Media Coverage

The cybersecurity community is on high alert after uncovering a serious flaw in Ivanti VPN devices, tracked as CVE-2024-21894. This critical vulnerability holds grave consequences for entities relying on Ivanti for secure remote access. The threat posed by this exploit is considerable, as it could allow unauthorized remote control over affected systems, endangering both operational integrity and the confidentiality of sensitive information. Businesses employing Ivanti’s VPN must act swiftly to implement necessary safeguards.

The Shadowserver Foundation’s extensive network scanning has cast a spotlight on a significant security concern—a widespread vulnerability in the Ivanti VPN software, evidenced by the startling discovery of over 16,000 instances at risk to the critical vulnerability designated as CVE-2024-21894. The Shadowserver Foundation has played a crucial role in unmasking the extent of exposure, which suggests that the issue is not isolated but rather prevalent, raising the alarm on an international scale. Encouragingly, a follow-up check conducted by Shadowserver as of April 7 indicated a reduction in the number of vulnerable instances—to about 10,000.

Shadowserver stands as a key player in the cybersecurity field, relentlessly scanning the internet to pinpoint vulnerabilities. Their role is critical; by detecting and alerting firms to security gaps, they enable proactive defense strategies. Their efforts reflect a significant, broader principle in cybersecurity: collaboration is essential. As a vigilant entity that assists with early threat detection and raises community awareness about evolving digital dangers, Shadowserver functions as a vital component in the fight to protect online environments against nefarious elements. By doing so, they are not just guards but catalysts of collective cyber resilience, underscoring the shared responsibility in defending cyber spaces. Through Shadowserver’s dedication, the digital world becomes a bit more fortified against the constant threat of cyber incursions.

Cybercriminals have actively exploited a critical vulnerability in D-Link Network Attached Storage (NAS) devices globally.

Identified as CVE-2024-3273, this remote code execution (RCE) flaw poses a significant threat to as many as 92,000 devices worldwide.

The exploit allows attackers to execute arbitrary code on vulnerable devices, potentially leading to data theft, device hijacking, and the spread of malware.

D-Link, the manufacturer of the affected NAS devices, has issued a support announcement regarding the vulnerability.

Shadowserver researchers reported that roughly 16,500 Ivanti Connect Secure and Poly Secure gateways are vulnerable to the recently reported RCE flaw CVE-2024-21894.

This week the company released security updates to address four security flaws impacting Connect Secure and Policy Secure Gateways that could result in code execution and denial-of-service (DoS), including CVE-2024-21894. The flaw CVE-2024-21894 (CVSS score 8.2) is a heap overflow vulnerability in IPSec component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure that allows an unauthenticated malicious user to send specially crafted requests in-order-to crash the service thereby causing a DoS attack. In certain conditions this may lead to the execution of arbitrary code.

Shadowserver researchers have scanned the Internet for instances vulnerable to CVE-2024-21894 and reported that about 16,500 are still vulnerable. Most of the vulnerable systems are in the US (4686 at the time of this writing), followed by Japan (2009), and UK (1032).

Common Good Cyber is a global consortium connecting nonprofit, private sector, and government organizations to fund organizations focused on securing Internet infrastructure.

Much of our everyday lives, from banking to turning on the lights, would be impossible if the elaborate infrastructure underpinning the Internet were unavailable. However, unlike the electrical grid or financial institutions, there’s no single entity responsible for maintaining and securing the Internet. Instead, that task falls upon a diverse group of organizations and individuals that preserve this public utility with little funding or subsisting on tight budgets. The stakes are incredibly high, but the amount of resources available for keeping this infrastructure secure falls short.

The goal of Common Good Cyber is to find new ways to build adequate funding into law and policy, business policies and government, and other funding vehicles sufficient to meet the common need for cybersecurity. Supporting organizations include the Cyber Civil Defense Initiative, the Global Cyber Alliance, the Cyber Threat Alliance, the CyberPeace Institute, the Forum of Incident Response and Security Teams, the Institute for Security and Technology, and the Shadowserver Foundation.

A critical Fortinet vulnerability has been actively exploited since at least March 21 and was added to CISA’s Known Exploited Vulnerability catalog on Monday.

In a security advisory on March 12, Fortinet detailed a pre-authentication SQL injection vulnerability tracked as CVE-2023-48788 or what the vendor identifies internally as FR-IG-24-007. On March 21, Fortinet updated the advisory to warn users that CVE-2023-48788 was being exploited in the wild. On Sunday, the Shadowserver Foundation, a cybersecurity nonprofit organization, revealed its internet scans detected several vulnerable instances around the world.

“We have started scanning/reporting Fortinet FortiClient EMS CVE-2023-48788 (pre-auth SQL injection) vulnerable instances. 130 vulnerable found on 2024-03-23 Top: US with 30 IPs,”

That number is potentially higher. Shadowserver noted that its scans only detect the web interface version, and it does not check port 8013 access, which is required for exploitation.

Patching is vital as Fortinet products have been increasingly targeted by threat actors. Last week, exploitation activity escalated for another critical Fortinet flaw tracked as CVE-2024-21762, two days after a proof-of-concept (PoC) exploit was published.

A sweeping vulnerability has been uncovered, leaving an estimated 167,500 instances across various networks susceptible to a Loop Denial of Service (DoS) attack. This discovery underscores the ever-present and evolving threats in the digital landscape, prompting an urgent call to action for organizations worldwide.

The vulnerability was first identified by Shadowserver, a renowned entity in the cybersecurity realm dedicated to identifying and mitigating cyber threats. Through meticulous analysis and monitoring, Shadowserver’s team stumbled upon a pattern of weakness in a staggering number of instances. This flaw, if exploited, could allow attackers to initiate a Loop DoS attack, effectively crippling the targeted systems by overwhelming them with a flood of traffic.

“Today we started sharing data on IPs vulnerable to the novel “Loop DoS” attack discovered by @CISPA. Data is based on DNS, NTP & TFTP protocol scans. Over 167 500 vulnerable instances found on 2024-03-20.”

According to a recent tweet from Shadowserver, there are over 167,500 instances that are vulnerable to the “Loop DoS” attack. In response to this discovery, Shadowserver has issued a call to action for organizations worldwide. System administrators and IT professionals must assess their networks for the identified vulnerabilities and apply necessary patches or updates.

Scans on the public web show that approximately 150,000 Fortinet FortiOS and FortiProxy secure web gateway systems are vulnerable to CVE-2024-21762, a critical security issue that allows executing code without authentication. America’s Cyber Defense Agency CISA confirmed last month that attackers are actively exploiting the flaw by adding it to its Known Exploited Vulnerabilities (KEV) catalog.

Almost a month after Fortinet addressed CVE-2024-21762, The Shadowserver Foundation announced on Thursday that it found nearly 150,000 vulnerable devices. Shadowserver’s Piotr Kijewski told BleepingComputer that their scans check for vulnerable versions, so the number of affected devices may be lower if admins applied mitigations instead of upgrading. According to Shadowserver data, most vulnerable devices, more than 24,000, are in the United States, followed by India, Brazil, and Canada.

As we explore over 20 years worth of publicly disclosed exploited vulnerabilities, the collaborative effort of global security teams becomes increasingly evident.

My latest data visualization underscores the remarkable contributions from organizations worldwide, including: – Government Agencies like Cybersecurity and Infrastructure Security Agency, National Cyber Security Centre, NHS, United States Department of Defense and Australian Cyber Security Centre. – Security Research Projects/Teams such as Palo Alto Networks Unit 42, Google Project Zero, CitizensLab e.V. , FortiGuard Labs, Cisco Talos Intelligence Group, Trend Micro, SANS Institute, Huntress, The Shadowserver Foundation, Akamai Technologies, and so many more.

In an effort to empower security teams, researchers, and the global security community, we’ve curated a comprehensive index comprising of over 8,500+ publicly cited references of vulnerabilities known to have been exploited in the wild.

A critical ConnectWise ScreenConnect vulnerability that enables authentication bypass was used in a Play ransomware breach and an attempted supply chain attack involving LockBit malware, researchers say. One of the attacks targeted a managed service provider (MSP) for a potential wider supply chain breach against its customers, the At-Bay Cyber Research Team revealed in an article Thursday.

Amidst this spate of attacks, more than 3,800 ScreenConnect instances tracked by nonprofit cybersecurity organization Shadowserver remained vulnerable to CVE-2024-1709 as of Feb. 29. Notably, this is less than half the number Shadowserver reported on Feb. 21, when more than 8,200 vulnerable instances were detected

Users of the ConnectWise ScreenConnect remote desktop management tool are under active cyberattack, after a proof-of-concept (PoC) exploit surfaced for a max-critical security vulnerability in the platform. The situation has the potential to blow up into a mass compromise event, researchers are warning. ScreenConnect can be used by tech support and others to authenticate to a machine as though they were the user. As such, it offers a conduit to threat actors looking to infiltrate high-value endpoints and any other areas of corporate networks to which they might have access.

Piotr Kijewski, CEO at the Shadowserver Foundation, confirmed seeing initial exploitation requests in the nonprofit’s honeypot sensors. “Check for signs of compromise (like new users added) and patch!” he stressed via the Shadowserver mailing list, adding that as of Tuesday, a full 93% of ScreenConnect instances were still vulnerable (about 3,800 installations), most of them located in the US.