The Shadowserver Foundation


@shadowserver.bsky.social

Our mission is to make the Internet more secure by bringing to light vulnerabilities, malicious activity and emerging threats. Join our Alliance!
https://shadowserver.org/partner
We are observing Apache HugeGraph-Server CVE-2024-27348 RCE "POST /gremlin" exploitation attempts from multiple sources. PoC code has been public since early June. If you run HugeGraph, make sure to update: lists.apache.org/thread/nx6g6... NVD entry: nvd.nist.gov/vuln/detail/...
We are reporting out OpenSSH servers potentially vulnerable to CVE-2024-6387 RCE (“regreSSHion”): shadowserver.org/what-we-do/n... ~4.5M hosts possibly vulnerable as of 2024-07-02 (out of over 23.5M seen) dashboard.shadowserver.org/statistics/c... Details: qualys.com/2024/07/01/c...
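The post above reports hosts that are "potentially" vulnerable, because a scan sees only the server banner. The following Python is an added illustration, not Shadowserver's scanner code, of how a banner is mapped onto the affected version ranges published in the Qualys advisory linked in the post (below 4.4p1 unless patched for the original bug, 8.5p1 up to but not including 9.8p1, fixed in 9.8p1). The sample banners are constructed, and the treatment of a banner without a portable "pN" suffix as OpenBSD's native sshd is an assumption of this example.

```python
"""Classify OpenSSH server banners against the CVE-2024-6387 ("regreSSHion")
affected version ranges. Added illustration only; not Shadowserver's scanner code."""
import re
from collections import Counter

# Affected ranges as published in the Qualys advisory, expressed as
# (major, minor, portable-patch) tuples:
#   < 4.4p1            vulnerable unless already patched for CVE-2006-5051 / CVE-2008-4109
#   4.4p1 ..< 8.5p1    not affected (the CVE-2006-5051 fix was in place)
#   8.5p1 ..< 9.8p1    vulnerable (the regression)
#   >= 9.8p1           fixed
OLD_FIX = (4, 4, 1)
REGRESSION_START = (8, 5, 1)
FIXED = (9, 8, 1)

BANNER_RE = re.compile(r"^SSH-[\d.]+-OpenSSH_(\d+)\.(\d+)(?:p(\d+))?\s*(.*)$")


def classify(banner: str) -> dict:
    """Return a status for one server banner, e.g. 'SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.4'."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return {"status": "not_openssh", "version": None, "suffix": "", "verify_backport": False}
    major, minor, patch, suffix = m.groups()
    if patch is None:
        # No portable "pN" suffix: assumed to be OpenBSD's native sshd, which the
        # advisory lists as not affected (assumption: no vendor strips the suffix).
        return {"status": "not_affected", "version": f"{major}.{minor}", "suffix": suffix,
                "verify_backport": False}
    v = (int(major), int(minor), int(patch))
    if v >= FIXED:
        status = "fixed"
    elif v >= REGRESSION_START:
        status = "potentially_vulnerable"
    elif v >= OLD_FIX:
        status = "not_affected"
    else:
        status = "potentially_vulnerable_legacy"
    # A vendor suffix such as "Debian-2+deb12u3" can carry a backported fix that
    # the upstream version number does not reveal, which is why a banner-only
    # result for an affected range is only ever "potentially" vulnerable.
    return {
        "status": status,
        "version": f"{major}.{minor}p{patch}",
        "suffix": suffix,
        "verify_backport": bool(suffix) and status.startswith("potentially"),
    }


# Constructed sample banners, not real scan data.
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.4",
    "SSH-2.0-OpenSSH_9.8p1",
    "SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.11",
    "SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u3",
    "SSH-2.0-OpenSSH_7.4",
    "SSH-2.0-OpenSSH_4.3p2 Debian-9",
    "SSH-2.0-dropbear_2022.83",
]


def summarize(banners) -> Counter:
    """Count banners per status, the way a seen-population vs. possibly-vulnerable split is reported."""
    return Counter(classify(b)["status"] for b in banners)


if __name__ == "__main__":
    for b in SAMPLE_BANNERS:
        print(f"{b:45s} -> {classify(b)}")
    print(summarize(SAMPLE_BANNERS))
```

Hosts flagged with `verify_backport` need a check against the vendor's package changelog or an actual patch-level test; the banner alone cannot distinguish a distro-patched 9.6p1 from an unpatched one.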
We have started observing Zyxel NAS CVE-2024-29973 RCE exploitation attempts by a Mirai-like botnet in our sensors. Zyxel has released patches for this and other vulnerabilities (though affected products are EOL): zyxel.com/global/en/su... Review for signs of compromise and patch!

Zyxel security advisory for multiple vulnerabilities in NAS products | Zyxel Networks (zyxel.com)

CVEs: CVE-2024-29972, CVE-2024-29973, CVE-2024-29974, CVE-2024-29975, CVE-2024-29976

Summary
Zyxel has released patches addressing command injection and remote code execution vulnerabilities in two NAS products that have reached end-of-vulnerability-support. Users are advised to install them for optimal protection.

What are the vulnerabilities?

CVE-2024-29972 **UNSUPPORTED WHEN ASSIGNED** This command injection vulnerability in the CGI program “remote_help-cgi” in Zyxel NAS326 and NAS542 devices could allow an unauthenticated attacker to execute some operating system (OS) commands by sending a crafted HTTP POST request.

CVE-2024-29973 **UNSUPPORTED WHEN ASSIGNED** This command injection vulnerability in the “setCookie” parameter in Zyxel NAS326 and NAS542 devices could allow an unauthenticated attacker to execute some OS commands by sending a crafted HTTP POST request.

CVE-2024-29974 **UNSUPPORTED WHEN ASSIGNED** This remote code execution vulnerability in the CGI program “file_upload-cgi” in Zyxel NAS326 and NAS542 devices could allow an unauthenticated attacker to execute arbitrary code by uploading a crafted configuration file to a vulnerable device.

CVE-2024-29975 **UNSUPPORTED WHEN ASSIGNED** This improper privilege management vulnerability in the SUID executable binary in Zyxel NAS326 and NAS542 devices could allow an authenticated local attacker with administrator privileges to execute some system commands as the “root” user on a vulnerable device.

CVE-2024-29976 **UNSUPPORTED WHEN ASSIGNED** This improper privilege management vulnerability in the command “show_allsessions” in Zyxel NAS326 and NAS542 devices could allow an authenticated attacker to obtain a logged-in administrator’s session information containing cookies on an affected device.

What versions are vulnerable—and what should you do?
Due to the critical severity of vulnerabilities CVE-2024-29972, CVE-2024-29973, and CVE-2024-29974, Zyxel has made patches available to customers with extended support as outlined in the table below, despite the products already having reached end-of-vulnerability-support*.

Affected model | Affected version              | Patch availability
NAS326         | V5.21(AAZF.16)C0 and earlier  | V5.21(AAZF.17)C0
NAS542         | V5.21(ABAG.13)C0 and earlier  | V5.21(ABAG.14)C0

*Both NAS326 and NAS542 reached end-of-vulnerability-support on Dec. 31, 2023.

Got a question? Please contact your local service rep or visit Zyxel’s Community for further information or assistance.

Acknowledgment
Thanks to Timothy Hjort from Outpost24 for reporting the issues to us.

Revision history
2024-6-4: Initial release.

Same botnet now also targeting Netis MW5360 routers with a CVE-2024-22729 CVSS 9.8 command injection RCE. NVD entry: nvd.nist.gov/vuln/detail/...
Running Redis in the cloud? P2Pinfect malware has been making the rounds recently infecting vulnerable Redis installations: cadosecurity.com/blog/from-do... As a reminder, we scan for open Redis installations & now see over 40K daily (with no auth): dashboard.shadowserver.org/statistics/c...
Very shortly after vulnerability details were published today, we started observing Progress MOVEit Transfer CVE-2024-5806 POST /guestaccess.aspx exploit attempts. If you run MOVEit & have not patched yet - please do so now: community.progress.com/s/article/MO... NVD: nvd.nist.gov/vuln/detail/...
MS CVE-2024-30080 update: You can track increased interest in MSMQ services as seen by our honeypot sensors dashboard.shadowserver.org/statistics/c... While we have not seen actual exploitation, more details about the CVSS 9.8 RCE vulnerability have been made public, making exploitation more likely.
Critical Microsoft Message Queuing (MSMQ) Remote Code Execution (RCE) vulnerability CVE-2024-30080 ~256,000 publicly exposed devices: dashboard.shadowserver.org/statistics/c... dashboard.shadowserver.org/statistics/c... Note: above is just the population exposed, not necessarily vulnerable
We are scanning/sharing VMware vCenter CVE-2024-37079 & CVE-2024-37078 vulnerable instances. 1220 unpatched instances found 2024-06-20. Note these are only remotely exploitable if DCERPC is also exposed (486 cases) dashboard.shadowserver.org/statistics/c... support.broadcom.com/web/ecx/supp...
We are very happy to welcome Trivest AG as a new Shadowserver Alliance partner (Bronze tier). We look forward to raising the bar on cybersecurity together! Read more about Trivest AG: www.trivest.at Alliance partnership details: shadowserver.org/partner/
We are also scanning for SolarWinds Serv-U Directory Traversal Vulnerability CVE-2024-28995. As of 2024-06-15, 942 exposed instances vulnerable - down from 1191 when we first started scanning/reporting. dashboard.shadowserver.org/statistics/c... dashboard.shadowserver.org/statistics/c...
As part of Operation Endgame we shared a second one-off Special Report on SystemBC bot infections: shadowserver.org/what-we-do/n... Dashboard map view: dashboard.shadowserver.org/statistics/c... Details on Operation Endgame coordinated by Europol EC3: europol.europa.eu/media-press/...
As part of Operation Endgame we shared a second one-off Special Report on IcedID/Latrodectus bot infections: shadowserver.org/what-we-do/n... Dashboard map view: dashboard.shadowserver.org/statistics/c... Details on Operation Endgame coordinated by Europol EC3: europol.europa.eu/media-press/...
Attention! We see multiple IPs testing PHP/PHP-CGI CVE-2024-4577 (Argument Injection Vulnerability) against our honeypot sensors starting today, June 7th. Vulnerability affects PHP running on Windows. Patches released June 6th: php.net Exploit PoC is public.
We are observing Progress Telerik Report Server CVE-2024-4358 auth bypass exploitation attempts in our honeypot sensors starting 5th June. We have also started reporting out vulnerable versions seen in our scans (89 seen on 5th June out of 95 exposed). dashboard.shadowserver.org/statistics/c...
As part of Operation Endgame we shared an initial one-off Special Report on SystemBC bot infections: shadowserver.org/what-we-do/n... Dashboard map view: dashboard.shadowserver.org/statistics/c... Details on Operation Endgame coordinated by Europol EC3: europol.europa.eu/media-press/...
As part of Operation Endgame we shared an initial one-off Special Report on IcedID/Latrodectus bot infections: shadowserver.org/what-we-do/n... Dashboard map: dashboard.shadowserver.org/statistics/c... Details on Operation Endgame coordinated by Europol EC3: europol.europa.eu/media-press/...
Heads up! As part of Operation Endgame we are sharing Smokeloader malware infections in our daily sinkhole reports. Current Dashboard world map view: dashboard.shadowserver.org/statistics/c... Details on Operation Endgame coordinated by Europol EC3: europol.europa.eu/media-press/...
Attention: We are sharing current 911 SOCKS5 Proxy infections daily in our sinkhole reports. For more details behind the recent disruption led by the US Department of Justice see: justice.gov/opa/pr/911-s... Dashboard world map view of current infections: dashboard.shadowserver.org/statistics/c...
As a reminder, you can also track the top vulnerabilities daily that we see being used for exploitation attempts against our honeypot sensors: dashboard.shadowserver.org/statistics/h... (sorted by unique source IPs seen)
You can now track Check Point CVE-2024-24919 attack activity on our Dashboard at dashboard.shadowserver.org/statistics/h... In the last 72 hours, 26 src IPs seen attempting exploitation. Make sure to check for compromise & update! Advisory & hot fix details - support.checkpoint.com/results/sk/s...
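The honeypot trackers referred to in the two posts above rank vulnerabilities by unique source IPs seen over a window (for instance "26 src IPs in the last 72 hours"), rather than by raw hit count. The following Python is an added example, not Shadowserver's code or data format, of that aggregation over constructed sensor records: one JSON object per line with a UTC timestamp, a source IP from the documentation ranges and a vulnerability tag. The record layout, the `NOW` reference time and the sample values are assumptions of this example.

```python
"""Rank exploitation attempts seen by honeypot sensors by the number of distinct
source IPs per tracked vulnerability inside a time window. Added illustration;
the record format below is constructed and is not Shadowserver's data format."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import json

# Constructed sample sensor records. CVE-2024-5806 is hit six times, but all from
# one scanner, so it ranks last once sorted by unique sources; the 2024-06-03
# CVE-2024-24919 record falls outside a 72-hour window ending at NOW.
SAMPLE_LOG = """\
{"ts": "2024-06-07T10:00:00Z", "src_ip": "203.0.113.5", "tag": "CVE-2024-27348"}
{"ts": "2024-06-07T10:05:00Z", "src_ip": "203.0.113.5", "tag": "CVE-2024-27348"}
{"ts": "2024-06-07T11:00:00Z", "src_ip": "198.51.100.7", "tag": "CVE-2024-27348"}
{"ts": "2024-06-06T09:30:00Z", "src_ip": "192.0.2.44", "tag": "CVE-2024-27348"}
{"ts": "2024-06-07T12:00:00Z", "src_ip": "203.0.113.9", "tag": "CVE-2024-24919"}
{"ts": "2024-06-05T01:00:00Z", "src_ip": "198.51.100.21", "tag": "CVE-2024-24919"}
{"ts": "2024-06-03T23:00:00Z", "src_ip": "192.0.2.8", "tag": "CVE-2024-24919"}
{"ts": "2024-06-07T13:00:00Z", "src_ip": "198.51.100.99", "tag": "CVE-2024-5806"}
{"ts": "2024-06-07T13:01:00Z", "src_ip": "198.51.100.99", "tag": "CVE-2024-5806"}
{"ts": "2024-06-07T13:02:00Z", "src_ip": "198.51.100.99", "tag": "CVE-2024-5806"}
{"ts": "2024-06-07T13:03:00Z", "src_ip": "198.51.100.99", "tag": "CVE-2024-5806"}
{"ts": "2024-06-07T13:04:00Z", "src_ip": "198.51.100.99", "tag": "CVE-2024-5806"}
{"ts": "2024-06-07T13:05:00Z", "src_ip": "198.51.100.99", "tag": "CVE-2024-5806"}
"""

# Assumed reference time for the window (a real tracker would use the current time).
NOW = datetime(2024, 6, 8, 0, 0, tzinfo=timezone.utc)


def parse_records(text: str):
    """Yield dicts with the 'ts' field converted to an aware UTC datetime."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield rec


def rank_by_unique_sources(records, now=NOW, window_hours: int = 72):
    """Return [(tag, unique_src_ips, total_hits)] for records inside the window,
    sorted by unique source IPs (then hits) so one noisy scanner cannot push
    a single tag to the top of the list."""
    cutoff = now - timedelta(hours=window_hours)
    sources = defaultdict(set)
    hits = defaultdict(int)
    for r in records:
        if not (cutoff <= r["ts"] <= now):
            continue
        sources[r["tag"]].add(r["src_ip"])
        hits[r["tag"]] += 1
    rows = [(tag, len(ips), hits[tag]) for tag, ips in sources.items()]
    rows.sort(key=lambda row: (-row[1], -row[2], row[0]))
    return rows


def top_exploited(log_text: str = SAMPLE_LOG, now=NOW, window_hours: int = 72):
    return rank_by_unique_sources(parse_records(log_text), now, window_hours)


if __name__ == "__main__":
    for tag, uniq, total in top_exploited():
        print(f"{tag:16s} unique_src_ips={uniq:3d} hits={total:3d}")
```

Sorting by unique sources is what separates a spreading botnet from a single researcher's scanner; the `total_hits` column is kept beside it so the difference stays visible.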
As of the end of last week, we are sharing IPs of PlugX infected machines in our daily sinkhole reports thanks to collaboration with Sekoia: shadowserver.org/what-we-do/n... Background at blog.sekoia.io/unplugging-p... Dashboard stats (~9K hosts daily): dashboard.shadowserver.org/statistics/c...
Coming to #RSAC? Please join us at the Cyber Nonprofits Reception Tuesday, May 7th 6PM-7:30PM to chat with us and others on the role nonprofits play in making the Internet more secure for everyone. All are welcome! #RSAC2024 #cybersecurity
The INTERPOL 10th Africa Working Group Meeting on Cybercrime for Heads of Units (#10AWGC) is ongoing & full on in Abuja. Be in no doubt, cybercrime is taken seriously. Trust & cooperation being forged across #Africa! Honoured to contribute! #cybersecurity
Attention: we are sharing a one-off special report on Cactus ransomware group campaign targeting Qlik Sense (data viz & business intelligence tool): shadowserver.org/what-we-do/n... 2894 IPs found vulnerable to CVE-2023-48365; 91 IPs found compromised by Cactus ransomware group.
We are also sharing both vulnerable & compromised Qlik Sense instances daily now. Dashboard tracker (vulnerable): dashboard.shadowserver.org/statistics/c... Dashboard tracker (compromised): dashboard.shadowserver.org/statistics/c...
Congratulations @craignewmark.bsky.social on receiving the Cyber Philanthropist of the Year Award in recognition of outstanding contributions to cybersecurity and policy through #CyberCivilDefense! www.youtube.com/watch?v=V8IR...
Thank you Craig Newmark! Reflections on Cyber Civil Defense (www.youtube.com)
On April 24, 2024, Craig Newmark was presented with the Cyber Policy Award for Cyber Philanthropy/ist of the Year, a recognition of his commitment to advancing the global digital ecosystem's safety, security, and the rule of law through the Cyber Civil Defense initiative. Organizations from across the cyber policy ecosystem came together to reflect on what cyber civil defense means to them, recognize Craig's impact, and thank him for his efforts. "From all of us at the Cyber Civil Defense Initiative, thank you Craig for all that you do to make the world a safer, more cybersecure place," concluded IST Chief Strategy Officer Megan Stifel.
Thank you to the following participants:
Suzanne Spaulding: Director, Defending Democratic Institutions Project, Center for Strategic and International Studies
Megan Stifel: Chief Strategy Officer, Institute for Security and Technology and Executive Director, Ransomware Task Force
Philip Reitinger: President & CEO, Global Cyber Alliance
Tod Eberle: Alliance Director, Shadowserver Foundation
Vivian Yu: STEM Program Manager, Girl Scouts of Greater New York
Lorrie Cranor: Director and Bosch Distinguished Professor in Security and Privacy Technologies, CyLab, Carnegie Mellon University
Stacey Higginbotham: Policy Fellow, Consumer Reports
Katharine Brooks: Director, Global Cyber Policy, Aspen Institute
Ally Armeson: Executive Director of Programs, Cybercrime Support Network
Ann Cleaveland: Executive Director, UC Berkeley’s Center for Long-Term Cybersecurity
Tarika Barrett: Chief Executive Officer, Girls Who Code
J. Michael Daniel: President & CEO, Cyber Threat Alliance
Rebekah Skeete: Chief Operating Officer, Black Girls Hack
Lauren Bean Buitta: Founder and CEO, Girl Security
Learn more about the Cyber Policy Awards: https://securityandtechnology.org/inaugural-cyber-policy-awards/
We are now sharing CrushFTP CVE-2024-4040 (CrushFTP VFS Sandbox Escape Vulnerability) vulnerable instances. At least 1400 vulnerable on 2024-04-24. CVE-2024-4040 is currently exploited in the wild & on US CISA KEV. Top affected: US, Germany, Canada dashboard.shadowserver.org/statistics/c...