Media Coverage

The Shadowserver Foundation warns of the security risk associated with more than 3.6 million internet-exposed MySQL servers that accept connections on port 3306/TCP. While scanning the internet for accessible MySQL servers, the organization’s researchers identified a total population of roughly 5.4 million IPv4 and IPv6 instances on port 3306/TCP, but say that only two-thirds of these appear to accept a connection. The scanning revealed that the US is home to the largest number of IPv4 MySQL servers (at more than 740,000), followed by China (just shy of 300,000), and Germany (at roughly 175,000). The Shadowserver Foundation’s research is meant to raise awareness on the wide attack surface created by MySQL servers that are potentially unnecessarily exposed to the internet.

Millions of MySQL servers were recently discovered to be publicly exposed to the internet, and using the default port, researchers have found. Nonprofit security organization, The ShadowServer Foundation, discovered a total of 3.6 million servers are configured in such a way that they can easily be targeted by threat actors. Most of the servers are found in the United States (more than 1.2 million), with China, Germany, Singapore, the Netherlands, and Poland, also hosting significant numbers of servers.

A large number of servers running the Kubernetes API have been left exposed to the internet, which is not great: they’re potentially vulnerable to abuse. Nonprofit security organization The Shadowserver Foundation recently scanned 454,729 systems hosting the popular open-source platform for managing and orchestrating containers, finding that more than 381,645 – or about 84 percent – are accessible via the internet to varying degrees thus providing a cracked door into a corporate network. “While this does not mean that these instances are fully open or vulnerable to an attack, it is likely that this level of access was not intended and these instances are an unnecessarily exposed attack surface,” Shadowserver’s team stressed in a write-up.” They also allow for information leakage on version and build.”

A widespread, critical vulnerability affecting Zyxel firewalls is being exploited by hackers, according to several researchers and the director of cybersecurity for the NSA. Cybersecurity nonprofit Shadowserver Foundation said it began seeing exploitation attempts starting on May 13. CVE-2022-30525 was first discovered by cybersecurity firm Rapid7 and the firewalls affected by the vulnerability are sold to both small companies and corporate headquarters. The tools are used for VPN solutions, SSL inspection, web filtering, intrusion protection, and email security. The vulnerability allows attackers to modify specific files and then execute some OS commands on a vulnerable device. It has a CVSS v3 score of 9.8 — indicating a high severity — and affects Zyxel firewalls supporting Zero Touch Provisioning (ZTP), which includes the ATP series, VPN series, and the USG FLEX series.

At the end of last week, Rapid7 disclosed a nasty bug in Zyxel firewalls that could allow for an unauthenticated remote attacker to execute code as the nobody user. At the time, Rapid7 said there were 15,000 affected models on the internet that Shodan had found. However, over the weekend, Shadowserver Foundation has boosted that number to over 20,800. The Foundation also said it had seen exploitation kick off on May 13, and urged users to patch immediately.

Hackers have started to exploit a recently patched critical vulnerability, tracked as CVE-2022-30525, that affects Zyxel firewall and VPN devices for businesses. Successful exploitation allows a remote attacker to inject arbitrary commands remotely without authentication, which can enable setting up a reverse shell. The severity of the security issue and the damage it could lead to is serious enough for the NSA Cybersecurity Director Rob Joyce to warn users about exploitation and encourage them to update the device firmware version if it is vulnerable. Starting Friday the 13th, security experts at the nonprofit Shadowserver Foundation reported seeing exploitation attempts for CVE-2022-30525. It is unclear if these efforts are malicious or just researchers working to map up Zyxel devices currently exposed to adversary attacks. Given the severity of the vulnerability and the popularity of the devices, security researchers have released code that should help administrators detect the security flaw and exploitation attempts.

Craig Newmark is the first to admit that he’s no cybersecurity expert. But that didn’t stop the Craigslist founder and major philanthropist from announcing last week that Craig Newmark Philanthropies would offer more than $50 million in grants to build what he calls a “cyber civil defense.” Aspen Digital, a program run by the Aspen Institute, will manage it.  Grants will go to organizations like the Ransomware Task Force at the Institute for Security Technology, the Global Cyber Alliance and even Consumer Reports, which Newmark says will create “cybersecurity nutrition labels” to, among other things, disclose security metrics on any smart device, be it a a thermostat or a car. The everyday threat of cyberattacks is very real for Americans. The last five years alone have seen a dramatic uptick in cyber and ransomware attacks, with threat actors not just going after military targets, but exploiting vulnerabilities in anything from baby cameras to major oil pipelines. “We’ve been attacked on our own soil in ways that have never happened before,” Newmark told the Click Here podcast team in an interview. “I wish I had the skills to participate,” he added, “but it seems like my role is to help out the people who can really help defend our country and democracy overall.”

Craig Newmark Philanthropies (CNP) has announced a commitment of more than $50 million in support of a broad coalition of organizations dedicated to educating and protecting Americans amid escalating cybersecurity threats. The grants from the charitable network of craigslist founder Craig Newmark will focus on building the civic infrastructure, policy frameworks, and digital tools necessary to support what Newmark calls a “cyber civil defense” effort to bolster American national and global security in the face of new threats. To that end, the funding will support efforts to raise public awareness of threats and online security choices, in addition to the creation of online tools and digital infrastructure that help secure the country’s networks. The effort also will include programming aimed at developing a diverse, inclusive, and equitable workforce capable of meeting the technical challenges ahead.

Badly prepared telecoms equipment has created an opportunity for cyber criminals to mount denial of service (DoS) attacks on mobile operators that are 4 billion times worse than anything else that’s gone before, say researchers. The revelation, reported in Arstechnica, comes just as state sponsored cyber warfare is booming, in the wake of the conflict in Ukraine. Distributed denial of services (DDoS) attacks are a popular form of DoS because they need minimal bandwidth and computing power. The effect of each small unit of data overload is amplified by the number of units it replicates on. Rather than having to marshal huge amounts of bandwidth and computing power, the DDoSer locates servers on the Internet that will do it for them.

A test mode that shouldn’t be exposed to the internet from a PBX-to-internet gateway responsible for amplification ratio of 4,294,967,296 to 1. Security researchers from Akamai, Cloudflare, Lumen Black Lotus Labs, Mitel, Netscour, Team Cymru, Telus, and The Shadowserver Foundation have disclosed denial-of-service attacks with an amplification ratio that surpasses 4 billion to one that can be launched from a single packet. Dubbed CVE-2022-26143, the flaw resides in around 2,600 incorrectly provisioned Mitel MiCollab and MiVoice Business Express systems that act as PBX-to-internet gateways and have a test mode that should not be exposed to the internet.