News & Insights

We are happy to announce the first major extension to our newly launched Dashboard - the addition of IoT device statistics and server-side attack statistics, data sets that have been collected as part of the HaDEA EU CEF VARIoT project.

After many years of not having public interface for exploring our extensive cyber threat intelligence data sets, Shadowserver are very excited to make available our new public Dashboard, kindly funded by the UK FCDO. Use our Dashboard to dig into two years of aggregated country level data about many different type of threats, including some unique data sets and vantage points, then visualize the data in various ways that can be easily shared via URLs. Free to use (with attribution) for research, informing policy makers and by journalists/news media in educating the public about cyber security threats.

Publicly thanking all of the generous individuals and organizations who kindly provided financial support to The Shadowserver Foundation during 2020-2022, thereby enabling us to continue providing free, timely, actionable cyber threat Intelligence that raises the bar on Internet security for everyone. We could not continue to serve the Internet defender community without your vision, leadership and generosity. We look forward to continuing to work with you and others who believe in an open, secure, resilient Internet for all, through our soon-to-be-announced Shadowserver Alliance.

In the last few months, Shadowserver has been systematically rolling out IPv6 scanning of services. We chose to conduct our scanning based on hitlists of IPv6 addresses observed being used in the wild, maintaining up to 1 billion unique IPv6 addresses on the hitlist at any one time. We currently scan 9 different services (11 ports) uncovering over 120 million active services by unique IPv6 daily.

We have recently began scanning for  accessible MySQL server instances on port 3306/TCP.  These are instances that respond to our MySQL connection request with a Server Greeting. Surprisingly to us, we found around 2.3M IPv4 addresses responding with such a greeting to our queries. Even more surprisingly, we found over 1.3M IPv6 devices responding as well (though mostly associated with a single AS). IPv4 and IPv6 scans together uncover 3.6M accessible MySQL servers worldwide.

We have recently started scanning for accessible Kubernetes API instances that respond with a 200 OK HTTP response to our probes. Kubernetes is an open-source system for automating deployment, scaling, and management of containerized applications. We find over 380 000 Kubernetes API daily that allow for some form of access, out of over 450 000 that we are able to identify. Data on these is shared daily in our Accessible Kubernetes API Server Report.

We recently began scanning for middlebox devices that are vulnerable to Middlebox TCP reflection, which can be abused for DDoS amplification attacks.  Our results are now shared daily, filtered for your network or constituency in the new Vulnerable DDoS Middlebox report. We uncover over 18,800,000 IPv4 addresses responding to our Middlebox probes. In some cases the amplification rates can exceed 10,000!

The UK FCDO have been supporting The Shadowserver Foundation's efforts to provide more free, actionable, daily Cyber Threat Intelligence to National CSIRTs in Africa and the Indo-Pacific. After making some great progress over the past year, we are seeking support from the community to engage some additional countries in the region. Can you help connect us, and the Internet more secure for everyone?

A new reflection/amplification distributed denial of service (DDoS) vector with a record-breaking potential amplification ratio of 4,294,967,296:1 has been abused by attackers in the wild to launch multiple high-impact DDoS attacks. Attacks have been observed on broadband access ISPs, financial institutions, logistics companies, gaming companies, and organizations in other vertical markets. Security researchers, network operators, and security vendors Akamai SIRT, Cloudflare, Lumen Black Lotus Labs, Mitel, NETSCOUT Arbor ASERT, TELUS, Team Cymru, and The Shadowserver Foundation formed a task force to investigate the new DDoS vector and provide mitigation guidance. Vendor Mitel has released software patches which disables the abusable test facility and are actively engaged in remediation efforts with their customers. Vulnerable device information is available through Shadowserver's free daily network reports.

In May 2018, the US DoJ, FBI and industry partners sinkholed the modular network device infecting malware known as VPNFilter, which Shadowserver has been reporting out for remediation to nCSIRTs and network owners each day since. In February 2022 the UK NCSC, US FBI, CISA and NSA jointly announced the discovery of new network device malware, which they have called Cyclops Blink, and see as a more advanced replacement for VPNFilter. A new Shadowserver Cyclops Blink Special Report was issued to our free daily network report subscribers today, detailing IP addresses believed likely to be infected with the Cyclops Blink malware, and the associated C2 servers.