Scans performed by cybersecurity research group The Shadowserver Foundation revealed more than 3.6 million MySQL databases exposed to the internet on the default TCP port 3306.
Of these databases, around 2.3 million are reachable over IPv4 and 1.3 million over IPv6. The USA leads with just over 1.2 million exposed databases. Other significant exposures are in China, Germany, Singapore, the Netherlands and Poland.
The largest numbers of accessible IPv4 MySQL servers were found in the United States (740,100), China (296,300) and Germany (174,900). For IPv6, the US leads with 460,800 servers, then the Netherlands with 296,300 servers, Singapore with 218,200 servers and Germany with 173,700 servers.
The Shadowserver Foundation’s report further details the following numbers:
|Total number of exposed databases on IPv4
|Server greeting responses on IPv4
|Total number of exposed databases on IPv6
|Server greeting responses on IPv6
Overall, 67% of all MySQL services found are accessible from the internet. The report also recommends guides for securely deploying MySQL servers and closing any security loopholes in versions 5.7 and 8.0.
The scan was run by issuing MySQL connection requests over the default port (TCP 3306) and collecting the server responses that contained a MySQL server greeting message, including both TLS and non-TLS responses. The report further clarifies that Shadowserver did not perform any intrusive checks to discover the level of access possible to any of the databases.
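The same non-intrusive check can be run against hosts you administer. The following is an added example, not Shadowserver's code: it parses the first packet a MySQL server sends (protocol version 10 greeting, or an error packet) and reports the version string and whether TLS is offered. The function names and the sample packets are constructed for illustration.

```python
import socket
import struct

CLIENT_SSL = 0x0800  # capability flag: server accepts a TLS upgrade


def parse_greeting(packet: bytes) -> dict:
    """Parse the first packet a MySQL server sends after the TCP connect."""
    if len(packet) < 5:
        raise ValueError("too short for a MySQL packet")
    length = int.from_bytes(packet[0:3], "little")  # 3-byte payload length
    payload = packet[4:4 + length]                   # byte 3 is the sequence id
    if length == 0 or len(payload) < length:
        raise ValueError("empty or truncated payload")
    if payload[0] == 0xFF:  # ERR packet, e.g. the client host is not allowed
        code = struct.unpack_from("<H", payload, 1)[0]
        return {"kind": "error", "code": code,
                "message": payload[3:].decode("utf-8", "replace")}
    if payload[0] != 0x0A:
        raise ValueError(f"unexpected protocol version {payload[0]}")
    end = payload.index(b"\x00", 1)                  # NUL-terminated version string
    version = payload[1:end].decode("ascii", "replace")
    # After the version: thread id (4), auth data part 1 (8), filler (1),
    # then the lower 16 bits of the capability flags.
    caps_low = struct.unpack_from("<H", payload, end + 1 + 4 + 8 + 1)[0]
    return {"kind": "greeting", "version": version,
            "tls_offered": bool(caps_low & CLIENT_SSL)}


def read_greeting(host: str, port: int = 3306, timeout: float = 5.0) -> dict:
    """Connect to a host you administer and parse whatever it sends first."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        return parse_greeting(sock.recv(4096))  # a greeting fits in one read


def build_sample(version: bytes, caps_low: int) -> bytes:
    """Constructed sample greeting (not captured traffic) for offline use."""
    payload = (b"\x0a" + version + b"\x00" + struct.pack("<I", 42)
               + b"saltsalt" + b"\x00" + struct.pack("<H", caps_low))
    return len(payload).to_bytes(3, "little") + b"\x00" + payload


if __name__ == "__main__":
    print(parse_greeting(build_sample(b"8.0.28", 0xFFFF)))  # TLS offered
    print(parse_greeting(build_sample(b"5.7.33", 0xF7FF)))  # TLS not offered
```

A greeting received from outside your network perimeter means port 3306 is reachable from the internet; an error result means the port is open but the server rejected the connecting host.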
While many services need to access external databases, failing to secure them properly can result in severe consequences for the organisation, including but not limited to data breaches, ransomware attacks, remote access trojan infections, or even Cobalt Strike deployments.