Media Coverage

Shadowserver in the news

‘Citrix Bleed’ vulnerability targeted by nation-state and criminal hackers: CISA

The Record, November 21, 2023

Both nation-state hackers and cybercriminal gangs are exploiting a vulnerability affecting Citrix products, federal cyber officials warned on Tuesday. The ‘Citrix Bleed’ bug has caused alarm for weeks as cybersecurity experts warned that many government agencies and major companies were leaving their appliances exposed to the internet — opening themselves up to attacks. Despite a security bulletin from Citrix in October rating the bug a 9.4 out of 10 on the CVSS severity scale, research tool ShadowServer shows that thousands of instances where the tool is used were still vulnerable to the issue as of November 2, with nearly 2,000 in North America alone.

NetScaler investigation recommendations for CVE-2023-4966

NetScaler, November 20, 2023

Until mid-October, we understood from public reporting and through very limited support cases that exploitation of CVE-2023-4966 was targeted and limited in nature. However, we learned of a concerning development when, on October 25, Shadowserver Foundation, a non-profit internet monitoring organization, posted on X (formerly known as Twitter) that there was a sharp increase in attempts to exploit this vulnerability in unpatched NetScaler ADCs.

Thousands of new honeypots deployed across Israel to catch hackers

TechCrunch, November 20, 2023

On October 7, Hamas launched an unprecedented terrorist attack on Israel, killing more than 1,200 people, with hundreds taken hostage. The attack prompted a deadly response from the Israel Defense Forces, which has reportedly left more than 10,000 people dead in airstrikes and a land incursion. Shortly after the attack, the number of internet-connected honeypots in Israel — manufactured networks designed to lure hackers in — have risen dramatically, according to cybersecurity experts who monitor the internet.

Piotr Kijewski, the CEO of the Shadowserver Foundationan organization that deploys honeypots to monitor what hackers do on the internet, also confirmed that his organization has seen “a lot more honeypots now deployed in Israel than pre-Oct 7.”

The increase took Israel to the top three in the world in terms of number of deployed honeypots. Before the war, the country wasn’t even in the top 20, according to Kijewski.

“Technically it is possible someone suddenly rolls out a new honeypot deployment when they have developed that capability and yes in this case it seems Israel focused,” Kijewski said in an email. “We do not normally see such large scale instances appear overnight though, and Israel has not so far been a place for these amounts of honeypots (though of course there have always been honeypots in Israel, including ours).”

Over 63,000 Unpatched Microsoft Exchange Servers Vulnerable to RCE Attack

Ddos, November 17, 2023

In a concerning turn of events, over 63,000 Microsoft Exchange servers remain exposed online, failing to implement the necessary patches against the critical remote code execution (RCE) vulnerability, CVE-2023-36439. This vulnerability, among the four security flaws addressed by Microsoft’s November 2023 Patch Tuesday update, poses a significant threat to organizations due to its potential for severe exploitation. According to the Shadowserver Foundation, a non-profit entity committed to bolstering internet security, these servers are susceptible to the CVE-2023-36439 flaw. This vulnerability, identified through the servers’ x_owa_version header, affects Exchange Server 2016 and 2019, and it holds a significant CVSS score of 8.0.

CISA warns of actively exploited Juniper pre-auth RCE exploit chain

Bleeping Computer, November 13, 2023

CISA warned federal agencies today to secure Juniper devices on their networks by Friday against four vulnerabilities now used in remote code execution (RCE) attacks as part of a pre-auth exploit chain. The alert comes one week after Juniper updated its advisory to notify customers that the flaws found in Juniper’s J-Web interface (tracked as CVE-2023-36844, CVE-2023-36845, CVE-2023-36846, and CVE-2023-36847) have been successfully exploited in the wild.

The warnings come after the ShadowServer threat monitoring service revealed it was already detecting exploitation attempts on August 25th, one week after Juniper released security updates to patch the flaws and as soon as watchTowr Labs security researchers also released a proof-of-concept (PoC) exploit. According to Shadowserver data, over 10,000 Juniper devices have their vulnerable J-Web interfaces exposed online, most from South Korea (Shodan sees more than 13,600 Intenet-exposed Juniper devices).

TellYouThePass ransomware joins Apache ActiveMQ RCE attacks

Bleeping Computer, November 6, 2023

Internet-exposed Apache ActiveMQ servers are also targeted in TellYouThePass ransomware attacks targeting a critical remote code execution (RCE) vulnerability previously exploited as a zero-day. The flaw, tracked as CVE-2023-46604, is a maximum severity bug in the ActiveMQ scalable open-source message broker that enables unauthenticated attackers to execute arbitrary shell commands on vulnerable servers. According to data from the threat monitoring service ShadowServer, there are currently more than 9,200 Apache ActiveMQ servers exposed online, with over 4,770 vulnerable to CVE-2023-46604 exploits.

Critical Atlassian Confluence bug exploited in Cerber ransomware attacks

Bleeping Computer, November 6, 2023

Attackers are exploiting a recently patched and critical severity Atlassian Confluence authentication bypass flaw to encrypt victims’ files using Cerber ransomware. Described by Atlassian as an improper authorization vulnerability and tracked as CVE-2023-22518, this bug received a 9.1/10 severity rating, and it affects all versions of Confluence Data Center and Confluence Server software. According to data from threat monitoring service ShadowServer, there are currently more than 24,000 Confluence instances exposed online, although there’s no way to tell how many are vulnerable to CVE-2023-22518 attacks.

Cyber experts and officials raise alarms about exploits against Citrix and Apache products

The Record, November 3, 2023

Zero-day bugs affecting products from Citrix and Apache have recently been added to the Cybersecurity and Infrastructure Security Agency’s (CISA) known exploited vulnerability (KEV) list. A vulnerability dubbed ‘Citrix Bleed’ is being exploited in attacks on government organizations as well as companies in the professional services and technology industries. The vulnerability allows hackers to gain access to sensitive information, according to a security bulletin from Citrix. The research tool ShadowServer shows that thousands of instances where the tool is used are still vulnerable to the issue as of November 2, with nearly 2,000 in North America alone.

Critical Atlassian Bug Exploit Now Available; Immediate Patching Needed

Dark Reading, November 3, 2023

Proof of concept (PoC) exploit code for a critical vulnerability that Atlassian disclosed in its Confluence Data Center and Server technology has become publicly available, heightening the need for organizations using the collaboration platform to immediately apply the company’s fix for it. ShadowServer, which monitors the Internet for malicious activity, on Nov. 3 reported that it observed attempts to exploit the Atlassian vulnerability from at least 36 unique IP addresses over the last 24 hours. ShadowServer described the increasing exploit activity as involving attempts to upload files and set up or to restore vulnerable Internet accessible Confluence instances. “We see around 24K exposed (not necessarily vulnerable),” Atlassian Confluence instances ShadowServer said.

Critical Apache ActiveMQ Vulnerability Exploited to Deliver Ransomware

Security Week, November 2, 2023

A recently patched vulnerability affecting the Apache ActiveMQ message broker is being exploited by cybercriminals in an apparent attempt to deliver ransomware.  Apache ActiveMQ is described as the “most popular open source, multi-protocol, Java-based message broker”. Several 5.x.x versions of the product, as well as the Apache ActiveMQ Legacy OpenWire Module, are affected by CVE-2023-46604, a security hole that can be exploited for remote code execution. On October 30, the Shadowserver Foundation reported seeing over 7,000 internet-exposed ActiveMQ instances, including roughly 3,300 that had been vulnerable to attacks exploiting CVE-2023-46604.