I was just finishing a Shadowserver ticket from a threat researcher who knew how to leverage the Shadowserver Foundation’s trust.
This threat researcher was exploring a risk on one of their customers. While exploring this risk, they discovered an ISP had multiple devices with SNMP wide open (we’ll get to why SNMP open is a critical risk).
The threat researcher didn’t have a way to contact the ISP to alert them to the risk. It was not part of their contract. But the threat researcher knew Shadowserver might have a way to contact the ISP.
Why?
ISPs who have a clue about cybersecurity know all about Shadowserver, subscribe to the daily reports for their ASNs, and use them to lock down their networks. These reports are free – funded by the Shadowserver Alliance community. Unfortunately, many ISPs don’t subscribe to the reports, ignore them, or take no action.
The threat researcher sent an email to contact@shadowserver.org to open a ticket, provide details of their findings, and request help. In this case, the ISP that the threat researcher found the risk on did not have a Shadowserver Subscription. The Shadowserver team validated its finding (yes, the ISP had SNMP wide open to “living off the land” attacks). With both pieces of information, Shadowserver and the threat researcher contacted the National CSIRT for that ISP. The National CSIRT replied that they would contact the ISP.
In this case, we were lucky – the ISP’s country’s new laws make the organization liable if they do not respond to mitigate a risk. It took a couple of days, but the ISP did the simple steps – Infrastructure ACLs on the edge, ACLs on the devices with SNMP open, and configured SNMP to be more resilient with SNMPv3.
What did we learn?
If you are a threat researcher or bug bounty professional, know that groups like the Shadowserver Foundation are your responsible disclosure partners. If you find a vulnerability, you can, in a TLP: RED framework, correspond with Shadowserver Staff and Volunteers. The dialog would help you determine your responsible disclosure path.
In some cases, threat researchers identify a zero-day risk, work with Shadowserver on responsible disclosure, and explore whether Shadowserver’s scans/honeypots can be used. Shadowserver also helps plug the threat researcher into the appropriate CSIRT team or vendor PSIRT Team.
When public disclosure occurs, Shadowserver would publish the details of the new scan, alert all its subscribers, link to the threat researcher’s blog/disclosure, and provide the advisory details from the vendor/operator. This approach is an OODA loop exercise – collaboratively working together to get risk mitigation telemetry out to organizations faster than the threat actors can respond. The key benefit to the threat researcher is that their contribution is a win-win-win. Their work is credited in all disclosures; people reach their blog/alert; the affected vendors/operators are thankful for the time to respond; and CSIRT Teams around the world welcome the time to prepare. Remember, if you are a professional threat researcher or bug bounty expert, Shadowserver is one of your allies. All you need to do is ask via email: contact@shadowserver.org.
