The Shadowserver Foundation

@Shadowserver

Followers: 19,164 | Following: 0 | Media: 421 | Statuses: 1,905

Our mission is to make the Internet more secure by bringing to light vulnerabilities, malicious activity and emerging threats. Join our Alliance!

Global
Joined March 2009
@Shadowserver
The Shadowserver Foundation
2 years
We are reporting out Microsoft Exchange servers still likely vulnerable to CVE-2022-41082 #ProxyNotShell. Nearly 70K IPs found without MS patches applied (based on version info). Previously recommended mitigation techniques can be bypassed by attackers
@Shadowserver
The Shadowserver Foundation
1 year
We see over 7100 Cisco routers vulnerable to compromise through CVE-2017-6742. While old, this vulnerability is actively exploited by APT28 to deploy malware as detailed in the UK NCSC’s Jaguar Tooth malware analysis report: Most in France, Nigeria & USA.
@Shadowserver
The Shadowserver Foundation
1 year
At least 20.3K Fortinet devices likely vulnerable to CVE-2023-27997 (heap buffer overflow in sslvpn pre-authentication) seen in our scans (on 2023-06-12) Fortinet advisory: Dashboard: Make sure to update your FortiOS/FortiProxy!
@Shadowserver
The Shadowserver Foundation
11 months
Cisco CVE-2023-20198 exploitation activity: We see over 32.8K Cisco IOS XE IPs compromised with implants based on the check published by Cisco in IP data on implants shared out daily in: tagged 'device-implant'.
@Shadowserver
The Shadowserver Foundation
10 months
We are reporting Microsoft Exchange Server CVE-2023-36439 vulnerable IPs (post-auth RCE). Over 63K vulnerable worldwide. Patch released Nov 14th - IP data for your constituency in Dashboard tracker -
@Shadowserver
The Shadowserver Foundation
9 months
We are sharing out Microsoft Exchange Servers that have reached end-of-life (i.e., end of extended support, with no security updates issued). Still nearly 20K IPs found (!). Top countries: US & Germany. Country breakdown:
@Shadowserver
The Shadowserver Foundation
3 months
Critical Microsoft Message Queuing (MSMQ) Remote Code Execution (RCE) vulnerability CVE-2024-30080 ~256,000 publicly exposed devices: Check our free Accessible MSMQ Service Report & patch immediately:
@Shadowserver
The Shadowserver Foundation
2 years
We are thrilled to announce the official launch of our new Shadowserver Alliance enabling us to sustain & scale up delivery of no cost cybersecurity & threat intelligence services to Internet defenders & LE worldwide! Join here:
@Shadowserver
The Shadowserver Foundation
4 years
@Shadowserver urgently needs your financial support to move data center before May 26th, to be able to continue providing public benefit services. Please help #saveshadowserver and help secure the Internet! #shadowserver #infosec #CyberSecurity #appeal
@Shadowserver
The Shadowserver Foundation
10 months
As a PoC exploit was recently published for Microsoft Exchange CVE-2023-36745, we are now reporting servers seen with that vulnerability (version check only). At least 23.5K instances (by unique IP) vulnerable. Data shared in Vulnerable Exchange report:
@Shadowserver
The Shadowserver Foundation
1 year
Now sharing vulnerable Ivanti MobileIron Core instances. CVE-2023-35078 is a CVSS 10.0 pre-auth RCE exploited in the wild. If you received a report for your network from us - patch immediately! Details - We see 2729 vulnerable unique IPs on 2023-07-24.
@Shadowserver
The Shadowserver Foundation
8 months
We are sharing SSH CVE-2023-48795 (Terrapin attack) vulnerable instances found in our IPv4/IPv6 scans in our Accessible SSH report: Nearly 11M instances (by unique IP) found vulnerable (~52%). Background on the vulnerability:
@Shadowserver
The Shadowserver Foundation
2 months
Very shortly after vulnerability details were published today we started observing Progress MOVEit Transfer CVE-2024-5806 POST /guestaccess.aspx exploit attempts. If you run MOVEit & have not patched yet - please do so now: NVD:
@Shadowserver
The Shadowserver Foundation
10 months
UPDATE: Improved Cisco IOS XE Web UI CVE-2023-20198 implant detection, after threat actor modified their compromised device config (hat tip to @foxit). 30,487 unique IPs on 2023-10-23. Latest data in tonight's compromised website report. Dashboard stats updated after end of day.
@Shadowserver
The Shadowserver Foundation
2 years
It’s here! Our new Dashboard lets you explore some of our Internet-scale data sets: scanning for exposed services, large honeypot sensor networks for detecting attacks, botnet sinkholing & more. A special thank you to UK FCDO @LondonCyber for funding!
@Shadowserver
The Shadowserver Foundation
9 months
We are sharing out a Special Report on Compromised SSH hosts detected through leakage of malicious public SSH keys placed on them by attackers: 3327 compromised hosts detected on IPv4/IPv6 using this methodology. For background:
@Shadowserver
The Shadowserver Foundation
1 year
Around 394 000 IPs with accessible BGP service on port 179/TCP found worldwide in our daily scans. These should have ACLs put in place to allow connections only from their BGP neighbors. Most found in China (109.3K) and the US (74.4K).
@Shadowserver
The Shadowserver Foundation
10 months
Using Splunk or Elasticsearch? We have released a Splunk Modular Input Add-On for indexing our daily feeds & ECS logging script to make it easier to integrate with our reports API. Splunk integration: Elasticsearch integration:
@Shadowserver
The Shadowserver Foundation
2 years
We have started sharing out daily info on exposed .git folders that we find. We scan by sending a GET /.git/config request. IP data in our Vulnerable HTTP report: Around 114K found on 2022-11-06, most in US (42.2K).
@Shadowserver
The Shadowserver Foundation
2 years
Our ICS exposed attack surface scanning project so far uncovers over 67K devices daily on the Internet responding to one of 17 specialized ICS/OT protocol probes. Nearly half (32K) are in the United States. These should not be exposed on the Internet!
@Shadowserver
The Shadowserver Foundation
9 months
At least 539 Unitronics PLC instances (port 20256/tcp) still publicly exposed worldwide (2023-12-02 scan). Unitronics PLC instances have been targeted recently as part of attacks against Water & Wastewater systems. (see @CISACyber @WaterISAC alert)
@Shadowserver
The Shadowserver Foundation
8 months
We are starting regular reporting of ransomware victims (published by ransomware actors on their public data leak sites) to National CSIRTs & LE agencies subscribed to our daily feeds - Enabled as part of EU ISF MISP-LEA project:
@Shadowserver
The Shadowserver Foundation
1 year
Now scanning for exposed Microsoft Message Queuing (MSMQ) services on IPv4/IPv6. Over 403K found on 2023-04-12. Filter traffic to port 1801/TCP & apply MS patch! IP data shared for your network/constituency in Accessible MSMQ report going out tomorrow -
@_CPResearch_
Check Point Research
1 year
🚨 We discovered 3 vulnerabilities in Microsoft Message Queuing (MSMQ) service, including #QueueJumper (CVE-2023-21554), a Critical vulnerability that could allow unauthorized attackers to remotely execute code. More details in our blog 👉 #PatchNow
@Shadowserver
The Shadowserver Foundation
10 months
We are also scanning & reporting VMware vCenter CVE-2023-34048 (CVSS 9.8 RCE) IPs. On 2023-11-04, 1402 instances without patches. Out of these, 741 have DCERPC accessible (not firewalled) which means they are remotely exploitable!
@Shadowserver
The Shadowserver Foundation
3 years
Cyclops Blink: modular #malware framework targeting network devices announced as potential replacement for VPNFilter. New Special Report run today contains 1573 victim IPs in 495 ASNs & 70 countries, plus 25 C2s: Urgent remediation needed! #ThreatIntel
@Shadowserver
The Shadowserver Foundation
7 months
Ivanti Connect Secure CVE-2024-22024 activity: we started seeing exploitation attempts to '/dana-na/auth/saml-sso.cgi' Feb 9th, around 8 UTC, shortly after PoC publication. These are primarily callback tests. 47 IPs seen to date. See Ivanti advisory:
@Shadowserver
The Shadowserver Foundation
1 year
Heads-up: We continue to report out daily lists of Citrix ADC/Gateway IPs that are known to be compromised with webshells installed (CVE-2023-3519 attacks). We see 581 instances on 2023-08-01. Data for your network in Dashboard:
@Shadowserver
The Shadowserver Foundation
4 months
Attention: we are sharing a one-off special report on Cactus ransomware group campaign targeting Qlik Sense (data viz & business intelligence tool): 2894 IPs found vulnerable to CVE-2023-48365; 91 IPs found compromised by Cactus ransomware group
@Shadowserver
The Shadowserver Foundation
6 months
IntelMQ is a solution for Internet defenders for collecting & processing security feeds using a message queuing protocol. Happy to support the latest release of (3.3.0) - now with dynamic configuration to decouple our feed schema changes from IntelMQ releases
@Shadowserver
The Shadowserver Foundation
2 years
Using Cacti? We started to pick up exploitation attempts for Cacti unauthenticated remote command injection CVE-2022-46169 including subsequent malware download. These started Jan 3rd. Make sure to patch & not expose your Cacti instance to the Internet!
@Shadowserver
The Shadowserver Foundation
2 years
We are seeing an uptick of scans testing for the Sophos Firewall CVE-2022-1040 RCE. The vulnerability was published 25th March, but a POC was published 9th May, and that appears to be used. Make sure to patch! Sophos advisory:
@Shadowserver
The Shadowserver Foundation
2 months
We are reporting out OpenSSH servers potentially vulnerable to CVE-2024-6387 RCE (“regreSSHion”): ~4.5M hosts possibly vulnerable 2024-07-02 (out of over 23.5M seen) Details: NVD:
@Shadowserver
The Shadowserver Foundation
7 months
Around 45K exposed Jenkins instances vulnerable to CVE-2024-23897 (Arbitrary file read vulnerability through the CLI can lead to RCE). If you run Jenkins & receive an alert from us make sure to read Jenkins advisory: World map:
@Shadowserver
The Shadowserver Foundation
6 months
We have added improvements to our Fortinet FortiOS/FortiProxy scans for CVE-2024-21762 vulnerable instances - nearly 150K (!) found on 2024-02-06: Advisory info: Note: this vulnerability is known to be exploited in the wild
@Shadowserver
The Shadowserver Foundation
4 months
Attention: Now sharing Palo Alto GlobalProtect instances that we tag as CVE-2024-3400 vulnerable (without the "possible-" prefix). Scanning based on confirming existence of files left behind by exploits. 6634 vulnerable IPs found on 2024-04-20:
@Shadowserver
The Shadowserver Foundation
4 months
We are sharing Palo Alto GlobalProtect instances that we believe are possibly vulnerable (there may be mitigations in place) to CVE-2024-3400: Data in Vulnerable HTTP report. 22,542 possibly vulnerable IPs found on 2024-04-18:
@Shadowserver
The Shadowserver Foundation
2 years
Over 380K accessible Kubernetes API instances found on the Internet in new daily scan. This is out of over 450K we are able to identify. Most (201.3K) in the United States. An unnecessarily exposed potential attack surface that should be mitigated. Blog:
@Shadowserver
The Shadowserver Foundation
7 years
Starting today we have included Wannacrypt data from the MalwareTech/Kryptoslogic sinkhole into our reports. Events are tagged as wannacrypt
@Shadowserver
The Shadowserver Foundation
11 months
Cisco IOS XE CVE-2023-20198 compromised instance update: we see around 37K with implants with 19K unique hex values (which may suggest that around 19K is the actual amount of compromised devices). Data for 2023-10-19. 330 IPv6 instances as well.
@Shadowserver
The Shadowserver Foundation
10 months
We have started scanning & reporting Roundcube Webmail servers vulnerable to CVE-2023-5631. While rated "only" CVSS 5.4, it has been used by at least one APT actor to execute JavaScript code in the browser of the victim in context of their Roundcube session. 42K vulnerable!
@Shadowserver
The Shadowserver Foundation
2 years
We see at least 20 800 of the potentially affected Zyxel firewall models (by unique IP) accessible on the Internet. Most popular are USG20-VPN (10K IPs) and USG20W-VPN (5.7K IPs). Most of the CVE-2022-30525 affected models are in the EU - France (4.5K) and Italy (4.4K).
@Shadowserver
The Shadowserver Foundation
3 months
Heads up! As part of Operation Endgame we are sharing Smokeloader malware infections in our daily sinkhole reports. Current Dashboard world map view: Details on Operation Endgame coordinated by @EC3Europol :
@Shadowserver
The Shadowserver Foundation
2 years
We started seeing exploitation attempts of CVE-2022-30525 May 13th. If you have any of the affected Zyxel firewalls in your network/constituency, patch now. Zyxel advisory:
@Junior_Baines
Jacob Baines
2 years
On April 28, Zyxel released firmware that fixed an unauthenticated and remote command injection I'd found in their firewalls: USG FLEX series, ATP series, and USG20-VPN/USG20w-VPN. This was assigned CVE-2022-30525. We published our advisory this morning:
@Shadowserver
The Shadowserver Foundation
8 months
In collaboration with @Volexity we have added daily scans & reports of compromised Ivanti Connect Secure VPN instances. Data shared in our Compromised Website report, tagged "ivanti-connect-secure". 609 IPs found on 2023-01-16:
@Volexity
Volexity
8 months
. @Volexity provides an update on its Ivanti Connect Secure VPN report concerning chained exploitation of CVE-2024-21887/CVE-2023-46805. Based on new data, 1700+ devices have been compromised following widespread exploitation. Details: #dfir #threatintel
@Shadowserver
The Shadowserver Foundation
8 months
Scanning for vulnerable Ivanti Connect Secure (CVE-2023-46805 & CVE-2024-21887) instances has been added to our daily scan list. 6809 found vulnerable for 2024-01-15 scans using methodology from @watchtowrcyber. More details:
@Shadowserver
The Shadowserver Foundation
10 months
We are sharing out Socks5Systemz proxy botnet infected IPs in our free daily Sinkhole HTTP Event reports. Over 36K IPs seen infected 2023-11-12. Thank you @Bitsight for the collaboration! Socks5Systemz Infection tracker:
@Shadowserver
The Shadowserver Foundation
3 months
Attention! We see multiple IPs testing PHP/PHP-CGI CVE-2024-4577 (Argument Injection Vulnerability) against our honeypot sensors starting today, June 7th. Vulnerability affects PHP running on Windows. Patches released June 6th: Exploit PoC is public.
@Shadowserver
The Shadowserver Foundation
4 years
Nearly 600K SMB services (port 445/TCP) exposed on the Internet. Down from 1.5M seen in May 2017 when we started scanning and reporting (when #Wannacry appeared). Improvements especially in Asia, but still too many out there! Top: US, Russia. See latest:
@Shadowserver
The Shadowserver Foundation
7 months
We observed CVE-2024-21893 exploitation using '/dana-na/auth/saml-logout.cgi' on Feb 2nd hours before @Rapid7 posting & unsurprisingly lots to '/dana-ws/saml20.ws' after publication. This includes reverse shell attempts & other checks. To date, over 170 attacking IPs involved
@stephenfewer
Stephen Fewer
7 months
We have published our AttackerKB @rapid7 analysis for CVE-2024-21893, an SSRF vulnerability in the SAML component of Ivanti Connect Secure, that has recently been exploited in the wild, allowing attackers to bypass the mitigation for an earlier exploit chain.
@Shadowserver
The Shadowserver Foundation
11 months
Overall still at least 1350 compromised Citrix NetScaler devices seen in our scans (most have webshells installed as a result of previous CVE-2023-3519 exploitation campaigns) Remediation progress: Latest country breakdown:
@Shadowserver
The Shadowserver Foundation
11 months
Sharing new data on Citrix NetScaler devices compromised via a CVE-2023-3519 campaign that involves malicious code injection to steal credentials (see the writeup by @IBM X-Force for details). We see 285 NetScaler IPs compromised:
@Shadowserver
The Shadowserver Foundation
5 months
Palo Alto GlobalProtect CVE-2024-3400 detailed analysis now public & we started to see attack attempts as of ~14 UTC today (connectivity callback tests). See: for patch info/mitigation. We plan to start reporting out potentially vulnerable instances soon
@Shadowserver
The Shadowserver Foundation
3 years
With many un-patched MS #Exchange Servers still being rapidly compromised, we have partnered with @kryptoslogic to provide another Special Report covering 6720 exposed webshells that could be used to deploy ransomware, etc. Please remediate urgently!
@Shadowserver
The Shadowserver Foundation
1 month
We have started sharing exposed VMware ESXi vulnerable to CVE-2024-37085 (authentication bypass). While rated only CVSS 6.8 by Broadcom, this vuln has been reported by Microsoft as exploited in the wild by ransomware operators. We see 20 275 instances vulnerable on 2024-07-30.
@Shadowserver
The Shadowserver Foundation
1 year
Heads-up! We have published details of Citrix CVE-2023-3519 incidents thanks to collaboration with our trusted partners. Please ensure you follow the detection & hunting steps provided for signs of possible compromise & webshell presence. #cybersecurity
@Shadowserver
The Shadowserver Foundation
3 years
#Log4j CVE-2021-44228 scanning & exploit activity is being shared in the daily Honeypot HTTP Scanner Events report since the start. Since 2021-12-12 the vulnerability_id field for these should also contain the CVE-2021-44228 tag.
@Shadowserver
The Shadowserver Foundation
10 months
Sharp increase in queries for "/oauth/idp/.well-known/openid-configuration" endpoint associated with Citrix NetScaler CVE-2023-4966 (leaking of session tokens) observed by our honeypot sensors. This is after recent @assetnote publication.
@Shadowserver
The Shadowserver Foundation
2 years
We are happy to announce the first major extension to our newly launched Dashboard – the addition of Internet-wide IoT device fingerprinting and server-side attack statistics, collected through the @VARIoT_project . Dashboard:
@Shadowserver
The Shadowserver Foundation
1 year
US-led international LE op disrupts long running Qakbot botnet, used to deliver malware/ransomware. Running malware deleted, infrastructure taken down, $8.6M in cryptocurrency seized, LE identify 700K+ potential victims globally. Kudos to all involved:
@Shadowserver
The Shadowserver Foundation
9 months
Over a month after Citrix advisory publication NetScaler CVE-2023-4966 exploitation attempts continue to be one of the most common attacks seen by our honeypot sensor network. If you are running NetScaler & did not patch initially, assume compromise.
@Shadowserver
The Shadowserver Foundation
8 months
If you are searching for exposed Ivanti Connect Secure appliances in your network/constituency, you can get a daily breakdown of these (amongst other devices) in our device identification report: (vendor is set to "Pulse Secure") Over 17.1K exposed
@Volexity
Volexity
8 months
. @Volexity detected an incident where it discovered a threat actor chained 2 #0days in Ivanti Connect Secure, CVE-2023-46805/CVE-2024-21887, to achieve RCE, modifying components of the software to backdoor the device. #dfir #threatintel #memoryforensics
@Shadowserver
The Shadowserver Foundation
1 year
Zyxel firewalls CVE-2023-28771 (pre-auth remote command OS injection) is being actively exploited to build a Mirai-like botnet. Internet-wide sweeps seen by over 700 of our IKEv2 aware honeypot sensors, since May 26th. Exploit PoC is public, so expect an increase in attacks.
@Shadowserver
The Shadowserver Foundation
7 years
What have we here? Another scanning project online: Over 466,000 VNC servers reachable.
@Shadowserver
The Shadowserver Foundation
6 months
~3800 vulnerable ConnectWise ScreenConnect instances (authentication bypass using an alternate path or channel (CVSS 10) & path traversal (CVSS 8.4)) IP data in: ~93% instances of ScreenConnect seen on 2024-02-20 still vulnerable:
@Shadowserver
The Shadowserver Foundation
6 months
Using ScreenConnect? ConnectWise has released a security bulletin regarding critical vulnerabilities (incl. a CVSS 10 RCE): You can track accessible instances on our Dashboard: ~4300 accessible daily (no vulnerability assessment)
@Shadowserver
The Shadowserver Foundation
2 years
Heads up! We are seeing CVE-2022-44877 exploitation attempts for CWP (CentOS Web Panel/Control Web Panel) instances. This is an unauthenticated RCE. Exploitation is trivial and a PoC published. Exploitation first observed Jan 6th. Make sure to patch -
@Shadowserver
The Shadowserver Foundation
7 months
Additional IPs compromised with credential stealers injected into vulnerable Ivanti Connect Secure VPN devices now shared daily in our Compromised Website report 168 compromised IPs found in our scans on 2023-01-19:
@Shadowserver
The Shadowserver Foundation
9 months
We have also started scanning & sharing F5 BIG-IP instances that remain vulnerable to CVE-2023-46747. 382 vulnerable instances found on 2023-11-29. This vulnerability is actively exploited & on @CISACyber KEV list. Assume compromise if you receive a report from us!
@Shadowserver
The Shadowserver Foundation
10 months
Not surprisingly given its inclusion in the Nuclei scanner, since Oct 30th we are seeing F5 BIG-IP CVE-2023-46747 attempts in our honeypot sensors. Make sure to review your system for signs of compromise and patch before more threat actors jump in:
@Shadowserver
The Shadowserver Foundation
4 years
Our Data Center has a new home. As planned, we have spent all of April talking to potential hosting and colocation providers about providing space for our new Shadowserver data center.
@Shadowserver
The Shadowserver Foundation
3 years
Although we are not scanning IPv4 /0 for CVE-2021-44228 & #Log4Shell , new one-off Vulnerable #log4j Servers Special Report just sent to 132 nCSIRTs and 6000+ network owners globally. Data courtesy of @AlphaStrikeLabs Info & analysis: Please patch now!
@Shadowserver
The Shadowserver Foundation
5 months
We are now scanning/reporting Ivanti Connect Secure instances vulnerable to CVE-2024-21894 (heap overflow potentially leading to RCE) & others described in ~16 500 likely vulnerable (~4.6K in US): Data in:
@Shadowserver
The Shadowserver Foundation
4 years
International Law Enforcement coordinated action against Emotet. Great effort: Shadowserver tips its hat to everyone involved & hard work over the years Sinkholed events included in our free daily reports for CERTs and network owners from today:
@Europol
Europol
4 years
Bye-bye botnets👋 Huge global operation brings down the world's most dangerous malware. Investigators have taken control of the Emotet botnet, the most resilient malware in the wild. Get the full story:
@Shadowserver
The Shadowserver Foundation
4 years
Slowly getting installed in the new Data Center
@Shadowserver
The Shadowserver Foundation
4 years
Donor #Kudos: @craignewmark philanthropist and all round awesome person, generously offered to cover entire $400k data center move within first 24 hours, funds received before contract deadline. Critical initial impact investment, perfect start for #appeal to #saveshadowserver!
@Shadowserver
The Shadowserver Foundation
3 years
New Shadowserver one-off Special Report on HAFNIUM Exchange victims. Over 68500 distinct IPs were likely compromised by the HAFNIUM actor based on activity observed during the period 2021-02-26 to 2021-03-03. Blog: Report details:
@Shadowserver
The Shadowserver Foundation
3 years
Second one-off Special Report on exposed Exchange Servers, based on scanning collaboration with @DIVDnl. Kudos for sharing! 64088 of 111988 IPs potentially still vulnerable 2021-03-09 - please patch & remediate quickly. Blog: Report:
@Shadowserver
The Shadowserver Foundation
7 months
Heads up! We are sharing out a second Special Report on Compromised SSH hosts detected through leakage of malicious public SSH keys placed on them by attackers: This time 10020 compromised hosts found. Top countries US (3K), China (2.9K), Singapore (423)
@Shadowserver
The Shadowserver Foundation
2 years
Two years on from our Data Center move, we would like to thank everyone who provided financial support during 2020-22: Stay tuned for the next chapter - the Shadowserver Alliance: coming soon! Contact us now to become a founder & help secure the Internet
@Shadowserver
The Shadowserver Foundation
2 years
We first saw exploitation attempts in the wild for Apache Spark CVE-2022-33891 RCE July 26th. Exploitation is public & trivial, though pre-conditions likely limit affected number of instances. If you run Spark, update: NVD entry:
@Shadowserver
The Shadowserver Foundation
7 months
We are sharing 153 Ivanti Connect Secure instances still known vulnerable to CVE-2024-21893/CVE-2024-21887 (as of late 2024-02-05 UTC) in a one-off special report - Make sure to act if you receive an alert from us (also assume compromise!)
@Shadowserver
The Shadowserver Foundation
2 years
We have just sent out a one-off report on Fortinet device IPs very likely vulnerable to CVE-2022-40684. 17415 seen worldwide (scan by @leak_ix). See: Most in US (3.4K) and India (1.7K). These should be patched and not have their admin interface exposed.
@Shadowserver
The Shadowserver Foundation
3 years
Latest CVE-2021-44228 #log4j mass scan stats from our global honeynet + analysis of top 10 dropped callback URIs & #malware. 69505 events from 2121 unique IPs across 332 ports in total; 15519 events from 419 unique IPs across 108 ports in last 24 hours
@Shadowserver
The Shadowserver Foundation
5 years
A great Shadowserver milestone: a National CERT in every European country is now receiving our free daily network reports (welcome Albania!). Currently serving 107 National CERTs in 136 countries: can you help us achieve 100% coverage globally?
@Shadowserver
The Shadowserver Foundation
6 months
We are scanning & sharing VMware ESXi instances which have vulnerabilities that could allow a malicious actor with local admin privileges to escape sandbox protections - Tagged as "cve-2024-22252". Based on version checks, we see ~16.5K vulnerable.
@Shadowserver
The Shadowserver Foundation
7 years
Huh. We just realized that we’re now scanning the entire Internet over 30 times a day. Full documentation here:
@Shadowserver
The Shadowserver Foundation
1 year
Now sharing info on likely CVE-2023-3519 vulnerable Citrix ADC/Gateway instances in our Vulnerable HTTP report: At least 11170 unique IPs found, most in the US (4.1K). Make sure to patch: Dashboard stats:
@Shadowserver
The Shadowserver Foundation
3 years
Our first daily ICS/OT scan! New Modbus service scan on port 502/TCP uncovers over 6300 unique IPv4 devices daily. Most are Schneider Electric & ABB. Top countries with exposed Modbus services: USA, Spain, Sweden. Data in new Accessible Modbus report:
@Shadowserver
The Shadowserver Foundation
6 months
With detailed vulnerability/exploit analysis now published, we have started to observe Fortinet CVE-2024-21762 exploitation attempts executing callbacks as of March 17th UTC. These are currently coming from one IP hitting FortiGate devices. Investigate for compromise & update!
@Shadowserver
The Shadowserver Foundation
8 months
Heads-up! New free daily report now going out on post-exploitation frameworks (includes Cobalt Strike, Sliver and over a dozen others) observed in daily scans: Currently over 1200 unique IPs reported daily. Country distribution:
@Shadowserver
The Shadowserver Foundation
2 years
We started reporting out Zimbra Collaboration Suite instances likely vulnerable to CVE-2022-37042 auth-bypass RCE, a vuln that is exploited in the wild. 26,854 out of 33,733 (79.6%) instances found exposed on the Internet on 2022-08-13 likely vulnerable & may be compromised.
@Shadowserver
The Shadowserver Foundation
2 years
If you are concerned about latest Fortinet CVE-2022-42475 vulnerability being exploited in the wild, make sure to track our daily Device Identification report that provides free intel on potentially exposed Fortinet (& many other devices!). Over 1.5M Fortinet devices seen daily!
@Shadowserver
The Shadowserver Foundation
4 years
All the racks are in place, just waiting for them to be bolted down, grounded, and plugged in.
@Shadowserver
The Shadowserver Foundation
1 year
We continue to report out daily lists of Citrix ADC/Gateway IPs that are known to be compromised with webshells installed (CVE-2023-3519 attacks). We now see 1486 instances on 2023-08-17. Big thank you to @DIVDnl & @foxit for the collaboration. Data in
@Shadowserver
The Shadowserver Foundation
8 months
Data on vulnerable Ivanti Connect Secure devices now available on our Dashboard, for example World map: Tree map: Tracker:
@Shadowserver
The Shadowserver Foundation
3 months
As part of Operation Endgame we shared a second one-off Special Report on IcedID/Latrodectus bot infections: Dashboard map view: Details on Operation Endgame coordinated by @EC3Europol :
@Shadowserver
The Shadowserver Foundation
6 months
We've improved the scanning/detection for vulnerable instances of ConnectWise ScreenConnect (CVE-2024-1709/CVE-2024-1708) - we now see over 8200 vulnerable instances (on 2024-02-21). CVE-2024-1709 is widely exploited in the wild - 643 IPs seen attacking to date by our sensors.
@Shadowserver
The Shadowserver Foundation
1 year
We are reporting out webshells installed on Citrix ADC/Gateway IPs likely compromised as part of CVE-2023-3519 attacks. We found 691 instances on 2023-07-28. If you received a report today for your network/constituency, please make sure to investigate.
@Shadowserver
The Shadowserver Foundation
1 year
We are scanning & reporting vulnerable Metabase instances (CVE-2023-38646, pre-auth RCE). Metabase advisory - We see 5488 instances vulnerable (26th July) out of 6936 total. Most cloud based. Data shared in Vulnerable HTTP Report
@Shadowserver
The Shadowserver Foundation
9 months
After a steady drop for over a month, Cisco IOS XE implants have increased between 2023-11-30 and 2023-12-02. Now at 23.5K instances. Large increases in Mexico & Chile. Possible new campaign? (background: )
@Shadowserver
The Shadowserver Foundation
2 years
We are now sharing daily data on exposed VMware ESXi instances likely vulnerable to CVE-2021-21974 (as well as CVE-2019-5544, CVE-2020-3992). We see around 27K instances likely vulnerable to CVE-2021-21974 (version based assessment). Data shared in:
@Shadowserver
The Shadowserver Foundation
4 months
As of end of last week, we are sharing IPs of PlugX infected machines in our daily sinkhole reports thanks to collaboration with @sekoia_io Background at Dashboard stats for 2024-05-06 (~9K hosts daily):