is a recognised problem, and increasingly attracting attention and serious thought. At the forefront of this effort are the incredibly special people at the Global Cyber Alliance, who, rather than simply accepting that this frightening dependency is a hard-wired and permanent norm, are pioneering solutions to address this funding conundrum. This is the essence of the Common Good Cyber initiative.

Maximum-severity GitLab flaw allowing account hijacking under active exploitation

Ars Technica, May 2, 2024

A maximum severity vulnerability that allows hackers to hijack GitLab accounts with no user interaction required is now under active exploitation, federal government officials warned as data showed that thousands of users had yet to install a patch released in January. While exploits require no user interaction, hijackings work only against accounts that aren’t configured to use multifactor authentication. Even with MFA, accounts remained vulnerable to password resets, but the attackers ultimately are unable to access the account, allowing the rightful owner to change the reset password. The vulnerability, tracked as CVE-2023-7028, carries a severity rating of 10 out of 10.

According to Internet scans performed by security organization Shadowserver, more than 2,100 IP addresses showed they were hosting one or more vulnerable GitLab instances. The number of IP addresses showing vulnerable instances has fallen over time. Shadowserver shows that there were more than 5,300 addresses on January 22, one week after GitLab issued the patch.

GitLab users should also remember that patching does nothing to secure systems that have already been breached through exploits. GitLab has published incident response guidance here.

More Than 1,400 CrushFTP Servers at Risk Due to Critical Bug

PureVPN, April 26, 2024

A critical vulnerability in 1,400+ exposed CrushFTP servers has sparked major security concerns. Identified as CVE-2024-4040, this flaw (previously exploited as a zero-day) allows unauthenticated attackers to remotely execute code or access files on vulnerable systems. CrushFTP urgently recommends updates to prevent exploitation that could compromise system files.

Security analysts from Shadowserver have pinpointed 1,401 CrushFTP servers that remain unpatched and exposed online, with the highest numbers located in the United States (725), Germany (115), and Canada (108). Moreover, a total of 5,232 CrushFTP servers are visible on the internet, though it remains unclear how many are susceptible to this vulnerability.

Update your CrushFTP servers promptly to mitigate this critical vulnerability and protect your systems from potential cyber threats. Stay vigilant and ensure your defenses are up to date!

Exploring Law Enforcement Hacking as a Tool Against Transnational Cyber Crime

Carnegie Endowment for International Peace, April 23, 2024

In terms of revenue, 2023 will go down as a record-breaking year for ransomware, with over a billion dollars in payments going to hackers. The FBI reports a record $12.5 billion lost to cyber crime more broadly over the course of that year.

Tech companies often are best positioned to detect cyber threats and anomalies. They routinely issue software patches to preempt illicit cyber activity, and some even resort to civil litigation to disarm it. Commercial actors are also credible voices in internet governance bodies like ICANN and other nongovernmental, multistakeholder groups. These traits make them natural, even indispensable, partners for Western LEAs.

Meanwhile, civil society groups (such as the Shadowserver Foundation, the Institute for Security and Technology, and the Global Cyber Alliance) provide convening power, capability development, and vulnerability monitoring that can help prioritize and drive public awareness to both inform and complement LEA takedowns.

Law enforcement infiltrates fraud platform used by thousands of criminals worldwide

Metropolitan Police, April 18, 2024

A website used by more than 2,000 criminals to defraud victims worldwide has been infiltrated in the Met’s latest joint operation to tackle large-scale online fraud. ‘LabHost’ is a service which was set up in 2021 by a criminal cyber network. It enabled the creation of “phishing” websites designed to trick victims into revealing personal information such as email addresses, passwords, and bank details.

But LabHost has now been infiltrated and disrupted as the result of a worldwide operation led by the Met.

Work began in June 2022 after detectives received crucial intelligence about LabHost’s activity from the Cyber Defence Alliance. Once the scale of the site and the linked fraud became clear, the Met’s Cyber Crime Unit joined forces with the National Crime Agency, City of London Police, Europol, Regional Organised Crime Units (ROCUs) across the country and other international police forces to take action.

Partners including Chainalysis, Intel 471, Microsoft, The Shadowserver Foundation and Trend Micro have also been at the centre of our efforts to bring down this platform.

Exploit released for Palo Alto PAN-OS bug used in attacks, patch now

Bleeping Computer, April 16, 2024

Exploit code is now available for a maximum severity and actively exploited vulnerability in Palo Alto Networks’ PAN-OS firewall software.

Tracked as CVE-2024-3400, this security flaw can let unauthenticated threat actors execute arbitrary code as root via command injection in low-complexity attacks on vulnerable PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls if device telemetry and the GlobalProtect (gateway or portal) feature are enabled.

While Palo Alto Networks has started releasing hotfixes on Monday to secure unpatched firewalls exposed to attacks, the vulnerability has been exploited in the wild as a zero-day since March 26th to backdoor firewalls using Upstyle malware, pivot to internal networks, and steal data by a threat group believed to be state-sponsored and tracked as UTA0218.

Security threat monitoring platform Shadowserver says it sees more than 156,000 PAN-OS firewall instances on the Internet daily; however, it doesn’t provide information on how many are vulnerable.

Launch of Common Good Cyber Workshop Report: Mitigating the Systemic Underfunding of Cybersecurity Nonprofits

Common Good Cyber, April 10, 2024

The Common Good Cyber initiative, a collaborative effort aimed at addressing the challenge of sustaining nonprofit and public interest organizations involved in critical cybersecurity functions, announces the release of its workshop report. The report encapsulates insights and outcomes from a landmark gathering held in February 2024 at the National Press Club in Washington, D.C., United States.

The workshop, jointly organized by leading cybersecurity organizations including the Cyber Threat Alliance, the CyberPeace Institute, the Forum of Incident Response and Security Teams (FIRST), the Global Cyber Alliance, the Institute for Security and Technology (IST), and the Shadowserver Foundation, convened over 100 stakeholders representing various sectors including government, multilateral organizations, civil society, foundations, business, and academia. An additional 200 participants joined online to discuss the systemic underfunding of cybersecurity nonprofits and explore sustainable funding approaches.

Principal Deputy Assistant Attorney General David Newman Delivers Remarks at 2024 U.S. Cyber Command Legal Conference

US Department of Justice, April 10, 2024

First, our focus is on disrupting illegal cyber activity before it can cause harm and threaten national security. Drawing from our CT playbook, it’s a threat-driven and victim-centered approach. While we always look to make arrests where possible, our law enforcement disruptions can take many forms.

Not long ago, such law enforcement disruption operations occurred at most once per year. But, so far this year, the Department has announced already three significant such operations, two of which were spearheaded by NSD, alongside our U.S. Attorney’s Office and FBI partners.

It deserves emphasizing that this is a team sport: Even as the operations relied on Justice Department legal process, we are often not alone in planning or executing them. We are almost always joined by a coalition of U.S. government, private sector, and foreign partners in this work.

In disrupting the GRU botnet, for example, we planned and coordinated with the Shadowserver Foundation, Microsoft, and other private sector partners. Shortly after we announced the operation, the FBI, NSA, Cyber Command, and 11 foreign partner entities released a joint cybersecurity advisory providing device owners and network defenders with valuable threat intelligence about the GRU’s relevant tactics, techniques, and procedures. Many of these same partners provided invaluable assistance in eradicating portions of the botnet within their borders.

Ivanti VPN Appliances Patch Critical Heap Overflow Bug

B2B Daily, April 10, 2024

The cybersecurity community is on high alert after uncovering a serious flaw in Ivanti VPN devices, tracked as CVE-2024-21894. This critical vulnerability holds grave consequences for entities relying on Ivanti for secure remote access. The threat posed by this exploit is considerable, as it could allow unauthorized remote control over affected systems, endangering both operational integrity and the confidentiality of sensitive information. Businesses employing Ivanti’s VPN must act swiftly to implement necessary safeguards.

The Shadowserver Foundation’s extensive network scanning has cast a spotlight on a significant security concern—a widespread vulnerability in the Ivanti VPN software, evidenced by the startling discovery of over 16,000 instances at risk from the critical vulnerability designated as CVE-2024-21894. The Shadowserver Foundation has played a crucial role in unmasking the extent of exposure, which suggests that the issue is not isolated but rather prevalent, raising the alarm on an international scale. Encouragingly, a follow-up check conducted by Shadowserver as of April 7 indicated a reduction in the number of vulnerable instances—to about 10,000.

Shadowserver stands as a key player in the cybersecurity field, relentlessly scanning the internet to pinpoint vulnerabilities. Their role is critical; by detecting and alerting firms to security gaps, they enable proactive defense strategies. Their efforts reflect a significant, broader principle in cybersecurity: collaboration is essential. As a vigilant entity that assists with early threat detection and raises community awareness about evolving digital dangers, Shadowserver functions as a vital component in the fight to protect online environments against nefarious elements. By doing so, they are not just guards but catalysts of collective cyber resilience, underscoring the shared responsibility in defending cyber spaces. Through Shadowserver’s dedication, the digital world becomes a bit more fortified against the constant threat of cyber incursions.