More than 3.6 million MySQL servers are publicly exposed on the Internet and respond to queries, making them an attractive target for hackers and extortionists.
Of these accessible MySQL servers, 2.3 million are connected via IPv4, with 1.3 million devices via IPv6.
While it is common for web services and applications to connect to remote databases, these instances must be locked down so that only authorized devices can connect to them.
Also, public server exposure should always be accompanied by strict user policies, changing the default access port (3306), enabling binary logging, closely monitoring all queries, and enforcing encryption.
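As an added illustration of the checklist above (this is not code from the original article), a small Python audit that reads the [mysqld] section of a my.cnf file and flags settings that leave a server exposed. Both sample configurations are constructed for the example, and the default values assumed for missing keys are those of MySQL 5.7/8.0.

```python
"""Audit a my.cnf [mysqld] section against the exposure checklist above."""
import configparser

# Constructed sample: a typical server left on its defaults and reachable from anywhere
WEAK_CNF = """
[mysqld]
bind-address = 0.0.0.0
port = 3306
"""

# Constructed sample: the same server locked down per the recommendations
HARDENED_CNF = """
[mysqld]
bind-address = 10.0.1.5
port = 33061
require_secure_transport = ON
log_bin = /var/log/mysql/mysql-bin.log
general_log = 1
"""

def parse_mysqld(text):
    """Return the [mysqld] options as a dict with keys normalised to use '_'."""
    # my.cnf allows bare flags such as skip-networking, hence allow_no_value
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    cp.read_string(text)
    if not cp.has_section("mysqld"):
        return {}
    return {k.replace("-", "_"): (v or "") for k, v in cp["mysqld"].items()}

def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    s = parse_mysqld(text)
    findings = []
    # MySQL listens on every interface ('*') unless told otherwise
    bind = s.get("bind_address", "*")
    if bind in ("*", "0.0.0.0", "::") and "skip_networking" not in s:
        findings.append("listens on all interfaces; restrict bind-address or firewall 3306")
    if s.get("port", "3306") == "3306":
        findings.append("uses the default port 3306 picked up by mass scans")
    if s.get("require_secure_transport", "OFF").upper() != "ON":
        findings.append("unencrypted client connections allowed; set require_secure_transport=ON")
    if "log_bin" not in s:
        findings.append("binary logging not explicitly enabled (off by default on 5.7)")
    if s.get("general_log", "0").upper() not in ("1", "ON"):
        findings.append("general query log off; queries cannot be monitored")
    return findings

if __name__ == "__main__":
    for name, cnf in (("weak", WEAK_CNF), ("hardened", HARDENED_CNF)):
        print(name, audit(cnf) or ["no findings"])
```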
3.6 million MySQL servers exposed
In scans conducted last week by cybersecurity research group The Shadowserver Foundation, analysts found 3.6 million exposed MySQL servers using the default port, TCP port 3306.
“While we did not verify the level of possible access or exposure of specific databases, this type of exposure is a potential attack surface that should be closed,” the Shadow Server report explains.
The country with the most accessible MySQL servers is the United States, exceeding 1.2 million. Other countries with significant figures are China, Germany, Singapore, the Netherlands and Poland.
The scan results in detail are as follows:
- Total population exposed in IPv4: 3,957,457
- Total population exposed in IPv6: 1,421,010
- Total IPv4 “Server Greeting” responses: 2,279,908
- Total IPv6 “Server Greeting” responses: 1,343,993
- 67% of all MySQL services found are accessible from the Internet
To learn how to safely deploy MySQL servers and close any security holes that may be lurking in their systems, Shadow Server recommends administrators read this guide for version 5.7 or this guide for version 8.0.
Data brokers selling stolen databases have told BleepingComputer that one of the most common vectors for data theft is poorly secured databases, which the administrator should always lock down to prevent unauthorized remote access.
Failure to protect MySQL database servers can result in catastrophic data breaches, destructive attacks, ransom demands, Remote Access Trojan (RAT) infections, or even Cobalt Strike compromises.
All of these scenarios have serious consequences for affected organizations, so it is crucial to apply proper security practices and lock down your devices so that anyone who finds them in a simple network scan cannot gain access.