Media Coverage

Shadowserver in the news

Support unsung hero to keep Internet secure

APNIC, April 20, 2020

Information security is very much like a professional team sport, where you not only have to work with your internal teammates but also need assistance from a range of supporting partners too. There are many great collaboration stories in the security response community, but one support organization worth highlighting is the ShadowServer Foundation. Sharing information with a national CERT helps with understanding the local context of this malicious activity and identifying how many systems are a part of certain botnets. This can then allow the CERT to initiate relevant outreach activities ranging from issuing advisories, doing awareness campaigns and proactively working with stakeholders, such as ISPs, to fix the issue.

To this day, I continue to see that whenever a new CERT/CSIRT reaches out to ShadowServer, they will be provided with the feeds and appropriate support, at no cost. ShadowServer has also supported the LEA community in various botnet ‘take down’ efforts, which has led to successful criminal seizures and arrests. Having lost their funding, APNIC has provided some financial support to their cause and I hope by highlighting their story and how they have helped our community you can help spread the word or also consider supporting their cause. Join APNIC and others to support the ShadowServer Foundation.

BitMEX operator commits $400K to cybersecurity nonprofit Shadowserver

Yahoo Finance, April 6, 2020

HDR Global Trading, the operator of cryptocurrency exchange BitMEX, has offered a $400,000 grant to nonprofit security organization Shadowserver Foundation. “Shadowserver is an extremely highly regarded player in the botnet defense community,” Samuel Reed, HDR’s co-founder and chief technology officer, said in a statement. “Cross-industry collaboration is going to be essential to the future security of the Internet at large, and not least the cryptocurrency industry. We’re keen to play our part championing security over the long term by supporting such a brilliant organisation.”

The Internet needs your help

Mybroadband - South Africa, March 21, 2020

Countless malware threats that have previously been contained are at risk of being released into the wild again. This is because the world’s largest non-profit cybersecurity organisation, Shadowserver, is at risk of shutting down. Shadowserver has historically aided federal law enforcement institutions, including the FBI, in “sinkholing” domain names which are used by extensive malware operations. Shadowserver has published a statement stating that it is desperate for financial assistance from donors because Cisco recently informed Shadowserver that it would no longer provide support to the organisation. To continue operating, Shadowserver needs $400,000 in commitments by 31 March, while these commitments will need to be paid by 15 May and need $2.1 million for total 2020 costs. “Without immediate assistance from our friends and supporters in the global community, who we have served to the best of our ability for the past 15 years, The Shadowserver Foundation will no longer be able to continue to operate most of our core public benefit services, including free daily network reports for all constituents,” said Shadowserver.

INSIDE THE SHADOWSERVER CRISIS

Sector CA, March 20, 2020

This week hasn’t been the best for the Shadowserver Foundation. The nonprofit is fighting for its life after its main US sponsor pulled the plug. How did we get here, what does this mean for the internet, and what’s next? Shadowserver began in 2004 as a purely voluntary initiative started by Nicholas Albright. Furious to discover that cybercriminals had infected his recently-deceased father’s computer with botnet malware, he worked with ISPs to shut the criminal network down, and Shadowserver was born. Now, it’s a multinational non-profit with full-time staff doing the same thing that Albright did when he first began – gathering information and delivering it to organizations that can make a difference. That includes 107 national CERTs in 136 countries, and over 4,600 network owners ranging from ISPs to hosting companies, universities, and banks.

Now, Shadowserver faces an existential threat after Cisco, which is its largest US sponsor, pulled its funding. This is a big deal, because Cisco contributes 95% of Shadowserver’s US money. Perlotto doesn’t blame Cisco at all. “Cisco’s done a great job,” he says. “Everything we do while we provide our services for free, there’s still a cost associated with it. And Cisco’s been paying that bill for the whole internet for 15 years.”

The internet is a part of the critical national infrastructure, and nowhere is that more clear than during a health crisis like the one we face now, where people rely on it for critical information and services while they self-isolate. The US government refers to the internet explicitly in its list of CNI sectors, which include the communications and IT industries.

Shadowserver is in danger of being shut down

digi.no, March 19, 2020

Not all the work done to prevent the internet from becoming too uncertain and lawless is equally well known. Many people contribute without seeking so much attention. Among these is Shadowserver. It is a small non-profit organization that, despite its size, plays an important role in internet security by providing key IT security players and many other businesses with free access to a huge collection of up-to-date data and malicious activity analytics on the Internet. Unfortunately, Shadowserver is now in danger of having to shut down significant parts of its business. Cisco has been the organization’s main sponsor, but the company can no longer fund them. The company has provided data center facilities (which) must be relocated to a new location by May 26 in order for operations to continue. The organization needs $2.1 million in donations by the end of March.

Shadowserver Foundation: Nonprofit IT security team needs donations

Heise, March 19, 2020

The Shadowserver team supports law enforcement agencies to stop cyber gangsters. Now they need timely (financial) help themselves. The free work of the Shadowserver Foundation is at risk. According to its own statements, the nonprofit organization needs a total of more than $2 million in 2020 – with $400,000 of these by mid-May for the relocation of its complete data center infrastructure. The Shadowserver team explains the reasons for the sudden need for money in a detailed call for donations.

The German BSI and its CERT association have also worked with the Shadowserver team on several occasions in the fight against cybercrime, for example in the destruction of the botnet infrastructure Avalanche.

“The BSI appreciates the excellent and tireless work with which the Shadowserver Foundation has supported the international security community for many years. The data made available to network operators and national CERTs around the world on malware infections and system vulnerabilities is high-quality information for notifying those affected. If the Shadowserver infrastructure is actually shut down, it would be a black day for IT security,” the BSI told Heise Security.

Skimmer May Have Put NutriBullet Customers' Card Data at Risk for Nearly a Month

Dark Reading, March 19, 2020

Blender maker is the latest victim of Magecart. Blender manufacturer NutriBullet on Wednesday said it had identified and removed malicious code on its website that allowed attackers to steal data from customers entering payment card information on it when purchasing products. Researchers at RiskIQ, working in concert with ShadowServer and Abuse.ch — two malware fighting nonprofits — instead took down the domain the attackers were using to store stolen credit card data.

How Microsoft Dismantled the Infamous Necurs Botnet

Wired, March 18, 2020

A years-long investigation and global cooperation disrupted one of the biggest botnets ever. At the height of its powers, Necurs was one of the most disruptive forces on the internet. A sort of Swiss Army botnet, over the years it has harnessed more than 9 million computers unwittingly under its control to send spam, distribute ransomware, attack financial institutions, and more. Last week, Microsoft pulled its plug. Necurs has been silent lately—its most recent significant activity petered out last March—but it still has 2 million infected systems awaiting its next command. By disrupting what remains of the botnet—in coordination with law enforcement and internet service providers across 35 countries, and with the help of cybersecurity firms like BitSight and ShadowServer—Microsoft has effectively prevented Necurs from rising again.

Botnet fighter Shadowserver in major financial difficulties

Security.NL, March 18, 2020

The Shadowserver Foundation, a non-profit foundation registered in the Netherlands and the United States that works to combat botnets and cybercrime, is in serious financial difficulties now that Cisco has withdrawn as a sponsor. The foundation collects large amounts of information about botnets, malware and other criminal networks and shares it with providers and government services, such as Computer Emergency Response Teams (CERTs). In recent years, the Shadowserver Foundation has played an important role in the roll-up of several large botnets. At the end of February, Cisco announced that it was discontinuing as the largest financial sponsor. As a result, the Shadowserver Foundation immediately lost four of the seven donated staff and the other three employees will stop on May 26. Shadowserver also has to move the entire American data center infrastructure to a new location before May 26. Therefore, without immediate help, Shadowserver will have to stop offering the most important services, including free network reports with information about infected systems.

Hackers hit NutriBullet website with credit card-stealing malware

TechCrunch, March 18, 2020

According to new research by security firm RiskIQ, hackers broke into the blender maker’s website several times over the past two months, injected malicious credit card-skimming malware on its payment pages and siphoned off the credit card numbers and other personal data — like names, billing addresses, expiry dates and card verification values — of unsuspecting blender buyers.

The data was scraped and sent to a third-party server operated by the attackers. The stolen credit card data is then sold to buyers on dark web marketplaces. With the help of security outfits AbuseCH and Shadowserver, RiskIQ began efforts to take down the malicious domain that the hackers were using to send stolen credit card numbers.