News & Insights

We are happy to announce the first major extension to our newly launched Dashboard - the addition of IoT device statistics and server-side attack statistics, data sets that have been collected as part of the HaDEA EU CEF VARIoT project.

After many years of not having public interface for exploring our extensive cyber threat intelligence data sets, Shadowserver are very excited to make available our new public Dashboard, kindly funded by the UK FCDO. Use our Dashboard to dig into two years of aggregated country level data about many different type of threats, including some unique data sets and vantage points, then visualize the data in various ways that can be easily shared via URLs. Free to use (with attribution) for research, informing policy makers and by journalists/news media in educating the public about cyber security threats.

In the last few months, Shadowserver has been systematically rolling out IPv6 scanning of services. We chose to conduct our scanning based on hitlists of IPv6 addresses observed being used in the wild, maintaining up to 1 billion unique IPv6 addresses on the hitlist at any one time. We currently scan 9 different services (11 ports) uncovering over 120 million active services by unique IPv6 daily.

We have recently began scanning for  accessible MySQL server instances on port 3306/TCP.  These are instances that respond to our MySQL connection request with a Server Greeting. Surprisingly to us, we found around 2.3M IPv4 addresses responding with such a greeting to our queries. Even more surprisingly, we found over 1.3M IPv6 devices responding as well (though mostly associated with a single AS). IPv4 and IPv6 scans together uncover 3.6M accessible MySQL servers worldwide.

We have recently started scanning for accessible Kubernetes API instances that respond with a 200 OK HTTP response to our probes. Kubernetes is an open-source system for automating deployment, scaling, and management of containerized applications. We find over 380 000 Kubernetes API daily that allow for some form of access, out of over 450 000 that we are able to identify. Data on these is shared daily in our Accessible Kubernetes API Server Report.

We recently began scanning for middlebox devices that are vulnerable to Middlebox TCP reflection, which can be abused for DDoS amplification attacks.  Our results are now shared daily, filtered for your network or constituency in the new Vulnerable DDoS Middlebox report. We uncover over 18,800,000 IPv4 addresses responding to our Middlebox probes. In some cases the amplification rates can exceed 10,000!

A maximum risk critical vulnerability in the popular Apache Log4j open source logging software was made public as CVE-2021-44228 on December 9th 2021, potentially providing attackers with easy remote code execution on thousands of systems globally. Although Shadowserver decided not to scan for this vulnerability, our honeypots continue to detect IPv4 /0 scanning and exploitation attempts. A second run of our Vulnerable Log4j Servers Special Report provides updated data from Alpha Strike Lab's scanning activity performed during the week since our first Special Report. The updated Special Report is being distributed to National CSIRTs and network owners as a public benefit service to aid in rapid remediation.

A maximum risk critical vulnerability in the popular Apache Log4j open source logging software was made public as CVE-2021-44228 on December 9th 2021, potentially providing attackers with easy remote code execution on thousands of systems globally. Although Shadowserver decided not to scan for this vulnerability, our honeypots detected rapid growth in IPv4 /0 scanning. This Special Report provides data from Alpha Strike Labs's scanning activity and is being distributed to National CSIRTs and network owners as a public benefit service to aid in rapid remediation.

We have introduced a new report type, the Device Identification Report. This report contains a list of devices we have identified in our daily Internet scans. The assessment is made based on all our IPv4-wide Internet scan types. All scan responses are processed by a scan signature engine that classifies IPs based on predefined rules that match various response fields. The report is intended for recipients to get a better understanding of device population types on networks they are responsible for

A new one-off Special Report covering efforts to identify additional vulnerable and compromised Microsoft Exchange servers and associated common web shell that are configured to use DNS based virtual hosting, rather than direct IPv4 /0 scanning for default web sites, containing data for the period 2021-03-16 to 2021-03-22.