Media Coverage

Shadowserver in the news

256,000+ Publicly Exposed Windows Servers Vulnerable to MSMQ RCE Flaw

GB Hackers, June 13, 2024

Cybersecurity watchdog Shadowserver has identified 256,000+ publicly exposed servers vulnerable to a critical Remote Code Execution (RCE) flaw in Microsoft Message Queuing (MSMQ) services.

The flaw, designated CVE-2024-30080, poses a significant threat to global cybersecurity. It could allow malicious actors to execute arbitrary code on affected systems.

These servers span various industries, including finance, healthcare, and government sectors, highlighting the widespread risk posed by this vulnerability.

How We Cover Your Back

CERT.at, June 10, 2024

As a national CERT, one of our extremely important tasks is to proactively inform network operators about potential or confirmed security issues that could affect Austrian companies.

As you can imagine, handling every possible case would be impossible. Therefore, we focus on the most typical issues and automate much of our processes. Our approach heavily relies on automated data processing and sending notifications via email. To accomplish this, we subscribe to data feeds from partners like ShadowServer. Our partners who conduct scans ensure they do so legally and non-intrusively, typically operating their servers in countries where scanning isn’t prohibited. This is the approach chosen by ShadowServer, our main data source.

If we don’t scan, what exactly is our role? Simply put: we inform YOU.

Over the past year, we developed a process that includes regular meetings of representatives from all involved teams. This new process and a one-time review of existing sources resulted in a significant increase in the types of issues we process. For our main provider, ShadowServer, we doubled the number of processed feeds in the last year, currently supporting about 70 of their feeds.

Critical RCE Vulnerability (CVE-2024-4577) in PHP on Windows: Patch Now Available

SOCRadar, June 8, 2024

A remote code execution (RCE) vulnerability in PHP has been discovered by DEVCORE during their continuous offensive research. Due to the widespread use of PHP in the web ecosystem and the ease of exploitability, the severity of the vulnerability has been classified as critical (CVSS score 9.8). This issue was promptly reported to the PHP official team, who released a patch on June 6, 2024.

On June 7, The Shadowserver Foundation posted a tweet on X (formerly Twitter) that they have observed multiple IPs trying to exploit this vulnerability against their honeypots.

The critical PHP vulnerability, CVE-2024-4577, is currently being exploited to deploy TellYouThePass ransomware.

MIL-OSI Security: FBI Cyber Assistant Director Bryan Vorndran’s Remarks at the 2024 Boston Conference on Cyber Security

foreignaffairs.co.nz, June 6, 2024

First, given the FBI’s history, it should not be surprising that one of our core focuses is investigating and attributing cyber activity to disrupt cybercriminals and raise their cost to operate. Bottom line, we want to punish cybercriminals and take them off of the playing field.

Next, we must gather and operationalize domestic intelligence to bolster victim recovery and support operational activity, or, as we say, we must pressure the common threats we face. We pressure these common threats by initiating joint and sequenced operations and on network operations to fight back against cyber adversaries from a domestic position and as a foothold for USIC [U.S. Intelligence Community] partners to engage. It’s an all-tools/all-partners approach. When I say “all-partners,” I mean it. We look to partner with domestic and global partners in both the public and private sectors. This is how we have the most significant impact on our adversaries.

For instance, in January, the FBI Field Office here in Boston led Operation Dying Ember, an international effort against Russian military intelligence: the GRU. In this case, the GRU was taking advantage of a botnet to target the U.S. government, cleared defense contractors, NATO allies, and the Ukrainian aid shipment network. Our court-authorized technical operation kicked the GRU off more than 1,000 home and small-business routers belonging to unwitting victims all over the world—including here in Massachusetts.

This was an operation we could not have accomplished without corporate partners, particularly Microsoft and the Shadowserver Foundation.

By killing the GRU’s access to a botnet they were using to run cyber operations around the world, we both helped to protect unwitting businesses and individuals and put a dent in Russia’s cyber-enabled intelligence operations.

Largest ever operation against botnets hits dropper malware ecosystem

Europol, May 30, 2024

Between 27 and 29 May 2024 Operation Endgame, coordinated from Europol’s headquarters, targeted droppers including IcedID, SystemBC, Pikabot, Smokeloader, Bumblebee and Trickbot. The actions focused on disrupting criminal services through arresting High Value Targets, taking down the criminal infrastructures and freezing illegal proceeds. This approach had a global impact on the dropper ecosystem.

This is the largest ever operation against botnets, which play a major role in the deployment of ransomware. The operation, initiated and led by France, Germany and the Netherlands, was also supported by Eurojust and involved Denmark, the United Kingdom and the United States. In addition, Armenia, Bulgaria, Lithuania, Portugal, Romania, Switzerland and Ukraine also supported the operation with different actions, such as arrests, interviewing suspects, searches, and seizures or takedowns of servers and domains. The operation was also supported by a number of private partners at national and international level including Bitdefender, Cryptolaemus, Sekoia, Shadowserver, Team Cymru, Prodaft, Proofpoint, NFIR, Computest, Northwave, Fox-IT, HaveIBeenPwned, Spamhaus and DIVD.

911 S5 Botnet Dismantled and Its Administrator Arrested in Coordinated International Operation

US Department of Justice, May 29, 2024

A court-authorized international law enforcement operation led by the U.S. Justice Department disrupted a botnet used to commit cyber attacks, large-scale fraud, child exploitation, harassment, bomb threats, and export violations.

“This Justice Department-led operation brought together law enforcement partners from around the globe to disrupt 911 S5, a botnet that facilitated cyber-attacks, large-scale fraud, child exploitation, harassment, bomb threats, and export violations,” said Attorney General Merrick B. Garland.

“Working with our international partners, the FBI conducted a joint, sequenced cyber operation to dismantle the 911 S5 Botnet—likely the world’s largest botnet ever,” said FBI Director Christopher Wray.

The Department appreciates the significant assistance provided by the Attorney-General’s Chambers of Singapore, Singapore Police Force (SPF), Royal Thai Police, and the Office of the Attorney General and the Anti-Money Laundering Office of the Kingdom of Thailand. The Justice Department’s Office of International Affairs and Money Laundering and Asset Recovery Section provided crucial support to this operation. The Treasury Department’s OFAC also provided support to this operation. Additionally, the Department offers its thanks to Chainalysis, the Shadowserver Foundation, and Microsoft for the assistance provided by each during the investigation and the operation.

CREST Visits the UN

CREST, May 23, 2024

CREST recently visited the UN to take part in discussions throughout the day as part of the UN’s cyber focus group. The UN’s cyber-focused open-ended working group is working towards international agreement on key cyber capability development priorities.

CREST President, Rowland Johnson, and CEO, Nick Benson, attended the working group at the UN HQ in NY on 10 May 2024. Rowland presented on the benefits of consistent international standards for high quality cyber service providers and practitioners.

We were also honoured to be referenced by the UK’s representative who cited the valuable contribution of non-profits including CREST, Global Cyber Alliance, Shadowserver and FIRST.

Under cyber siege: How well are cities protecting themselves?

Mastercard, May 20, 2024

In a recent conversation with Mastercard Newsroom, Rigo Van den Broeck (executive vice president of cybersecurity product innovation at Mastercard) shares what RiskRecon’s research reveals about the current risk landscape for cities and how to better protect critical systems and data.

For cities that scored lower, what are the easiest and most immediate steps they could be taking?

Developing strong cyber hygiene takes time, so it’s always important to evaluate ways to mitigate risks throughout your cybersecurity journey. There are resources that can help cities no matter their size. Cybersecurity agencies at various levels of government and computer emergency response teams have expansive missions that aid in securing the internet. Mastercard also proudly supports several organizations that provide no-cost cybersecurity services, including the CyberPeace Institute, the Global Cyber Alliance, and the Shadowserver Foundation.

Samsons vs Goliaths: the unsung cyber heroes we all rely on

TAG International, May 7, 2024

Like it or not, you rely on the internet. So here’s a not-so-fun-fact: the functioning and security of the internet we all rely on, relies on non-profit organisations, many of which depend on uncertain funding streams and volunteer networks.

We’re talking here about organisations like the Shadowserver Foundation which scans the entire internet every day and reports vulnerabilities, free of charge, to network owners. Or Quad 9, which provides secure Domain Name Services (or an internet ‘address book’) for individuals and companies. Or MITRE, whose ATT&CK knowledge base is the go-to source for defence against cyber attackers.

We, the companies and individuals who get the benefit, just expect the internet to work. Yet the organisations on which we rely to make it work have very real costs, often in the millions of dollars per month. And all of these vital but little acknowledged organisations are funded through grants, donations and intermittent government-funded projects, and all of them suffer the extremes of perpetual funding uncertainty.

The good news is that this precarious model for sustaining a secure and functioning internet is a recognised problem, and is increasingly attracting attention and serious thought. At the forefront of this effort are the incredibly special people at the Global Cyber Alliance, who, rather than simply accepting that this frightening dependency is a hard-wired and permanent norm, are pioneering solutions to address this funding conundrum. This is the essence of the Common Good Cyber initiative.

Maximum-severity GitLab flaw allowing account hijacking under active exploitation

Ars Technica, May 2, 2024

A maximum severity vulnerability that allows hackers to hijack GitLab accounts with no user interaction required is now under active exploitation, federal government officials warned as data showed that thousands of users had yet to install a patch released in January. While exploits require no user interaction, hijackings work only against accounts that aren’t configured to use multifactor authentication. Even with MFA, accounts remained vulnerable to password resets, but the attackers ultimately are unable to access the account, allowing the rightful owner to change the reset password. The vulnerability, tracked as CVE-2023-7028, carries a severity rating of 10 out of 10.

According to Internet scans performed by security organization Shadowserver, more than 2,100 IP addresses showed they were hosting one or more vulnerable GitLab instances. The number of IP addresses showing vulnerable instances has fallen over time. Shadowserver shows that there were more than 5,300 addresses on January 22, one week after GitLab issued the patch.

GitLab users should also remember that patching does nothing to secure systems that have already been breached through exploits. GitLab has published incident response guidance here.