December honeypot report

First, the data from our Telnet & SSH honeypot. The big picture looks like this. As usual, attacks from the USA dominate heavily. However, the Netherlands has become very active again. I think we managed to silence the infected and very active machine in our country (Bulgaria) somewhere mid-month, which is why our country is no longer on second place, although it is still among the top attackers. Hopefully, this will no longer be the case the next month.

graphic

Here is how the hourly activity looks like. The honeypot is being attacked on average 2.3 times per second:

graphic

Nearly 97% of the attacks are via Telnet, the rest are via SSH:

graphic

The top-5 URLs from which malware was most actively uploaded to the honeypot. Mirai variants all of them, as usual, although the original variant is not among them.

graphic

Indeed, as you can see, uploads of various Mirai variants (IMO, "Svirtu" is a Mirai variant too) dominate heavily:

graphic

Details about the top-20 most actively attacking IPs. The offending Bulgarian IP, belonging to Verdina Ltd., is on 4th place:

graphic

The top-20 most actively attacking organizations. Verdina is the company with the infected machine in Bulgaria - fewer attacks from it this month, but still near the top. As almost usual, the top offender by far is DigitalOcean:

graphic

Speaking of DigitalOcean, as you can see, I've been sending them averagely 42 abuse reports every day - but it doesn't seem to be helping very much:

graphic

The top-20 passwords that are the most often used by the attackers; nothing unusual here:

graphic

Moving on to our SMB honeypot.

First, the big picture. Most of the action is in Russia and again, although Vietnam is also well-represented. Again, we get more attacks against our SMB honeypot than against our Telnet & SSH honeypot. Most of them are just scans, though - the number of uploaded files is relatively small. It seems that there is a botnet out there that is looking for vulnerable hosts without actually attacking them:

graphic

Hourly activity, showing on average nearly 4.2 attacks per second. (For comparison, it used to be once per minute in the past.) The big gaps were caused by the honeypot being down for maintenance:

graphic

Unique uploaded malware variants, according to Symantec's scanner. Lots of corrupted WannaCry variants, as usual (no kill switch check, no encryption).

graphic

Even if we don't count only the unique variants, the WannaCry samples are quite a lot:

graphic

Details about the top-20 most actively attacking IPs. Nothing unexpected here. Somebody in Serbia probably needs to learn how to pick a shorter name for themselves, though:

graphic

The top-20 organizations from which most of the attacks are coming from. Nothing unexpected here:

graphic

Finally, the data from our ADB honeypot.

The big picture. The Far East (China, South Korea, Hong Kong) dominates:

graphic

The hourly connection data, showing averagely one attack every half an hour:

graphic

The malware uploaded to the honeypot, according to Fortinet's scanner. The same old Monero mining worm (Trinity) is causing most of the ADB traffic, plus something that is uploading a shell script that looks vaguely Mirai-like:

graphic

Details about the top-20 most actively attacking IPs:

graphic

The top-20 organizations that own the IP addresses attacking us:

graphic

This concludes the December honeypot report.