Media Coverage

Shadowserver in the news

Analyzing Encrypted RDP Connections

Security Boulevard, May 13, 2020

Microsoft’s Remote Desktop Protocol (RDP) is used to remotely administer systems within Windows environments. RDP is everywhere Windows is and is useful for conducting remote work. Just like every other remote administration tool, RDP can be used for legitimate or malicious control of a computer and is used by administrators and attackers alike for command and control of a remote system. Financially motivated attackers aren’t the only classes of threat making use of RDP, however. RDP services are also a vector of attack for advanced offensive groups like APT39 and APT40. Discovered in January of 2020, the Trickbot malware family added a new module, rdpScanDll, giving the malware the capability of credential brute-forcing. Wormable exploits like BlueKeep, DejaBlue, and BlueGate plague RDP servers across the Internet. Shodan recently identified an increase in publicly exposed RDP services on the Internet, a measure which Shadowserver and Kaspersky also monitor.

International Partners - Shadowserver

CSIRT.CY, April 30, 2020

The operations of the National Computer Security Incident Response Team of Cyprus (National CSIRT-CY) are vital for the secure functioning of the state and its economy. One of the most valuable operations of National CSIRT-CY which contributes greatly to proactive security is the processing of threat intelligence, daily reports and feeds received by external sources concerning current threats and malicious internet activity. One such external source is Shadowserver, a platform which provides valuable information and insights relating to emerging security threats. The main goal of the Shadowserver Foundation is to foster collaboration and to contribute to a culture in which the cybersecurity industry delivers ever greater service and capability. Shadowserver collaborates with major organizations such as Europol’s European Cybercrime Centre (EC3), Trend Micro, and the European Organization for Nuclear Research (CERN). Shadowserver is one of National CSIRT-CY’s primary threat intelligence sources. Close collaboration with the Shadowserver Foundation offers valuable operational intelligence enhancement. This puts National CSIRT-CY on the map of organizations and other entities which share the privilege of using Shadowserver’s services.

Botnet Designed to Mine Virtual Currency Shut Down

Bank Info Security, April 24, 2020

VictoryGate, a recently discovered botnet that infected about 35,000 devices with malware, has been disabled by researchers from security firm ESET. The botnet was designed to mine for the virtual currency monero, according to ESET analysts. It’s one of several recently discovered botnets that mine for cryptocurrencies other than bitcoin. The botnet mainly targeted victims in South America, with Peru accounting for about 90 percent of all infected endpoints, according to the report. ESET is working with No-IP and the nonprofit Shadowserver Foundation, which researches and tracks botnets, to notify victims and help clean devices of the VictoryGate malware.

ESET takes down VictoryGate cryptomining botnet

ZDNet, April 23, 2020

ESET announced today that it took down a malware botnet that infected more than 35,000 computers. The botnet’s primary purpose was to infect victims with malware that mined the Monero cryptocurrency behind their backs. ESET reported and took down the botnet’s command and control (C&C) server and set up a fake one (called a sinkhole) to monitor and control the infected hosts. The company is now working with members of the Shadowserver Foundation to notify and disinfect all computers that connect to the sinkhole.

Researchers Take Down Massive Crypto-Mining Botnet

Silicon UK, April 21, 2020

Security researchers have taken down a crypto-mining botnet that infected at least 35,000 devices and which is continuing to spread. The VictoryGate botnet mainly affects systems located in Latin America and particularly in Peru, where 90 percent of the infected machines are located. ESET was able to take down the botnet’s command and control servers and set up its own servers in their place, a technique called sinkholing. ESET said it is working with the Shadowserver Foundation to notify the owners of the affected systems and has made a tool available that removes the malware.

Protect Your Network from an Internet Worm during COVID-19

Senki, April 20, 2020

Do you want a repeat of WannaCry? Do you want an Internet Impacting Worm in the middle of the COVID-19 Crisis? All organizations can take two steps to minimize the risk of a potential Internet worm. First, they can deploy an access-list on the edge of their network that blocks TCP/UDP port 445. This can be part of your organization’s Exploitable Port Filtering. Second, organizations can monitor their network with Shadowserver’s Daily Network Report. This public benefit service provides an outside-in view of risk on your network. The Daily Network Reports provide a tool to reduce risk through action and then monitor the impact of that risk reduction. Both services are “no-cost.” Routers on the edge of the network can deploy Exploitable Port Filtering. Shadowserver’s Daily Network Report is a public benefit supported by organizations throughout the world.

Support unsung hero to keep Internet secure

APNIC, April 20, 2020

Information security is very much like a professional team sport, where you not only have to work with your internal teammates but also need assistance from a range of supporting partners too. There are so many great collaboration stories in the security response community, but one support organization worth highlighting is the ShadowServer Foundation. Sharing information with a national CERT helps with understanding the local context of this malicious activity and identifying how many systems are a part of certain botnets. This can then allow the CERT to initiate relevant outreach activities ranging from issuing advisories, doing awareness campaigns and proactively working with stakeholders, such as ISPs, to fix the issue.

To this day, I continue to see that whenever a new CERT/CSIRT reaches out to ShadowServer, they will be provided with the feeds and appropriate support, at no cost. ShadowServer has also supported the LEA community in various botnet “take down” efforts, which has led to successful criminal seizures and arrests. Since they lost their funding, APNIC has provided some financial support to their cause, and I hope that by highlighting their story and how they have helped our community you can help spread the word or also consider supporting their cause. Join APNIC and others to support the ShadowServer Foundation.

BitMEX operator commits $400K to cybersecurity nonprofit Shadowserver

Yahoo Finance, April 6, 2020

HDR Global Trading, the operator of cryptocurrency exchange BitMEX, has offered a $400,000 grant to nonprofit security organization Shadowserver Foundation. “Shadowserver is an extremely highly regarded player in the botnet defense community,” Samuel Reed, HDR’s co-founder and chief technology officer, said in a statement. “Cross-industry collaboration is going to be essential to the future security of the Internet at large, and not least the cryptocurrency industry. We’re keen to play our part championing security over the long term by supporting such a brilliant organisation.”

The Internet needs your help

Mybroadband - South Africa, March 21, 2020

Countless malware threats that have previously been contained are at risk of being released into the wild again. This is because the world’s largest non-profit cybersecurity organisation, Shadowserver, is at risk of shutting down. Shadowserver has historically aided federal law enforcement institutions, including the FBI, in “sinkholing” domain names which are used by extensive malware operations. Shadowserver has published a statement stating that it is desperate for financial assistance from donors because Cisco recently informed Shadowserver that it would no longer provide support to the organisation. To continue operating, Shadowserver needs $400,000 in commitments by 31 March; these commitments will need to be paid by 15 May, and the organisation needs $2.1 million for total 2020 costs. “Without immediate assistance from our friends and supporters in the global community, who we have served to the best of our ability for the past 15 years, The Shadowserver Foundation will no longer be able to continue to operate most of our core public benefit services, including free daily network reports for all constituents,” said Shadowserver.

Inside the Shadowserver Crisis

Sector CA, March 20, 2020

This week hasn’t been the best for the Shadowserver Foundation. The nonprofit is fighting for its life after its main US sponsor pulled the plug. How did we get here, what does this mean for the internet, and what’s next? Shadowserver began in 2004 as a purely voluntary initiative started by Nicholas Albright. Furious to discover that cybercriminals had infected his recently-deceased father’s computer with botnet malware, he worked with ISPs to shut the criminal network down, and Shadowserver was born. Now, it’s a multinational non-profit with full-time staff doing the same thing that Albright did when he first began – gathering information and delivering it to organizations that can make a difference. That includes 107 national CERTs in 136 countries, and over 4,600 network owners ranging from ISPs to hosting companies, universities, and banks.

Now, Shadowserver faces an existential threat after Cisco, which is its largest US sponsor, pulled its funding. This is a big deal, because Cisco contributes 95% of Shadowserver’s US money. Perlotto doesn’t blame Cisco at all. “Cisco done a great job,” he says. “Everything we do while we provide our services for free, there’s still a cost associated with it. And Cisco’s been paying that bill for the whole internet for 15 years.”

The internet is a part of the critical national infrastructure, and nowhere is that more clear than during a health crisis like the one we face now, where people rely on it for critical information and services while they self-isolate. The US government refers to the internet explicitly in its list of CNI sectors, which include the communications and IT industries.