News & Insights

Topic: Alliance

Technical Summary of Observed Citrix CVE-2023-3519 Incidents

August 7, 2023
The Shadowserver Foundation and trusted partners have observed three different malicious campaigns that have exploited CVE-2023-3519, a code injection vulnerability rated CVSS 9.8 critical in Citrix NetScaler ADC and NetScaler Gateway. The summary below is based on collaboration with the individual compromised organizations, as well as their commercial incident response teams. All timestamps in this write-up are in UTC timezone, and they have all been slightly adjusted to not disclose the actual times. If you own a Citrix NetScaler or have those in your constituency, please follow the detection and hunting advice for signs of compromise and webshells!

Observations on cyber threat activity and vulnerabilities in the Gulf Region

May 31, 2023
We are happy to continue our efforts in collaboration with the UK FCDO, building on our previous global outreach to Africa, Indo-Pacific, Central and Eastern Europe (CEEC), and Association of Southeast Asian Nations (ASEAN) regions to produce a cyber security spotlight on the Gulf Region. For a review of previous UK FCDO-supported activities, please read a) UK Foreign, Commonwealth & Development Office funds Shadowserver surge in Africa and Indo-Pacific regions, b) Continuing Our Africa and Indo-Pacific Regional Outreach, c) More Free Cyber Threat Intelligence For National CSIRTs and d) Shadowserver’s New Public Dashboard.

Observations on cyber threat activity and vulnerabilities in Indonesia, Malaysia, Philippines and Thailand

May 30, 2023
Shadowserver has recently been funded by the UK Foreign, Commonwealth & Development Office (FCDO) to provide more detailed and tailored cyber threat insight support to countries in the Association of Southeast Asian Nations (ASEAN), specifically Indonesia, Malaysia, Philippines and Thailand. These activities included obtaining a better understanding of the device makeup of the exposed attack surface in those countries, vulnerability exposure (especially relating to emerging threats) and observed attacks/infected devices - coming both from and directed at the region. The intention is to enrich Shadowserver's free daily threat feeds and public benefit services to the region, providing National CSIRTs and other system defender entities (organizations that are network owners) with a better awareness of their threat and vulnerability landscape, thus helping them to improve their cybersecurity posture.

UK/US Joint Announcements Remind Us That Un-Remediated Vulnerabilities Snowball

April 20, 2023
The UK’s National Cyber Security Centre (NCSC) and the US Cybersecurity and Infrastructure Security Agency (CISA) issued an alert on nation-state sponsored exploitation of router infrastructure. The alert calls out SNMP public exposure and one vulnerability in particular - CVE-2017-6742 - which relates to a long known “remote code execution” opportunity on certain Cisco routers. This alert is a timely reminder for all with unpatched equipment to think broadly! We use this opportunity to highlight our data and free daily reports that provide information on the SNMP and Cisco device exposed attack surface (and more!).

New Dashboard Attack Statistics Enhancements

April 3, 2023
We are happy to announce multiple enhancements to our public Dashboard, particularly to the Exploited Vulnerability data collected by our server-side honeypot sensors, thanks to funding provided by the UK Foreign, Commonwealth and Development Office (FCDO).

Craig Newmark Makes $500,000 Grant to Shadowserver

March 30, 2023
The Shadowserver Foundation is grateful for the continued support and generosity of craigslist founder, Craig Newmark. Earlier this month, Craig Newmark provided Shadowserver with a substantial donation of $500,000.

Shadowserver Alliance Launch

October 4, 2022
The Shadowserver Foundation today launched its new Alliance to Continue to Build a Safer, More Secure Internet. The new Shadowserver Alliance partner program will accelerate growth and scale up delivery of no cost cybersecurity and cyber threat intelligence services to internet defender organizations and law enforcement. The Alliance represents a significant expansion to Shadowserver's freely provided internet security services and enables partners, including some of the world’s most trusted organizations such as Mastercard, Craig Newmark Philanthropies, Avast, Trend Micro and Akamai, to aid its mission to create a safer, more secure Internet. The Shadowserver Alliance is actively seeking new partners to join us now in the next phase of our journey. As a strong community, we can continue to raise the bar on global cyber security together.