Media Coverage

Shadowserver in the news

381,000-plus Kubernetes API servers 'exposed to internet'

The Register, May 23, 2022

A large number of servers running the Kubernetes API have been left exposed to the internet, which is not great: they’re potentially vulnerable to abuse. Nonprofit security organization The Shadowserver Foundation recently scanned 454,729 systems hosting the popular open-source platform for managing and orchestrating containers, finding that more than 381,645 – or about 84 percent – are accessible via the internet to varying degrees thus providing a cracked door into a corporate network. “While this does not mean that these instances are fully open or vulnerable to an attack, it is likely that this level of access was not intended and these instances are an unnecessarily exposed attack surface,” Shadowserver’s team stressed in a write-up. “They also allow for information leakage on version and build.”
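The “exposed to varying degrees” and “information leakage on version and build” findings above are easy to reproduce for a single host. The following Python triage script is an added example, not code from Shadowserver or from the article: it classifies an internet-reachable API server by what its unauthenticated endpoints return. It relies on two facts about Kubernetes: `/version` is served to anonymous callers by the default `system:public-info-viewer` ClusterRole, while `/api/v1` normally requires authentication. The sample responses, hostnames and build strings are constructed for the example; the `probe()` function performs a live request and is not exercised offline.

```python
"""Triage an internet-reachable Kubernetes API server by what its
unauthenticated endpoints return. Added example; sample data is constructed."""
import json
import ssl
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Dict, Optional

# Paths probed. /version is readable anonymously under default RBAC
# (system:public-info-viewer); /api/v1 normally is not.
PROBE_PATHS = ("/version", "/api/v1")


@dataclass
class Response:
    status: int        # HTTP status; 0 means no HTTP answer (refused/timeout)
    body: str = ""


def parse_version(body: str) -> Optional[Dict[str, str]]:
    """Extract build details from a /version reply; None if it is not one."""
    try:
        doc = json.loads(body)
    except ValueError:
        return None
    if not isinstance(doc, dict) or "gitVersion" not in doc:
        return None
    keys = ("gitVersion", "gitCommit", "platform", "goVersion")
    return {k: str(doc.get(k, "")) for k in keys}


def classify(responses: Dict[str, Response]) -> Dict[str, object]:
    """Map raw probe results to an exposure level.

    not-reachable : no HTTP answer from either endpoint
    auth-required : API answers but rejects anonymous reads everywhere
    version-leak  : /version served anonymously (build info disclosed)
    open-read     : /api/v1 readable anonymously (unauthenticated API access)
    """
    ver = responses.get("/version", Response(0))
    api = responses.get("/api/v1", Response(0))
    if ver.status == 0 and api.status == 0:
        return {"level": "not-reachable", "version": None}
    version = parse_version(ver.body) if ver.status == 200 else None
    if api.status == 200:
        return {"level": "open-read", "version": version}
    if version is not None:
        return {"level": "version-leak", "version": version}
    return {"level": "auth-required", "version": None}


def probe(host: str, port: int = 6443, timeout: float = 5.0) -> Dict[str, Response]:
    """Live probe (network access needed; not run offline). API servers usually
    present self-signed certificates, so verification is disabled for the
    probe only; never reuse this context for anything that carries credentials."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    out: Dict[str, Response] = {}
    for path in PROBE_PATHS:
        url = f"https://{host}:{port}{path}"
        try:
            with urllib.request.urlopen(url, timeout=timeout, context=ctx) as r:
                out[path] = Response(r.status, r.read().decode("utf-8", "replace"))
        except urllib.error.HTTPError as e:
            out[path] = Response(e.code, e.read().decode("utf-8", "replace"))
        except (urllib.error.URLError, OSError):
            out[path] = Response(0)
    return out


# Constructed sample: what a default-RBAC cluster typically returns to an
# anonymous client. Status codes match Kubernetes behaviour; the build
# strings and commit hash are made up for this example.
SAMPLE_VERSION_LEAK = {
    "/version": Response(200, json.dumps({
        "major": "1", "minor": "24", "gitVersion": "v1.24.0",
        "gitCommit": "0000000000000000000000000000000000000000",
        "platform": "linux/amd64", "goVersion": "go1.18.1"})),
    "/api/v1": Response(403, '{"kind":"Status","status":"Failure","code":403}'),
}

if __name__ == "__main__":
    print(classify(SAMPLE_VERSION_LEAK))
```

The “version-leak” outcome is the common case the write-up describes: the cluster is not open to anonymous reads, but it still tells anyone on the internet exactly which build it runs, which is what an attacker needs to pick an applicable vulnerability. The fix is to keep the API server off the public internet (or behind an allow-list), not to remove the role binding, since kubelets and load balancers rely on those endpoints.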

Researchers, NSA cybersecurity director warn of hackers targeting Zyxel vulnerability

The Record, May 17, 2022

A widespread, critical vulnerability affecting Zyxel firewalls is being exploited by hackers, according to several researchers and the director of cybersecurity for the NSA. Cybersecurity nonprofit Shadowserver Foundation said it began seeing exploitation attempts starting on May 13. CVE-2022-30525 was first discovered by cybersecurity firm Rapid7 and the firewalls affected by the vulnerability are sold to both small companies and corporate headquarters. The tools are used for VPN solutions, SSL inspection, web filtering, intrusion protection, and email security. The vulnerability allows attackers to modify specific files and then execute some OS commands on a vulnerable device. It has a CVSS v3 score of 9.8 — indicating a high severity — and affects Zyxel firewalls supporting Zero Touch Provisioning (ZTP), which includes the ATP series, VPN series, and the USG FLEX series.

Nasty Zyxel remote execution bug is being exploited

ZDNet, May 15, 2022

At the end of last week, Rapid7 disclosed a nasty bug in Zyxel firewalls that could allow for an unauthenticated remote attacker to execute code as the nobody user. At the time, Rapid7 said there were 15,000 affected models on the internet that Shodan had found. However, over the weekend, Shadowserver Foundation has boosted that number to over 20,800. The Foundation also said it had seen exploitation kick off on May 13, and urged users to patch immediately.

Hackers are exploiting critical bug in Zyxel firewalls and VPNs

Bleeping Computer, May 15, 2022

Hackers have started to exploit a recently patched critical vulnerability, tracked as CVE-2022-30525, that affects Zyxel firewall and VPN devices for businesses. Successful exploitation allows a remote attacker to inject arbitrary commands remotely without authentication, which can enable setting up a reverse shell. The severity of the security issue and the damage it could lead to is serious enough for the NSA Cybersecurity Director Rob Joyce to warn users about exploitation and encourage them to update the device firmware version if it is vulnerable. Starting Friday the 13th, security experts at the nonprofit Shadowserver Foundation reported seeing exploitation attempts for CVE-2022-30525. It is unclear if these efforts are malicious or just researchers working to map up Zyxel devices currently exposed to adversary attacks. Given the severity of the vulnerability and the popularity of the devices, security researchers have released code that should help administrators detect the security flaw and exploitation attempts.

‘A nerd’s gotta do what a nerd’s gotta do:’ Why Craig Newmark is funding a cyber civil defense

The Record, April 20, 2022

Craig Newmark is the first to admit that he’s no cybersecurity expert. But that didn’t stop the Craigslist founder and major philanthropist from announcing last week that Craig Newmark Philanthropies would offer more than $50 million in grants to build what he calls a “cyber civil defense.” Aspen Digital, a program run by the Aspen Institute, will manage it. Grants will go to organizations like the Ransomware Task Force at the Institute for Security Technology, the Global Cyber Alliance and even Consumer Reports, which Newmark says will create “cybersecurity nutrition labels” to, among other things, disclose security metrics on any smart device, be it a thermostat or a car. The everyday threat of cyberattacks is very real for Americans. The last five years alone have seen a dramatic uptick in cyber and ransomware attacks, with threat actors not just going after military targets, but exploiting vulnerabilities in anything from baby cameras to major oil pipelines. “We’ve been attacked on our own soil in ways that have never happened before,” Newmark told the Click Here podcast team in an interview. “I wish I had the skills to participate,” he added, “but it seems like my role is to help out the people who can really help defend our country and democracy overall.”

Craig Newmark Philanthropies commits $50 million for cybersecurity

Philanthropy News Digest, April 13, 2022

Craig Newmark Philanthropies (CNP) has announced a commitment of more than $50 million in support of a broad coalition of organizations dedicated to educating and protecting Americans amid escalating cybersecurity threats. The grants from the charitable network of craigslist founder Craig Newmark will focus on building the civic infrastructure, policy frameworks, and digital tools necessary to support what Newmark calls a “cyber civil defense” effort to bolster American national and global security in the face of new threats. To that end, the funding will support efforts to raise public awareness of threats and online security choices, in addition to the creation of online tools and digital infrastructure that help secure the country’s networks. The effort also will include programming aimed at developing a diverse, inclusive, and equitable workforce capable of meeting the technical challenges ahead.

Some telecoms kit settings can make a DDoS attack 4 billion times worse if not switched off

Mobile Europe, March 10, 2022

Badly prepared telecoms equipment has created an opportunity for cyber criminals to mount denial of service (DoS) attacks on mobile operators that are 4 billion times worse than anything else that’s gone before, say researchers. The revelation, reported in Arstechnica, comes just as state sponsored cyber warfare is booming, in the wake of the conflict in Ukraine. Distributed denial of service (DDoS) attacks are a popular form of DoS because they need minimal bandwidth and computing power. The effect of each small unit of data overload is amplified by the number of units it replicates on. Rather than having to marshal huge amounts of bandwidth and computing power, the DDoSer locates servers on the Internet that will do it for them.

In-the-wild DDoS attack can be launched from a single packet to create terabytes of traffic

ZDNet, March 8, 2022

A test mode that shouldn’t be exposed to the internet from a PBX-to-internet gateway is responsible for an amplification ratio of 4,294,967,296 to 1. Security researchers from Akamai, Cloudflare, Lumen Black Lotus Labs, Mitel, Netscout, Team Cymru, Telus, and The Shadowserver Foundation have disclosed denial-of-service attacks with an amplification ratio that surpasses 4 billion to one that can be launched from a single packet. Dubbed CVE-2022-26143, the flaw resides in around 2,600 incorrectly provisioned Mitel MiCollab and MiVoice Business Express systems that act as PBX-to-internet gateways and have a test mode that should not be exposed to the internet.

CVE-2022-26143: TP240PhoneHome Reflection/Amplification DDoS Attack Vector

Akamai, March 8, 2022

A new reflection/amplification DDoS vector with a record-breaking potential amplification ratio of 4,294,967,296:1 has been abused by attackers in the wild to launch multiple high-impact DDoS attacks. Security researchers, network operators, and security vendors observed these attacks and formed a task force to investigate the new DDoS vector and provide mitigation guidance. Attacks have been observed on broadband access ISPs, financial institutions, logistics companies, gaming companies, and organizations in other vertical markets.

Security organisations form Nonprofit Cyber coalition

Computer Weekly, February 24, 2022

A group of implementation-focused cyber nonprofits have joined forces to create an umbrella coalition that will work to develop, share, deploy and increase awareness of security best practice, tools, standards and services. It will initially focus on two priorities – building awareness of cyber nonprofits, and aligning the work of its 22 founding members, all of which must hold nonprofit status under US law or their home country equivalents. “Our goal with Nonprofit Cyber is to collaboratively align our individual strengths into a collective force for good, taking positive action for the entire cyber ecosystem.”