Media Coverage

Shadowserver in the news

Alert - Vulnerability impacting Cisco devices (CVE-2023-20198) - Update 2

Canadian Centre for Cyber Security, October 18, 2023

On October 16, 2023, Cisco reported that a critical, 0-day privilege escalation vulnerability  in the web UI interface  of routers, switches and wireless controllers running IOS XE are being remotely exploited to gain privileged access. This vulnerability is tracked under CVE-2023-20198 and has the maximum security CVSS rating of 10.0. Open source is reporting that thousands of online, vulnerable devices have been compromised. This Alert is being published to raise awareness of this activity, highlight the potential impact to organizations and to provide guidance for organizations who may be impacted by this malicious activity.

Reference 6: Shadowserver IOS XE post

Credential Harvesting Campaign Targets Unpatched NetScaler Instances

Security Week, October 9, 2023

A credential harvesting campaign is targeting Citrix NetScaler gateways that have not been patched against a recent vulnerability, IBM reports. Tracked as CVE-2023-3519 (CVSS score of 9.8), the vulnerability was disclosed in July, but had been exploited since June 2023, with some of the attacks targeting critical infrastructure organizations. By mid-August, threat actors exploited this vulnerability as part of an automated campaign, backdooring roughly 2,000 NetScaler instances. According to the Shadowserver Foundation, at least 1,350 NetScaler instances compromised in previous attacks were appearing in scans last week.

In September, IBM observed a new malicious campaign targeting unpatched NetScaler devices to inject a script on the authentication page and steal user credentials. According to Shadowserver’s scans, there are at least 285 NetScaler instances compromised in this campaign.

Ransomware gangs now exploiting critical TeamCity RCE flaw

Bleeping Computer, October 2, 2023

Ransomware gangs are now targeting a recently patched critical vulnerability in JetBrains’ TeamCity continuous integration and deployment server. The flaw (tracked as CVE-2023-42793 and tagged with a 9.8/10 severity score) allows unauthenticated attackers to gain remote code execution (RCE) after successfully exploiting an authentication bypass weakness in low-complexity attacks that don’t require user interaction.

Security researchers at the nonprofit internet security organization Shadowserver Foundation found 1240 unpatched TeamCity servers vulnerable to attacks.

Ransomware, extortion and the cyber crime ecosystem

National Cyber Security Centre, September 11, 2023

When it comes to cyber security, a lot can change in six years.

In 2017, the National Cyber Security Centre (NCSC) published a detailed report examining the cyber crime business model. Since then, the growth in ransomware and extortion attacks has expanded dramatically, with cyber criminals adapting their business models to gain efficiencies and maximise profits.

This white paper, published by the NCSC and the National Crime Agency (NCA), examines how the tactics of organised criminal groups have evolved as ransomware and extortion attacks have grown in popularity.

Ransomware and the cyber crime ecosystem

National Cyber Security Centre, September 11, 2023

A new white paper, published by the NCSC and the National Crime Agency, examines how the tactics of organised criminal groups (OGCs) have evolved as ransomware and extortion attacks have grown in popularity. It’s particularly aimed at security professionals and resilience sector leads who need to be aware of changes in cyber criminal activity to better protect their systems and inform security policy.

We’d like to thank our industry partners that contributed to the paper, specifically Mandiant, SecureWorks, ShadowServer and PWC.

2023H1 Threat Review: Vulnerabilities, Threat Actors and Malware

Forescout, September 6, 2023

In a new threat briefing report, Forescout Vedere Labs looks back at the most relevant cybersecurity events and data between January 1 and July 31, 2023 (2023H1) to emphasize the evolution of the threat landscape. The activities and data we saw during this period confirm trends we have been observing in our recent reports, including threats to unmanaged devices that are less often studied. Overall, 2023H1 continued the trend of threat actors exploiting an increasingly diverse attack surface.

There were at least 25 CISA vulnerability advisories in the period related to devices used in building automation functions such as access control and power management. Looking into Shadowserver statistics, we see 13 vulnerabilities on building automation devices from nine vendors that are being exploited, while none of them is yet present on CISA’s Known Exploited Vulnerabilities (KEV) catalog.

Rising Cybersecurity Threat Calls for Strategic Realignment in the Public Sector

IT News Africa, September 5, 2023

Africa’s Cybercrime landscape is a cause for great concern. In Interpol’s latest African Cyberthreat Assessment Report it clearly indicates the rising threat of cybercrime for governments. The rapid advancement and interconnectivity of technology is a breeding ground for complex attacks and criminals are exploiting new methods of infiltration in order to access confidential data and sensitive information. Ransomware attacks on public sector entities have crippled major operations and systems incurring exorbitant losses. According to Interpol’s report, the impact of malicious programs should not be underestimated.

The proliferation of ransomware has resulted in a rise in financially motivated cybercrime activities across Africa. This increasingly severe threat will be addressed at the upcoming Public Sector Cybersecurity Summit on 3 October 2023 (#PubliSec2023) in Johannesburg South Africa.

Shadowserver also reported that South Africa is the nation most targeted by ransomware attacks, accounting for 42% of all detected attacks. Morocco is next with 8%, Botswana and Egypt at 6%, Tanzania and Kenya each account for 4% of detected ransomware attacks.

[Information Security Weekly] August 28 to September 1, 2023

iThome Taiwan, September 4, 2023

This week, it was reported that Juniper patched a vulnerability in mid-August. Recently, there have been targeted attacks. In terms of important attack activities and incidents, many information security companies revealed that many incidents were targeted at the Taiwan government and enterprises. 

In this week’s vulnerability news, the information security research team Shadowserver pointed out on the X community platform that Juniper patched the J-Web interface vulnerability CVE-2023-36844 in Junos OS on the 17th, and discovered an attack on the 25th, and on the same day, a proof-of-concept (PoC) attack program was released.

FBI-Led Global Effort Takes Down Massive Qakbot Botnet

Tech Republic, August 30, 2023

A multinational action called Operation “Duck Hunt” — led by the FBI, the Department of Justice, the National Cybersecurity Alliance, Europol, and crime officials in France, Germany, the Netherlands, Romania, Latvia and the U.K. — was able to gain access to the Qakbot network and shut down the malicious botnet, which has affected 700,000 computers worldwide.

Over the course of its more than 15-year campaign, Qakbot (aka Qbot and Pinkslipbot) has launched some 40 worldwide ransomware attacks focused on companies, governments and healthcare operations. The DOJ noted that over just the past year and a half, Qakbot has caused nearly $58 million in damages. As part of the action against Qakbot, the DOJ seized approximately $8.6 million in cryptocurrency in illicit profits.

The DOJ said it received technical assistance from Zscaler and that the FBI partnered with the Cybersecurity and Infrastructure Security Agency, Shadowserver, Microsoft Digital Crimes Unit, the National Cyber-Forensics and Training Alliance, and Have I Been Pwned to aid in victim notification and remediation.

The removal of Qakbot from infected computers is just the first step

Help Net Security, August 30, 2023

The Qakbot botnet has been disrupted by an international law enforcement operation that culminated last weekend, when infected computers started getting untethered from it by specially crafted FBI software. 

The FBI used a computer they control to instruct Tier 1 servers to download and install an FBI-created module that contains a new encryption key, to sever the communication between the Qakbot administrators and the Tier 1 servers and establish communication to an FBI-controlled server. From that server, an additional program is downloaded that uninstalls the Qakbot malware and gathers the computer’s IP address and associated routing information so that the FBI can get in touch with Qakbot victims. 

The list of IPs has been shared with organizations such as The Spamhaus Project, which will notify email service providers and hosting companies responsible for compromised accounts so they can reset the passwords on those accounts, and the Shadowserver Foundation, which will send a report to national computer security incident response team (CSIRTs) and network owners, to help them notify any remaining victims and help them deal with the other malware delivered by Qakbot.