The Shadowserver Foundation today launched its new Alliance to continue to build a safer, more secure Internet. The new Shadowserver Alliance partner program will accelerate growth and scale up delivery of no cost cybersecurity and cyber threat intelligence services to internet defender organizations and law enforcement.
The Shadowserver Foundation has launched a new dashboard with “threat data”. The dashboard provides information about honeypots, DDoS attacks, brute force attempts, sinkholes, online scans and vulnerable systems. Shadowserver collects large amounts of information about botnets, malware and other criminal networks and shares it with providers and government services, such as Computer Emergency Response Teams (CERTs). In recent years, the Shadowserver Foundation has played an important role in the take-down of several large botnets. Every day, the organization scans four billion IP addresses for possible abuse and analyzes more than 700,000 malware copies. That information is now partly shared via the dashboard. For example, it appears that in the Netherlands seven thousand infected systems connect to a “sinkhole”. Traffic from an infected machine is redirected to a server of, for example, a security company, authority or provider, in order to prevent further damage and identify infected machines. There is also an overview of vulnerable Zimbra servers. There are still about three hundred of these in the Netherlands. Via the new dashboard, which is financed with money from the British government, it is possible to follow certain trends or compare figures from countries. Shadowserver hopes the data from the dashboard can help security researchers, policy makers, journalists, computer security incident response teams (CSIRTs), and others research and raise awareness about cyber threats.
The OWASP Amass Project is a tool used by security professionals to perform network mapping of attack surfaces as well as external asset discovery. It uses several techniques that include open-source information gathering and active reconnaissance. This tool written in the Go language allows in-depth DNS, ASN numbers, and subdomain enumeration. Below is a list of the techniques and the data sources involved in information collection: DNS: FQDN Similarity-based Guessing, Brute force, Reverse DNS sweeping, Zone transfers, NSEC zone walking FQDN alterations/permutations. Routing: NetworksDB, ARIN, BGPView, IPdata, RADb, Robtex, BGPTools, ShadowServer, TeamCymru, IPinfo
In recent months, Shadowserver has been systematically rolling out IPv6 scanning of services. Blindly scanning the full IPv6 space is, of course, completely unfeasible as the total IPv6 space is about 3.4×10^38 unique addresses (that’s 340 trillion trillion trillion addresses). With Shadowserver’s current capabilities, it would take roughly 2×10^25 years to scan the entire IPv6 space. Scanning all IPv4 space, for comparison, typically takes us minutes, because there are only about 4.3 billion addresses, of which we scan 3.7 billion addresses. Large-scale IPv6 scanning is feasible. You should not assume that your IPv6 infrastructure will never be found by attackers and that you are ‘safe’. Securing and monitoring IPv6 and open IPv6 services on your network is critical, otherwise, you may be leaving gaping holes in your network that a bad actor may exploit. Unfortunately, tools for IPv6 security are not at the same level of maturity as for IPv4. Human analysts are also much less experienced/skilled in dealing with IPv6. We encourage all organizations to make sure they also focus on securing their IPv6 infrastructure, implement their own specific IPv6 monitoring program and of course, subscribe to our free daily feeds to stay alert on their IPv6 attack surface exposure.
We have an active Zimbra exploit, in the wild, with espionage and “others” trying to get into +22: vulnerable systems. Everyone using Zimbra Collaboration (ZCS) who has not recently patched is at risk. Volexity Threat Research responsibly disclosed this risk on August 10th, 2022. Zero-Day exploitation was active on the disclosure day. Shadowserver is tracking +22K exposed systems as of 2022-08-13. The Zimbra Exploit is yet another exploit to be expected. What is helpful is to have systems in place to alert you when there is an issue and help you with your customers who might be vulnerable (i.e. ISPs and Cloud Operators). Shadowserver’s Vulnerability Notifications are one of the key features of Shadowserver’s Daily Network Reports. The industry works with Shadowserver to get the word out to the thousands of networks supported by the Daily Network Reports. Volexity identified over 1,000 Zimbra Exploited instances worldwide that were already backdoored and compromised by their disclosure on August 10th. This was just the start. As shown via the Shadowserver data, 26,854 out of 33,733 (79.6%) instances exposed on the Internet on 2022-08-13 were likely vulnerable & may be compromised. ~28K is much higher than the ~1000 Volexity found. We’re in a race to get systems patched!
Your firewalls can be used as a STUN DDoS reflector to attack others on the Internet. Open UDP firewall ports for STUN (Session Traversal Utilities for NAT) are being exploited for DDoS reflection. Your network is most likely one of those networks. Shadowserver now detects 101k IPv4 and 2.9K IPv6 accessible UDP STUN services. These can be abused for reflection/amplification DDoS attacks (IPv4 amp factor around 4, IPv6 amp factor around 6). Most open UDP STUN is in US and Germany. All of these can be STUN DDoS reflectors. You can stop this, keeping DDoS miscreants from using your network and firewall for criminal gain. Turning off UDP STUN or applying ACLs on the UDP STUN ports will prevent STUN DDoS reflector abuse. As described on Wikipedia, STUN is a standardized set of methods, including a network protocol, for traversal of network address translator (NAT) gateways in applications of real-time voice, video, messaging, and other interactive communications. Most firewall devices have the STUN UDP ports open.
The US Cybersecurity and Infrastructure Security Agency (CISA) informed organizations on Thursday that a recently patched vulnerability affecting the Zimbra enterprise email solution has been exploited in attacks. The security hole, tracked as CVE-2022-27924 and described as a Memcache injection issue, allows an unauthenticated attacker to steal cleartext credentials from a targeted Zimbra instance without any user interaction. An attacker can leverage the compromised credentials to access the victim’s emails, from where they could escalate their access within the targeted organization and obtain sensitive information. Access to mailboxes can also allow the attacker to impersonate users and spy on victims.
Some members of the cybersecurity community are likely not surprised that the flaw is being exploited in attacks. The Shadowserver Foundation issued a warning on June 14, when it reported seeing roughly 30,000 Zimbra instances that may have been vulnerable to attacks, including thousands in the United States.
Cybersecurity organizations warn that a recently patched vulnerability in the Questions for Confluence application is already being exploited in attacks. Questions for Confluence is an application designed to help Confluence users obtain information, share information with others, and to seek counsel from experts when necessary. Tracked as CVE-2022-26138 and considered ‘critical severity’, the issue exists because, when enabled on Confluence Server and Data Center, the Questions for Confluence application creates a user account with a hardcoded password. Atlassian released patches for this issue a week ago, warning that “a remote, unauthenticated attacker with knowledge of the hardcoded password could exploit this to log into Confluence and access any pages the confluence-users group has access to.” Days after fixes were rolled out, the company updated its advisory to warn that someone had made public the hardcoded password, urging organizations to update their deployments as soon as possible. “This issue is likely to be exploited in the wild now that the hardcoded password is publicly known. This vulnerability should be remediated on affected systems immediately,” Atlassian said. Shadowserver observed in-the-wild exploitation of the security flaw.
As part of our continuing mission to reduce cybersecurity risk across U.S. critical infrastructure partners and state, local, tribal, and territorial governments, CISA has compiled a list of free cybersecurity tools and services to help organizations further advance their security capabilities. This living repository includes cybersecurity services provided by CISA, widely used open source tools, and free tools and services offered by private and public sector organizations across the cybersecurity community. CISA will implement a process for organizations to submit additional free tools and services for inclusion on this list in the future. After making progress on the measures above, organizations can use the free services and tools listed below to mature their cybersecurity risk management. These resources are categorized according to the four goals outlined in CISA Insights: Implement Cybersecurity Measures Now to Protect Against Critical Threats:
Reducing the Likelihood of a Damaging Cyber Incident: Shadowserver – A subscription service that sends custom remediation reports to inform organizations about the state of its networks and security exposures.
In a recent article by Shadowserver foundation – they found that over 3.6 million MySQL servers were accessible world wide. We were surprised by the large number and are pretty certain no one did this on purpose. Our team built a tool, so they could test to see if their databases were public. In this video we talk about: -Why people use open ports -What risks open ports introduce -The pros and cons of how to mitigate those risks -How you can can use