Added 4in6 & 6in4 scans to our Open IP-Tunnel reporting (hosts that accepted unauthenticated packets from an arbitrary source, which can be abused for DoS/other attacks) https://shadowserver.org/what-we-do/network-reporting/open-ip-tunnel-report/
~150K 4in6 open tunnels found (most in Germany)
~1.07M 6in4 open tunnels found
4in6 open tunnel map (2025-01-28):
https://dashboard.shadowserver.org/statistics/combined/map/?map_type=std&day=2025-01-28&source=ip_tunnel&source=ip_tunnel6&tag=4in6&geo=all&data_set=count&scale=log
6in4 open tunnel map (2025-01-28):
https://dashboard.shadowserver.org/statistics/combined/map/?map_type=std&day=2025-01-28&source=ip_tunnel&source=ip_tunnel6&tag=6in4&geo=all&data_set=count&scale=log
4in6 open tunnel tracker:
https://dashboard.shadowserver.org/statistics/combined/time-series/?date_range=30&source=ip_tunnel&source=ip_tunnel6&tag=4in6&dataset=unique_ips&style=stacked
6in4 open tunnel tracker:
https://dashboard.shadowserver.org/statistics/combined/time-series/?date_range=30&source=ip_tunnel&source=ip_tunnel6&tag=6in4&dataset=unique_ips&style=stacked
Background and more details:
https://github.com/vanhoefm/tunneltester
For the last few days we are sharing SimpleHelp CVE-2024-57727 (path traversal vulnerability) instances in our Vulnerable HTTP report: https://shadowserver.org/what-we-do/network-reporting/vulnerable-http-report/
For patch info from SimpleHelp please see https://simple-help.com/kb---security-vulnerabilities-01-2025#security-vulnerabilities-in-simplehelp-5-5-7-and-earlier
We see around 580 vulnerable
https://dashboard.shadowserver.org/statistics/combined/tree/?day=2025-01-26&source=http_vulnerable&source=http_vulnerable6&tag=cve-2024-57727%2B&geo=all&data_set=count&scale=log
For background on CVE-2024-57727 and other vulnerabilities please see https://www.horizon3.ai/attack-research/disclosures/critical-vulnerabilities-in-simplehelp-remote-support-software/
We are sharing backdoored Ivanti Connect Secure devices that may have been compromised as part of a CVE-2025-0282 exploitation campaign (but also we believe may include older or other activity).
379 new backdoored instances found on 2025-01-22:
https://dashboard.shadowserver.org/statistics/combined/tree/?day=2025-01-22&source=compromised_website&source=compromised_website6&tag=cve-2025-0282%2B&geo=all&data_set=count&scale=log
Data shared daily in our Compromised Website report https://www.shadowserver.org/what-we-do/network-reporting/compromised-website-report/ tagged 'backdoor;ivanti-connect-secure'
Dashboard tracker: https://dashboard.shadowserver.org/statistics/combined/time-series/?date_range=7&source=compromised_website&source=compromised_website6&tag=backdoor%2B&dataset=unique_ips&limit=1000&group_by=geo&style=stacked
Make sure to investigate your Ivanti Connect Secure instance if you receive an alert from us! @cisacyber mitigation advice is a good start https://www.cisa.gov/cisa-mitigation-instructions-cve-2025-0282
Thank you to @certfi for the insights and detection methods!
We are sharing daily results of Fortinet CVE-2024-55591 (auth bypass) vulnerable instances in our Vulnerable HTTP report - https://shadowserver.org/what-we-do/network-reporting/vulnerable-http-report/
CVE-2024-55591 is known to be exploited in the wild & on @cisacyber KEV.
Around 50K found vulnerable: https://dashboard.shadowserver.org/statistics/combined/map/?map_type=std&day=2025-01-19&source=http_vulnerable&source=http_vulnerable6&tag=cve-2024-55591%2B&geo=all&data_set=count&scale=log
Our test is based on the methodology published by watchTowr:
https://github.com/watchtowrlabs/fortios-auth-bypass-check-CVE-2024-55591/blob/main/CVE-2024-55591-check.py - thank you!
CVE-2024-55591 vulnerability tracker: https://dashboard.shadowserver.org/statistics/combined/time-series/?date_range=7&source=http_vulnerable&source=http_vulnerable6&tag=cve-2024-55591%2B&dataset=unique_ips&group_by=geo&style=stacked
Fortinet advisory: https://fortiguard.com/psirt/FG-IR-24-535
Make sure to check for signs of compromise!
Additional background: https://arcticwolf.com/resources/blog/console-chaos-targets-fortinet-fortigate-firewalls/
Thank you to Simon Scannell and Max Hils for the collaboration!
We are now sharing rsync instances vulnerable to CVE-2024-12084 RCE (version check only) in our updated daily Accessible Rsync report: https://shadowserver.org/what-we-do/network-reporting/accessible-rsync-report/
Please note even though the report severity is by default MEDIUM, IPs tagged as CVE-2024-12084 have severity level set to CRITICAL
17,475 instances found vulnerable (out of population of 146,844) on 2025-01-16. Top affected: US (5K)
https://dashboard.shadowserver.org/statistics/combined/map/?map_type=std&day=2025-01-16&source=rsync&source=rsync6&tag=cve-2024-12084&geo=all&data_set=count&scale=log
Vulnerability tracker: https://dashboard.shadowserver.org/statistics/combined/time-series/?date_range=7&source=rsync&source=rsync6&tag=cve-2024-12084&dataset=unique_ips&style=stacked
Make sure to patch to the latest version: https://rsync.samba.org
We also enhanced the report with an IPv6 version - 1002 found vulnerable out of a population of 7636 on 2025-01-16.
To view stats, you can select 'rsync' and/or 'rsync6' as source and select the cve-2024-12084 tag on the Dashboard.
Now sharing open IP tunnel hosts in a new daily Open IP-Tunnel report https://shadowserver.org/what-we-do/network-reporting/open-ip-tunnel-report/
These hosts accept tunnelling packets such as IPIP, GRE without authenticating the source IPv4 or IPv6 addr, which can be abused for DoS/other attacks
~436K GRE & ~66K IPIP vulnerable IPs found on 2025-01-14
Geo breakdown (GRE/GRE6):
https://dashboard.shadowserver.org/statistics/combined/tree/?day=2025-01-14&source=ip_tunnel&source=ip_tunnel6&tag=gre&tag=gre*&geo=all&data_set=count&scale=log
Geo breakdown (IPIP/IP6IP6):
https://dashboard.shadowserver.org/statistics/combined/tree/?day=2025-01-14&source=ip_tunnel&source=ip_tunnel6&tag=ip6ip6&tag=ipip&geo=all&data_set=count&scale=log
These vulnerabilities were discovered by Angelos Beitis and Mathy Vanhoef @vanhoefm at the DistriNet Research Unit at KU Leuven University in Belgium. Thank you for the collaboration!
You can find more details on the vulnerabilities at: https://github.com/vanhoefm/tunneltester
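As an added example (not Shadowserver's code and not from the tunneltester project), the following Python classifies raw IP packets into the tunnel tags used in the 4in6/6in4 post above and in this one (ipip, gre, 6in4, ip6ip6, 4in6, gre6) and flags encapsulated packets whose outer source is not a configured peer, which is the check a host should apply before decapsulating. The packet bytes and the peer address are constructed for the example.

```python
import struct
from ipaddress import IPv4Address, IPv6Address

# Map (outer IP version, protocol / next-header value) to the tunnel tags used in the reports.
TUNNEL_TAGS = {
    (4, 4): "ipip", (4, 41): "6in4", (4, 47): "gre",
    (6, 4): "4in6", (6, 41): "ip6ip6", (6, 47): "gre6",
}

def classify_tunnel(packet: bytes):
    """Return (tag, outer_source) for an encapsulated packet, or None if it is not one."""
    version = packet[0] >> 4
    if version == 4 and len(packet) >= 20:
        proto, src = packet[9], str(IPv4Address(packet[12:16]))
    elif version == 6 and len(packet) >= 40:
        proto, src = packet[6], str(IPv6Address(packet[8:24]))
    else:
        return None
    tag = TUNNEL_TAGS.get((version, proto))
    return (tag, src) if tag else None

def audit_tunnel_packets(packets, allowed_peers):
    """Flag tunnel packets whose outer source is not a configured peer (the 'open tunnel' case)."""
    findings = []
    for pkt in packets:
        hit = classify_tunnel(pkt)
        if hit is None:
            continue  # not encapsulated traffic, nothing to decide
        tag, src = hit
        findings.append((tag, src, "ok" if src in allowed_peers else "OPEN"))
    return findings

# Constructed sample packets: minimal outer headers with an empty inner payload.
def ipv4_packet(proto, src, dst):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed)

def ipv6_packet(next_header, src, dst):
    return struct.pack("!IHBB16s16s", 0x60000000, 0, next_header, 64,
                       IPv6Address(src).packed, IPv6Address(dst).packed)

SAMPLE = [
    ipv4_packet(47, "203.0.113.5", "192.0.2.1"),   # GRE from the configured peer
    ipv4_packet(4, "198.51.100.9", "192.0.2.1"),   # IPIP from an arbitrary source
    ipv4_packet(41, "198.51.100.9", "192.0.2.1"),  # 6in4 from an arbitrary source
    ipv6_packet(4, "2001:db8::9", "2001:db8::1"),  # 4in6 from an arbitrary source
    ipv4_packet(6, "198.51.100.9", "192.0.2.1"),   # plain TCP, not a tunnel
]
ALLOWED_PEERS = {"203.0.113.5"}  # assumed: the only peer this host should decapsulate from

if __name__ == "__main__":
    for tag, src, verdict in audit_tunnel_packets(SAMPLE, ALLOWED_PEERS):
        print(f"{verdict:4} {tag:6} outer src {src}")
```

Every entry marked OPEN is a packet the host would decapsulate from an unauthenticated source, which is exactly what the report flags; a real deployment would feed captured packets in place of SAMPLE.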
Current Ivanti Connect Secure CVE-2025-0282 scanning results: around 800 exposed unpatched devices (IPs) seen as of 2025-01-12 (drop from around 2000 seen 2025-01-09)
CVE-2025-0282 vulnerability tracker: https://dashboard.shadowserver.org/statistics/combined/time-series/?date_range=7&source=http_vulnerable&source=http_vulnerable6&tag=cve-2025-0282%2B&dataset=unique_ips&style=stacked
We have started reporting unpatched Ivanti Connect Secure instances likely vulnerable to the new known to be exploited in the wild CVE-2025-0282.
We see 2048 likely vulnerable instances worldwide on 2025-01-09. Top: US
Dashboard overview by country: https://dashboard.shadowserver.org/statistics/combined/tree/?day=2025-01-09&source=exchange&source=exchange6&source=http_vulnerable&source=http_vulnerable6&tag=cve-2025-0282%2B&geo=all&data_set=count&scale=log
Vulnerable IP data is shared daily for your network/constituency in our https://shadowserver.org/what-we-do/network-reporting/vulnerable-http-report/ tagged 'cve-2025-0282'
If you receive an alert from us, make sure to follow @cisacyber mitigation instructions: https://cisa.gov/cisa-mitigation-instructions-cve-2025-0282
Ivanti patch info: https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-CVE-2025-0282-CVE-2025-0283?language=en_US
Thank you to @watchtowrcyber for the insights and collaboration!
UPDATE: After feedback from various National CSIRTs & mail server operators (thank you!), we have identified a number of potential false positives in data being shared. We have suspended the vulnerable POP3/IMAP reports & are working on improvements before restarting reporting
We have started notifying about hosts running POP3/IMAP services without TLS enabled, meaning usernames/passwords are not encrypted when transmitted. We see around 3.3M such cases with POP3 & a similar amount with IMAP (most overlap).
It's time to retire those services!
Data shared in:
Vulnerable POP3 report: https://shadowserver.org/what-we-do/network-reporting/vulnerable-pop3-report/
Vulnerable IMAP report: https://shadowserver.org/what-we-do/network-reporting/vulnerable-imap-report/
Geo breakdown of instances:
POP3 (no encryption): https://dashboard.shadowserver.org/statistics/combined/tree/?day=2024-12-30&source=pop3_vulnerable&source=pop3_vulnerable6&geo=all&data_set=count&scale=log
IMAP (no encryption): https://dashboard.shadowserver.org/statistics/combined/tree/?day=2024-12-30&source=imap_vulnerable&source=imap_vulnerable6&geo=all&data_set=count&scale=log
Note that regardless of whether TLS is enabled or not, service exposure may enable password guessing attacks against the server.
You can find POP3 and IMAP servers that use TLS in our Accessible POP3 https://shadowserver.org/what-we-do/network-reporting/accessible-pop3-report/ &
Accessible IMAP https://shadowserver.org/what-we-do/network-reporting/accessible-imap-report/ reports
The Dutch Digital Trust Center (www.digitaltrustcenter.nl) funded CR4NGO consortium (which we are a part of) recently released the "Cyber Resilience for NGOs: A Collective Intelligence Effort" report.
You can read more about the project & report by following the links below.
Project information: https://humanityhub.net/cyber-resilience-for-ngos/
English version of the report: https://humanityhub.net/wp-content/uploads/2024/11/Cyber-Resilience-NGOs_Threat-Landscape-Report.pdf
Dutch version of the report: https://humanityhub.net/wp-content/uploads/2024/12/Cyberweerbaarheid-van-NGOs.pdf
Thank you to our project partners The Hague Humanity Hub (humanityhub.net), CyberPeace Institute (cyberpeaceinstitute.org) & Connect2Trust (connect2trust.nl) for the collaboration and the continued efforts to strengthen the cyber resilience of Dutch NGOs and beyond!
For the last few days we are scanning & sharing IPs of Cleo Harmony/VLTrader/LexiCom CVE-2024-50623/CVE-2024-55956 vulnerable file transfer instances. These RCE vulnerabilities are being exploited in the wild.
We see around 930 vulnerable in our daily scans. Majority in US.
IP data shared in our Vulnerable HTTP Report: https://shadowserver.org/what-we-do/network-reporting/vulnerable-http-report/
Make sure to review also for compromise if you receive a report from us!
Dashboard tracker: https://dashboard.shadowserver.org/statistics/combined/time-series/?date_range=7&source=http_vulnerable&source=http_vulnerable6&tag=cve-2024-12632%2B&tag=cve-2024-50623%2B&dataset=unique_ips&limit=1000&group_by=tag&style=overlap
Map:
https://dashboard.shadowserver.org/statistics/combined/map/?map_type=std&day=2024-12-14&source=http_vulnerable&source=http_vulnerable6&tag=cve-2024-12632%2B&tag=cve-2024-50623%2B&geo=all&data_set=count&scale=log
Patch to version 5.8.0.24:
https://support.cleo.com/hc/en-us/articles/28408134019735-Cleo-Product-Security-Update-CVE-2024-55956
(note we currently tag cve-2024-55956 as cve-2024-12632. cve-2024-12632 is now rejected as a duplicate of cve-2024-55956. We will replace it with cve-2024-55956 in future scans)
We are seeing large numbers of sources scanning for RDP services - especially port 1098/TCP (!) - in our honeypot sensors last 2 weeks (up to 740 000 (!) distinct source IPs daily, incl up to 405 000 from Brazil).
Tracker: https://dashboard.shadowserver.org/statistics/honeypot/device/time-series/?date_range=30&type=rdp-scan&geo=BR&dataset=unique_ips&limit=1000&group_by=geo&style=stacked
Map of source IPs (2024-12-03): https://dashboard.shadowserver.org/statistics/honeypot/device/map/?day=2024-12-03&type=rdp-scan&geo=all&data_set=count&scale=log
Make sure to limit unnecessary exposure of RDP and enable MFA.
Note recent MS patch Tuesday had multiple fixes for RDP vulnerabilities: CVE-2024-49106, CVE-2024-49108, CVE-2024-49115, CVE-2024-49119, CVE-2024-49120, CVE-2024-49123, CVE-2024-49132, CVE-2024-49116, CVE-2024-49128
We observe many MikroTik routers behind the probes, but these could be other devices/residential proxies behind the routers
Source IPs by device type (in cases where we are able to identify the device type): https://dashboard.shadowserver.org/statistics/honeypot/device/time-series/?date_range=30&type=rdp-scan&dataset=unique_ips&limit=1000&group_by=vendor&style=stacked
We share data on the source IPs doing the scans in our Honeypot RDP Scanner Events report https://shadowserver.org/what-we-do/network-reporting/honeypot-rdp-scanner-events-report/
The file name for that report is event4_honeypot_rdp_scan
Insights welcome!
We are happy to support the Hanover Police Department, the Verden Public Prosecutor's Office, Europol & other LE agencies in the takedown of "Manson Market". Hats off to all involved in the operation!
https://presseportal.de/blaulicht/pm/66841/5924114
https://europol.europa.eu/media-press/newsroom/news/fraudulent-shopping-sites-tied-to-cybercrime-marketplace-taken-offline
Great to have our cybersecurity capacity building work in the Indo-Pacific featured in UK Gov's CSSF Annual Report
https://www.gov.uk/government/publications/conflict-stability-and-security-fund-annual-report-2023-to-2024/conflict-stability-and-security-fund-annual-report-2023-to-2024#transnational-threats
We encourage all nCSIRTs and network owners (large and small) to sign up for our free daily reports on your network space here: https://www.shadowserver.org/what-we-do/network-reporting/get-reports/
Together with our funding partners we strive to make the Internet safer globally by enabling its defenders.
Please check out our interview on Shadowserver & our unique non-profit approach to raising the bar on cybersecurity worldwide by sharing free threat intelligence, supporting LE in disrupting cybercrime & cybersecurity capacity building all around the planet!
https://www.helpnetsecurity.com/2024/12/05/piotr-kijewski-shadowserver-foundation-secure-internet/
We are excited to welcome Nihon Cyber Defence as a new Shadowserver Alliance partner (Bronze tier).
We look forward to raising the bar on cybersecurity together!
Read more about Nihon Cyber Defence: https://nihoncyberdefence.co.jp/en/
Shadowserver Alliance details: https://www.shadowserver.org/partner/
Heads-up! Thanks to collaboration with the Saudi National Cybersecurity Authority (NCA) we are now scanning & reporting Palo Alto Networks devices COMPROMISED as a result of a CVE-2024-0012/CVE-2024-9474 campaign.
We found ~2000 instances compromised on 2024-11-20:
https://dashboard.shadowserver.org/statistics/combined/map/?map_type=std&day=2024-11-20&source=compromised_website&source=compromised_website6&tag=panos-compromised%2B&geo=all&data_set=count&scale=log
Top affected: US & India
We are sharing IP data tagged 'panos-compromised' in our daily Compromised Website report, filtered by your network/constituency https://shadowserver.org/what-we-do/network-reporting/compromised-website-report/
We appreciate feedback on any IoCs you may find as a result of investigations based on our reporting
Background: https://unit42.paloaltonetworks.com/cve-2024-0012-cve-2024-9474/
We have started to report Palo Alto Networks devices still vulnerable to CVE-2024-0012 in our Vulnerable HTTP reports (filtered by network/constituency of recipient): https://shadowserver.org/what-we-do/network-reporting/vulnerable-http-report/
~2700 found vulnerable on 2024-11-20: https://dashboard.shadowserver.org/statistics/combined/tree/?day=2024-11-20&source=http_vulnerable&source=http_vulnerable6&tag=cve-2024-0012%2B&geo=all&data_set=count&scale=log
Top affected: US & India
Thanks to @watchtowrcyber for the insights!
Please check for compromise if you receive a report from us for your device.
Patch info: https://security.paloaltonetworks.com/CVE-2024-0012
https://security.paloaltonetworks.com/CVE-2024-9474