Media Coverage

Shadowserver in the news

The Best 10 Free Cybersecurity Services

WellAware Security, June 29, 2022

I’ve seen several recent posts about lots of free and open source tools in the security community. These kinds of tools are incredibly important, but they often are targeted towards individuals with some experience to be able to use. This is a challenge for small businesses or nonprofits who may not have the resources or staff to put those tools into practice.

If you’re a small business or nonprofit, this article is for you. There are a ton of free services that can provide real value today, even if you are the only IT person in the company and you don’t have any security experience. 1. ShadowServer. The Shadowserver Foundation was created in 2004 as a nonprofit to help with security reporting and investigation. One of the free services that Shadowserver offers is a report for owners of networks to show vulnerable services that are running on your network so that you can remove them or offer more secure options. This is a really easy way for organizations that may not have scanning tools to prevent an incident before it happens. To sign up, go to You’ll need to provide some detailed information and the Shadowserver team will verify if you actually own the network first.

Millions Of MySQL Server Users’ Data Found On The Internet

Natural Networks, June 28, 2022

Do you maintain a MySQL server?  If so, you’re certainly not alone.  What you may not know is that according to research conducted by The Shadowserver Foundation, (a cybersecurity research group) there are literally millions of MySQL servers visible on the internet that shouldn’t be. In all, the group found more than 3.6 million MySQL servers visible on the web and using the default port, TCP port 3306. The company noted that they did not check for the level of access possible, or the exposure of specific data. The fact remained that the server itself was visible and that alone was a security risk, regardless of any other factors. The United States led the world in terms of total number of exposed servers, with just over 1.2 million, but there were also substantial numbers to be found in Germany, Singapore, the Netherlands, and China.

Over 900,000 Kubernetes instances found exposed online

Bleeping Computer, June 28, 2022

Over 900,000 misconfigured Kubernetes clusters were found exposed on the internet to potentially malicious scans, some even vulnerable to data-exposing cyberattacks. Kubernetes is a highly versatile open-source container orchestration system for hosting online services and managing containerized workloads via a uniform API interface. It enjoys massive adoption and growth rates thanks to its scalability, flexibility in multi-cloud environments, portability, cost, app development, and system deployment time reductions. However, if Kubernetes isn’t configured properly, remote actors might be able to access internal resources and private assets that weren’t meant to be made public. Additionally, depending on the configuration, intruders could sometimes escalate their privileges from containers to break isolation and pivot to host processes, granting them intial access to internal corporate networks for futher attacks. Researchers at Cyble have conducted an exercise to locate exposed Kubernetes instances across the internet, using similar scanning tools and search queries to those employed by malicious actors. Last month, The Shadowserver Foundation released a report on exposed Kubernetes instances where they discovered 381,645 unique IPs responding with a 200 HTTP error code.

Why are you leaving your SNMP ports open to the world?

SENKI, June 15, 2022

Too many organizations are ignoring the risk of SNMP abuse and leaving their SNMP ports open to the world. Simple Network Manage Protocol (SNMP) is one of our core networking building blocks. We – the community who build and run networks – use all types of networks. It is a powerful tool for monitoring, managing, and controlling devices. Yet, SNMP’s security is an afterthought, allowing risk that endangers the organization. We’ll focus on deploying Multi-Factor Authentication (MFA) while leaving the devices that manage the MFA with open and exploitable SNMP ports. SNMP is a gold mine for the miscreant who learns how to leverage it. Shadowserver’s long-term measurement of the SNMP Risk has millions of devices open to exploitation.

Scanning Finds Over 3.6 Million Internet-Accessible MySQL Servers

Security Week, June 1, 2022

The Shadowserver Foundation warns of the security risk associated with more than 3.6 million internet-exposed MySQL servers that accept connections on port 3306/TCP. While scanning the internet for accessible MySQL servers, the organization’s researchers identified a total population of roughly 5.4 million IPv4 and IPv6 instances on port 3306/TCP, but say that only two-thirds of these appear to accept a connection. The scanning revealed that the US is home to the largest number of IPv4 MySQL servers (at more than 740,000), followed by China (just shy of 300,000), and Germany (at roughly 175,000). The Shadowserver Foundation’s research is meant to raise awareness on the wide attack surface created by MySQL servers that are potentially unnecessarily exposed to the internet.

Millions of MySQL servers found exposed online - is yours among them?

Techradar, June 1, 2022

Millions of MySQL servers were recently discovered to be publicly exposed to the internet, and using the default port, researchers have found. Nonprofit security organization, The ShadowServer Foundation, discovered a total of 3.6 million servers are configured in such a way that they can easily be targeted by threat actors. Most of the servers are found in the United States (more than 1.2 million), with China, Germany, Singapore, the Netherlands, and Poland, also hosting significant numbers of servers.

381,000-plus Kubernetes API servers 'exposed to internet'

The Register, May 23, 2022

A large number of servers running the Kubernetes API have been left exposed to the internet, which is not great: they’re potentially vulnerable to abuse. Nonprofit security organization The Shadowserver Foundation recently scanned 454,729 systems hosting the popular open-source platform for managing and orchestrating containers, finding that more than 381,645 – or about 84 percent – are accessible via the internet to varying degrees thus providing a cracked door into a corporate network. “While this does not mean that these instances are fully open or vulnerable to an attack, it is likely that this level of access was not intended and these instances are an unnecessarily exposed attack surface,” Shadowserver’s team stressed in a write-up.” They also allow for information leakage on version and build.”

Researchers, NSA cybersecurity director warn of hackers targeting Zyxel vulnerability

The Record, May 17, 2022

A widespread, critical vulnerability affecting Zyxel firewalls is being exploited by hackers, according to several researchers and the director of cybersecurity for the NSA. Cybersecurity nonprofit Shadowserver Foundation said it began seeing exploitation attempts starting on May 13. CVE-2022-30525 was first discovered by cybersecurity firm Rapid7 and the firewalls affected by the vulnerability are sold to both small companies and corporate headquarters. The tools are used for VPN solutions, SSL inspection, web filtering, intrusion protection, and email security. The vulnerability allows attackers to modify specific files and then execute some OS commands on a vulnerable device. It has a CVSS v3 score of 9.8 — indicating a high severity — and affects Zyxel firewalls supporting Zero Touch Provisioning (ZTP), which includes the ATP series, VPN series, and the USG FLEX series.

Nasty Zyxel remote execution bug is being exploited

ZDNet, May 15, 2022

At the end of last week, Rapid7 disclosed a nasty bug in Zyxel firewalls that could allow for an unauthenticated remote attacker to execute code as the nobody user. At the time, Rapid7 said there were 15,000 affected models on the internet that Shodan had found. However, over the weekend, Shadowserver Foundation has boosted that number to over 20,800. The Foundation also said it had seen exploitation kick off on May 13, and urged users to patch immediately.

Hackers are exploiting critical bug in Zyxel firewalls and VPNs

Bleeping Computer, May 15, 2022

Hackers have started to exploit a recently patched critical vulnerability, tracked as CVE-2022-30525, that affects Zyxel firewall and VPN devices for businesses. Successful exploitation allows a remote attacker to inject arbitrary commands remotely without authentication, which can enable setting up a reverse shell. The severity of the security issue and the damage it could lead to is serious enough for the NSA Cybersecurity Director Rob Joyce to warn users about exploitation and encourage them to update the device firmware version if it is vulnerable. Starting Friday the 13th, security experts at the nonprofit Shadowserver Foundation reported seeing exploitation attempts for CVE-2022-30525. It is unclear if these efforts are malicious or just researchers working to map up Zyxel devices currently exposed to adversary attacks. Given the severity of the vulnerability and the popularity of the devices, security researchers have released code that should help administrators detect the security flaw and exploitation attempts.