Over 3.6 million MySQL servers are publicly accessible and responding to queries on the Internet, making them an appealing target for hackers and extortionists.
2.3 million of these accessible MySQL servers are connected via IPv4, while 1.3 million are connected via IPv6.
While web services and applications frequently connect to remote databases, these instances should be secured so that only authorised devices can connect to them.
Furthermore, public server exposure should always be accompanied by stringent user policies, such as changing the default access port (3306), enabling binary logging, closely monitoring all queries, and requiring encryption.
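The measures listed above, as an added example that is not part of the article or of Shadowserver's material: a `[mysqld]` option-file section with the exposed default noted beside the hardened setting. The interface address 10.0.5.12, port 3307, and the certificate and log paths are assumptions; adjust them to your deployment.

```ini
# Added example (not from the article): hardened [mysqld] section.
# 10.0.5.12, port 3307 and all file paths below are assumed values.
[mysqld]
# Weak default: bind-address = 0.0.0.0 listens on every interface, which is
# exactly what an Internet-wide scan on 3306 finds. Bind only to the interface
# the application tier reaches (or 127.0.0.1 if the app is co-located).
bind-address             = 10.0.5.12

# Moving off 3306 removes the server from default-port mass scans; it does not
# stop a targeted attacker, so it is noise reduction, not access control.
port                     = 3307

# Refuse any client connection that is not TLS (MySQL 5.7.8+ and 8.0).
require_secure_transport = ON
ssl_ca                   = /etc/mysql/certs/ca.pem
ssl_cert                 = /etc/mysql/certs/server-cert.pem
ssl_key                  = /etc/mysql/certs/server-key.pem

# Binary logging: a record of every data change, and the basis for
# point-in-time recovery after a destructive or ransom-style attack.
log_bin                    = /var/log/mysql/mysql-bin
binlog_expire_logs_seconds = 2592000     # 30 days (8.0 only; 5.7 uses expire_logs_days)

# The general query log records every statement received; forward it to
# central log collection. It costs disk and I/O, so size the volume for it.
general_log              = ON
general_log_file         = /var/log/mysql/general.log

# Reduce what a connected client can reach: no LOAD DATA LOCAL, and no
# reverse-DNS lookups of client hosts (which also make host grants reliable).
local_infile             = OFF
skip_name_resolve        = ON
```

Pair the file with host-restricted accounts (for example `CREATE USER 'app'@'10.0.5.%' ... REQUIRE SSL`) and a host firewall rule for the chosen port, so the listener is reachable only from the application hosts even if the bind address is later widened.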
3.6 million MySQL servers are vulnerable
Analysts discovered 3.6 million exposed MySQL servers using the default port, TCP port 3306, in scans conducted last week by cybersecurity research group The Shadowserver Foundation.
“While we do not check for the level of access possible or database exposure, this type of exposure is a potential attack surface that should be closed,” explains the Shadowserver report.
The United States has the most MySQL servers available, with over 1.2 million.
China, Germany, Singapore, the Netherlands, and Poland also have significant populations.
The detailed scan results are as follows:
- Total exposed population on IPv4: 3,957,457
- Total exposed population on IPv6: 1,421,010
- Total “Server Greeting” responses on IPv4: 2,279,908
- Total “Server Greeting” responses on IPv6: 1,343,993
- 67% of all MySQL services found are accessible from the internet
Shadowserver recommends that administrators read the MySQL security guides for version 5.7 and version 8.0 to learn how to securely deploy MySQL servers and close security gaps that may exist in their systems.
According to data brokers who sell stolen databases, one of the most common vectors for data theft is improperly secured databases, which administrators should always lock down to prevent unauthorised remote access.
Failure to secure MySQL database servers can lead to disastrous data breaches, destructive attacks, ransom demands, remote access trojan (RAT) infections, and even Cobalt Strike compromises.
All of these scenarios have serious consequences for the organisations affected, so it is critical to implement appropriate security practices and prevent your devices from being discoverable via simple network scans.