Media Coverage

Shadowserver in the news

Critical Fortinet flaw may impact 150,000 exposed devices

Bleeping Computer, March 8, 2024

Scans on the public web show that approximately 150,000 Fortinet FortiOS and FortiProxy secure web gateway systems are vulnerable to CVE-2024-21762, a critical security issue that allows executing code without authentication. America’s Cyber Defense Agency CISA confirmed last month that attackers are actively exploiting the flaw by adding it to its Known Exploited Vulnerabilities (KEV) catalog.

Almost a month after Fortinet addressed CVE-2024-21762, The Shadowserver Foundation announced on Thursday that it found nearly 150,000 vulnerable devices. Shadowserver’s Piotr Kijewski told BleepingComputer that their scans check for vulnerable versions, so the number of affected devices may be lower if admins applied mitigations instead of upgrading. According to Shadowserver data, most vulnerable devices, more than 24,000, are in the United States, followed by India, Brazil, and Canada.

Earliest Reporter of Exploitation in the Wild

VulnCheck, March 7, 2024

As we explore over 20 years' worth of publicly disclosed exploited vulnerabilities, the collaborative effort of global security teams becomes increasingly evident.

My latest data visualization underscores the remarkable contributions from organizations worldwide, including:
– Government Agencies like Cybersecurity and Infrastructure Security Agency, National Cyber Security Centre, NHS, United States Department of Defense and Australian Cyber Security Centre.
– Security Research Projects/Teams such as Palo Alto Networks Unit 42, Google Project Zero, CitizensLab e.V., FortiGuard Labs, Cisco Talos Intelligence Group, Trend Micro, SANS Institute, Huntress, The Shadowserver Foundation, Akamai Technologies, and so many more.

In an effort to empower security teams, researchers, and the global security community, we’ve curated a comprehensive index comprising more than 8,500 publicly cited references of vulnerabilities known to have been exploited in the wild.

ConnectWise ScreenConnect bug used in Play ransomware breach, MSP attack

SC Media, March 1, 2024

A critical ConnectWise ScreenConnect vulnerability that enables authentication bypass was used in a Play ransomware breach and an attempted supply chain attack involving LockBit malware, researchers say. One of the attacks targeted a managed service provider (MSP) for a potential wider supply chain breach against its customers, the At-Bay Cyber Research Team revealed in an article Thursday.

Amidst this spate of attacks, more than 3,800 ScreenConnect instances tracked by nonprofit cybersecurity organization Shadowserver remained vulnerable to CVE-2024-1709 as of Feb. 29. Notably, this is less than half the number Shadowserver reported on Feb. 21, when more than 8,200 vulnerable instances were detected.

Critical ConnectWise RMM Bug Poised for Exploitation Avalanche

Dark Reading, February 21, 2024

Users of the ConnectWise ScreenConnect remote desktop management tool are under active cyberattack, after a proof-of-concept (PoC) exploit surfaced for a max-critical security vulnerability in the platform. The situation has the potential to blow up into a mass compromise event, researchers are warning. ScreenConnect can be used by tech support and others to authenticate to a machine as though they were the user. As such, it offers a conduit to threat actors looking to infiltrate high-value endpoints and any other areas of corporate networks to which they might have access.

Piotr Kijewski, CEO at the Shadowserver Foundation, confirmed seeing initial exploitation requests in the nonprofit’s honeypot sensors. “Check for signs of compromise (like new users added) and patch!” he stressed via the Shadowserver mailing list, adding that as of Tuesday, a full 93% of ScreenConnect instances were still vulnerable (about 3,800 installations), most of them located in the US.

Over 28,500 Exchange servers vulnerable to actively exploited bug

Bleeping Computer, February 19, 2024

Up to 97,000 Microsoft Exchange servers may be vulnerable to a critical severity privilege escalation flaw tracked as CVE-2024-21410 that hackers are actively exploiting. Microsoft addressed the issue on February 13, when it had already been leveraged as a zero-day. Currently, 28,500 servers have been identified as being vulnerable. Exchange Server is widely used in business environments to facilitate communication and collaboration among users, providing email, calendar, contact management, and task management services.

Today, threat monitoring service Shadowserver announced that its scanners have identified approximately 97,000 potentially vulnerable servers. Out of the total 97,000, the vulnerable state for an estimated 68,500 servers depends on whether administrators applied mitigations, while 28,500 are confirmed to be vulnerable to CVE-2024-21410.

Exploitation of CVE-2024-21410 can have serious consequences for an organization because attackers with elevated permissions on an Exchange Server can access confidential data like email communication and use the server as a ramp for further attacks on the network.

Justice Department Conducts Court-Authorized Disruption of Botnet Controlled by the Russian Federation’s Main Intelligence Directorate of the General Staff (GRU)

US Department of Justice, February 15, 2024

A January 2024 court-authorized operation has neutralized a network of hundreds of small office/home office (SOHO) routers that GRU Military Unit 26165, also known as APT 28, Sofacy Group, Forest Blizzard, Pawn Storm, Fancy Bear, and Sednit, used to conceal and otherwise enable a variety of crimes.

The Department’s court-authorized operation leveraged the Moobot malware to copy and delete stolen and malicious data and files from compromised routers. Additionally, in order to neutralize the GRU’s access to the routers until victims can mitigate the compromise and reassert full control, the operation reversibly modified the routers’ firewall rules to block remote management access to the devices, and during the course of the operation, enabled temporary collection of non-content routing information that would expose GRU attempts to thwart the operation.

The FBI Philadelphia and Boston Field Offices and Cyber Division, U.S. Attorney’s Office for the Eastern District of Pennsylvania, and the National Security Division’s National Security Cyber Section led the disruption effort. The Criminal Division’s Computer Crime and Intellectual Property Section and Office of International Affairs, Shadowserver Foundation, Microsoft Threat Intelligence, and other partners provided valuable assistance.

World Govs, Tech Giants Sign Spyware Responsibility Pledge

Dark Reading, February 6, 2024

A coalition of dozens of countries including France, the UK, and the US, along with tech giants such as Google, Meta, and Microsoft, have signed a joint agreement to combat the use of commercial spyware in ways that violate human rights.

At a speech at the UK-France Cyber Proliferation conference at Lancaster House in London today, UK Deputy Prime Minister Oliver Dowden announced the kickoff for the spyware initiative, dubbed the “Pall Mall Process,” which will be a “multi-stakeholder initiative … to tackle the proliferation and irresponsible use of commercially available cyber-intrusion capabilities,” he explained.

He also announced that the UK will invest £1 million into the nonprofit Shadowserver Foundation, to “help them expand the access they provide to early warning systems, and to cyber resilience support for those impacted by cyberattacks.”

Newest Ivanti SSRF zero-day now under mass exploitation

Bleeping Computer, February 5, 2024

An Ivanti Connect Secure and Ivanti Policy Secure server-side request forgery (SSRF) vulnerability tracked as CVE-2024-21893 is currently under mass exploitation by multiple attackers. Exploitation of CVE-2024-21893 allowed attackers to bypass authentication and access restricted resources on vulnerable devices (versions 9.x and 22.x).

Threat monitoring service Shadowserver is now seeing multiple attackers leveraging the SSRF bug, with 170 distinct IP addresses attempting to exploit the flaw.

According to Shadowserver, there are currently almost 22,500 Ivanti Connect Secure devices exposed on the Internet. However, it is unknown how many are vulnerable to this particular vulnerability.

INTERPOL-led operation targets growing cyber threats

INTERPOL, February 1, 2024

Operation Synergia, which ran from September to November 2023, was launched in response to the clear growth, escalation and professionalisation of transnational cybercrime and the need for coordinated action against new cyber threats. The operation involved 60 law enforcement agencies from more than 50 INTERPOL member countries, with officers conducting house searches and seizing servers as well as electronic devices.

Operation Synergia demonstrated how cybersecurity is most effective when international law enforcement, national authorities, and private sector partners cooperate to share best practices and proactively combat cybercrime. INTERPOL and its Gateway Partners Group-IB, Kaspersky, TrendMicro, Shadowserver and Ad hoc partner Team Cymru provided analysis and intelligence support throughout the operation.

2nd critical GitLab patch of 2024 fixes arbitrary file writing bug

SC Media, January 31, 2024

A GitLab vulnerability enabling file writing to arbitrary locations on a server was patched last Thursday, two weeks after the company patched a critical account takeover bug. The latest vulnerability, tracked as CVE-2024-0402, received a CVSS score of 9.9 and allows authenticated users to write files anywhere on a GitLab server while creating a workspace.

The Shadowserver Foundation, which tracks malicious activity and vulnerabilities online, previously said it detected more than 5,300 GitLab instances vulnerable to CVE-2023-7028 on Jan. 23. As of Jan. 30, Shadowserver’s dashboard showed 4,826 GitLab instances still running unpatched versions. Shadowserver CEO Piotr Kijewski told SC Media that while the organization is not currently scanning for CVE-2024-0402, it is most likely that instances still vulnerable to CVE-2023-7028 are also vulnerable to the latest bug. “The total CVE-2024-0402 population will be expected to be higher, however,” Kijewski said.