Researchers at The Shadowserver Foundation have unearthed over 3.6 million MySQL susceptible MySQL servers on the internet, making them a lucrative target to attackers and extortionists.
In scans conducted last week, researchers identified 3.6 million exposed MySQL servers using the default port, TCP port 3306. Out of 3.6 million, 2.3 million of these servers are linked over IPv4, while 1.3 million devices are connected over IPv6.
"While we do not check for the level of access possible or exposure of specific databases, this kind of exposure is a potential attack surface that should be closed," explains the report from Shadow Server.
The country with the most accessible IPv4 servers is the United States (at more than 740,000), followed by China (just shy of 300,000), and Germany (at roughly 175,000).
The US also leads when it comes to accessible IPv6 MySQL servers (with close to 461,000 instances) followed by the Netherlands (at over 296,000), and Singapore (at 218,000). A detailed explanation of the results of the scan is mentioned below:
• Total exposed population on IPv4: 3,957,457
• Total exposed population on IPv6: 1,421,010
• Total "Server Greeting" responses on IPv4: 2,279,908
• Total "Server Greeting" responses on IPv6: 1,343,993
• MySQL services can be accessed through the internet in 67% of cases.
According to researchers, it is common for web services and applications to connect to remote databases. To mitigate the risks, servers should be guarded properly so only authorized devices can connect to them.
Furthermore, public server exposure should always be accompanied by strict user policies, altering the default access port (3306), enabling binary logging, monitoring all queries closely, and enforcing encryption.
Administrators are also recommended to keep their MySQL servers updated at all times especially since attacks targeting MySQL servers are not uncommon.
"It is unlikely that you need to have your MySQL server allowing for external connections from the Internet (and thus a possible external attack surface)," Shadowserver explained in a post regarding the MySQL findings. "If you do receive a report on your network/constituency, take action to filter out traffic to your MySQL instance and make sure to implement authentication on the server."
Failing to secure MySQL database servers can result in data breaches, ransom demands, remote access trojan (RAT) infections, or even Cobalt Strike compromises.