Media Coverage

Activity from IP addresses in Ukraine and Russia has shown a substantial spike in malware, helping botnets spread since 2022. The data comes from security researchers at Top10VPN, who share a report about the findings ahead of publication.

The company’s investigation is based on data from sinkholes and honeypots operated by The Shadowserver Foundation, an internet security non-governmental organization (NGO).

Amid a year that’s highlighted the need for cross-border, multilateral, and public-private work on technology and security issues, the Aspen Digital program announces the launch of the Global Cybersecurity Group. The forum held its first meeting last week in Prague, Czech Republic.

The group was announced this morning at the kick-off of the seventh annual Aspen Cyber Summit in New York City, where guests will hear from top officials from the NSA, CIA, FBI, Treasury Department, Pentagon, FTC, DHS, White House, and more.

Chaired by European Parliament Member Marina Kaljurand of Estonia; Singapore’s Cyber Security Agency CEO, David Koh; and US-based Rapid7 President & CEO Corey Thomas, the Global Group will address pressing international cybersecurity challenges.

The Global Group consists of a broad and varied collective of approximately 40 leaders pulled from allied and like-minded nations around the world who share a commitment to preserving peace and freedom online. Members include current and former government representatives, industry leaders and tech executives, and academics and civil society thinkers:

• Shadowserver’s Law Enforcement Liaison, Stew Garrick of the UK

Zero trust is a trending security paradigm being adopted by some of the world’s biggest and technically advanced organizations, including Google, Microsoft and Amazon Web Services (AWS). The technology finds its fit in virtually every technology platform and infrastructure, and Kubernetes is no exception. The Kubernetes community has been actively discussing zero trust for several years as a vital component of an end-to-end encryption strategy. Service mesh providers are promoting essential practices (such as mTLS and certificate key rotation) to make it easier to implement zero-trust architectures. As a result, organizations today are working towards implementing robust zero trust in applications at scale. While Kubernetes is a powerful solution for IT organizations to deliver their software efficiently and at scale, it is not without its security challenges and vulnerabilities. For one, Kubernetes is a relatively new system, which makes it attractive prey for cyberattackers. This is compounded by its operating model’s dynamic nature, which can easily leave room for bad actors to infiltrate if proper security measures are not taken. According to a recent report by the Shadowserver Foundation, 380,000 open Kubernetes API servers were found exposed on the internet this year alone. While these servers were only identified as exposed and not attacked, the figures indicate the severity of the vulnerability and its potential danger to API servers.

There have been many attacks on Fortinet’s newly patched vulnerabilities. At the same time, the company first notified specific users to update the mitigation, but the news spread out and attracted attention. What is more noteworthy is that the Shadowserver Foundation recently released a report stating that more than 17,000 Fortinet devices are exposed to the Internet and should be patched.

In August 2021, researchers from the University of Maryland and the University of Colorado Boulder published an award-winning paper detailing a potential DDoS attack vector that takes advantage of flaws within the middleboxes of TCP protocols and can be abused to launch massive Distributed Denial of Service (DDoS) attacks. In March 2022, security researchers at Akamai Security Operations Command Center detected and analysed a series of TCP reflection attacks, peaking at 11Gbps at 1.5 million packets per second (Mpps). Upon examining the TCP packets used in the attack, they realized the attackers were leveraging the technique outlined in the above paper, which they termed TCP Middlebox Reflection attack. In this attack, the attacker abuses vulnerable firewalls and content filtering systems to reflect and amplify TCP traffic to a victim’s machine, creating a powerful DDoS attack. A middlebox is a computer networking device that transforms, inspects, filters, and manipulates traffic for purposes other than packet forwarding. Firewalls, NAT devices, load balancers, and deep packet inspection (DPI) devices are common examples of middleboxes. The researchers who first detailed the attack described two methods to detect potentially vulnerable middleboxes. Using these scanning methods, Shadowserver researchers found that more than 18.8 million IPs are vulnerable to Middlebox TCP Reflection DDoS attacks, which can also be leveraged to launch TCP-based DDoS Reflection attacks. You can get check if any of your IPs are on this list by subscribing to the Shadowserver ‘Vulnerable DDoS Middlebox Report’.

Fortinet is urging customers to address the recently discovered CVE-2022-40684 zero-day vulnerability. Unfortunately, the number of devices that have yet to be patched is still high. The company urges customers of addressing this critical vulnerability immediately due to the risk of remote exploitation of the flaw. The Shadowserver Foundation reported that more than 17K Fortinet devices exposed online are vulnerable to attacks exploiting the CVE-2022-40684 flaw, most of them in Germany and in the US. Users can track CVE-2022-40684 exploitation activity on the Dashboard provided by the organization.

Fortinet is concerned that many of its customers’ devices are still unprotected against attacks exploiting the recently disclosed zero-day vulnerability and the company has urged them to take action. Fortinet was initially aware of a single instance where the vulnerability tracked as CVE-2022-40684 had been exploited. However, now that technical details and proof-of-concept (PoC) exploits are publicly available, the security hole is being increasingly targeted. The cybersecurity company has released patches and workarounds for the vulnerability, as well as indicators of compromise (IoCs) that can be used to detect signs of an attack. The Shadowserver Foundation reported on Friday that it had seen more than 17,000 internet-exposed devices vulnerable to attacks involving CVE-2022-40684, including thousands in the United States and India. Shadowserver has seen exploitation attempts coming from more than 180 IPs.

Researchers from Shadowserver recommended isolating servers to reduce attacks, saying that millions of MySQL website database servers are vulnerable. Then the researchers from Volexity said that the attackers exploited the vulnerabilities of the Zimbra servers, which, combined, have already helped to hack more than a thousand servers.

The Ministry of Information and Communication Technologies (Mitic), makes a new alert service available to State Organizations and Entities. This is the “Proactive Cybersecurity Report”, which consists of sending notices regarding security problems in systems or digital assets. Through the Cyber ​​Incident Response Center (CERT-PY), Mitic enabled this new cybersecurity reporting service for public institutions, so that they are immediately aware and apply corrective measures in a timely manner. How does it work? The CERT-PY receives a large volume of free and public cybersecurity threat intelligence information (threat intelligence feeds) daily, which can be identified through patterns, from various sources, such as Shadowserver, OAS CsirtAmericas, other CSIRTs, among others. This data set includes information on signs of compromise and attacks (IoC / IoA) and vulnerabilities, misconfigurations and/or exposures involving Paraguayan IPs and/or domains. These types of clues are detected in a variety of ways and shared across organizations around the world with national CSIRTs, including CERT-PY. These reports are automatically received and sent by CERT-PY through its Incident Management System, on a daily basis to each subscribed organization, which only receives reports about events involving its own range of IPs and domains that were declared.