News & Insights

We have recently started to perform a full IPv4 Internet-wide scan for accessible SMTP services and will report out possible vulnerabilities that have been observed, with a current focus on Exim (in the future non-Exim vulnerabilities may be added). We scan by performing a connection to port 25, recognizing an SMTP response and collecting the banner served. These connections look just like a normal SMTP connection, there is not any attempt to exploit the port, only to collect the banner information from that connection to the server. Our scan uncovered 317,848 distinct Exim IPs that likely contain 21nails vulnerabilities (as discovered by Qualys) based on the connected banner identification.

A new opt-in feature in our reporting mechanism will allow for reporting only the changes of the data from day to day: the report delta mode option. In this mode, every Sunday we will continue to deliver a full set of reports on all events observed on a report recipients’s network. For the rest of the week, for every distinct report type we will report only the difference between events seen on that day relative to the Sunday report. This will continue throughout the week until the following Sunday, when everything is reset and a full report is delivered again.

We are happy to announce a completely new way of accessing our reports - via a RESTful API. Every report recipient can now choose to opt in to this delivery method and receive a unique API key and unique secret.

Over the years, Shadowserver’s report list has grown considerably from when we originally started. When some of these reports were originally set up, the requirements were different to those needed today. We have therefore decided to implement changes with some of the existing report types, especially those related to our sinkholes and honeypots, as well as remove some legacy reports. Changes will come into effect on 2021-06-01. On that day, the old reports will cease and only the new equivalents will be sent out. Until that time, starting 2021-04-05 both the old reports and new reports will function in parallel.

A new one-off Special Report covering efforts to identify additional vulnerable and compromised Microsoft Exchange servers and associated common web shell that are configured to use DNS based virtual hosting, rather than direct IPv4 /0 scanning for default web sites, containing data for the period 2021-03-16 to 2021-03-22.

Can you help Shadowserver sign up more countries/networks in Africa and the Info-Pacific to receive our free daily network reports and help secure the Internet? We are running a UK FCDO funded surge in Feb/March 2021, aimed at increasing outreach and expanding our honeypot sensor network in those regions. We are seeking introductions, contacts and hosting so please get in touch if you can help us achieve these goals.

Another internet wide scan based one-off Special Report identifying 59218 potentially vulnerable Microsoft Exchange Servers on 2021-03-14 courtesy of Kryptoslogic, with a comparison of the degree of overlap in coverage between this data set and our previous one-off Special Report that was just released. If your mail servers appear in either report - please patch immediately.

Another one-off Special Report identifying 73608 potentially vulnerable Microsoft Exchange Servers during the period 2021-03-13 and 2021-03-14, which corresponds to 63115 unique IP addresses in 211 countries. These exposed systems remain at very high risk and need patching immediately.

Another one off Shadowserver Special Report, this time in partnership with Kryptoslogic, provides critical information about compromised Microsoft Exchange Servers with exposed public web shells that were likely exploited using CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065. Please remediate and patch/rebuild urgently!

Shadowserver one-off Special Reports are for reporting security events outside our usual 24-hour reporting window. Our second Special Report covers identification Microsoft Exchange Servers potentially vulnerable to CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065 by scanning with DIVD after patches were released.