
The new Dashboard lets you explore some of the many facets of Internet-scale data sets and learn more about how Shadowserver sees the state of cyber security globally, over a rolling period of the last two years. The Dashboard is based on aggregated country level data – no individual IP addresses or personally identifying information (PII) is included.
You can use the Dashboard to start with a global view and then drill down into observations about a particular threat, or to compare statistics about two countries side by side. Initial filters for the Sinkhole, Scan, Honeypot, Distributed Denial of Service (DDoS) and Industrial Control System / Operational Technology (ICS/OT) data sets are included on the left navigation menu of the home page. Various forms of data visualization are available through the top navigation menu, such as time series graphs, world maps, region maps, treemaps and bubble charts/tag clouds. Each data visualization generates a unique URL for your query, so you can share links that recreate the same data selection and presentation style for others to view, or return to the same view later to drill down further.
The ambition behind the new Dashboard is to empower security researchers, National CSIRTs, policy makers, journalists in the news media and other interested parties to use Shadowserver’s unique vantage point and extensive aggregated data sets as a public resource to help drive forward research and raise greater awareness of cyber security threats. With attribution, you can freely use the Dashboard for research purposes and to inform policy making, or to educate the public through news articles, but you are not permitted to scrape or resell the data. Please contact us if you have questions about licensing.
To illustrate some of the new capabilities and data sets, here are some examples:
1) The impressive impact of the Emotet botnet takedown on the number of daily infected unique victim IP addresses in March 2021:
The distribution of infected Emotet victim IP addresses by country at the point of initial sinkholing:
2) Good news! The number of exposed Zimbra Collaboration Suite instances vulnerable to CVE-2022-27925 / CVE-2022-37042 is decreasing. Shadowserver started reporting these vulnerable instances on 2022-08-13:
Location of vulnerable Zimbra Collaboration Suite systems, treemap by country:
Read more about the recent Zimbra ZCS vulnerabilities CVE-2022-27925 and CVE-2022-37042 in CISA's alert AA22-228A: https://www.cisa.gov/uscert/ncas/alerts/aa22-228a
Let's push to reduce the number of vulnerable instances even further!
3) Mirai/IoT-related botnet infections are on the rise again. What is the root cause, and how can we work together to combat these threats more effectively?
World map of detected Mirai bot locations:
As you can see, these examples are only the tip of the iceberg. Petabytes of global cyber threat data, including some unique data sets, are being aggregated and made available to the public for interactive exploration and visualization for the first time.