Media Coverage

Hackers are believed to be exploiting recently fixed SimpleHelp Remote Monitoring and Management (RMM) software vulnerabilities to gain initial access to target networks. The flaws, tracked as CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728, allow threat actors to download and upload files on devices and escalate privileges to administrative levels.

Threat monitoring platform Shadowserver Foundation reported they see 580 vulnerable instances exposed online, most (345) located in the United States.

As of January 22, 2025, nearly 50,000 Fortinet firewall devices remain exposed to a critical zero-day vulnerability despite urgent warnings and available patches. CVE-2024-55591 is an authentication bypass vulnerability in Fortinet’s FortiOS and FortiProxy products.

Data from the Shadowserver Foundation reveals that over 50,000 devices remain unpatched as of January 21, with significant concentrations in Asia (20,687), North America (12,866), and Europe (7,401).

The vulnerability is a critical stack-based buffer overflow with a CVSS score of 9.0 that allows unauthenticated remote code execution. It affects multiple Ivanti products, including Connect Secure versions.

Shadowserver observed that 2,048 instances worldwide are vulnerable. The vulnerability tracked as CVE-2025-0282, has been actively exploited since mid-December 2024.

In February 2024, representatives from States, international organisations, private industry, academia, and civil society came together to consider the challenges posed by the proliferation and irresponsible use of commercial cyber intrusion capabilities (CCICs) and launched the Pall Mall Process. In August 2024, the Pall Mall Process launched a consultation on good practices through which to tackle this shared threat. This report summarises responses to the Pall Mall Process consultation into good practices, including examples, recommendations and concerns raised by participants in written responses and through virtual workshops.

Civil society and academia represented: Shadowserver Foundation

Put simply – we have been hijacking backdoors (that were reliant on now abandoned infrastructure and/or expired domains) that themselves existed inside backdoors, and have since been watching the results flood in. This hijacking allowed us to track compromised hosts as they ‘reported in’, and theoretically gave us the power to commandeer and control these compromised hosts. Over 4000 unique and live backdoors later…

For the same reasons that both this research and the .MOBI research came to exist, we would be guilty of the exact same careless disposal of infrastructure if we were to let these domains expire as their previous owners did. We’re incredibly grateful for the support of The Shadowserver Foundation, who have agreed yet again to save us from our own adventures and to take ownership of the domains implicated in this research and sinkhole them.

The Cybersecurity and Infrastructure Security Agency (CISA) and Office of the National Cyber Director (ONCD) published Playbook for Strengthening Cybersecurity in Federal Grant Programs for Critical Infrastructure to enable grant-making agencies to incorporate cybersecurity into their grant programs, and to enable grant-recipients to build cyber resilience into their grant-funded infrastructure projects.

The guide includes a comprehensive list of cybersecurity resources available to support grant recipient project execution. Shadowserver is included in the Advisory Support/Technical Assistance Service section in the Protect category.

Europol has supported the dismantling of a sophisticated criminal network responsible for facilitating large-scale online fraud. In an operation led by the Hanover Police Department (Polizeidirektion Hannover) and the Verden Public Prosecutor’s Office (Staatsanwaltschaft Verden) in Germany, and supported by law enforcement authorities across Europe, over 50 servers were seized, significant digital evidence was secured, and two key suspects were placed in pretrial detention.

The UK Government published its 2023 to 2024 annual report on the Conflict, Stability and Security Fund (CSSF), a cross-government Fund, that acted as a catalyst for a more integrated government response to tackling conflict, insecurity and instability.

The section on ‘Transnational Threats: Cyber’ highlights the Shadowserver Foundation’s project work funded through the CSSF Indo-Pacific Cyber Programme – ‘Improving Threat Data for Indonesia, Malaysia, the Philippines and Thailand’. This project improved the quality of free daily cyber threat intelligence provided to national telecoms and cyber security incident response teams. In early 2024, a significant and new malware vulnerability was identified in the region, released by a Chinese state actor. Shadowserver quickly responded by detecting and reporting on the exposed networks and devices, alerting cyber response teams, network owners and media. New scanning techniques were developed to determine whether exposed devices were vulnerable and reported through existing mechanisms. Through CSSF funding, Shadowserver helped multiple governments and users in the Indo-Pacific and across the world, including the UK, to help identify and reduce vulnerabilities to a new cyber threat.

On Wednesday, December 4, 2024, law enforcement authorities dismantled key structures of an extensive network for committing cybercrime during a coordinated operation. In close collaboration with Europol and police forces across Europe, the Lower Saxony prosecution authorities shut down over 50 servers, secured extensive digital evidence, and placed two suspects in pretrial detention.

The operation involved police authorities from the Netherlands, Finland, Austria, Czech Republic, Poland, and Norway, as well as Europol task forces, alongside the Verden Public Prosecutor’s Office and Hanover Police Directorate. The investigative authorities were also supported by the nonprofit organization The Shadow Server Foundation.

In this Help Net Security interview, Piotr Kijewski, CEO of The Shadowserver Foundation, discusses the organization’s mission to enhance internet security by exposing vulnerabilities, malicious activity, and emerging threats. Kijewski explains the foundation’s automated efforts to track and disrupt cybercrime.

By providing actionable intelligence we help equip CSIRTs and network defenders worldwide with the information needed to secure their networks and/or constituencies. We also provide free technical support to law enforcement cybercrime disruption operations. We provide cybersecurity capacity building services around the world (typically funded through various grants, such as from the UK Foreign, Commonwealth and Development Office – FCDO) in areas of threat detection, cyber threat intelligence and incident response.

Shadowserver’s free daily network reports help provide organizations with a baseline of timely, actionable and often unique cyber threat intelligence – even for those organizations without big budgets.