May honeypot report

First, the data from our Telnet & SSH honeypot. As almost always, the USA holds the top spot, with nearly three times more attacks coming from there than from the next contender, the Netherlands:

graphic

Here is how the hourly activity looks like. The honeypot is being attacked slightly more often than 2.1 times per second. The one-day gap around the beginning of the month was caused by the computer running the honeypot losing Internet connectivity and, due to the pandemic lockdown, there was nobody around to reset it.

graphic

Nearly 96% of the attacks are via Telnet, the rest are via SSH:

graphic

The top-5 URLs from which malware was most actively uploaded to the honeypot. Mirai variants all of them, as usual, although the original variant is not among them.

graphic

Indeed, as you can see, uploads of various Mirai variants (IMO, "Svirtu" is a Mirai variant too) dominate heavily. Gafgyt is substantially different and it accounts for only 0.57% of the uploads. Some kind of generic downloader makes up for another 0.69% of the uploads:

graphic

Details about the top-20 most actively attacking IPs. Sadly, a Bulgarian one occupies the top spot:

graphic

The top-20 most actively attacking organizations. DigitalOcean again figures prominently, but surprisingly, this time it isn't at the top spot. That dubious honor belongs to Hostwinds this time. Numerous attacks from Microsoft-owned IPs are also interesting:

graphic

Speaking of DigitalOcean, as you can see, I've been sending them averagely more than 52 abuse reports every day - but it doesn't seem to be helping very much:

graphic

The top-20 passwords that are the most often used by the attackers; nothing unusual here:

graphic

Moving on to our SMB honeypot.

First, the big picture. Most of the action is in Veitnam this time, although Russia is again well-represented too. This month the number of attacks against our SMB honeypot is lower than the number of attacks against our Telnet and SSH honeypots but not by much and there are hotspots all over the world:

graphic

Hourly activity, showing on average nearly 1.6 attacks per second; pretty steady traffic. Again, the pause was caused by the honeypot losing internet connectivity and nobody being around to reset it.

graphic

Unique uploaded malware variants, according to Symantec's scanner. The corrupted WannaCry variants (no kill switch check, no encryption) dominate, as usual, although their total number decreased significantly:

graphic

Even if we don't count only the unique variants, WannaCry is well-represented:

graphic

Details about the top-20 most actively attacking IPs. Nothing unusual here:

graphic

The top-20 organizations from which most of the attacks are coming from. Nothing unusual here, either:

graphic

Next, the data from our ADB honeypot.

The big picture. This month we have an unusually big spike of activity from some Canadian IP in Montreal:

graphic

The hourly connection data, showing averagely 11.1 attacks per hour. Even at a logarithmic scale, the spike from that Canadian machine is drowning out everything else:

graphic

The unique malware uploaded to the honeypot, according to Fortinet's scanner. The two parts of same old Monero mining worm (Trinity) is causing all the malicious uploads:

graphic

Details about the top-20 most actively attacking IPs:

graphic

The top-20 organizations that own the IP addresses attacking us:

graphic

Next, moving to the relatively new (and still not good enough to be open sourced) Remote Desktop Protocol honeypot.

First, the big picture. Russia occupies the top spot this time. Sadly, our country (Bulgaria) also figures prominently among the attackers:

graphic

Hourly activity, showing more than 2 attacks per minute, although they tend to arrive in large bursts from a single attacking address.

graphic

Details about the top-20 attacking IP addresses. You can see that about half of the attacks coming from Bulgaria fome from some machine at the Bulgarian Academy of Sciences, where we happen to work. Ooops. Sadly, the BAS is a rather decentralized (both administratively and territorially) ogranization, so it's not easy to figure out who this machine belongs to and where it resides:

graphic

The top-20 organizations that own the IP addresses attacking us. Nothing unusual here - a big Russian ISP occupies the top spot and DigitalOcean is well-represented in this protocol too:

graphic

The top credentials used to log in. Sadly, due to technical problems in the third-party RDP library that the honeypot uses, only a very small portion of the login credentials are captured; there seems to be some kind of incompatibility in the RDP protocol implementation of the popular attacking tools and this library.

graphic

We have yet another new honeypot this month - one listening to the Elasticsearch protocol. We are pretty satisfied with its quality and have open-sourced it there.

First, the big picture. China holds the top spot, mostly due to a single IP address whose only purpose in life seems to be scanning the whole Internet for open Elasticsearch databases. These scans are performed several times per day and they are only scans, not attacks.

graphic

Hourly activity. You can see when we have launched the honeypot (May 8) and the steady traffic caused by the scans from that Chinese IP address:

graphic

The scans dominate although there are a significant number of attempts to exploit the seemingly vulnerable server and to run code on it (mostly a crypto miner), to syphon its conents, or even to ransomware it, as we'll see in a moment:

graphic

Details about the top-20 IP addresses that have connected to the honeypot. You can see at the top the Chinese IP address whose entire purpose in life seems to be periodically scanning the Internet for open Elasticsearch servers:

graphic

Information about the top-20 organizations that own the IP addresses attacking the honeypot. Naturally, China is at the top but DigitalOcean is well-represented in this protocol too:

graphic

The top-20 queries most often used by the attackers. I have blanked out the names of the indexes, in order to make the fingerprinting of the honeypot more difficult.

graphic

The top-10 payloads used by the attackers. Most of them try to install a Monero miner (there is probably a worm or a botnet that does this) but at the bottom you can see somebody uploading a ransom note, claiming that he has ransomwared the honeypot. (That's nonsense, of course; the honeypot has registered no attempts to delete or encrypt the database.)

graphic

This concludes the May honeypot report.