Media Coverage

Shadowserver in the news

Critical vulnerabilities: Consider these exposed devices pwned

The Register, June 5, 2023

We kick off this week’s list of critical vulnerabilities and active exploits with the ongoing exploitation of CVE-2023-28771 – a flaw in Zyxel firewall, VPN and ATP firmware that could let an unauthenticated attacker remotely execute OS commands. First identified in April, the flaw has been exploited on tens of thousands of affected devices, according to security firm Rapid7. According to Shadowserver, “at this stage if you have a vulnerable device exposed, assume compromise.” That’s a safe bet, since a patch has been out since April – install it now.

Researchers tell owners to “assume compromise” of unpatched Zyxel firewalls

arsTechnica, May 31, 2023

Firewalls made by Zyxel are being wrangled into a destructive botnet, which is taking control of them by exploiting a recently patched vulnerability with a severity rating of 9.8 out of a possible 10. “At this stage if you have a vulnerable device exposed, assume compromise,” officials from Shadowserver, an organization that monitors Internet threats in real time, warned four days ago. The officials said the exploits are coming from a botnet that’s similar to Mirai, which harnesses the collective bandwidth of thousands of compromised Internet devices to knock sites offline with distributed denial-of-service attacks. According to data from Shadowserver collected over the past 10 days, 25 of the top 62 Internet-connected devices waging “downstream attacks”—meaning attempting to hack other Internet-connected devices—were made by Zyxel as measured by IP addresses. The software bug used to compromise the Zyxel devices is tracked as CVE-2023-28771, an unauthenticated command-injection vulnerability with a severity rating of 9.8. The flaw, which Zyxel patched on April 25, can be exploited to execute malicious code with a specially crafted IKEv2 packet to UDP port 500 on the device. The critical vulnerability exists in default configurations of the manufacturer’s firewall and VPN devices.  On Wednesday, the Cybersecurity and Infrastructure Security Agency placed CVE-2023-28771 on its list of known exploited vulnerabilities. The agency has given federal agencies until June 21 to fix any vulnerable devices in their networks. With infections from CVE-2023-28771 still occurring five weeks after Zyxel fixed it, it’s clear many device owners aren’t installing security updates in a timely manner. If the poor patching hygiene carries over to the more recently fixed vulnerabilities, there likely will be more Zyxel compromises occurring soon.

Hackers exploit critical Zyxel firewall flaw in ongoing attacks

Bleeping Computer, May 31, 2023

Hackers are performing widespread exploitation of a critical-severity command injection flaw in Zyxel networking devices, tracked as CVE-2023-28771, to install malware. The flaw, which is present in the default configuration of impacted firewall and VPN devices, can be exploited to perform unauthenticated remote code execution using a specially crafted IKEv2 packet to UDP port 500 on the device. Zyxel released patches for the vulnerability on April 25, 2023, warning users of the following product versions to apply to resolve the vulnerability. Today, CISA published an alert warning that CVE-2023-28771 is being actively exploited by attackers, urging federal agencies to apply the available update by June 21, 2023. This alert coincides with additional verification from Rapid7 today that confirms the active exploitation of the flaw. One of the activity clusters confirmed to exploit CVE-2023-28771 is a Mirai-based botnet malware that, according to Shadowserver, started launching attacks on May 26, 2023. Similar activity was spotted by cybersecurity researcher Kevin Beaumont a day earlier, who highlighted the use of a publicly available PoC (proof of concept) exploit. While the Mirai threat is typically limited to DDoS (distributed denial of service), other threat groups might engage in lower-scale and less-noticeable exploitation to launch more potent attacks against organizations. It is also important to note that Zyxel has recently fixed two other critical severity flaws, CVE-2023-33009 and CVE-2023-33010, which impact the same firewall and VPN products. The two flaws could allow unauthenticated attackers to impose denial of service on vulnerable devices or execute arbitrary code.

Only after being warned of potential attacks, Zhaoqin equipment was infected by Mirai virus on a large scale

iThome Taiwan, May 31, 2023

After the device vulnerability (CVE-2023-28771) patched by Zyxel on April 25 was released in May, security experts warned that the Mirai botnet began to threaten unpatched Zyxel devices to launch attacks. The ShadowServer Foundation, a security nonprofit, has detected that multiple Zhaoqin devices have been used to launch attacks. Since the abused PoC program has been made public, the foundation also expects the attacks to increase further. Zyxel patched the major vulnerability CVE-2023-28771 in firewall and VPN equipment products in April , and urged users to install the new firmware as soon as possible. This vulnerability originates from the IKE packet decryption component in the firmware, which may allow unauthorized attackers to send malicious packets to remotely execute OS commands. It is a major vulnerability with a risk value of 9.8. Last week, the information security company Rapid7 also warned that at least 40,000 firewall devices have been exposed because they have not been updated, and they believe that there will be exploit attacks. Since May 26, more than 700 decoy systems set up by the security nonprofit The ShadowServer Foundation have detected about 3,773 attacks. According to the statistics of the Foundation , the users of Zhaoqin’s firewall and VPN products are the most in France (13,800 units), Italy (13,100 units), the United States (9,300 units), and Switzerland (7,800 units). In addition, they also detect Multiple Zhaoqin devices have been used to launch attacks . Since the abused PoC program has been made public, the foundation also expects the attacks to increase further .

Kazakh companies using GeoServer are at risk

Register TV Kazakhstan, May 16, 2023

State Technical Service JSC reports that during the monitoring of the Kazakhstani segment of the Internet, 17 IP addresses were found that are presumably subject to critical vulnerabilities with identifiers CVE-2022-24816 and CVE-2023-25157. The detected IP addresses belong to large companies in the quasi-public sector of Kazakhstan. GeoServer is used in various industries such as geology, ecology, geodesy, agriculture, urban management, etc., where spatial data is an important component for making strategic decisions. The National Computer Incident Response Service (KZ-CERT) sent notifications to owners of IP addresses and telecom operators recommending the need to immediately apply updates to avoid possible risks and threats to information security. Failure to address vulnerabilities in a timely manner can lead to the compromise of sensitive data and further attacks on the network, including the introduction of malicious software into other systems, which will compromise the security of the entire network infrastructure. The Shadowserver Foundation (an information security organization that sends daily online reports to subscribers and cooperates with law enforcement agencies around the world in investigating cybercrime) published information about vulnerabilities in the GeoServer software. We recommend that all companies pay attention to updates of systems and software used in the infrastructure,” KZ-Cert noted.

Shadowserver Dashboard in Indonesian, Malay, Filipino, Thai & Arabic

SENKI, May 15, 2023

Have you seen the Shadowserver Dashboard? Did you know it provides critical information on what people outside your network can see into your network? Did you know that the Dashboard and free reports can save your network …. all you need to do is track down the exposure and fix it (before the criminals use it to break into your network? Shadowserer provides one of the most critical tools to protect your network. Organizations that do not leverage this free “Cyber-Civil Defense” resource are missing out on critical security information about your network that is provided as a free public benefit. Shadowserver’s Dashboard is one of those free-public benefit tools. The Dashboard provides a map of vulnerabilities, risks, and unpatched systems with a global view. Shadowserver is expanding the language options of their Dashboard. Indonesian, Malay, Filipino, Thai, and Arabic will be offered. While the translations are done with professional translators, the Shadowserver team asks for help. The team seeks network/security professionals to help provide validation and context. If you are interested, please email contact@shadowserver.org. New vulnerabilities, attacks, and other risks are announced every day. Shadowserver’s suite of services is combined to provide each organization with their Daily Network Reporting and the update to Shadowserver’s Dashboard. With the dashboard, you can explore active risk and attack vectors. 

Thousands of Microsoft servers are at risk from some serious security bugs

Techradar, May 10, 2023

IT teams operating Microsoft Exchange servers are very slow at patching their endpoints, resulting in thousands of devices still being vulnerable to some high-severity flaws. This is according to a new report on CyberNews, which claims more than 85,000 servers are still exposed to multiple remote code execution (RCE) vulnerabilities, namely CVE-2023-21529, CVE-2023-21706, and CVE-2023-21707. The report has described the flaws as “extremely dangerous” due to the fact that they can allow the threat actors to run malicious code and compromise people’s inboxes and email messages sitting on the servers. The flaws were discovered in mid-February 2023, with Microsoft being quick to release a patch to address the issue. However, many IT teams are yet to apply these patches, they’re saying. In fact, as per Shadowserver Foundation data, the number of vulnerable servers in February was 87,000, meaning the vast majority of IT teams basically disregarded this security threat and simply decided not to apply the fix.

Cybercriminal Network Fueling the Global Stolen Credit Card Trade is Dismantled

U.S. Attorneys Office Eastern District of New York, May 3, 2023

A four-count indictment was unsealed today in the United States District Court for the Eastern District of New York charging Denis Gennadievich Kulkov with access device fraud, computer intrusion and money laundering in connection with his operation of Try2Check, the primary service offering “card-checking” to cybercriminals in the stolen credit card trade.  The Try2Check platform catered to cybercriminals who purchased and sold stolen credit card numbers in bulk on the internet, offering criminals the ability to quickly determine what percentage of the cards were valid and active.  As such, Try2Check was a primary enabler of the trade in stolen credit card information, processing at minimum tens of millions of card numbers every year.  Today, the U.S. government worked with partners in Germany and Austria to take offline Try2Check’s websites, thus dismantling the defendant’s criminal network.  Along with the indictment and global website domain takedown, the State Department has announced a $10 million reward for information leading to the capture of Kulkov, who resides in Russia. Try2Check ran tens of millions of credit card checks per year and supported the operations of major card shops that made hundreds of millions in bitcoin in profits.  Over a nine-month period in 2018, the site performed at least 16 million checks, and over a 13-month period beginning in September 2021, the site performed at least 17 million checks. Through the illegal operation of his websites, the defendant made at least $18 million in bitcoin (as well as an unknown amount through other payment systems), which he used to purchase a Ferrari, among other luxury items.  In coordination with the unsealing of the charging documents in this case, Try2Check’s websites were taken offline and the State Department issued a $10 million reward for information leading to the defendant’s capture.  If convicted, Kulkov faces 20 years’ imprisonment. The charges in the indictment are allegations, and the defendant is presumed innocent unless and until proven guilty. The Office extends its appreciation to the German Federal Criminal Police Office (BKA), the German Federal Office for Information Security (BSI), the Austrian Criminal Intelligence Service – Cybercrime Competence Center (C4), and the French Central Directorate of the Judicial Police (DCPJ) and the governments of Austria, Germany and France for their assistance on this case, as well as to the Shadowserver Foundation for crucial technical assistance in addressing 

Cyber ​​threat: Morocco, the African country most affected by banking Trojans

Yabiladi, April 19, 2023

Interpol’s African Bureau of Cybercrime Operations report ranks Morocco as the African country most affected by Banking Trojans and Stealers. It is also the second most affected country by Ransomware on the continent. The African Cybercrime Operations Bureau of the International Criminal Police Organization (Interpol) recently unveiled its Africa Cyber Threat Assessment Report for the year 2022. A document that provides an overview of cyber threat trends in the African region. It shows that Morocco is the African country most affected by banking Trojans and Stealers, according to data from Trend Micro, a world leader in enterprise cloud security solutions, XDR and cybersecurity platform. The Interpol report even mentions 18,827 detections in the kingdom, which puts it ahead of South Africa (6,560 malware detections), Nigeria (5,366), Cameroon (1,462) and Algeria ( 691).  Banking Trojans and Stealers can be installed manually or remotely using techniques such as emails containing malicious links or attachments.  The report also revealed that the most prevalent banking Trojans and Stealers are Zbot and Fareit. The former accounts for 67.67% of all detections in the region, while the latter accounts for 15.39%.  The report also ranks Morocco in second place when it comes to Ransomware. Quoting Shadowserver, a non-profit security organization that collects and analyzes data on malicious activity on the Internet. South Africa is the country most targeted by these attacks. The country accounts for 42% of all detected attacks. It is followed by Morocco where 8% of the attacks took place, Botswana and Egypt (6%) as well as Tanzania and Kenya (4%). The kingdom is also cited for “online scams and extortion”. 

Patch now! QueueJumper vulnerability puts hundreds of thousands of Windows systems at risk

heise online, April 14, 2023

After worldwide scans, security researchers have discovered over 400,000 potentially vulnerable Windows systems. Security patches are available.

Windows admins should quickly take care of a ” critical ” vulnerability in the Microsoft Message Queuing Service (MSMQ) in Windows and Windows Server. If attacks are successful, attackers could execute malicious code and completely compromise systems. The vulnerability (CVE-2023-21554) was closed on Patchday in April . As a prerequisite for attacks, the MSMQ server must be active, which is not the case by default. However, the service is often activated in the course of Exchange installations, so the gap should not be underestimated. To check if systems are vulnerable, admins should check if the “Message Queuing” service is running and listening on TCP port 1801. According to a warning from Microsoft, Windows 10, 11 and many Windows server versions such as 20H2 are affected. Message Queuing is a messaging infrastructure and development platform. Message queuing applications can use this to communicate with PCs that may be offline. The service is designed to guarantee message delivery. Checkpoint security researchers discovered the vulnerability . According to them, attackers would only have to send their exploit code to TCP port 1801 of MSMQ servers to trigger an attack. Patch now! According to scans by Shadowsever, the MSMQ service is publicly available on over 400,000 Windows systems worldwide. If these systems are not yet patched, attackers could strike. The majority of these can be found in Hong Kong with 160,000 instances. In the US, there are around 57,000. Almost 8,000 systems are publicly accessible in Germany.