Media Coverage

Shadowserver in the news

Nonprofits, Activate! Orgs Team Up to Tackle Cybersecurity Threats

PC Mag UK, February 23, 2022

A coalition of nonprofit orgs have joined forces to create Nonprofit Cyber to build awareness of the cybersecurity work they’re doing and team up where it makes sense. Nonprofit Cyber’s 22 founding members say they won’t focus on lobbying, policy development, advocacy organizations, or industry associations. But the group earned a thumbs up from Jen Easterly, director of the US Cybersecurity and Infrastructure Security Agency (CISA). The group is a mix of technologically focused groups, training providers, and threat intelligence platforms.


Shadowserver Starts Conducting Daily Scans to Help Secure ICS

Security Week, February 23, 2022

The Shadowserver Foundation this week announced that it has started conducting daily internet scans in an effort to identify exposed industrial control systems (ICS) and help organizations reduce their exposure to attacks. The nonprofit cybersecurity organization is scanning the web for exposed services that use the Modbus industrial communications protocol on TCP port 502, but Shadowserver’s Piotr Kijewski told SecurityWeek that they plan on introducing many other ICS and operational technology (OT) protocol scans in the near future. The first daily ICS scan conducted by Shadowserver revealed more than 6,300 unique IP addresses corresponding to exposed Modbus services. A majority are associated with Siemens products, followed by ABB, AB Regin, Schneider Electric’s Telemecanique, Solare Datensysteme, Invensys, Delta Electronics, Huawei, Rockwell Automation (Allen Bradley), Alpes Technologies, SE-Elektronic, COPA-DATA, WEG, and Synchronic.

The VARIoT honeypot network in numbers

VARIoT.eu, November 26, 2021

The primary VARIoT honeypot network used for observing IoT and other attacks is based on a rewritten, updated version of the EU H2020 SISSDEN project platform. It enables rapid large-scale deployments of honeypot sensors across data centers worldwide. These sensors act as OSI layer 2 tunnel endpoints to a datacenter where the actual honeypots reside. The honeypot network is built and managed by Shadowserver. As of the 19th of November 2021, the primary network runs 260 nodes with dedicated IP addresses for a total of 821 honeypots operating at once. The nodes are located in 88 countries, 331 unique /24’s and 134 unique ASNs. Data from these honeypots is shared with 132 National CSIRTs covering 173 countries and territories and over 6000 organizations worldwide in Shadowserver’s daily feeds via the Honeypot Brute Force Events report and Honeypot HTTP Scanner Events report. We have also developed a malware downloader framework that attempts to automatically decode URLs being used to serve malware. These URLs will soon also be shared daily through Shadowserver’s free daily remediation feeds. You can obtain VARIoT global statistics about infections seen by the honeypots (and other sources) on the VARIoT website hosted by CIRCL and also on the European Data Portal. Deployment of sensor nodes in Latin America and the Caribbean is supported by the sensores.lat project together with CEDIA and FRIDA. Deployment of sensor nodes in Africa and the Indo-Pacific is also supported by the UK FCDO.

Bad Guys are Scanning Your Network!

SENKI, November 25, 2021

Bad guys are scanning your network. They are finding all the vulnerabilities exposed to the Internet: the vulnerable systems, critical devices, and other ways to break into your network. When ransomware, malware, botnets, and other break-ins happen, people wonder, “how did the threat actors find that service?” People thought that “if we don’t publish it, then obscurity will protect the service.” Can you get ahead of the bad guys scanning your network? There is a public benefit (free) service open to all organizations that will let you know daily what systems the bad guys can see and what you need to do to protect yourself. There are many commercial Attack Surface Management services, but none offer the comprehensive surface from Shadowserver’s Daily Network Report. Typical ASM reports just “scan” your network. Shadowserver’s diverse telemetry connects to malware, botnet, and threat actor takedowns. They monitor the malware Command-and-Control systems coming from your network, through your firewall, and beaconing to the Internet. One public benefit ASM++ service provides organizations with powerful intelligence from Shadowserver – an organization whose mission is to fight the same threat actors who are scanning your network to harm you.

Operation ‘Harvest’: A Deep Dive into a Long-term Campaign

Trellix, September 14, 2021

Following a recent Incident Response, McAfee Enterprise’s Advanced Threat Research (ATR) team worked with its Professional Services IR team to support a case that initially started as a malware incident but ultimately turned out to be a long-term cyber-attack. Operation Harvest has been a long-term operation whereby an adversary maintained access for multiple years to exfiltrate data. The exfiltrated data would have either been part of an intellectual property theft for economic purposes and/or would have provided insights that would be beneficial in case of military interventions. The adversaries made use of techniques very often observed in this kind of attack but also used distinctive new backdoors or variants of existing malware families. Combining all forensic artifacts and cross-correlation with historical and geopolitical data, we have high confidence that this operation was executed by an experienced APT actor.

Securing your network using Shadowserver reports

APNIC, June 10, 2021

Gaining visibility into a target network from the outside is one of the first steps in breaching a network’s defences and has become one of the standard elements of criminal attacks. The constant scanning of networks has become commonplace, not just by criminals, but also by organizations that sell access to the data that is collected. Gaining insight into the exposed footprint of your network has never been easier. You should assume attackers have an overview of your potentially vulnerable or misconfigured systems and understand what is exposed and exploitable. What if you, as a defender, could have access to a public benefit, free to use, daily security report that provides an overview of some of your security risks? What if this data allowed you to understand what the criminals might see on your network? What if this data can highlight devices that are infected with malware? In fact, what if this data exposed devices and resources on your network you didn’t even know you had?

No, I Did Not Hack Your MS Exchange Server

Krebs on Security, March 28, 2021

New data suggests someone has compromised more than 21,000 Microsoft Exchange Server email systems worldwide and infected them with malware that invokes both KrebsOnSecurity and Yours Truly by name. Let’s just get this out of the way right now: It wasn’t me. The Shadowserver Foundation, a nonprofit that helps network owners identify and fix security threats, says it has found 21,248 different Exchange servers which appear to be compromised by a backdoor and communicating with brian[.]krebsonsecurity[.]top (NOT a safe domain, hence the hobbling). Shadowserver has been tracking wave after wave of attacks targeting flaws in Exchange that Microsoft addressed earlier this month in an emergency patch release. The group looks for attacks on Exchange systems using a combination of active Internet scans and “honeypots” — systems left vulnerable to attack so that defenders can study what attackers are doing to the devices and how.

Commonwealth nCSIRT Capacity Building Programme: self-help guide

Foreign, Commonwealth and Development Office, March 8, 2021

At the Commonwealth Heads of Government Meeting in London in 2018, the UK and Singapore signed a Memorandum of Cooperation committing to collaborate to help support implementation of the Commonwealth Cyber Declaration across the Commonwealth. The project workshops introduced Commonwealth Member States to nCSIRT Maturity Frameworks as a way to develop and gauge their national cyber incident response capabilities and to identify and prioritise areas as next steps to maturity. They also provided important opportunities for network building and cooperation on cyber security across the Commonwealth. An area which was unanimously requested by the participating countries in the lead up to the event was information regarding Open Source Monitoring Tools. It was highlighted that Shadowserver and Team Cymru are both reputable private companies who work with national CERTs, and many of the participating countries had already raised that they are indeed using data feeds from those companies already.

WHAT REAL COLLABORATION ON CYBER SECURITY LOOKS LIKE

TAG Cyber Law Journal, February 1, 2021

How Pittsburgh helped nail hackers in Eastern Europe who’d preyed on U.S. companies with impunity. GozNym malware attacks hit Western Pennsylvania in a big way in the spring of 2016. It took a while for investigators to determine the source of the problem. It was only after the FBI ordered a forensic examination of a victim’s machine that they learned the type of malware involved. The plan to take down the botnet involved seizing, blocking, and sinkholing—redirecting traffic from infected computers to servers controlled by law enforcement—800,000 malicious domains. Additional investigation led to the Avalanche administrator in Ukraine. The investigators’ response was launched on the last day of November. In a press release, Europol listed 30 countries that were involved in the operation. It credited Germany for leading the charge—specifically the Public Prosecutor’s Office in Verden and the Luneburg Police—“in close cooperation with” Tod Eberle’s office, DOJ, the FBI, and Europol and Eurojust. The Shadowserver Foundation also played a key role behind the scenes.

VPNFilter Two Years Later: Routers Still Compromised

Trend Micro, January 19, 2021

With the internet of things (IoT) gaining more popularity, common IoT devices such as routers, printers, cameras, and network-attached storage (NAS) devices are becoming more frequent targets for cybercriminals. Unlike typical operating systems such as Windows and macOS, users are less likely to patch IoT devices. This is because users find the task more difficult and inconvenient since, in comparison, the operating systems of these devices have no auto-update feature and some manufacturers rarely even issue security updates at all. These are the kinds of systems that users log on to once in order to set them up and then never log on to again, unless they encounter a big problem. It is also not rare to find an outdated router — one that has been running for as long as the system has. As a result, many systems are left wide open to known vulnerabilities, which can lead to successful attacks even years after the first infection. While looking at these types of infections by known malware families, we found that one of the biggest reported malware families was from 2018’s VPNFilter.