April honeypot report

First, the data from our Telnet & SSH honeypot. As almost always, the USA holds the top spot:

graphic

Here is how the hourly activity looks like. The honeypot is being attacked slightly more often than 2.1 times per second. The large two-day gap around the beginning of the month was caused by the computer running the honeypot losing Internet connectivity and, due to the pandemic lockdown, there was nobody around to reset it.

graphic

Nearly 96% of the attacks are via Telnet, the rest are via SSH:

graphic

The top-5 URLs from which malware was most actively uploaded to the honeypot. Mirai variants all of them, as usual, although the original variant is not among them.

graphic

Indeed, as you can see, uploads of various Mirai variants (IMO, "Svirtu" is a Mirai variant too) dominate heavily. Gafgyt is substantially different and it accounts for only 1.84% of the uploads. Some kind of generic downloader makes up for another 0.42% of the uploads:

graphic

Details about the top-20 most actively attacking IPs. This surge from Estonia is a bit unusual:

graphic

The top-20 most actively attacking organizations. DigitalOcean is again at the top spot:

graphic

Speaking of DigitalOcean, as you can see, I've been sending them averagely nearly 65 abuse reports every day - but it doesn't seem to be helping very much:

graphic

The top-20 passwords that are the most often used by the attackers; nothing unusual here:

graphic

Moving on to our SMB honeypot.

First, the big picture. Most of the action is in Russia again, although Vietnam is again well-represented too. This month the number of attacks against our SMB honeypot exceeds more than 1.8 times the combined number of attacks against our Telnet and SSH honeypots:

graphic

Hourly activity, showing on average more than 3.8 attacks per second; pretty steady traffic, with some very short-timed pauses. Again, the two-day pause was caused by the honeypot losing internet connectivity and nobody being around to reset it.

graphic

Unique uploaded malware variants, according to Symantec's scanner. The corrupted WannaCry variants (no kill switch check, no encryption) dominate, as usual, although their total number seems to be abating:

graphic

Even if we don't count only the unique variants, WannaCry is well-represented:

graphic

Details about the top-20 most actively attacking IPs. Nothing unusual here:

graphic

The top-20 organizations from which most of the attacks are coming from. Nothing unusual here, either:

graphic

Next, the data from our ADB honeypot.

The big picture. The Far East (China, Hong Kong, Vietnam) dominates as usual, but the USA and and the UK are also well-represented:

graphic

The hourly connection data, showing averagely 3.2 attacks per hour:

graphic

The unique malware uploaded to the honeypot, according to Fortinet's scanner. The two parts of same old Monero mining worm (Trinity) is causing all the malicious uploads:

graphic

Details about the top-20 most actively attacking IPs:

graphic

The top-20 organizations that own the IP addresses attacking us:

graphic

We have added a new honeypot to our roster - for the Remote Desktop Protocol (RDP) this time. Unlike our previous three, this one hasn't been open-sourced yet - mostly because I am not satisfied with its quality. It is based on the RDPY library, which basically means that it sucks. It does not support Python 3.x, it's not fully compatible with the protocol implementation of some popular hacking tools, which means that it fails to capture properly the login credentials used by them, and it often crashes with various errors, as documented here.

Still, it has been running for nearly a month already and I thought that it might be interesting to look at the data collected during this time.

First, the big picture. Vietnam occupies the top spot by far - more than 19 times more attacks coming from there than from the next contender, the USA. Almost all of these attacks have come from a single IP address, as we'll see in a moment.

graphic

Hourly activity, showing almost 1.5 attacks per minute, although they tend to arrive in large bursts from a single attacking address.

graphic

Details about the top-20 attacking IP addresses. You can see that single Vietnamese IP, which is responsible for that country's occupying the top spot:

graphic

The top-20 organizations that own the IP addresses attacking us. Nothing unusual here - the Vietnamese ISP, of course, occupies the top spot but DigitalOcean is well-represented on this protocol too:

graphic

This concludes the April honeypot report.