News & Insights

Topic: Reports

Hello IPv6 Scanning World!

July 14, 2022
In the last few months, Shadowserver has been systematically rolling out IPv6 scanning of services. We chose to conduct our scanning based on hitlists of IPv6 addresses observed being used in the wild, maintaining up to 1 billion unique IPv6 addresses on the hitlist at any one time. We currently scan 9 different services (11 ports) uncovering over 120 million active services by unique IPv6 daily.

Over 3.6 million exposed MySQL servers on IPv4 and IPv6

May 31, 2022
We have recently began scanning for  accessible MySQL server instances on port 3306/TCP.  These are instances that respond to our MySQL connection request with a Server Greeting. Surprisingly to us, we found around 2.3M IPv4 addresses responding with such a greeting to our queries. Even more surprisingly, we found over 1.3M IPv6 devices responding as well (though mostly associated with a single AS). IPv4 and IPv6 scans together uncover 3.6M accessible MySQL servers worldwide.

Over 380 000 open Kubernetes API servers

May 17, 2022
We have recently started scanning for accessible Kubernetes API instances that respond with a 200 OK HTTP response to our probes. Kubernetes is an open-source system for automating deployment, scaling, and management of containerized applications. We find over 380 000 Kubernetes API daily that allow for some form of access, out of over 450 000 that we are able to identify. Data on these is shared daily in our Accessible Kubernetes API Server Report.

More Free Cyber Threat Intelligence For National CSIRTs

April 25, 2022
The UK FCDO have been supporting The Shadowserver Foundation's efforts to provide more free, actionable, daily Cyber Threat Intelligence to National CSIRTs in Africa and the Indo-Pacific. After making some great progress over the past year, we are seeking support from the community to engage some additional countries in the region. Can you help connect us, and the Internet more secure for everyone?

CVE-2022-26143: TP240PhoneHome Reflection/Amplification DDoS Attack Vector

March 8, 2022
A new reflection/amplification distributed denial of service (DDoS) vector with a record-breaking potential amplification ratio of 4,294,967,296:1 has been abused by attackers in the wild to launch multiple high-impact DDoS attacks. Attacks have been observed on broadband access ISPs, financial institutions, logistics companies, gaming companies, and organizations in other vertical markets. Security researchers, network operators, and security vendors Akamai SIRT, Cloudflare, Lumen Black Lotus Labs, Mitel, NETSCOUT Arbor ASERT, TELUS, Team Cymru, and The Shadowserver Foundation formed a task force to investigate the new DDoS vector and provide mitigation guidance. Vendor Mitel has released software patches which disables the abusable test facility and are actively engaged in remediation efforts with their customers. Vulnerable device information is available through Shadowserver's free daily network reports.

Shadowserver Special Reports – Vulnerable Log4j Servers (2021-12-22 update)

December 22, 2021
A maximum risk critical vulnerability in the popular Apache Log4j open source logging software was made public as CVE-2021-44228 on December 9th 2021, potentially providing attackers with easy remote code execution on thousands of systems globally. Although Shadowserver decided not to scan for this vulnerability, our honeypots continue to detect IPv4 /0 scanning and exploitation attempts. A second run of our Vulnerable Log4j Servers Special Report provides updated data from Alpha Strike Lab's scanning activity performed during the week since our first Special Report. The updated Special Report is being distributed to National CSIRTs and network owners as a public benefit service to aid in rapid remediation.

Continuing Our Africa and Indo-Pacific Regional Outreach

December 1, 2021
Shadowserver received funding from the UK FCDO in Q1 2021 for a short surge to improve the support we offered to Africa and the Indo-Pacific region. We achieved some good results, so we are providing some public highlights in this blog post. We are also pleased to announce that we have received some additional FCDO funding to continue these efforts through Q4 2021 and Q1 2022, and hope to further expand our free public benefit service coverage to more National CSIRT and additional network owner (ASNs) in these target regions.

Announcing the Device Identification Report

September 8, 2021
We have introduced a new report type, the Device Identification Report. This report contains a list of devices we have identified in our daily Internet scans. The assessment is made based on all our IPv4-wide Internet scan types. All scan responses are processed by a scan signature engine that classifies IPs based on predefined rules that match various response fields. The report is intended for recipients to get a better understanding of device population types on networks they are responsible for

21nails: Reporting on Vulnerable SMTP/Exim Servers

May 20, 2021
We have recently started to perform a full IPv4 Internet-wide scan for accessible SMTP services and will report out possible vulnerabilities that have been observed, with a current focus on Exim (in the future non-Exim vulnerabilities may be added). We scan by performing a connection to port 25, recognizing an SMTP response and collecting the banner served. These connections look just like a normal SMTP connection, there is not any attempt to exploit the port, only to collect the banner information from that connection to the server. Our scan uncovered 317,848 distinct Exim IPs that likely contain 21nails vulnerabilities (as discovered by Qualys) based on the connected banner identification.

Announcing the New Report Delta Mode Option

April 29, 2021
A new opt-in feature in our reporting mechanism will allow for reporting only the changes of the data from day to day: the report delta mode option. In this mode, every Sunday we will continue to deliver a full set of reports on all events observed on a report recipients’s network. For the rest of the week, for every distinct report type we will report only the difference between events seen on that day relative to the Sunday report. This will continue throughout the week until the following Sunday, when everything is reset and a full report is delivered again.