News & Insights

We are happy to announce multiple enhancements to our public Dashboard, particularly to the Exploited Vulnerability data collected by our server-side honeypot sensors, thanks to funding provided by the UK Foreign Commonwealth and Development Office (FCDO).

The Shadowserver Foundation is grateful for the continued support and generosity of craigslist founder, Craig Newmark. Earlier this month, Craig Newmark provided Shadowserver with a substantial donation of $500,000.

The Shadowserver Foundation today launched its new Alliance to Continue to Build a Safer, More Secure Internet. The new Shadowserver Alliance partner program will accelerate growth and scale up delivery of no cost cybersecurity and cyber threat intelligence services to internet defender organizations and law enforcement. The Alliance represents a significant expansion to Shadowserver's freely provided internet security services and enables partners, including some of the world’s most trusted organizations such as Mastercard, Craig Newmark Philanthropies, Avast, Trend Micro and Akamai, to aid its mission to create a safer, more secure Internet. The Shadowserver Alliance is actively seeking new partners to join us now in the next phase of our journey. As a strong community, we can continue to raise the bar on global cyber security together.

We are happy to announce the first major extension to our newly launched Dashboard - the addition of IoT device statistics and server-side attack statistics, data sets that have been collected as part of the HaDEA EU CEF VARIoT project.

After many years of not having public interface for exploring our extensive cyber threat intelligence data sets, Shadowserver are very excited to make available our new public Dashboard, kindly funded by the UK FCDO. Use our Dashboard to dig into two years of aggregated country level data about many different type of threats, including some unique data sets and vantage points, then visualize the data in various ways that can be easily shared via URLs. Free to use (with attribution) for research, informing policy makers and by journalists/news media in educating the public about cyber security threats.

Publicly thanking all of the generous individuals and organizations who kindly provided financial support to The Shadowserver Foundation during 2020-2022, thereby enabling us to continue providing free, timely, actionable cyber threat Intelligence that raises the bar on Internet security for everyone. We could not continue to serve the Internet defender community without your vision, leadership and generosity. We look forward to continuing to work with you and others who believe in an open, secure, resilient Internet for all, through our soon-to-be-announced Shadowserver Alliance.

In the last few months, Shadowserver has been systematically rolling out IPv6 scanning of services. We chose to conduct our scanning based on hitlists of IPv6 addresses observed being used in the wild, maintaining up to 1 billion unique IPv6 addresses on the hitlist at any one time. We currently scan 9 different services (11 ports) uncovering over 120 million active services by unique IPv6 daily.

We have recently began scanning for  accessible MySQL server instances on port 3306/TCP.  These are instances that respond to our MySQL connection request with a Server Greeting. Surprisingly to us, we found around 2.3M IPv4 addresses responding with such a greeting to our queries. Even more surprisingly, we found over 1.3M IPv6 devices responding as well (though mostly associated with a single AS). IPv4 and IPv6 scans together uncover 3.6M accessible MySQL servers worldwide.

We have recently started scanning for accessible Kubernetes API instances that respond with a 200 OK HTTP response to our probes. Kubernetes is an open-source system for automating deployment, scaling, and management of containerized applications. We find over 380 000 Kubernetes API daily that allow for some form of access, out of over 450 000 that we are able to identify. Data on these is shared daily in our Accessible Kubernetes API Server Report.

We recently began scanning for middlebox devices that are vulnerable to Middlebox TCP reflection, which can be abused for DDoS amplification attacks.  Our results are now shared daily, filtered for your network or constituency in the new Vulnerable DDoS Middlebox report. We uncover over 18,800,000 IPv4 addresses responding to our Middlebox probes. In some cases the amplification rates can exceed 10,000!