Media Coverage

Shadowserver in the news

Critical ManageEngine RCE bug now exploited to open reverse shells

Bleeping Computer, January 20, 2023

A critical remote code execution (RCE) vulnerability affecting multiple Zoho ManageEngine products is now being exploited in attacks. The first exploitation attempts were observed by cybersecurity firm Rapid7 on Tuesday, two days before Horizon3 security researchers released public exploit code and in-depth technical analysis of the flaw. “Rapid7 is responding to various compromises arising from the exploitation of CVE-2022-47966, a pre-authentication remote code execution (RCE) vulnerability impacting at least 24 on-premise ManageEngine products,” the threat detection firm said. “Rapid7 observed exploitation across organizations as early as January 17, 2023 (UTC).” This was confirmed by researchers at the Shadowserver Foundation, who said they are “picking up exploitation attempts from at least 10 IPs for CVE-2022-47966 unauthenticated RCE affecting multiple Zoho ManageEngine products (that have SAML SSO enabled).”

University hospitals in Brazil join Latin cybersecurity network

Convergencia Digital, January 17, 2023

The Brazilian Hospital Services Company (Ebserh), which operates in the country’s 38 university hospitals, has joined a project that brings together several Latin American countries to collaborate on detecting cyber threats. The initiative, initiated by the Ecuadorian Corporation for the Development of Research and Academia (CEDIA) and the Shadowserver Foundation, is deploying a network of sensors in Latin America and the Caribbean, using as a foundation the technology developed by Shadowserver to automate sensor deployments and the CEDIA’s experience as an IT Security Incident Response Center (CSIRT). This network provides a unique view of IoT threats in the region and, together with a communication campaign, will help reduce the number of infected devices. Data generated will be shared with 21 national CSIRTs and 235 network owners in the region, as well as a total of 109 national CSIRTs and more than 5,000 network owners worldwide via Shadowserver’s daily corrective action feeds. The project will take existing IoT-related open source honeypots and deploy them at scale using the Shadowserver framework. The project will be supported by a combination of paid VPS services and third-party donated nodes. At least 50 sensors will be placed in 15 countries.

Most Cacti Installations Unpatched Against Exploited Vulnerability

Security Week, January 13, 2023

Most internet-exposed Cacti installations have not been patched against a critical-severity command injection vulnerability that is being exploited in attacks. An open-source web-based network monitoring and graphing tool that offers an operational monitoring and fault management framework, Cacti is a front-end application for the data logging utility RRDtool. In early December 2022, the tool’s maintainers announced patches for CVE-2022-46169, a critical-severity (CVSS score 9.8) command injection flaw that could allow unauthenticated attackers to execute code on the server running Cacti, if a specific data source was used. Cacti versions 1.2.23 and 1.3.0, released on December 5, include patches for this vulnerability. A few days after SonarSource published a technical analysis of CVE-2022-46169 on January 3, The Shadowserver Foundation warned that it had logged the first exploitation attempts targeting the security defect. “Using Cacti? We started to pick up exploitation attempts for Cacti unauthenticated remote command injection CVE-2022-46169 including subsequent malware download. These started Jan 3rd. Make sure to patch & not expose your Cacti instance to the Internet,” Shadowserver said. This week, attack surface management firm Censys revealed that, out of 6,400 internet-accessible Cacti hosts that it has identified, only 26 were running a patched version of the tool. Most of these servers are in Brazil, with Indonesia and the US rounding up the top three. With exploitation of this vulnerability underway, organizations are advised to update Cacti to a patched version as soon as possible.

Alert: Hackers Actively Exploiting Critical "Control Web Panel" RCE Vulnerability

The Hacker News, January 12, 2023

Malicious actors are actively attempting to exploit a recently patched critical vulnerability in Control Web Panel (CWP) that enables elevated privileges and unauthenticated remote code execution (RCE) on susceptible servers. Tracked as CVE-2022-44877 (CVSS score: 9.8), the bug impacts all versions of the software before 0.9.8.1147 and was patched by its maintainers on October 25, 2022. Control Web Panel, formerly known as CentOS Web Panel, is a popular server administration tool for enterprise-based Linux systems. Gais Security researcher Numan Turle has been credited with discovering and reporting the flaw to the Control Web Panel developers. Exploitation of the flaw is said to have commenced on January 6, 2023, following the availability of a proof-of-concept (PoC), the Shadowserver Foundation and GreyNoise disclosed. “This is an unauthenticated RCE,” Shadowserver said in a series of tweets, adding, “exploitation is trivial.”

Attacks Target Control Web Panel Flaw

Duo Security, January 11, 2023

Attackers are targeting a recently patched vulnerability in the CentOS Control Web Panel that allows remote unauthenticated code execution on vulnerable servers. The bug has been public for several days and the researcher who discovered it has published exploit code for it, as well. The maintainers of CWP released a new version of the software to address the vulnerability, but because CWP is used as an interface for websites, it’s likely that many organizations haven’t updated just yet. CWP is a popular web interface for website hosting. Researcher Numan Turle of Gais Security discovered the vulnerability (CVE-2022-44877) and reported it to Control Web Panel, which released an update in October. The details of the vulnerability emerged last week, along with a proof-of-concept exploit that Turle developed, and now attackers are beginning to exploit the bug. On Wednesday, researchers at The Shadowserver Foundation, which tracks vulnerabilities, exploit attempts, and other Internet trends, reported seeing exploit attempts ramping up against the CWP flaw. And data from GreyNoise, which also tracks attack traffic, shows exploit attempts against this flaw, as well. “We are seeing CVE-2022-44877 exploitation attempts for CWP (CentOS Web Panel/Control Web Panel) instances. This is an unauthenticated RCE. Exploitation is trivial and a PoC published. Exploitation first observed Jan 6th,” Shadowserver said on Twitter.

Microsoft's first Patch Tuesday of 2023 delivers a massive 98 fixes

ZDNet, January 11, 2023

Windows and Office admins get a busy start to 2023, with Microsoft releasing 98 security fixes for its platforms — that’s a big haul when compared to most Patch Tuesdays and almost double the number it turned out leading into the holiday season. January 2023 Patch Tuesday addresses two zero-day flaws but only one of them is known to be actively exploited, which is the critical Windows flaw, tracked as CVE-2023-21674. This flaw allows an attacker with local privileges to elevate to system, the highest level of privileges. It has a CVSSv3 severity score of 8.8 out of 10. Earlier this month, security research group Shadowserver reported that there were 70,000 unpatched Exchange Servers exposed on the internet to highlight how many were likely still vulnerable to two Exchange Server zero-day flaws Microsoft patched in November, dubbed ProxyNotShell.

Many Exchange servers still not patched

SicherHeitsForum, January 9, 2023

Many Microsoft Exchange Servers around the world are still likely to be unpatched. Since Exchange Servers are coupled to the Internet, attackers can exploit existing vulnerabilities to compromise Exchange Servers. At the end of December 2022, security researchers from the Shadowserver Foundation scanned the Internet and published a message on Twitter. According to the report, a total of around 70,000 vulnerable Microsoft Exchange servers have been found. The figures show that just under 30,000 servers in Europe are affected. Admins should therefore ensure that the latest security updates are installed.

More than 60,000 Microsoft Exchange Servers still vulnerable to ProxyNotShell

TechMonitor, January 4, 2023

Despite repeated warnings, many businesses have not taken steps to combat the problem which leaves systems open to attack. Data released this week by the ShadowServer Foundation, a non-profit focusing on internet security, found that 60,865 have not yet patched against the vulnerability, which was discovered last year. Microsoft released patches for the ProxyNotShell vulnerabilities in November, but many companies have been slow to implement the security measures, despite Microsoft stating at the time that it “recommends that customers protect their organizations by applying the updates immediately to affected systems.” Hacking gangs Play, LockBit and BlackCat are among those known to have taken advantage of the vulnerability. Play uses Microsoft Exchange Server vulnerabilities as a leading technique of intrusion, according to security company Crowdstrike.

Patch now! 60,000 Exchange servers still vulnerable to ProxyNotShell attacks

heise online, January 4, 2023

Security researchers warn of vulnerable Exchange servers. 30,000 of them are in Europe – the majority in Germany. Security patches are available. At the end of December 2022, security researchers from the Shadowserver Foundation scanned the Internet and, according to a post on Twitter, came across around 70,000 vulnerable servers. According to current dashboard data, there are now around 60,000 systems. The figures show that there are almost 30,000 servers in Europe. In Germany there are still around 10,000 vulnerable Exchange servers at the beginning of 2023. Malicious code attacks have been taking place since September 2022. Recently, the situation worsened when attackers combined two vulnerabilities (CVE-2022-41082 “high”, CVE-2022-41080 “high”) in a new way.

The results of a security monitoring: Iran is the third most infected country with malware

Digiato, January 4, 2023

The data of the Shadowserver Foundation, which is active in the field of cyber security, shows that in the past few days Iran has ranked third among the countries with the most known malware infections. The average level of contamination of systems during the last three months in Iran placed our country in seventh place. It seems that network filtering at the end of September and extensive efforts to bypass these limitations are one of the factors of obtaining such rank. According to experts, filtering and people’s use of free VPNs is one of the main factors in the spread of malware. Since the end of September and the filter of Instagram and WhatsApp, people’s need to use tools to bypass these restrictions has increased; an issue that seriously threatens the security of devices in people’s hands. In the meantime, the Google Play filter has also reduced the possibility of safer access to applications, and users go to unreliable sources in cyberspace to download their desired programs.