Media Coverage

The Shadowserver Foundation this week announced that it has started conducting daily internet scans in an effort to identify exposed industrial control systems (ICS) and help organizations reduce their exposure to attacks. The nonprofit cybersecurity organization is scanning the web for exposed services that use the Modbus industrial communications protocol on TCP port 502, but Shadowserver’s Piotr Kijewski told SecurityWeek that they plan on introducing many other ICS and operational technology (OT) protocol scans in the near future.The first daily ICS scan conducted by Shadowserver revealed more than 6,300 unique IP addresses corresponding to exposed Modbus services. A majority are associated with Siemens products, followed by ABB, AB Regin, Schneider Electric’s Telemecanique, Solare Datensysteme, Invensys, Delta Electronics, Huawei, Rockwell Automation (Allen Bradley), Alpes Technologies, SE-Elektronic, COPA-DATA, WEG, and Synchronic.

The primary VARIoT honeypot network used for observing IoT and other attacks is based on a rewritten, updated version of the EU H2020 SISSDEN project platform. It enables rapid large scale deployments of honeypot sensors across data centers worldwide. These sensors act as OSI layer 2 tunnel endpoints to a datacenter where the actual honeypots reside. The honeypot network is built and managed byShadowserver. As of the 19th of November 2021, the primary network runs 260 nodes with dedicated IP addresses for a total of 821 honeypots operating at once. The nodes are located in 88 countries, 331 unique /24’s and 134 unique ASNs. Data from these honeypots is shared with 132 National CSIRTs covering 173 countries and territories and over 6000 organizations worldwide in Shadowserver’s daily feeds via the Honeypot Brute Force Events report and Honeypot HTTP Scanner Events report. We have also developed a malware downloader framework that attempts to automatically decode URLs being used to serve malware. These URLs will soon also be shared daily through Shadowserver’s free daily remediation feeds. You can obtain VARIoT global statistics about infections seen by the honeypots (and other sources) on the VARIoT website hosted by CIRCL and also on the European Data Portal. Deployment of sensor nodes in Latin America and the Caribbean is supported by the sensores.lat project together with CEDIA and FRIDA.  Deployment of sensor nodes in Africa and the Indo-Pacific is also supported by the UK FCDO.

Bad guys are scanning your network. They are finding all the vulnerabilities exposed to the Internet. The vulnerable systems, critical devices, and other ways to break into your network. When ransomware, malware, botnets, and other break-ins happen, people wonder, “how did the threat actors find that service?” People thought that “if we don’t publish it, then obscurity will protect the service. Can you get ahead of the bag, guys scanning your network? There is a public benefit (free) service open to all organizations that will let you know daily what systems the bad guys can see and what you need to do to protect yourself. There are many commercial Attack Surface Management services, but none offer the comprehensive surface from Shadowserver’s Daily Network Report. Typical ASM reports just “scan” your network. Shadowserver diverse telemetry connects to malware, botnet, and threat actor takedowns. They monitor the malware Command-and-Control systems coming from your network, through your firewall, and beaconing to the Internet. One public benefit ASM++ service provides organization powerful intelligence from Shadowserver – an organization whose mission is to fight the same threat actors who are scanning your network to harm you.

Following a recent Incident Response, McAfee Enterprise‘s Advanced Threat Research (ATR) team worked with its Professional Services IR team to support a case that initially started as a malware incident but ultimately turned out to be a long-term cyber-attack. Operation Harvest has been a long-term operation whereby an adversary maintained access for multiple years to exfiltrate data. The exfiltrated data would have either been part of an intellectual property theft for economic purposes and/or would have provided insights that would be beneficial in case of military interventions. The adversaries made use of techniques very often observed in this kind of attack but also used distinctive new backdoors or variants of existing malware families. Combining all forensic artifacts and cross-correlation with historical and geopolitical data, we have high confidence that this operation was executed by an experienced APT actor.

Gaining visibility into a target network from the outside is one of the first steps in breaching a network’s defences and has become one of the standard elements of criminal attacks. The constant scanning of networks has become commonplace, not just by criminals, but also by organizations that sell access to the data that is collected. Gaining insight into the exposed footprint of your network has never been easier. You should assume attackers have an overview of your potentially vulnerable or misconfigured systems and understand what is exposed and exploitable. What if you, as a defender, could have access to a public benefit, free to use, daily security report that provides an overview of some of your security risks? What if this data allowed you to understand what the criminals might see on your network? What if this data can highlight devices that are infected with malware? In fact, what if this data exposed devices and resources on your network you didn’t even know you had?

New data suggests someone has compromised more than 21,000 Microsoft Exchange Server email systems worldwide and infected them with malware that invokes both KrebsOnSecurity and Yours Truly by name. Let’s just get this out of the way right now: It wasn’t me. The Shadowserver Foundation, a nonprofit that helps network owners identify and fix security threats, says it has found 21,248 different Exchange servers which appear to be compromised by a backdoor and communicating with brian[.]krebsonsecurity[.]top (NOT a safe domain, hence the hobbling). Shadowserver has been tracking wave after wave of attacks targeting flaws in Exchange that Microsoft addressed earlier this month in an emergency patch release. The group looks for attacks on Exchange systems using a combination of active Internet scans and “honeypots” — systems left vulnerable to attack so that defenders can study what attackers are doing to the devices and how.

At the Commonwealth Heads of Government Meeting in London in 2018, the UK and Singapore signed a Memorandum of Cooperation committing to collaborate to help support implementation of the Commonwealth Cyber Declaration across the Commonwealth. The project workshops introduced Commonwealth Member States to nCSIRT Maturity Frameworks as a way to develop and gauge their national cyber incident response capabilities and to identify and prioritise areas as next steps to maturity. They also provided important opportunities for network building and cooperation on cyber security across the Commonwealth. An area which was unanimously requested by the participating countries in the lead up to the event, was information regarding Open Source Monitoring Tools. It was highlighted that Shadowserver and Team Cymru are both reputable private companies who work with national CERTs, and many of the participating countries had already raised that they are indeed using data feeds from those companies already.

How Pittsburgh helped nail hackers in Eastern Europe who’d preyed on U.S. companies with impunity. GozNym malware attacks hit Western Pennsylvania in a big way in the spring of 2016. It took a while for investigators to determine the source of the problem. It was only after the FBI ordered a forensic examination of a victim’s machine that they learned the type of malware involved. The plan to take down the botnet involved seizing, blocking, and sinkholing—redirecting traffic from infected computers to servers controlled by law enforcement—800,000 malicious domains. Additional investigation led to the Avalanche administrator in Ukraine. The investigators’ response was launched on the last day of November. In a press release, Europol listed 30 countries that were involved in the operation. It credited Germany for leading the charge—specifically the Public Prosecutor’s Office in Verden and the Luneburg Police—“in close cooperation with” Tod Eberle’s office, DOJ, the FBI, and Europol and Eurojust. The Shadowserver Foundation also played a key role behind the scenes.

With the internet of things (IoT) gaining more popularity, common IoT devices such as routers, printers, cameras, and network-attached storage (NAS) devices, are becoming more frequent targets for cybercriminals. Unlike typical operating systems such as Windows and macOS, users are less likely to patch IoT devices. This is because users find the task more difficult and inconvenient since, in comparison, the operating systems of these devices have no auto-update feature and some manufacturers rarely even issue security updates at all. These are the kinds of systems that users log on to once in order to set them up and then never to do so again, unless they encounter a big problem. It also is not rare to find an outdated router — one that has been running for as long as the system has. As a result, many systems are left wide open to known vulnerabilities, which can lead to successful attacks even years after the first infection. While looking at these types of infections by known malware families, we found that one of the biggest reported malware families was from 2018’s VPNFilter.

The Institute for Security and Technology (IST) — in partnership with a broad coalition of experts in industry, government, law enforcement, nonprofits, cybersecurity insurance, and international organizations — is today launching a new Ransomware Task Force (RTF) to tackle this increasingly prevalent and destructive type of cybercrime. The RTF’s founding members understand that ransomware is too large of a threat for any one entity to address, and have come together to provide clear recommendations for both public and private action that will significantly reduce the threat posed by this criminal enterprise.