Media Coverage

Shadowserver in the news

Chris Gibson: “If FIRST disappeared, you would need to invent another forum of incident response.”

Common Good Cyber, October 23, 2024

Chris Gibson (FIRST) in an interview with Common Good Cyber.

Our vision is to make the Internet safer through building relationships and networks of teams worldwide. These teams support, train, and mentor each other, helping new groups develop until they can maintain incident response capabilities within their own countries or regions. Our members, company teams and incident response teams worldwide rely on data. They can gather some of it themselves. Some of the more mature teams have that set up within their jurisdictions. They’re pulling feeds, but many of them rely heavily on companies like Shadowserver.

The data Shadowserver delivers, as a public service, is just fantastic. If Shadowserver disappeared, our membership’s ability to deliver safety on the internet would be significantly impacted.

Piotr Kijewski: “Replicating Shadowserver on a similar scale would probably cost tens of millions of dollars.”

Common Good Cyber, October 15, 2024

An interview with Common Good Cyber.

“We share hundreds of millions of cyber threat events daily with entities across the planet.” Shadowserver’s core mission is, at its most basic level, delivering such valuable information for free to threat defenders so that they can better secure their networks. To sustain their operations – including helping critical infrastructure and supporting multi-year law enforcement operations to actively take down threats – Piotr Kijewski, the nonprofit’s CEO, calculates that $5 million is needed yearly and admits there is no fully sustainable, guaranteed pipeline for the coming years.

Common Good Cyber is a global initiative to create sustainable funding models for the organizations and individuals working to keep the Internet safe.

87,000+ FortiOS Devices Vulnerable to Remote Code Execution Attacks

Cyber Security News, October 14, 2024

A critical security vulnerability affecting over 87,000 FortiOS devices has been discovered, leaving them exposed to potential remote code execution (RCE) attacks. The flaw, identified as CVE-2024-23113, impacts multiple versions of FortiOS, FortiProxy, FortiPAM, and FortiWeb products.

According to Shadowserver scans, approximately 87,390 IP addresses associated with potentially vulnerable Fortinet devices have been identified. The United States leads with 14,000 affected devices, followed by Japan (5,100) and India (4,800).

Securing Cyberspace: Minister Doughty speech

GOV.UK, October 9, 2024

In a world where we all live and work online, investing in cyber security and promoting responsible behaviour is an essential part of this mission, because fundamentally, and you will all know this, there is no national security, no economic security without cyber security. I wanted to highlight today and reflect on three key themes that will guide our approach as a new government.

The first of those is that partnerships are vital for success.

Secondly, I want to talk about responsible cyber behaviour. I will simply say that for the UK, this is about staying at the forefront of science and technology so we can understand threats and respond appropriately, and helping others do the same. For example, supporting cyber security nonprofit organisations like Shadowserver to share threat data.

Thirdly, I wanted to stress the importance of a whole of society approach.

That’s how we can ultimately keep our citizens safe, help our economies to flourish, protect our security and stand up for our values.

Active Exploits Target Zimbra Collaboration: Over 19K Systems Vulnerable to CVE-2024-45519

Cybersecurity News (securityonline.info), October 6, 2024

Proofpoint has issued a critical warning regarding active exploitation attempts against Synacor’s Zimbra Collaboration platform. A recently disclosed security flaw, tracked as CVE-2024-45519, has been under attack since late September 2024, prompting urgent calls for patching.

According to the Shadowserver Foundation, as of October 4, 2024, more than 19,600 unpatched Zimbra instances remain exposed to this vulnerability. Germany, the U.S., and Russia top the list of affected countries, each with over 1,500 vulnerable servers.

Common Good Cyber - Together, We Can Build A Stronger Internet

Common Good Cyber, October 1, 2024

Legions of unsung heroes work behind the scenes to secure the Internet. The Global Cyber Alliance, Cyber Threat Alliance, CyberPeace Institute, FIRST, the Global Forum on Cyber Expertise, the Institute for Security and Technology, and the Shadowserver Foundation formed the Common Good Cyber initiative together.

Help us build a stronger Internet.

Ivanti vTM flaw added to Known Exploited Vulnerabilities catalog

SC Media, September 25, 2024

A critical vulnerability in Ivanti Virtual Traffic Manager (vTM) was added to the Known Exploited Vulnerabilities (KEV) catalog by the Cybersecurity & Infrastructure Security Agency (CISA) on Tuesday.

The Shadowserver Foundation began tracking internet-exposed Ivanti vTM instances, regardless of patching status, in mid-August, and only discovered 31 exposed instances as of Aug. 17. However, they observed an exploit attempt based on the available PoC on Aug. 18, according to a post on X. As of Sept. 24, only 21 internet-exposed instances were detected, according to Shadowserver’s time series dashboard.

China's 'Earth Baxia' Spies Exploit Geoserver to Target APAC Orgs

Dark Reading, September 23, 2024

A China-linked cyber-espionage group has attacked Taiwanese government agencies, the Philippine and Japanese military, and energy companies in Vietnam, installing either the Cobalt Strike client or a custom backdoor known as EagleDoor on compromised machines.

Dubbed Earth Baxia by cybersecurity firm Trend Micro, the group primarily uses spear-phishing to compromise victims, but it has also exploited a vulnerability (CVE-2024-36401) in the open source GeoServer software used to distribute geospatial data. The GeoServer attacks appear to have started at least two months ago, with the Shadowserver Foundation noting that the attack first appeared in its logs on July 9. The Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerability (KEV) catalog on July 15.

MIL-OSI Security: Principal Deputy Assistant Attorney General David Newman Delivers Remarks at 2024 U.S. Cyber Command Legal Conference

foreignaffairs.co.nz, September 21, 2024

It deserves emphasizing that this is a team sport: Even as the operations relied on Justice Department legal process, we are often not alone in planning or executing them. We are almost always joined by a coalition of U.S. government, private sector, and foreign partners in this work.

In disrupting the GRU botnet, for example, we planned and coordinated with the Shadowserver Foundation, Microsoft, and other private sector partners. Shortly after we announced the operation, the FBI, NSA, Cyber Command, and 11 foreign partner entities released a joint cybersecurity advisory providing device owners and network defenders with valuable threat intelligence about the GRU’s relevant tactics, techniques, and procedures. Many of these same partners provided invaluable assistance in eradicating portions of the botnet within their borders.

We Spent $20 To Achieve RCE And Accidentally Became The Admins Of .MOBI

watchTowr Labs, September 11, 2024

We recently performed research that started off “well-intentioned” (or as well-intentioned as we ever are) – to make vulnerabilities in WHOIS clients and how they parse responses from WHOIS servers exploitable in the real world (i.e. without needing to MITM etc).

We hope you’ve enjoyed (and/or been terrified by) today’s post, in which we took control of a chunk of the Internet’s infrastructure, opened up a big slab of juicy attack surface, and found a neat way of undermining TLS/SSL – the fundamental protocol that allows for secure communication on the web.

We want to thank the UK’s NCSC and the ShadowServer Foundation for rapidly working with us ahead of the release of this research to ensure that the ‘dotmobiregistry.net’ domain is suitably handled going forwards, and that a process is put in place to notify affected parties.