Media Coverage

Following a recent Incident Response, McAfee Enterprise‘s Advanced Threat Research (ATR) team worked with its Professional Services IR team to support a case that initially started as a malware incident but ultimately turned out to be a long-term cyber-attack. Operation Harvest has been a long-term operation whereby an adversary maintained access for multiple years to exfiltrate data. The exfiltrated data would have either been part of an intellectual property theft for economic purposes and/or would have provided insights that would be beneficial in case of military interventions. The adversaries made use of techniques very often observed in this kind of attack but also used distinctive new backdoors or variants of existing malware families. Combining all forensic artifacts and cross-correlation with historical and geopolitical data, we have high confidence that this operation was executed by an experienced APT actor.

Gaining visibility into a target network from the outside is one of the first steps in breaching a network’s defences and has become one of the standard elements of criminal attacks. The constant scanning of networks has become commonplace, not just by criminals, but also by organizations that sell access to the data that is collected. Gaining insight into the exposed footprint of your network has never been easier. You should assume attackers have an overview of your potentially vulnerable or misconfigured systems and understand what is exposed and exploitable. What if you, as a defender, could have access to a public benefit, free to use, daily security report that provides an overview of some of your security risks? What if this data allowed you to understand what the criminals might see on your network? What if this data can highlight devices that are infected with malware? In fact, what if this data exposed devices and resources on your network you didn’t even know you had?

New data suggests someone has compromised more than 21,000 Microsoft Exchange Server email systems worldwide and infected them with malware that invokes both KrebsOnSecurity and Yours Truly by name. Let’s just get this out of the way right now: It wasn’t me. The Shadowserver Foundation, a nonprofit that helps network owners identify and fix security threats, says it has found 21,248 different Exchange servers which appear to be compromised by a backdoor and communicating with brian[.]krebsonsecurity[.]top (NOT a safe domain, hence the hobbling). Shadowserver has been tracking wave after wave of attacks targeting flaws in Exchange that Microsoft addressed earlier this month in an emergency patch release. The group looks for attacks on Exchange systems using a combination of active Internet scans and “honeypots” — systems left vulnerable to attack so that defenders can study what attackers are doing to the devices and how.

At the Commonwealth Heads of Government Meeting in London in 2018, the UK and Singapore signed a Memorandum of Cooperation committing to collaborate to help support implementation of the Commonwealth Cyber Declaration across the Commonwealth. The project workshops introduced Commonwealth Member States to nCSIRT Maturity Frameworks as a way to develop and gauge their national cyber incident response capabilities and to identify and prioritise areas as next steps to maturity. They also provided important opportunities for network building and cooperation on cyber security across the Commonwealth. An area which was unanimously requested by the participating countries in the lead up to the event, was information regarding Open Source Monitoring Tools. It was highlighted that Shadowserver and Team Cymru are both reputable private companies who work with national CERTs, and many of the participating countries had already raised that they are indeed using data feeds from those companies already.

How Pittsburgh helped nail hackers in Eastern Europe who’d preyed on U.S. companies with impunity. GozNym malware attacks hit Western Pennsylvania in a big way in the spring of 2016. It took a while for investigators to determine the source of the problem. It was only after the FBI ordered a forensic examination of a victim’s machine that they learned the type of malware involved. The plan to take down the botnet involved seizing, blocking, and sinkholing—redirecting traffic from infected computers to servers controlled by law enforcement—800,000 malicious domains. Additional investigation led to the Avalanche administrator in Ukraine. The investigators’ response was launched on the last day of November. In a press release, Europol listed 30 countries that were involved in the operation. It credited Germany for leading the charge—specifically the Public Prosecutor’s Office in Verden and the Luneburg Police—“in close cooperation with” Tod Eberle’s office, DOJ, the FBI, and Europol and Eurojust. The Shadowserver Foundation also played a key role behind the scenes.

With the internet of things (IoT) gaining more popularity, common IoT devices such as routers, printers, cameras, and network-attached storage (NAS) devices, are becoming more frequent targets for cybercriminals. Unlike typical operating systems such as Windows and macOS, users are less likely to patch IoT devices. This is because users find the task more difficult and inconvenient since, in comparison, the operating systems of these devices have no auto-update feature and some manufacturers rarely even issue security updates at all. These are the kinds of systems that users log on to once in order to set them up and then never to do so again, unless they encounter a big problem. It also is not rare to find an outdated router — one that has been running for as long as the system has. As a result, many systems are left wide open to known vulnerabilities, which can lead to successful attacks even years after the first infection. While looking at these types of infections by known malware families, we found that one of the biggest reported malware families was from 2018’s VPNFilter.

The Institute for Security and Technology (IST) — in partnership with a broad coalition of experts in industry, government, law enforcement, nonprofits, cybersecurity insurance, and international organizations — is today launching a new Ransomware Task Force (RTF) to tackle this increasingly prevalent and destructive type of cybercrime. The RTF’s founding members understand that ransomware is too large of a threat for any one entity to address, and have come together to provide clear recommendations for both public and private action that will significantly reduce the threat posed by this criminal enterprise.

Iniciativa conjunta de CEDIA y The Shadowserver Foundation que está desplegando una red de sensores en América Latina y el Caribe, usando como base la tecnología desarrollada por Shadowserver para automatizar las implementaciones de los sensores y la experiencia de CEDIA como centro de respuesta a incidentes de seguridad informática (CSIRT). Joint initiative of CEDIA and The Shadowserver Foundation that is deploying a network of sensors in Latin America and the Caribbean, based on the technology developed by Shadowserver to automate sensor deployments and CEDIA’s experience as a security incident response center computer science (CSIRT).

Cybercrime continues to be an evolving threat that requires a collective and quick response. Left unchecked, cybercriminals can destabilize the digital economy and create disruptions that impact our financial security, jobs, access to online services and much more. Here at Mastercard, we find that intolerable. Mastercard is committed to protecting merchants, banks, governments and citizens from cybercrime—we’re going beyond the transaction to protecting every interaction. Today, we’re proud to announce our support and sponsorship of the nonprofit Shadowserver Foundation. We are proud to act as ambassadors for their mission. Our hope is that through our partnership, more organizations and companies will take advantage of the valuable information they provide. By collectively sharing insights, we can build a safer digital ecosystem, one that supports the digital economy working for everyone, everywhere.

Avast donates $500,000 to ensure ongoing cybersecurity community partnership. The Shadowserver Foundation, a nonprofit security organization, works behind the scenes to make the internet more secure for everyone. I am very proud to announce that Avast is funding the foundation with $500,000, the largest single donation in 2020. Avast believes that partnering with others to improve cybersecurity is critical to the cybersec community. Combining forces is paramount in fighting against bad actors, cybergangs, and nation-states from spreading their malware. For more than a decade, Avast has partnered with Shadowserver by sharing threat intelligence with the foundation by allowing them to use our AV scanner. Shadowserver collects intelligence from various players in the cybersecurity industry, and runs their own scans and honeypots, all to reveal security vulnerabilities, combat malicious activities, and help victims. When Shadowserver put out their urgent call for funding, we started assembling resources.