Cybercriminals are scanning Shodan for easy marks

Cybercriminals are scanning Shodan for easy marks

Organizations are urged to be more proactive when it comes to protecting against vulnerabilities, after a report found that malicious attackers routinely exploit unpatched systems.

The 2021 Trustwave SpiderLabs Telemetry Report, released this week, found that a huge number of companies are falling foul to cyber-attacks despite having ready access to suitable fixes.

This is happening because malicious actors are using Shodan to scan for networks that are exposed to known vulnerabilities and exploit them before the victim can apply the patch.


Trustwave SpiderLabs researchers reported that there was a record-breaking number (around 18,352) of new security vulnerabilities in the year 2020, a 6% increase from 2019 and a “staggering” 184.66% increase from 2016.

And while some of these flaws were deemed to be high severity, more than 50% of the servers were vulnerable to exploitation weeks and even months after a security update was released.

Researchers said this was because either the servers were not patched in a timely manner or had an unsupported (and therefore unpatchable) version of the software running.

High-profile targets

The report assessed a number of high-profile vulnerabilities that appeared in 2021 including the Apache Tomcat HTTP request smuggling vulnerability (CVE-2021-33037), multiple vulnerabilities in VMware vCenter (CVE-2021-21986 and CVE-2021-21985), and multiple vulnerabilities in Microsoft Exchange Server aka ProxyLogon (CVE-2021-26855, CVE-2021-26858, CVE-2021-26857, and CVE-2021-270650).

The team used Shodan to determine how many networks were still left open to these security issues, despite patches being widely available.

The results were varied – while just 5.9% of networks were still vulnerable to ProxyLogon, 49% were open to exploit by the issues in VMware vCenter, and a staggering 54% were vulnerable to the Apache Tomcat HTTP request smuggling bug.

The full report contains more details of other vulnerabilities studied.

READ MORE VMware warning: Multiple vulnerabilities in vCenter Server could allow remote network access

The report reads: “Attackers are leveraging telemetry from Shodan to gather information about vulnerable instances, sometimes faster than ethical hackers.

“Thus, it is imperative that organizations proactively identify vulnerabilities and patch them.

“The Shodan telemetry report reviewed some of 2021’s high-profile vulnerabilities on targets accessible on the Internet. As mentioned, our team observed that for the vulnerabilities reviewed, at least 3 of them saw over 50% of instances accessible over the Internet were vulnerable.

“Indeed, this was the case weeks and even months after patch release. Another key observation saw high numbers of end-of-life and end of general support software on the Internet.

“Unsupported versions of software do not receive security patches, greatly increasing the risk of exploitation.”

YOU MAY ALSO LIKE OWASP toasts 20th anniversary with revised Top 10 for 2021