Media Coverage

Shadowserver in the news

Infosec industry calls for more public sector collaboration

TechTarget, August 27, 2024

While the private sector has increasingly contributed to law enforcement operations against cybercriminals and nation-state actors, infosec professionals agree there’s more to be done as threats continue to rise. In some cases, private sector collaborations made those law enforcement operations more successful through information sharing with government agencies.

One of the most significant botnet takedowns ever occurred in May. The international effort resulted in four arrests, more than 100 server seizures and 2,000 domain takeovers. Operation Endgame involved agencies from all over the world as well as private industry partners such as BitDefender, Proofpoint and the Shadowserver Foundation.

Attack on vulnerability in Ivanti Virtual Traffic Manager observed

Heise Online, August 20, 2024

Last week, a critical vulnerability in Ivanti’s Virtual Traffic Manager (vTM) became known. Now IT researchers have discovered an exploit attempt based on a publicly available proof-of-concept exploit. Admins should update the software quickly – updates are now available for all supported versions.

The Shadowserver Foundation has announced on X, formerly Twitter, that it has found very few Ivanti vTM devices openly accessible on the Internet. However, last Saturday the group observed an attempt to abuse the vulnerability based on a publicly available proof-of-concept exploit.

Warnings Issued Over Cisco Device Hacking, Unpatched Vulnerabilities

Security Week, August 9, 2024

The US cybersecurity agency CISA on Thursday informed organizations about threat actors targeting improperly configured Cisco devices. The agency has observed malicious hackers acquiring system configuration files by abusing available protocols or software, such as the legacy Cisco Smart Install (SMI) feature.

After CISA published its alert, the non-profit cybersecurity organization The Shadowserver Foundation reported seeing over 6,000 IPs with the Cisco SMI feature exposed to the internet.

Los Angeles Identifies and Targets Critical Vulnerabilities with Splunk

StateTech, August 8, 2024

Daniel Clark Lee (SOC manager) and city of Los Angeles CISO Tim Lee talked about the challenge of battling practically unlimited threats.

The solution to the challenges lies in finding ways to quickly identify the vulnerabilities that put the city at greatest risk. This helps administrators prioritize patching, results in easy wins and allows cybersecurity professionals to clearly communicate their strategic decisions to the rest of the organization.

He added that organizations should look to take advantage of free services to assist with vulnerability scanning. For instance, he highlighted the Shadowserver Foundation, a nonprofit security organization, as well as CISA’s Cyber Hygiene vulnerability and web application scanning services.

Critical Progress WhatsUp RCE flaw now under active exploitation

Bleeping Computer, August 7, 2024

Threat actors are actively attempting to exploit a recently fixed Progress WhatsUp Gold remote code execution vulnerability on exposed servers for initial access to corporate networks. Threat monitoring organization Shadowserver Foundation reports that the attempts started on August 1, 2024, coming from six distinct IP addresses.

The vulnerability leveraged in these attacks is CVE-2024-4885, a critical-severity (CVSS v3 score: 9.8) unauthenticated remote code execution flaw impacting Progress WhatsUp Gold 23.1.2 and older.


State of Exploitation - A Peek into 1H-2024 Vulnerability Exploitation

VulnCheck, August 5, 2024

In the first half of 2024, we observed consistent public disclosure of exploitation in the wild from product companies, security firms, researchers, government agencies, and the broader security community. These disclosures provide defenders with crucial visibility into threats to their environments, allowing for timely action. It’s common for security teams to use this knowledge for vulnerability prioritization and security product teams to use this shared knowledge to prioritize building detection capabilities among many other purposes.

For the 390 vulnerabilities first identified in the first half of 2024, VulnCheck collected 10,611 references of exploitation in the wild. From hundreds of reputable sources, we identified 68 different sources that were the earliest reporters of exploitation during this period. The chart above demonstrates the number of unique exploited vulnerabilities reported first by a source.

20,275 VMware ESXi Vulnerable Instances Exposed, Microsoft Warns of Massive Exploitation

Cyber Security News, July 31, 2024

Microsoft has issued a significant security alert regarding a vulnerability in VMware ESXi hypervisors, which ransomware operators have actively exploited. According to the Shadowserver Foundation, 20,275 instances exposed to the vulnerability, identified as CVE-2024-37085, were visible on the Internet as of July 30, 2024.

The CVE-2024-37085 vulnerability is an authentication bypass flaw with a CVSS score of 6.8. It specifically affects domain-joined ESXi hypervisors, allowing attackers with sufficient Active Directory (AD) permissions to gain full administrative control over the hypervisor.

6600+ Vulnerable GeoServer instances Exposed to the Internet

Cyber Security News, July 25, 2024

Security analysts have identified 6,635 GeoServer instances exposed to the Internet, which makes them vulnerable to critical remote code execution (RCE) attacks. A recent tweet from the Shadowserver Foundation stated that the vulnerability, tracked as CVE-2024-36401, affects GeoServer versions before 2.23.6, 2.24.4, and 2.25.2.

GeoServer, an open-source server enabling users to share and edit geospatial data, is widely used in various industries, including urban planning, environmental monitoring, and resource management.
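The fixed releases named above are per-branch (2.23.6, 2.24.4 and 2.25.2), so an instance on 2.24.4 is patched even though it is numerically below 2.25.2. The helper below is an added example, not code from the article or the GeoServer project: it classifies a version string against those three fixed releases, treats older 2.x branches as unfixed, and returns "unknown" for any newer branch the report did not cover instead of guessing. The version strings it is run against are constructed for the example.

```python
# Added example: classify a GeoServer version against the CVE-2024-36401 fixed
# releases reported above. Not the project's own code; the fixed-version table
# is taken from the coverage, the branch handling is an assumption.
from __future__ import annotations

# (major, minor) branch -> first patch release on that branch containing the fix
FIXED_BY_BRANCH: dict[tuple[int, int], int] = {
    (2, 23): 6,
    (2, 24): 4,
    (2, 25): 2,
}
OLDEST_FIXED_BRANCH = min(FIXED_BY_BRANCH)


def parse_version(v: str) -> tuple[int, int, int]:
    """Parse a plain 'MAJOR.MINOR.PATCH' string; anything else is rejected."""
    parts = v.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GeoServer version string: {v!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def cve_2024_36401_status(v: str) -> str:
    """Return 'vulnerable', 'fixed' or 'unknown' for a GeoServer version."""
    major, minor, patch = parse_version(v)
    branch = (major, minor)
    if branch in FIXED_BY_BRANCH:
        # Compare only within the branch: 2.24.4 is fixed although 2.24.4 < 2.25.2
        return "vulnerable" if patch < FIXED_BY_BRANCH[branch] else "fixed"
    if branch < OLDEST_FIXED_BRANCH:
        # "before 2.23.6" covers every earlier branch; no fixed release exists there
        return "vulnerable"
    # Branch newer than the report covers: do not guess (assumption of this example)
    return "unknown"


def naive_status(v: str) -> str:
    """The mistake the branch-aware check avoids: comparing against the highest
    fixed version only, which flags patched older branches as vulnerable."""
    return "vulnerable" if parse_version(v) < (2, 25, 2) else "fixed"


if __name__ == "__main__":
    # Constructed sample of version strings, e.g. as pulled from a fleet inventory
    for ver in ["2.22.9", "2.23.5", "2.23.6", "2.24.3", "2.24.4", "2.25.1", "2.25.2", "2.26.0"]:
        print(f"{ver:8} branch-aware={cve_2024_36401_status(ver):10} naive={naive_status(ver)}")
```

Run it against an inventory export rather than against the Internet; the point is the per-branch comparison, which a single "less than 2.25.2" rule gets wrong for 2.23.6 and 2.24.4.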

EURid Reveals its Q2 2024 highlights

EURid, July 16, 2024

EURid’s Q2 2024 report highlights its quarterly achievements and strategic advancements.

Partnership with Shadowserver Alliance: EURid has partnered with this prominent global cybersecurity organization to collectively enhance cybersecurity measures.

Apache HugeGraph-Server RCE Vulnerability Under Active Attack

Cyber Security News, July 16, 2024

Attackers are actively exploiting a critical remote code execution (RCE) vulnerability in Apache HugeGraph-Server, which is tracked as CVE-2024-27348. The vulnerability affects versions 1.0.0 to 1.3.0 of the popular open-source graph database tool.

The flaw, which carries a severe CVSS score of 9.8, allows unauthenticated attackers to execute arbitrary operating system commands on vulnerable servers by exploiting missing reflection filtering in the SecurityManager. This gives attackers complete control over the affected systems, potentially enabling data theft, network infiltration, ransomware deployment, and other malicious activities.

The Shadowserver Foundation has reported observing exploitation attempts of CVE-2024-27348 from multiple sources, specifically targeting the “/gremlin” endpoint with POST requests.