Media Coverage

Shadowserver in the news

2022 Adversary Infrastructure Report

Recorded Future, December 15, 2022

Recorded Future’s Insikt Group® conducted a study of malicious command-and-control (C2) infrastructure identified using proactive scanning and collection methods throughout 2022. All data was sourced from the Recorded Future® Platform and is current as of September 1, 2022. Recorded Future tracks the creation and modification of new malicious infrastructure for a multitude of post-exploitation toolkits, custom malware, and open-source remote access trojans (RATs). Since 2017, we have created detections for 108 families including RATs, advanced persistent threat (APT) malware, botnet families, and other commodity tools. We observed over 17,000 unique command-and-control (C2) servers during 2022, which is up 30% from last year. Much like 2021, our collection in 2022 was dominated by Cobalt Strike team servers, botnet families including IcedID and QakBot, and popular RATs such as PlugX. In June of 2022, ShadowServer detailed their methodology for scanning the IPv6 internet space. We predict that more organizations, including Recorded Future, will increase IPv6 scanning with resulting findings of more IPv6 C2 detections. While not widely reported on, malware that communicates over a IPv6 connection does exist, such as VirtualPie as reported on by Mandiant.

Kubernetes Architecture Explained: A Comprehensive Guide For Beginners

Devopscube, December 8, 2022

Understanding Kubernetes architecture helps you with day-to-day Kubernetes implementation and operations. When implementing a production-level cluster setup, having the right knowledge of Kubernetes components will help you run and troubleshoot applications. To reduce the cluster attack surface, it is crucial to secure the API server. The Shadowserver Foundation has conducted an experiment that discovered 380 000 publicly accessible Kubernetes API servers.

Cyble observed Initial Access Brokers (IABs) offering access to enterprise networks compromised via a critical flaw in Fortinet products.

Security Affairs, November 29, 2022

Researchers at Cyble have observed initial access brokers (IABs) selling access to enterprise networks likely compromised via a recently patched critical flaw, tracked as CVE-2022-40684, in Fortinet products. In October, the Shadowserver Foundation reported that more than 17K Fortinet devices exposed online were vulnerable to attacks exploiting the CVE-2022-40684 flaw, most of them in Germany and in the US. Now Cyble researchers reported more than 100,000 FortiGate firewalls accessible from the internet that may be targeted by threat actors if not patched yet.

Critical Fortinet Vulnerability CVE-2022-40684: IAB to Sell Access Appears?

IoT OT Security News, November 29, 2022

SecurityAffairs — Researchers at Cyble are aware of an Initial Access Broker (IAB ) are likely to be selling access to corporate networks. In early October, Fortinet addressed the authentication bypass vulnerability CVE-2022-40684 affecting the FortiGate Firewall/FortiProxy Web Proxy. An attacker who successfully exploited this vulnerability could log into a vulnerable device, Fortinet said. As of this October, the Shadowserver Foundation has announced that over 17K Fortinet devices exposed online are vulnerable to attacks exploiting the vulnerability CVE-2022-40684, the majority of which are located in Germany and the United States. Now , Cyble researchers report that more than 100,000 Internet-accessible FortiGate firewalls, if still unpatched, could be targeted by threat actors.

Azure Firewall IDPS signing rule categories

Microsoft, November 29, 2022

Azure Firewall IDPS includes over fifty categories that can be assigned to individual signatures. The following table is a list of definitions for each category. Botcc (command and control bot) This category is for signatures that are automatically generated from various sources of known and confirmed active botnets and other command and control (C2) hosts. This category is updated daily. The primary data source for the category is

Global Cyber-Enforcement Op Nets $130M, Says Interpol

DarkReading, November 28, 2022

A worldwide operation aimed at curtailing fraud has led to the arrest of 975 suspects and the seizure of nearly $130 million, as Interpol expands its efforts and brings new tools to its investigations. Interpol’s National Central Bureaus (NCBs) collaborated with local authorities to pursue arrests. Interpol announced that the linked investigations, dubbed Operation Haechi III, tracked cyber-enabled financial crimes and money laundering in 30 countries. The investigations, which took place between June 28 and Nov. 23, intercepted money transfers and virtual assets, leading to the arrest of 975 suspects in the last five months. Interpol, along with Afripol, also announced an Africa-centric effort — the Africa Cyber Surge Operation — involving 27 countries collaborating over the past four months. The efforts resulted in the takedown of a dark market in Eritrea, investigations into cryptocurrency scams in Cameroon, and the arrest of the operators of malicious cyber infrastructure used for botnets, phishing campaigns, and online extortion. In addition to national government, Interpol credited private-sector partners with helping out, including British Telecom, the Cyber Defense Institute, Fortinet’s FortiGuard Labs, Group-IB, Kaspersky, Palo Alto Networks’ Unit 42 team, Shadowserver, and Trend Micro.

Crackdown on African Cybercrime Leads to Arrests, Infrastructure Takedown

Security Week, November 28, 2022

Interpol on Friday announced the arrest of ten individuals suspected of participation in $800,000 scam and fraud operations with global impact. The arrests were made as part of a four-month effort (July to November 2022) called ‘Africa Cyber Surge Operation’ and focused on countering cybercrime across Africa. According to Interpol, law enforcement from 27 countries joined the operation. Law enforcement agencies took action against over 200,000 pieces of malicious cyber infrastructure facilitating cybercrime across the continent, including botnets, phishing, spam, and online extortion activities. The operation received support from multiple private cybersecurity firms, including British Telecom, Cyber Defense Institute, Fortinet, Group-IB, Kaspersky, Palo Alto Networks, Shadowserver, and Trend Micro.

African Police Bust $800K Fraud Schemes

InfoSecurity, November 28, 2022

Police in Africa have arrested 10 people connected to global fraud worth an estimated $800,000, after a four-month operation, Interpol has revealed. The global policing organization said that 27 countries joined the Africa Cyber Surge Operation, which ran from July to November. Coordinated from the Interpol Command Centre in Kigali, Rwanda, the operation focused on tackling the enablers of cybercrime, Interpol said. As such, police took action against 200,000 pieces of “malicious cyber infrastructure” across the region, including botnet-linked technology used to run mass phishing, spam and online extortion campaigns. Collaboration was key to the success of the Africa Cyber Surge Operation. Interpol worked with its local equivalent Afripol; private sector security vendors including Trend Micro, Fortinet, Group-IB and Kaspersky; local ISPs and Computer Emergency Response Teams (CERTs); hosting providers; and other players like the non-profit Shadowserver Foundation. Eighteen of the participating countries have CERTs and, crucially, police have now put in place agreements to formalize response work for the future, according to Interpol. Many countries were participating for the first time in such an operation. The operation was sandwiched between a two-week training course in Kigali, in which participants learned about cryptocurrency and cybercrime investigations, and a debrief in Mauritius in November. “The Cyber Surge activities have also led to newly introduced legislative protocols and the establishment of a series of cybercrime departments in member countries, which will further contribute to reducing the impact of cybercrime and protecting communities in the region,” Interpol explained.

Operation across Africa identifies cyber-criminals and at-risk online infrastructure

INTERPOL, November 25, 2022

Coordinated from an INTERPOL Command Centre in Kigali, Rwanda, the operation focused on removing the enablers of cybercrime. Among the operational highlights: 11 individuals were arrested, with one suspect linked to the abuse of children, and 10 others linked to scam and fraud activities worth USD 800,000 which had an impact on victims globally. Authorities in Eritrea took down a Darknet Market that was selling hacking tools and cybercrime-as-a-service components. Multiple cryptocurrency scam cases were resolved in Cameroon, including one with an estimated financial impact upon the victim of more than CFA 8 million. Tanzania recovered more than USD 150,000 of victims’ money from data infringement and copyright cases. Action was taken against more than 200,000 pieces of malicious cyber infrastructure which facilitate cybercrime across the African Region. This included the takedown and clean-up of malicious infrastructure linked to botnet activity, and the dissemination of mass phishing, spam and online extortion activities (e.g. romance scams, banking scams and theft of data) to potential victims. Participating countries were able to improve their own national cyber security by patching network vulnerabilities and cleaning-up defaced government websites and securing vulnerable critical infrastructure, thereby reducing the risk of potentially catastrophic attacks. Investigations were shaped by intelligence provided by INTERPOL’s private sector partners including British Telecom, Cyber Defense Institute, Fortinet’s FortiGuard Labs, Group-IB, Kaspersky, Unit 42-Palo Alto Networks, Shadowserver and Trend Micro.

Botnets, Trojans, DDoS From Ukraine and Russian Have Increased Since Invasion

Info Security, November 16, 2022

Activity from IP addresses in Ukraine and Russia has shown a substantial spike in malware, helping botnets spread since 2022. The data comes from security researchers at Top10VPN, who share a report about the findings ahead of publication.

The company’s investigation is based on data from sinkholes and honeypots operated by The Shadowserver Foundation, an internet security non-governmental organization (NGO).