Optimize Shadowserver’s Value — Checklist

Barry Greene
Jan 9, 2024

(Last Updated On: January 9, 2024)

Optimize Shadowserver’s value! Stop the Threat Actors! You are at risk if you get any of the +120 daily reports. Most issues are easily fixed. All these reports share details the threat actor can potentially exploit. Take 15 minutes once a quarter to update your contacts, ASNs, IPs, domains, APIs, and other details.

Quarterly Reviews with Shadowserver

Once a quarter, Shadowserver will email an update to all subscribers. Look for an email with this subject line:

[Org-Name] Notification about current filters for reports

This report lists the details Shadowserver holds about your organization, which it uses to enable optimized access to Shadowserver’s value. This post is a way for organizations to review that list and check on the full potential of what Shadowserver offers as a no-cost Public Benefit.

As you go through these steps, remember that changes are easy. Just email report_admin@shadowserver.org. A ticket will be created, and the Shadowserver team will validate and update it. Note: “Validations” are the steps to check authorization to make the changes and the link to the organization.

The first update will be your organization’s contact details with the prime person facilitating the Shadowserver value:

Your organization is known to us as:

Name: {Organization Name} 
Address: {Postal Address of the Organization}
Phone: {Organization's Phone Number}
Email: {Email of the primary person who is facilitating the relationship}
Website: {Organization Website}

People move around, companies evolve, and organizations mature. Double-check that this information is correct.

Step 2 — Who is on the Mailing List?

Each organization has a Shadowserver mailing list with subscribers. This section of the notification lists the subscribers to that mailing list. Many organizations will have their own aliases in the Shadowserver mailing list. They will also have scripts and AI plugged into the mailing list. For example (using example.com):

Here are the current subscribers to your reports: 
april@example.com
jtsmith@example.com
shadowserver-reports@example.com
sirt@example.com
threat-intel-AI@example.com

In this list, “April” and “JT Smith” are champions who work to optimize Shadowserver’s value for the ‘Example Company.’ Anyone in the company can sign up for the “shadowserver-reports” internal mailing list. The “SIRT” team is the ‘Example Company’s’ SOC Team. Finally, ‘threat-intel-AI’ is a unique Artificial Intelligence system pulling in all the threat risks around the ‘Example Company.’

There is no set way of setting up the organization’s mailing list. Future posts will share examples to give organizations ideas of how to best leverage Shadowserver’s risk reduction value.

Step 3 — Check the API Keys

All of Shadowserver’s reporting can be accessed via APIs. Many organizations have migrated their tools from email parsing to APIs. Check out the API Documentation for all the report formats here: Shadowserver API Documentation.

Here are the current API keys issued to you: 
bc9e3d16-db8a-41fb-ba48-783670a7b96e april@example.com
8e86f454-1d83-460d-8ee2-e348a78e6ca2 jtsmith@akamai.com

Multiple individuals and teams can get API access. Just reach out to Shadowserver at https://www.shadowserver.org/contact/ to coordinate API access.

Step 4 — Check Your “Report Filters”

Shadowserver will set up report groups based on what you ask Shadowserver to match. All the “asks” are validated. For example, if you ask for an IPv4 block to be monitored, Shadowserver will check all Internet records to ensure you and your organization are allocated that IPv4 block.

In the following example, the ‘Example Company’ has 47 Autonomous Systems in the ASN filter, 160 IPv4/IPv6 blocks in the CIDR filter, and 452 DNS domains in the RHost filter. These will all be used to produce reports for the organization.

Here are the current filters that are set for you: 
[ASN]
47 in total - see attachment.
[CIDR]
160 in total - see attachment.
[RHost]
452 in total - see attachment

These “filters” are all included as attachments. Review the ASNs, IP address blocks, and the DNS zones. The DNS Zone is important for Shadowserver to watch for malware, phishing, ransomware, and other APT tools that include your domains.
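The review in Steps 2 to 4 can be scripted. The following added example (not from the original post and not Shadowserver tooling) compares the filter lists and report contacts with an internal asset inventory and reports gaps and stale entries. The one-entry-per-line input format, the inventory, every sample value, and the assumption that an RHost entry also covers its subdomains are constructed for illustration.

```python
"""Quarterly filter review: compare Shadowserver filters with an asset inventory."""
import ipaddress

# Constructed sample data (documentation ASNs, prefixes and domains).
# Assumption: each filter attachment is a plain list with one entry per line.
FILTERS = {
    "asn": ["AS64500", "AS64501"],
    "cidr": ["192.0.2.0/24", "198.51.100.0/25", "2001:db8:100::/48", "203.0.113.0/24"],
    "rhost": ["example.com", "example.net"],
}
# Hypothetical internal inventory of what the organization holds today.
INVENTORY = {
    "asn": ["64500", "as64502"],
    "cidr": ["192.0.2.0/25", "198.51.100.0/24", "2001:db8:100::/48", "2001:db8:200::/48"],
    "domains": ["example.com", "shop.example.com", "example.org", "notexample.com"],
}
# Report subscribers and API key owners, and the mail domains staff use today.
CONTACTS = ["april@example.com", "sirt@example.com", "contractor@example.org"]
MAIL_DOMAINS = {"example.com"}


def norm_asn(value):
    """Accept 'AS64500', 'as64500' or '64500' and return the integer."""
    s = str(value).strip().upper()
    return int(s[2:] if s.startswith("AS") else s)


def nets(lines):
    """Parse non-empty lines into IPv4/IPv6 network objects."""
    return [ipaddress.ip_network(l.strip(), strict=False) for l in lines if l.strip()]


def covered(prefix, filters):
    """True only if the whole prefix sits inside one filter CIDR."""
    return any(prefix.version == f.version and prefix.subnet_of(f) for f in filters)


def overlaps_any(cidr, prefixes):
    """True if the filter CIDR still touches any prefix we hold."""
    return any(cidr.version == p.version and cidr.overlaps(p) for p in prefixes)


def domain_covered(name, rhosts):
    """Match on label boundaries so 'notexample.com' is not taken for 'example.com'."""
    name = name.lower().rstrip(".")
    return any(name == r or name.endswith("." + r) for r in rhosts)


def review(filters, inventory, contacts, mail_domains):
    """Return what to add to, or remove from, the organization's Shadowserver details."""
    f_asn = {norm_asn(a) for a in filters["asn"]}
    i_asn = {norm_asn(a) for a in inventory["asn"]}
    f_net, i_net = nets(filters["cidr"]), nets(inventory["cidr"])
    rhosts = [r.lower().rstrip(".") for r in filters["rhost"]]
    return {
        # Assets we hold that no report will ever mention.
        "asn_missing": sorted(i_asn - f_asn),
        "cidr_missing": [str(p) for p in i_net if not covered(p, f_net)],
        "rhost_missing": [d for d in inventory["domains"] if not domain_covered(d, rhosts)],
        # Filters for space we no longer hold: reports about someone else's network.
        "asn_stale": sorted(f_asn - i_asn),
        "cidr_stale": [str(c) for c in f_net if not overlaps_any(c, i_net)],
        # Recipients outside the organization's mail domains: confirm or remove.
        "contacts_external": [
            c for c in contacts if c.rsplit("@", 1)[-1].lower() not in mail_domains
        ],
    }


if __name__ == "__main__":
    for finding, items in review(FILTERS, INVENTORY, CONTACTS, MAIL_DOMAINS).items():
        print(f"{finding}: {', '.join(map(str, items)) or 'none'}")
```

A partially covered prefix (the /24 above, of which only a /25 is filtered) is reported as missing on purpose, since hosts in the uncovered half would never appear in a report.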

Step 5 — Review the RISK Reporting

Shadowserver lists the last 12 months of reports sent to the organization. If Shadowserver sees a risk, you can be guaranteed that Threat Actors who could potentially do damage to your organization will also see this risk.

Month   Reports sent Events Reported
======= ============ ===============
2023-02          615          591402
2023-03          679          688732
2023-04          644          656282
2023-05          661          637351
2023-06          685          616571
2023-07          705          657914
2023-08          698          682714
2023-09          650          607226
2023-10          691          178760
2023-11          613          166175
2023-12          601          167227
2024-01          152           39633
------- ------------ ---------------
Total:          7394         5689987

In this hypothetical example for the ‘Example Company,’ +600 reports were sent per month. Each report contains a cybersecurity risk to the organization that can be mitigated.

The Shadowserver Team is eager to help organizations optimize their risk mitigation — just email report_admin@shadowserver.org to update this information.

There are 122 Report Types as of 2024-01-09. This will change with new reports added (almost weekly), older reports retired (the risk has been mitigated), and new capabilities added to Shadowserver’s platform. You can find the latest updates at https://www.shadowserver.org/what-we-do/network-reporting/

This list communicates the potential value Shadowserver can provide an organization’s risk reduction, digital safety, and cybersecurity capabilities.

REMEMBER: ALL OF THESE REPORTS ARE A NO-COST PUBLIC BENEFIT AS PART OF SHADOWSERVER’S CYBER CIVIL DEFENSE MISSION!

API: Documentation

Basic API documentation

API: Scan/SSL

An API to allow querying of the collected SSL data from the daily SSL scans.

API: Research

A module to allow trusted partners to query information about malware, networks, and trusted programs.

API: ASN and Network Queries

Returns routing details for a given address or ASN.

API: Malware Query

Returns a JSON response containing static details about the requested sample as well as antivirus vendor and signature details.

API: Reports Query

An API to query the different reports received as well as do basic queries of the data itself. This is meant as an optional replacement for the emails received with the report URLs.

API: Trusted Programs Query

Returns a JSON response containing the details for the requested program.

Accessible ActiveMQ Service Report

This report identifies hosts that have an ActiveMQ service running, bound to a network port (61616/TCP) and accessible on the Internet. It may also identify any vulnerabilities found. It’s a Service Scan, and it’s updated every 24 hours.

Accessible ADB Report

This report identifies hosts that have the Android Debug Bridge (ADB) running, bound to a network port (5555/TCP) and accessible on the Internet. It’s a Service Scan, and it’s updated every 24 hours.

Accessible AFP Report

This report identifies hosts that have the Apple Filing Protocol (AFP) running and accessible on the Internet. It’s a Service Scan, and it’s updated every 24 hours.

Accessible AMQP Report

This report identifies hosts that have the AMQP service enabled on port 5672/TCP. It is a Service Scan and is updated every 24 hours.

Accessible Apple Remote Desktop (ARD) Report

This report identifies hosts that have the Apple Remote Desktop service on port 3283/udp running and accessible on the Internet. It is a Service Scan and it’s updated every 24 hours.

Accessible BGP Service Report

This report identifies hosts that have a BGP service accessible on port 179/TCP. It’s a Service Scan, and it’s updated every 24 hours.

Accessible Cisco Smart Install Report

This report identifies hosts that have the Cisco Smart Install feature running and are accessible to the Internet at large. It’s a Service Scan, and it’s updated every 24 hours.

Accessible CoAP Report

This report identifies hosts that have the Constrained Application Protocol (CoAP) service enabled on port 5683/UDP and accessible on the Internet. It’s a Service Scan, and it’s updated every 24 hours.

Accessible CouchDB Report

This report identifies hosts that have the CouchDB server enabled on port 5984/TCP and accessible on the Internet. It’s a Service Scan, and it’s updated every 24 hours.

Accessible Docker Service Report

This report identifies hosts that have the Docker service enabled on port 2375/TCP and accessible on the Internet. It’s a Service Scan, and it’s updated every 24 hours.

Accessible Erlang Port Mapper Daemon Report

This report identifies hosts that have the Erlang Portmapper Daemon server enabled on port 4369/TCP and accessible on the Internet. It’s a Service Scan, and it’s updated every 24 hours.

Accessible FTP Report

This report identifies hosts that have an FTP instance running on port 21/TCP that’s accessible on the Internet. It’s a Service Scan, and it’s updated every 24 hours.

Accessible Hadoop Report

This report identifies hosts that are running Hadoop and have either the NameNode or DataNode web interfaces running and accessible to the world on the Internet. It’s a Service Scan, and it’s updated every 24 hours.

Accessible HTTP Proxy Report

This report identifies hosts that have accessible HTTP proxies running on them. It’s a Service Scan, and it’s updated every 24 hours.

Accessible HTTP Report

This report identifies hosts that have the Hypertext Transfer Protocol (HTTP) running on some port and are accessible on the Internet. It’s a Service Scan, and it’s updated every 24 hours.

Accessible ICS Report

This report identifies hosts that are responding to various specialized ICS protocol queries (such as Modbus or Siemens S7), i.e. are accessible on the Internet. These are various scans, and are updated every 24 hours.

Accessible Kubernetes API Server Report

The report identifies hosts that are responding to queries to the Kubernetes API service on ports 6443 and 443. It’s a Service Scan, and it’s updated every 24 hours.

Accessible MSMQ Service Report

This report identifies hosts that have the Microsoft Message Queuing (MSMQ) enabled and are accessible on the Internet. It’s a Service Scan, and it’s updated every 24 hours.

Accessible MS-RDPEUDP

This report identifies hosts that have the MS RDP UDP extension service available. This service can be abused for amplification DDoS attacks. It’s a Service Scan, and it’s updated every 24 hours.

Accessible MySQL Server Report

This report identifies hosts that have a MySQL server instance accessible. This constitutes a potential attack surface. This is a Service Scan and is updated every 24 hours.

Accessible PostgreSQL Server Report

This report identifies hosts that have a PostgreSQL server instance accessible. This constitutes a potential attack surface. This is a Service Scan and is updated every 24 hours.

Accessible QUIC Report

Quick UDP Internet Connections (QUIC) is a protocol that potentially will be used to replace standardized web traffic. More can be read at Wikipedia on the details of the protocol. This is a 443/UDP test to see if the server allows QUIC connections and which version of that protocol is available. It’s a Service Scan, and it’s updated every 24 hours.

Accessible Radmin Report

This report identifies hosts that have the Radmin service running on port 4899/TCP and are accessible to the world on the Internet. It’s a Service Scan, and it’s updated every 24 hours.

Accessible RDP Report

This report identifies hosts that have Remote Desktop (RDP) Service running and are accessible to the world on the Internet. It’s a Service Scan, and it’s updated every 24 hours.

Accessible SIP Report

This report identifies hosts that have the SIP service running and are accessible to the world on the Internet. It’s a Service Scan, and it’s updated every 24 hours.

Accessible SLP Service Report

This report identifies hosts that have the Service Location Protocol (SLP) running and are accessible to the world on the Internet. It’s a Service Scan, and it’s updated every 24 hours.

Accessible SMB Report

This report identifies hosts that have an SMB instance running on port 445/TCP that are accessible on the Internet. It’s a Service Scan, and it’s updated every 24 hours.

Accessible SMTP Report

This report identifies hosts that have an SMTP instance running on port 25/TCP that are accessible on the Internet. It’s a Service Scan, and it’s updated every 24 hours.

Accessible SSH Report

This report identifies hosts that have the Secure Shell (SSH) service running and accessible on the Internet. It’s a Service Scan, and it’s updated every 24 hours.

Accessible SSL Report

This report identifies hosts that have an SSL/TLS service running and accessible on the Internet. It’s a Service Scan, and it’s updated every 24 hours.

Accessible Telnet Report

This report identifies hosts that have a Telnet instance running on port 23/TCP that are accessible on the Internet. It’s a Service Scan, and it’s updated every 24 hours.

Accessible VNC Report

This report identifies hosts that have a VNC instance running on port 5900/TCP that are accessible on the Internet. It’s a Service Scan, and it’s updated every 24 hours.

Accessible Rsync Report

This report identifies hosts that have the rsync service running, bound to a network port (873/tcp) and accessible on the Internet without a password. It’s a Service Scan, and it’s updated every 24 hours.

Accessible SOCKS 4/5 Proxy Report

This report identifies all hosts that have a SOCKS 4/5 proxy running on port 1080/tcp. It’s a Service Scan, and it’s updated every 24 hours.

Accessible STUN Service Report

This report identifies all hosts that have a STUN service running on port 3478/udp. It’s a Service Scan, and it’s updated every 24 hours.

Accessible WS-Discovery Service Report

This report identifies all hosts that have a WS-Discovery service running on port 3702/udp. It’s a Service Scan, and it’s updated every 24 hours.

Accessible XDMCP Service Report

This report identifies hosts that have the X Display Manager service running and accessible on the Internet. It’s a Service Scan and is updated every 24 hours.

Amplification DDoS Victim Report

This report contains observed reflected amplification DDoS events. Sourced from Honeypots. Updated every 24 hours. This report will be retired and marked as LEGACY after 2021-06-01.

Block List Report

This report is the aggregation of a variety of different Block list providers, for end-users’ reference. This data is aggregated from blacklist providers. Updated every 24 hours.

Exposed F5 iControl REST API Special Report

Exposed F5 iControl REST API one-off Special Report. This is related to the CVE-2022-1388 vulnerability that was recently published. Exposed endpoints have likely been compromised or will be if not patched. If you receive a report of an exposed endpoint, act immediately.

Compromised Account Report

This report is a list of compromised e-mail accounts we or our collaborative partners have uncovered (i.e. for which we believe attackers have obtained credentials). This is currently not in the form of a daily report, but sent as a one-off whenever we obtain access to new lists.

Compromised Website Report

This report is a list of all the websites we or our partners have verified to be compromised, which are therefore likely to be abused for various types of attacks. Sourced from tracking systems. Updated every 24 hours.

Darknet Events Report

This report records traffic observed to darknet networks (i.e. network telescopes). Updated every 24 hours.

Device Identification Report

This report identifies devices that we have uncovered in our daily Internet scans. Devices are identified by vendor, model and device type. Updated every 24 hours.

DDoS Participant Report

This report contains information about IPs involved in DDoS attacks. It is sourced from networking devices observing attacks to a victim or from the target itself. Note the attacking IPs may be the actual IPs used for attacks, or it might be IPs with exposed services used in reflection attacks. Finally, traffic might also be spoofed. Report will activate whenever data is available.

DNS Open Resolvers Report

This report identifies DNS servers that have the potential to be used in DNS amplification attacks by criminals that wish to perform denial of service attacks. Sourced from Service Scan. Updated every 24 hours.

HIGH: Honeypot ADB Scanner Events Report

This report identifies hosts scanning for exposed ADB services. Sourced from honeypots. Updated every 24 hours.

Honeypot Amplification DDoS Events Report

This report is a list of amplification DDoS events observed by honeypots. Updated every 24 hours.

Honeypot Brute Force Events Report

This report is a list of brute force events observed by honeypots. Updated every 24 hours.

Honeypot DDoS Events Report

This report contains information about DDoS attack commands observed by honeypot drones. If you are getting this report, it means a C2 (src_ip) issuing the attack command was located on your network or constituency. Updated every 24 hours.

Honeypot DDoS Target Events Report

This report contains information about DDoS attack targets observed by honeypot drones. If you are getting this report, it means an IP (dst_ip) that was targeted was located on your network or constituency (attack destination). Updated every 24 hours.

Honeypot HTTP Scanner Events Report

This report is a list of HTTP scan and exploit attempts observed by honeypots. Updated every 24 hours.

Honeypot ICS Scanner Events Report

This report is a list of ICS protocol scans observed by honeypots. Updated every 24 hours.

HIGH: Honeypot IKEv2 Scanner Events Report

This report is a list of IKEv2 scan and exploit attempts observed by honeypots. Updated every 24 hours.

Honeypot RDP Scanner Events Report

This report is a list of RDP scan and exploit attempts observed by honeypots. Updated every 24 hours.

HIGH: Honeypot RocketMQ Scanner Events Report

This report identifies hosts scanning for exposed RocketMQ services. Sourced from honeypots. Updated every 24 hours.

Honeypot SMB Scanner Events Report

This report is a list of SMB scan and exploit attempts observed by honeypots. Updated every 24 hours.

IP Spoofer Events Report

This report provides a current view of ingress/egress filtering and susceptibility to IP source packet forging (spoofing) on a given network. Sourced from CAIDA. Updated every 24 hours.

Malware URL Report

This report contains URLs observed as part of exploitation attempts in the last 24 hours. They are most likely used to spread malware or act as C2 instances. Sourced primarily from honeypots, but other sources are possible. Updated every 24 hours.

Microsoft Sinkhole Events Report

This report identifies the IP addresses of all the devices that were reported to Shadowserver from Microsoft after communicating with Microsoft non-HTTP Sinkhole servers. Sourced from Sinkholes. Updated every 24 hours.

Microsoft Sinkhole HTTP Events Report

This report identifies the IP addresses of all the devices that were reported to Shadowserver from Microsoft after communicating with Microsoft HTTP Sinkhole servers. Sourced from Sinkholes. Updated every 24 hours.

Netcore/Netis Router Vulnerability Scan Report

This report identifies hosts that appear to have an openly accessible backdoor on a Netcore/Netis router. It’s a Service Scan and is updated every 24 hours.

NTP Monitor Report

This report identifies NTP servers that have the potential to be used in amplification attacks by criminals that wish to perform denial of service attacks. It’s a Service Scan and is updated every 24 hours.

NTP Version Report

This report identifies hosts that appear to have an openly accessible NTP service running that responds to Mode 6 requests. It’s a Service Scan and is updated every 24 hours.

Open BGP Service Report

This report identifies hosts that have a BGP service accessible on port 179/TCP and accept BGP OPEN Messages. It’s a Service Scan and is updated every 24 hours.

Open CWMP Report

This report identifies hosts that have the CPE WAN Management Protocol (CWMP) running and accessible on the Internet. It’s a Service Scan, and it’s updated every 24 hours.

Open DB2 Discovery Service

This report identifies hosts that have the DB2 Discovery Service running and accessible on the Internet. It’s a Service Scan and is updated every 24 hours.

Open DVR DHCPDiscover Report

This report identifies hosts running the DVR DHCPDiscover service on port 37810/udp and accessible on the Internet. It’s a Service Scan and is updated every 24 hours.

Open CharGen Report

This report identifies hosts that appear to have an openly accessible chargen service running. It’s a Service Scan and is updated every 24 hours.

Open Elasticsearch Report

This report identifies hosts that appear to have an openly accessible Elasticsearch server running. It’s a Service Scan and is updated every 24 hours.

Open HTTP Proxy Report

This report identifies hosts running an open HTTP proxy service (i.e. one not requiring authentication). It’s a Service Scan and is updated every 24 hours.

Open IPMI Report

This report identifies hosts that appear to have an openly accessible IPMI service running that responds to an IPMI ping. It’s a Service Scan and is updated every 24 hours.

Open IPP Report

This report identifies devices that have an open IPP (Internet Printing Protocol) service enabled on port 631/TCP. It’s a Service Scan and is updated every 24 hours.

Open LDAP Report

This report identifies hosts that have an LDAP instance running on port 389/UDP that are accessible on the Internet. It’s a Service Scan, and it’s updated every 24 hours.

Open LDAP TCP Report

This report identifies hosts that have an LDAP instance running on port 389/TCP that are accessible on the Internet. It’s a Service Scan, and it’s updated every 24 hours.

Open mDNS Report

This report identifies hosts that have the mDNS service running and accessible from the Internet. It’s a Service Scan, and it’s updated every 24 hours.

Open Memcached Report

This report identifies hosts that appear to have an openly accessible Memcached key-value server running. It’s a Service Scan and is updated every 24 hours.

Open MQTT Report

The report identifies hosts that appear to have an openly accessible MQTT running. It is a Service Scan and is updated every 24 hours.

Open MongoDB Report

This report identifies hosts that appear to have an openly accessible MongoDB NoSQL server running. It’s a Service Scan and is updated every 24 hours.

Open MS-SQL Server Resolution Service Report

This report identifies hosts that appear to have an openly accessible MS-SQL Server Resolution Service running. It’s a Service Scan and is updated every 24 hours.

Open NAT-PMP Report

This report identifies hosts that appear to have an openly accessible NAT-PMP service running. It’s a Service Scan and is updated every 24 hours.

Open NetBIOS Report

This report identifies hosts that appear to have an openly accessible NetBIOS service running. It’s a Service Scan and is updated every 24 hours.

Open Portmapper Report

This report identifies any host that appears to have an openly accessible portmapper service running that responds to an rpcinfo request. It’s a Service Scan and is updated every 24 hours.

Open QOTD Report

This report identifies hosts that appear to have an openly accessible Quote Of The Day service running. It’s a Service Scan and is updated every 24 hours.

Open Redis Report

This report identifies hosts that appear to have an openly accessible Redis key-value server running. It’s a Service Scan and is updated every 24 hours.

Open SNMP Report

This report identifies hosts that appear to have an openly accessible SNMP service running. It’s a Service Scan and is updated every 24 hours.

Open SSDP Report

This report identifies hosts that appear to have an openly accessible Simple Service Discovery Protocol service running. It’s a Service Scan and is updated every 24 hours.

Open/Accessible TFTP

This report identifies hosts that have the TFTP service running and accessible on the Internet. It’s a Service Scan and is updated every 24 hours.

Open Ubiquiti Report

This report identifies hosts that have the Ubiquiti Discovery service running and accessible on the Internet. It’s a Service Scan, and it’s updated every 24 hours.

HIGH: Post-Exploitation Framework Report

This report identifies hosts running Post-Exploitation Frameworks. It is updated every 24 hours.

OPTIONAL: Sandbox URL Report

This report includes sets of URLs that were accessed by malware. There are two versions of this report: filtered and unfiltered. Sourced from our sandboxed systems. Updated every 24 hours.

OPTIONAL: Sandbox Connection Report

This report is a summary of all the connections that the sandbox system saw for the specific interval. Sourced from our sandboxed systems. Updated every 24 hours.

OPTIONAL: Sandbox IRC Report

This report is a summary of all the IRC based networks that were found after analyzing malware. Sourced from our sandboxed systems. Updated every 24 hours.

HAFNIUM Exchange Victim Special Report

A special one-off report type. It is not sent every 24 hours but activated in special cases when we come across highly valuable incident datasets that fall out of the typical 24-hour reporting cycle.

Qakbot Historical Bot Infections Special Report

A special one-off report type. It is not sent every 24 hours but activated in special cases when we come across highly valuable incident datasets that fall out of the typical 24-hour reporting cycle.

Sinkhole Events Report

This report lists IPs connecting to (non-HTTP based) sinkholes. It is updated every 24 hours.

Sinkhole DNS Events Report

This report identifies IPs of recursive DNS servers querying for sinkholed domains. Sourced from sinkholes. Updated every 24 hours.

Sinkhole HTTP Events Report

This report identifies all the IPs that joined a HTTP sinkhole server that did not join via a referral URL. Sourced from HTTP sinkholes. Updated every 24 hours.

Sinkhole HTTP Referer Events Report

A list of referral URLs that pushed systems to HTTP sinkhole servers. Sourced from Sinkholes. Updated every 24 hours.

Spam URL Report

A list of the URLs and relays for spam that was received. Sourced from spam and email. Updated every 24 hours.

SSL FREAK Report

This report identifies any host (IP) that could be used in an SSL FREAK attack. It’s a Service Scan and is updated every 24 hours.

SSL POODLE Report

This report identifies any host (IP) that appears to be vulnerable to an SSL POODLE attack. It’s a Service Scan and is updated every 24 hours.

Synful Scan Report

This report identifies hosts that are potentially compromised with the SYNful Knock backdoor. It’s a Service Scan, and it’s updated every 24 hours.

Vulnerable DDoS Middlebox Report

This report identifies devices that can be abused for TCP Middlebox reflection DDoS attacks. It’s a Service Scan, and it’s updated every 24 hours.

Vulnerable Exchange Server Report

This report identifies potentially vulnerable Microsoft Exchange Servers. It’s a Service Scan, and it’s updated every 24 hours.

Vulnerable Exchange Servers Special Report #1

A special one-off report type. It is not sent every 24 hours but activated in special cases when we come across highly valuable incident datasets that fall out of the typical 24-hour reporting cycle.

Vulnerable Exchange Servers Special Report #2

A special one-off report type. It is not sent every 24 hours but activated in special cases when we come across highly valuable incident datasets that fall out of the typical 24-hour reporting cycle.

Vulnerable Exchange Servers Special Report #3

A special one-off report type. It is not sent every 24 hours but activated in special cases when we come across highly valuable incident datasets that fall out of the typical 24-hour reporting cycle.

Vulnerable Exchange Servers Special Report #4

A special one-off report type. It is not sent every 24 hours but activated in special cases when we come across highly valuable incident datasets that fall out of the typical 24-hour reporting cycle.

Vulnerable Exchange Servers Special Report #5

A special one-off report type. It is not sent every 24 hours but activated in special cases when we come across highly valuable incident datasets that fall out of the typical 24-hour reporting cycle.

Vulnerable Fortinet Special Report

A special one-off report type dedicated to Fortinet devices. It is not sent every 24 hours but activated in special cases when we come across highly valuable incident datasets that fall out of the typical 24-hour reporting cycle.

Vulnerable HTTP Report

The report identifies hosts that have an HTTP server exposed with a potential vulnerability. It’s a Service Scan, and it’s updated every 24 hours.

Vulnerable ISAKMP Report

This report identifies hosts that have a vulnerable IKE service accessible on the Internet. It’s a Service Scan, and it’s updated every 24 hours.

Vulnerable Log4j Servers Special Report

A special one-off report type. It is not sent every 24 hours but activated in special cases when we come across highly valuable incident datasets that fall out of the typical 24-hour reporting cycle.

Vulnerable SMTP Report

The report identifies hosts that have an SMTP server exposed with a potential vulnerability. It’s a Service Scan, and it’s updated every 24 hours.

Are you looking for low-cost & effective cyber security & resiliency?

Do your homework before spending $$$ on vendor solutions that try to match many of the public benefit cybersecurity tools. Reach out to a community with decades of experience who seek to help organizations minimize their cybersecurity risk through essentials that leverage public benefit services (i.e. Shadowserver).

The materials and guides posted here on www.senki.org are designed to help organizations leverage the talent around them to get started with their security activities. Start with the Operator’s Security Toolkit and Meaningful Security Conversations with your Vendors. Each is no-nonsense security for all Operators and provides details to help them build more security-resilient networks. In the meantime, stay connected to the Senki Community to get updates on new empowerment and security insights.

Originally published at https://www.senki.org on January 9, 2024.
