The new Dashboard lets you explore some of the many facets of Internet-scale data sets and learn more about how Shadowserver sees the state of cyber security globally, over a rolling period of the last two years. The Dashboard is based on aggregated country level data – no individual IP addresses or personally identifying information (PII) is included.

You can use the Dashboard to start with a global view, and then drill down into observations about a particular threat, or to compare statistics about two countries side by side. Initial filters for Sinkhole, Scan, Honeypot, Distributed Denial of Service (DDoS) and Industrial Control System / Operational Technology (ICS/OT) based data sets are included on the left navigation menu of the home page. There are various forms of data visualization available through the top navigation menu, such as time series graphs, world maps, region maps, treemaps and bubblecharts/tagclouds. Each data visualization should generate a unique URL for your query, so you can share links that easily recreate the same information and presentation style for others to view too, or for when you return to drill down further.

The ambition behind the new Dashboard is to empower security researchers, National CSIRTs, policy makers, journalists in the news media and other interested parties to use Shadowserver’s unique vantage point and extensive aggregated data sets as a public resource to help drive forward research and raise greater awareness of cyber security threats. With attribution, you can freely use the Dashboard for research purposes and to inform policy making, or to educate the public through news articles, but you are not permitted to scrape or resell the data. Please contact us if you have questions about licensing.

To illustrate some of the new capabilities and data sets, here are some examples:

1) The impressive impact of the Emotet botnet takedown on the number of daily infected unique victim IP addresses in March 2021:

https://dashboard.shadowserver.org/statistics/combined/time-series/?date_range=other&d1=2021-03-25&d2=2021-06-10&source=sinkhole%2Bsinkhole6&tag=emotet&style=stacked

The distribution of infected Emotet victim IP addresses by country at the point of initial sinkholing:

https://dashboard.shadowserver.org/statistics/combined/visualisation/?date_range=other&d1=2021-03-25&d2=2021-03-26&source=sinkhole%2Bsinkhole6&tag=emotet&dataset=unique_ips&group_by=geo&count_as=avg&style=bubble_diagram

2) Good news! The amount of exposed Zimbra Collaboration Suite instances vulnerable to CVE-2022-27925 / CVE-2022-37042 is decreasing. They started reporting these vulnerable instances on 2022-08-13:

Location of vulnerable Zimbra Collaboration Suite systems, treemap by country:

https://dashboard.shadowserver.org/statistics/combined/tree/?day=2022-08-31&source=http_vulnerable&tag=zimbra%3Bcve-2022-37042&geo=all&data_set=count

Read more about recent Zimbra ZCS CVE-2022-27925 and CVE-2022-37042 here: https://www.cisa.gov/uscert/ncas/alerts/aa22-228a

Let’s push to reduce the amount of vulnerable instances even further!

3)  Mirai/IoT related botnet infections are on the rise again. What is the root cause and how can we work together to more effectively combat these threats?

https://dashboard.shadowserver.org/statistics/combined/time-series/?date_range=180&source=honeypot&tag=mirai&style=stacked

World map of detected Mirai bot locations:

https://dashboard.shadowserver.org/statistics/combined/map/?map_type=std&day=2022-08-31&source=honeypot&tag=mirai&geo=all&data_set=count&scale=log

As you can see, these examples are only the tip of the iceberg. Petabytes of global cyber threat data, including some unique data sets, are being aggregated and made available to the public for interactive exploration and visualization – for the first time.