Media Coverage

Shadowserver in the news

Justice Department announces seizure of domain behind Russian-backed botnet

CNN, June 1, 2018

The Justice Department announced Wednesday that it had seized an internet domain that’s at the center of a Kremlin-backed hacking campaign, largely thwarting the potential weaponization of a network of more than half a million web-connected devices across the globe, experts say. The network of infected devices, or botnet, was one of the largest of its kind, cybersecurity experts say, and capable of intelligence gathering as well as disruptive denial-of-service attacks, which could have cut off internet access to hundreds of thousands of people. The Shadowserver Foundation, will work to scrub and restore them, the Justice Department said.

To Tackle the VPNFilter Botnet, It’s Going to Take Help from You and Me

Internet Society, May 30, 2018

If you’ve been reading the news lately, you might have seen headlines like “FBI to America: Reboot Your Routers, Right Now” or “F.B.I.’s Urgent Request: Reboot Your Router to Stop Russia-Linked Malware”. These headlines can be pretty alarming, and you may find yourself thinking, “things must be pretty bad if the FBI is putting out such an urgent warning.”

FBI to all router users: Reboot now to neuter Russia's VPNFilter malware

ZDNet, May 29, 2018

The FBI is urging small businesses and households to immediately reboot routers following Cisco’s report that 500,000 infected devices could be destroyed with a single command.

FBI takes control over Russia's VPNFilter router botnet

CSO Online, May 25, 2018

The FBI has seized control of a key domain used to control routers infected with ‘VPNFilter’ malware that US and Ukraine have attributed to Kremlin-backed hackers. The Justice Department on Wednesday announced the seizure of a single domain, toknowall[.]com, which served as part of the command and control infrastructure used by VPNFilter, the router malware revealed by Cisco’s Talos Intelligence on Wednesday. The FBI on Tuesday convinced a magistrate to issue a seizure warrant ordering domain registrar Verisign to hand control of the web address to the FBI. The seized domain allows the FBI to capture the IP addresses of infected routers. Non-profit security group, The Shadowserver Foundation, will distribute the IP addresses to various CERTs and ISPs in the US and abroad.

GreyNoise: Knowing the difference between benign and malicious internet scans

CSO Online, May 16, 2018

Researchers hijack huge network of hacked sites that spread ransomware, banking trojans

CSO Online, April 17, 2018

Researchers have severed a link between criminals running the ElTest malware distribution network and computers they infected with ransomware and banking trojans. Researchers at Proofpoint, and have “sinkholed” ElTest, breaking a large network of legitimate but compromised websites that was capable of conducting two million redirects per day to various exploit kits. The attacks targeted Chrome desktop and Chrome on Android, Internet Explorer, and Firefox browsers. is alerting national CERTs around the world while ShadowServer is informing network operators.


Filtering Exploitable Ports and Minimizing Risk from the Internet and from Your Customers

Senki, April 15, 2018

What are you doing to prepare for the next “scanning malware” and “Internet Worm”?

Mapping The Internet

Duo, March 14, 2018

Shadowserver has been running Internet-wide scans on a handful of UDP services to identify servers that could be potentially abused. Shadowserver data currently has the best source of information on how the use of UDP services, particularly UPnP, has evolved over the years, Moore says.

UK law enforcement helps protect networks from cyber crime

CyberAware, March 2, 2018

This week the National Crime Agency (NCA), the police, and a range of partners across industry and the public sector are providing help to the public and small businesses in guarding against cybercrime. The NCA is producing customised intelligence reports in conjunction with the UK’s Computer Emergency Response Team (CERT-UK) and the Shadowserver Foundation to be distributed by regional police forces to local businesses. These reports will inform businesses of the threats on their systems and how to subscribe to live threat update feeds.

Powerful New DDoS Method Adds Extortion

Brian Krebs, March 2, 2018

Attackers have seized on a relatively new method for executing distributed denial-of-service (DDoS) attacks of unprecedented disruptive power, using it to launch record-breaking DDoS assaults over the past week. Now evidence suggests this novel attack method is fueling digital shakedowns in which victims are asked to pay a ransom to call off crippling cyberattacks. Here’s the world at-a-glance, from our friends at