Media Coverage

Shadowserver in the news

Major Security Flaw Discovered in Metabase BI Software – Urgent Update Required

The Hacker News, July 28, 2023

Users of Metabase, a popular business intelligence and data visualization software package, are being advised to update to the latest version following the discovery of an “extremely severe” flaw that could result in pre-authenticated remote code execution on affected installations. Tracked as CVE-2023-38646, the issue impacts open-source editions prior to 0.46.6.1 and Metabase Enterprise versions before 1.46.6.1. “An unauthenticated attacker can run arbitrary commands with the same privileges as the Metabase server on the server you are running Metabase on,” Metabase said in an advisory released last week. While there is no evidence that the issue has been exploited in the wild, data gathered by the Shadowserver Foundation shows that 5,488 out of the total 6,936 Metabase instances are vulnerable as of July 26, 2023. A majority of the instances are located in the U.S., India, Germany, France, the U.K., Brazil, and Australia.

Hackers Actively Exploiting Zero-day Flaw in Ivanti Mobile Endpoint Manager Software

Cyber Security News, July 25, 2023

Ivanti ‘s mobile device management software EPMM(Endpoint manager mobile), aka Mobile iron core version lower than 11.8.1.0, was impacted by the actively exploited zero-day vulnerability.  On Sunday, the company released the security patches for the remote unauthenticated API access vulnerability tracked as CVE-2023-35078. Ivanti is an asset management software system used to remotely inventory and manage desktop computers.  It has the ability to report on installed software and hardware, allow remote assistance, and install security patches. If exploited, this vulnerability enables an unauthorized, remote (internet-facing) actor to potentially access users’ personally identifiable information and make limited changes to the server.

Shadowserver reported that +15K Citrix servers are likely vulnerable to attacks exploiting the flaw CVE-2023-3519

Security Affairs, July 23, 2023

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) this week warned of cyber attacks against Citrix NetScaler Application Delivery Controller (ADC) and Gateway devices exploiting recently discovered zero-day CVE-2023-3519. The Agency states that threat actors targeted a NetScaler ADC appliance deployed in the network of a critical infrastructure organization. Citrix this week warned customers of a critical vulnerability, tracked as CVE-2023-3519 (CVSS score: 9.8), in NetScaler Application Delivery Controller (ADC) and Gateway that is being actively exploited in the wild. The U.S. CISA revealed that threat actors are exploiting the vulnerability to drop web shells on vulnerable systems. Researchers from the non-profit organization Shadowserver Foundation this week reported that at least 15,000 Citrix servers were exposed to CVE-2023-3519 attacks based on their version information. Most of the servers are located in the United States and Germany.

Over 15K Citrix servers vulnerable to CVE-2023-3519 RCE attacks

Bleeping Computer, July 22, 2023

Thousands of Citrix Netscaler ADC and Gateway servers exposed online are vulnerable to attacks exploiting a critical remote code execution (RCE) bug that was previously abused in the wild as a zero-day. Security researchers from the Shadowserver Foundation, a non-profit organization dedicated to enhancing internet security, revealed this week that at least 15,000 appliances were identified as exposed to attacks leveraging the flaw (CVE-2023-3519) based on their version information. “We tag all IPs where we see a version hash in a Citrix instance. This is due fact that Citrix has removed version hash information in recent revisions,” Shadowserver said. “Thus safe to assume in our view all instances that still provide version hashes have not been updated and may be vulnerable.” They also noted that they’re also undercounting since some revisions known to be vulnerable but with no version hashes have not been tagged and added to the total number of exposed Citrix servers. Citrix released security updates to address this RCE vulnerability on July 18th, saying that “exploits of CVE-2023-3519 on unmitigated appliances have been observed” and urging customers to install the patches as soon as possible. The company added that unpatched Netscaler appliances must be configured as a gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or an authentication virtual server (the so-called AAA server) to be vulnerable to attacks. The CVE-2023-3519 RCE zero-day was likely available online since the first week of July when a threat actor began advertising Citrix ADC zero-day flaw on a hacker forum.

Zyxel users still getting hacked by DDoS botnet emerge as public nuisance No. 1

arsTechnica, July 21, 2023

Organizations that have yet to patch a 9.8-severity vulnerability in network devices made by Zyxel have emerged as public nuisance No. 1 as a sizable number of them continue to be exploited and wrangled into botnets that wage DDoS attacks. Zyxel patched the flaw on April 25. Five weeks later, Shadowserver, an organization that monitors Internet threats in real time, warned that many Zyxel firewalls and VPN servers had been compromised in attacks that showed no signs of stopping. The Shadowserver assessment at the time was: “If you have a vulnerable device exposed, assume compromise.” On Wednesday—12 weeks since Zyxel delivered a patch and seven weeks since Shadowserver sounded the alarm—security firm Fortinet published research reporting a surge in exploit activity being carried out by multiple threat actors in recent weeks. As was the case with the active compromises Shadowserver reported, the attacks came overwhelmingly from variants based on Mirai, an open source application hackers use to identify and exploit common vulnerabilities in routers and other Internet of Things devices.

#TECH: Building safer cybersecurity environment for Asean

New Straits Times, July 20, 2023

In today’s interconnected world, cybersecurity has become a critical concern for nations. Asean countries, for example, with their rapidly growing digital economies and expanding online presence, face increasing cyberthreats. To effectively address these challenges and build a robust cybersecurity environment, partnerships and collaborations are essential. According to the United Kingdom’s Foreign, Commonwealth and Development Office (FCDO) cyberpolicy lead for the Indo-Pacific, Henry Carver, cybersecurity has become a global challenge. “The whole world has been more reliant on digitalisation since the Covid-19 pandemic. More and more technology and the way we live are moving online. Just as it’s true for every citizen, it’s also true for government services, and its critical infrastructure. As a result, we have a larger footprint, which means we have a greater surface area where cybercriminals and people with malicious intentions can come in and pursue their objectives,” he said. “We’ve been working with an organisation called Shadowserver, which has done a lot of Internet scanning for business and government on some of the cyber insights that they have.” The FCDO also shares a lot of good practice on how we protect our own system with our Malaysian counterparts, like our public services cybersecurity strategy, skills and education. “Although it may not be 100 per cent relevant here, it’s about sharing what works for us and for countries to take the good practices and make them their own, and we are really excited to continue our collaboration,” he added.

Rockwell Automation Warns of Critical Bug in ControlLogix Modules

Duo Security, July 13, 2023

Rockwell Automation has released patches for a critical remote code execution vulnerability that affects many versions of its communications modules, and is warning customers that an exploit for the bug exists, although no exploitation has been observed yet. Rockwell discovered the vulnerability internally, and reported it to the Cybersecurity and Infrastructure Security Agency, which published an advisory on Wednesday. There is a separate bug (CVE-2023-3596) identifier for the vulnerability in the 1756-EN4* series of products, since exploitation results in a denial of service rather than RCE. Rockwell said that it had discovered and analyzed an exploit for the bug, which it attributed to an unnamed APT actor. The affected modules are used in critical manufacturing settings, and Rockwell has released firmware updates for all of the modules. The Shadowserver Foundation, which tracks exploit activity and vulnerabilities, identified about 107 vulnerable modules exposed to the Internet on Thursday. One of the interesting aspects of this vulnerability is that researchers were able to identify the exploit and discover that an APT actor had also discovered the bug, before the actor actually used the exploit. Organizations running affected Rockwell ControlLogix modules should install the updated firmware as soon as possible.

How EPSS 3.0 is an improvement over previous versions of the threat assessment system

CSO, July 11, 2023

The third iteration of the Exploit Prediction Scoring System helps security teams prioritize vulnerabilities through prediction. In late 2022, we compared the Exploit Prediction Scoring System (EPSS) and the widely used Common Vulnerability Scoring System (CVSS). Now EPSS 3.0 brings a more comprehensive, efficient, and effective model to the industry looking to prioritize vulnerabilities that pose the greatest threat and offers a robust API and resource open for anyone to access and consume as part of their vulnerability management program. The introduction of the EPSS, which attempts to aid vulnerability prioritization efforts by providing a numerical score of how likely a vulnerability is to be exploited over the next 30-day window, has been a boon to security practitioners and organizations looking to improve their vulnerability management activities. EPSS utilizes a variety of sources when it comes to exploits, such as Fortiguard, Alienvault OTX, the Shadow Server Foundation, and GreyNoise, all of which utilize various techniques to identify exploitation attempts in digital environments around the globe.

CVE-2023-33299: Critical Remote Code Execution Vulnerability in FortiNAC

Tenable, June 23, 2023

On June 23, Fortinet published an advisory (FG-IR-23-074) that addresses a critical remote code execution vulnerability in FortiNAC, its Network Access Control solution. In addition to CVE-2023-33299, Fortinet published an additional advisory (FG-IR-23-096) for a separate vulnerability in FortiNAC. Both flaws were disclosed to Fortinet by security researcher Florian Hauser. Hauser’s research was inspired by the disclosure of a previous FortiNAC vulnerability in February 2023. Identified as CVE-2022-39952, the flaw was patched on February 16. However, on February 21, researchers at Shadowserver confirmed observed exploitation attempts against its honeypots.

Threat activity and vulnerabilities in Indonesia, Malaysia, Philippines, and Thailand

APNIC, June 15, 2023

Shadowserver has recently been funded by the UK Foreign, Commonwealth and Development Office (FCDO) to provide more detailed and tailored cyber threat insight support to economies in the Association of Southeast Asia Nations (ASEAN), specifically Indonesia, Malaysia, the Philippines, and Thailand. These activities included obtaining a better understanding of the device makeup of the attack surface exposed in these economies, vulnerability exposure (especially related to emerging threats), and observed attacks/infected devices — both originating from and directed at the region. The intention is to enrich Shadowserver’s free daily threat feeds and public benefit services to the region, providing National CSIRTs and other system defender entities (organizations that are network owners) with a better awareness of their threat and vulnerability landscape, thus helping them to improve their cybersecurity posture.