Media Coverage

Shadowserver in the news

Global Cyber-Enforcement Op Nets $130M, Says Interpol

DarkReading, November 28, 2022

A worldwide operation aimed at curtailing fraud has led to the arrest of 975 suspects and the seizure of nearly $130 million, as Interpol expands its efforts and brings new tools to its investigations. Interpol’s National Central Bureaus (NCBs) collaborated with local authorities to pursue arrests. Interpol announced that the linked investigations, dubbed Operation Haechi III, tracked cyber-enabled financial crimes and money laundering in 30 countries. The investigations, which took place between June 28 and Nov. 23, intercepted money transfers and virtual assets, leading to the arrest of 975 suspects in the last five months. Interpol, along with Afripol, also announced an Africa-centric effort — the Africa Cyber Surge Operation — involving 27 countries collaborating over the past four months. The efforts resulted in the takedown of a dark market in Eritrea, investigations into cryptocurrency scams in Cameroon, and the arrest of the operators of malicious cyber infrastructure used for botnets, phishing campaigns, and online extortion. In addition to national governments, Interpol credited private-sector partners with helping out, including British Telecom, the Cyber Defense Institute, Fortinet’s FortiGuard Labs, Group-IB, Kaspersky, Palo Alto Networks’ Unit 42 team, Shadowserver, and Trend Micro.

Crackdown on African Cybercrime Leads to Arrests, Infrastructure Takedown

Security Week, November 28, 2022

Interpol on Friday announced the arrest of ten individuals suspected of participation in $800,000 scam and fraud operations with global impact. The arrests were made as part of a four-month effort (July to November 2022) called ‘Africa Cyber Surge Operation’ and focused on countering cybercrime across Africa. According to Interpol, law enforcement from 27 countries joined the operation. Law enforcement agencies took action against over 200,000 pieces of malicious cyber infrastructure facilitating cybercrime across the continent, including botnets, phishing, spam, and online extortion activities. The operation received support from multiple private cybersecurity firms, including British Telecom, Cyber Defense Institute, Fortinet, Group-IB, Kaspersky, Palo Alto Networks, Shadowserver, and Trend Micro.

African Police Bust $800K Fraud Schemes

InfoSecurity, November 28, 2022

Police in Africa have arrested 10 people connected to global fraud worth an estimated $800,000, after a four-month operation, Interpol has revealed. The global policing organization said that 27 countries joined the Africa Cyber Surge Operation, which ran from July to November. Coordinated from the Interpol Command Centre in Kigali, Rwanda, the operation focused on tackling the enablers of cybercrime, Interpol said. As such, police took action against 200,000 pieces of “malicious cyber infrastructure” across the region, including botnet-linked technology used to run mass phishing, spam and online extortion campaigns. Collaboration was key to the success of the Africa Cyber Surge Operation. Interpol worked with its local equivalent Afripol; private sector security vendors including Trend Micro, Fortinet, Group-IB and Kaspersky; local ISPs and Computer Emergency Response Teams (CERTs); hosting providers; and other players like the non-profit Shadowserver Foundation. Eighteen of the participating countries have CERTs and, crucially, police have now put in place agreements to formalize response work for the future, according to Interpol. Many countries were participating for the first time in such an operation. The operation was sandwiched between a two-week training course in Kigali, in which participants learned about cryptocurrency and cybercrime investigations, and a debrief in Mauritius in November. “The Cyber Surge activities have also led to newly introduced legislative protocols and the establishment of a series of cybercrime departments in member countries, which will further contribute to reducing the impact of cybercrime and protecting communities in the region,” Interpol explained.

Operation across Africa identifies cyber-criminals and at-risk online infrastructure

INTERPOL, November 25, 2022

Coordinated from an INTERPOL Command Centre in Kigali, Rwanda, the operation focused on removing the enablers of cybercrime. Among the operational highlights: 11 individuals were arrested, with one suspect linked to the abuse of children, and 10 others linked to scam and fraud activities worth USD 800,000 which had an impact on victims globally. Authorities in Eritrea took down a Darknet Market that was selling hacking tools and cybercrime-as-a-service components. Multiple cryptocurrency scam cases were resolved in Cameroon, including one with an estimated financial impact upon the victim of more than CFA 8 million. Tanzania recovered more than USD 150,000 of victims’ money from data infringement and copyright cases. Action was taken against more than 200,000 pieces of malicious cyber infrastructure which facilitate cybercrime across the African Region. This included the takedown and clean-up of malicious infrastructure linked to botnet activity, and the dissemination of mass phishing, spam and online extortion activities (e.g. romance scams, banking scams and theft of data) to potential victims. Participating countries were able to improve their own national cyber security by patching network vulnerabilities and cleaning-up defaced government websites and securing vulnerable critical infrastructure, thereby reducing the risk of potentially catastrophic attacks. Investigations were shaped by intelligence provided by INTERPOL’s private sector partners including British Telecom, Cyber Defense Institute, Fortinet’s FortiGuard Labs, Group-IB, Kaspersky, Unit 42-Palo Alto Networks, Shadowserver and Trend Micro.

Botnets, Trojans, DDoS From Ukraine and Russia Have Increased Since Invasion

Info Security, November 16, 2022

Activity from IP addresses in Ukraine and Russia has shown a substantial spike in malware, helping botnets spread since 2022. The data comes from security researchers at Top10VPN, who shared a report about the findings ahead of publication.

The company’s investigation is based on data from sinkholes and honeypots operated by The Shadowserver Foundation, an internet security non-governmental organization (NGO).

Aspen Institute Launches Group to Address Pressing Global Cybersecurity Challenges

Aspen Institute, November 16, 2022

Amid a year that’s highlighted the need for cross-border, multilateral, and public-private work on technology and security issues, the Aspen Digital program announces the launch of the Global Cybersecurity Group. The forum held its first meeting last week in Prague, Czech Republic.

The group was announced this morning at the kick-off of the seventh annual Aspen Cyber Summit in New York City, where guests will hear from top officials from the NSA, CIA, FBI, Treasury Department, Pentagon, FTC, DHS, White House, and more.

Chaired by European Parliament Member Marina Kaljurand of Estonia; Singapore’s Cyber Security Agency CEO, David Koh; and US-based Rapid7 President & CEO Corey Thomas, the Global Group will address pressing international cybersecurity challenges.

The Global Group consists of a broad and varied collective of approximately 40 leaders pulled from allied and like-minded nations around the world who share a commitment to preserving peace and freedom online. Members include current and former government representatives, industry leaders and tech executives, and academics and civil society thinkers:

  • Shadowserver’s Law Enforcement Liaison, Stew Garrick of the UK

Why Kubernetes security challenges call for a zero-trust strategy

Venture Beat, November 15, 2022

Zero trust is a trending security paradigm being adopted by some of the world’s biggest and technically advanced organizations, including Google, Microsoft and Amazon Web Services (AWS). The technology finds its fit in virtually every technology platform and infrastructure, and Kubernetes is no exception. The Kubernetes community has been actively discussing zero trust for several years as a vital component of an end-to-end encryption strategy. Service mesh providers are promoting essential practices (such as mTLS and certificate key rotation) to make it easier to implement zero-trust architectures. As a result, organizations today are working towards implementing robust zero trust in applications at scale. While Kubernetes is a powerful solution for IT organizations to deliver their software efficiently and at scale, it is not without its security challenges and vulnerabilities. For one, Kubernetes is a relatively new system, which makes it attractive prey for cyberattackers. This is compounded by its operating model’s dynamic nature, which can easily leave room for bad actors to infiltrate if proper security measures are not taken. According to a recent report by the Shadowserver Foundation, 380,000 open Kubernetes API servers were found exposed on the internet this year alone. While these servers were only identified as exposed and not attacked, the figures indicate the severity of the vulnerability and its potential danger to API servers.

Shadowserver: Get free access to timely, critical Internet security data

Help Net Security, October 24, 2022

The Shadowserver Foundation fulfills a unique role in the cybersecurity ecosystem by supplying vital security information to Internet defenders and law enforcement at no cost. In this Help Net Security video, Piotr Kijewski, CEO at The Shadowserver Foundation, talks about what they do and offers insight into their track record of delivering high-quality, actionable cyber threat intelligence for over 15 years. Shadowserver supports over 7000 organizations worldwide as a trusted, neutral third party – including 201 National CSIRTs across 175 countries & territories.

Fortinet’s newly patched vulnerabilities have come under multiple attacks; more than 17,000 Fortinet devices may be exposed, and Taiwan's 635 devices rank third in the world

iThome Taiwan, October 20, 2022

There have been many attacks on Fortinet’s newly patched vulnerabilities. At the same time, the company initially notified only specific customers to apply the mitigation, but the news spread and attracted attention. What is more noteworthy is that the Shadowserver Foundation recently released a report stating that more than 17,000 Fortinet devices are exposed to the Internet and should be patched.

A new DDoS attack vector: TCP Middlebox Reflection

APNIC, October 18, 2022

In August 2021, researchers from the University of Maryland and the University of Colorado Boulder published an award-winning paper detailing a potential DDoS attack vector that takes advantage of flaws within the middleboxes of TCP protocols and can be abused to launch massive Distributed Denial of Service (DDoS) attacks. In March 2022, security researchers at Akamai Security Operations Command Center detected and analysed a series of TCP reflection attacks, peaking at 11Gbps at 1.5 million packets per second (Mpps). Upon examining the TCP packets used in the attack, they realized the attackers were leveraging the technique outlined in the above paper, which they termed TCP Middlebox Reflection attack. In this attack, the attacker abuses vulnerable firewalls and content filtering systems to reflect and amplify TCP traffic to a victim’s machine, creating a powerful DDoS attack. A middlebox is a computer networking device that transforms, inspects, filters, and manipulates traffic for purposes other than packet forwarding. Firewalls, NAT devices, load balancers, and deep packet inspection (DPI) devices are common examples of middleboxes. The researchers who first detailed the attack described two methods to detect potentially vulnerable middleboxes. Using these scanning methods, Shadowserver researchers found that more than 18.8 million IPs are vulnerable to Middlebox TCP Reflection DDoS attacks, which can also be leveraged to launch TCP-based DDoS Reflection attacks. You can check if any of your IPs are on this list by subscribing to the Shadowserver ‘Vulnerable DDoS Middlebox Report’.