June honeypot report
First, the data from our Telnet & SSH honeypot. As almost always, the USA holds the top spot, with the Netherlands getting pretty close:
Here is what the hourly activity looks like. The honeypot is being attacked slightly more often than 2.2 times per second.
Nearly 96% of the attacks are via Telnet, the rest are via SSH:
The top-5 URLs from which malware was most actively uploaded to the honeypot. All of them are Mirai variants, as usual, although the original variant is not among them.
Indeed, as you can see, uploads of various Mirai variants (IMO, "Svirtu" is a Mirai variant too) dominate heavily. Gafgyt is substantially different and it accounts for 7.78% of the uploads, which is somewhat unusual - normally it is less than one percent. Another unusual thing is the presence of Hajime (also not a Mirai variant); we hadn't seen it for a very long time:
Details about the top-20 most actively attacking IPs. Interestingly, none of the top-3 is in the USA this time:
The top-20 most actively attacking organizations. Unusually, DigitalOcean doesn't occupy the top spot this month, either:
Speaking of DigitalOcean, as you can see, I've been sending them on average more than 42 abuse reports every day:
The top-20 passwords that are the most often used by the attackers; nothing unusual here:
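The headline numbers above (attempts per second, Telnet vs. SSH share, top attacking IPs, top passwords) are all simple reductions over the honeypot's login-attempt log. The script below is an added example, not the report author's own tooling: it assumes one record per attempt with a UTC timestamp, protocol, source IP and password, and runs over a small constructed sample so that it works offline.

```python
"""Reduce honeypot login-attempt records into the kind of figures a monthly
report quotes.  Added example; the record shape is an assumption and the
records below are constructed, not real honeypot data."""
from collections import Counter
from datetime import datetime, timezone

# Constructed sample: (ISO 8601 UTC timestamp, protocol, source IP, password).
# IPs are from the RFC 5737 documentation ranges.
SAMPLE_RECORDS = [
    ("2019-06-01T00:00:00Z", "telnet", "198.51.100.7", "admin"),
    ("2019-06-01T00:00:01Z", "telnet", "198.51.100.7", "root"),
    ("2019-06-01T00:00:02Z", "telnet", "203.0.113.9", "admin"),
    ("2019-06-01T00:00:03Z", "ssh", "192.0.2.4", "123456"),
    ("2019-06-01T00:00:04Z", "telnet", "198.51.100.7", "admin"),
    ("2019-06-01T00:00:05Z", "telnet", "203.0.113.9", "default"),
    ("2019-06-01T00:00:06Z", "telnet", "198.51.100.7", "root"),
    ("2019-06-01T00:00:07Z", "ssh", "192.0.2.4", "admin"),
    ("2019-06-01T00:00:08Z", "telnet", "203.0.113.9", "admin"),
    ("2019-06-01T01:00:00Z", "telnet", "198.51.100.7", "password"),
]


def parse_ts(text):
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' timestamps used in the sample."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def summarize(records, top_n=3, window_seconds=None):
    """Return total count, attempts per second, per-protocol share,
    hourly buckets and the top-N source IPs and passwords.

    window_seconds: length of the reporting window; defaults to the span
    between the first and last record (a monthly report would pass the
    full month, e.g. 30 * 86400, since the window is not the log span)."""
    if not records:
        return {"total": 0}
    stamps = [parse_ts(r[0]) for r in records]
    if window_seconds is None:
        window_seconds = (max(stamps) - min(stamps)).total_seconds() or 1.0

    protocols = Counter(r[1] for r in records)
    total = len(records)
    return {
        "total": total,
        "per_second": total / window_seconds,
        # Share of each protocol, e.g. {'telnet': 0.8, 'ssh': 0.2}.
        "protocol_share": {p: n / total for p, n in protocols.items()},
        # Hourly buckets keyed by 'YYYY-MM-DDTHH' for the hourly chart.
        "per_hour": Counter(ts.strftime("%Y-%m-%dT%H") for ts in stamps),
        "top_ips": Counter(r[2] for r in records).most_common(top_n),
        "top_passwords": Counter(r[3] for r in records).most_common(top_n),
    }


if __name__ == "__main__":
    # Pass the real window length for a month of logs; the constructed
    # sample spans one hour, so the default window is 3600 s here.
    for key, value in summarize(SAMPLE_RECORDS).items():
        print(f"{key}: {value}")
```

The per-IP counter is also the natural starting point for abuse reporting: grouping the top IPs by their owning network (an ASN or WHOIS lookup, not shown here) is what turns the per-IP table into the per-organization table and the daily abuse-report count.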
Moving on to our SMB honeypot.
First, the big picture. This time Russia has taken over the top spot although Vietnam is again very active and pretty close. This month the number of attacks against our SMB honeypot is again lower than the number of attacks against our Telnet and SSH honeypots but not by much:
Hourly activity, showing on average nearly 2 attacks per second; pretty steady traffic:
Unique uploaded malware variants, according to Symantec's scanner. The corrupted WannaCry variants (no kill switch check, no encryption) dominate, as usual, although their total number has decreased significantly:
Even if we don't count only the unique variants, WannaCry is well-represented:
Details about the top-20 most actively attacking IPs. Nothing unusual here:
The top-20 organizations from which most of the attacks are coming. Nothing unusual here, either, but you can see why Russia and Vietnam are among the top attackers. Also, it is a bit unusual to see such high activity from Venezuela:
Next, the data from our ADB honeypot.
The big picture. This month China is back to the top spot:
The hourly connection data, showing on average 2.3 attacks per hour:
The unique malware uploaded to the honeypot, according to Fortinet's scanner. The two parts of the same old Monero mining worm (Trinity) are causing all the malicious uploads:
Details about the top-20 most actively attacking IPs:
The top-20 organizations that own the IP addresses attacking us:
Next, moving to the Remote Desktop Protocol honeypot.
First, the big picture. Somewhat surprisingly, Germany occupies the top spot this time, closely followed by Russia. Seeing Iran in the top-3 is also unusual. Sadly, our country (Bulgaria) also figures prominently - at the fourth place:
Hourly activity, showing more than 1.8 attacks per minute, although they tend to arrive in large bursts from a single attacking address.
Details about the top-20 attacking IP addresses. You can see why Iran was among the top attackers. You can also see that the Bulgarian traffic was caused by some machine at the Bulgarian Academy of Sciences, where we happen to work. Unfortunately, the BAS is a rather decentralized (both administratively and territorially) organization, and we have been unable to pinpoint where this machine is.
The top-20 organizations that own the IP addresses attacking us. Nothing unusual here except that DigitalOcean is well-represented in this protocol too:
Finally, moving to our Elasticsearch honeypot.
First, the big picture. China holds the top spot, mostly due to a single IP address whose only purpose in life seems to be scanning the whole Internet for open Elasticsearch databases. These scans are performed several times per day and they are only scans, not attacks.
Hourly activity. You can see the steady traffic caused by the scans from that Chinese IP address and the inexplicable pause of 3 days that it has made:
The scans dominate, although there are a significant number of attempts to exploit the seemingly vulnerable server and to run code on it (mostly a crypto miner), or to siphon its contents:
Details about the top-20 IP addresses that have connected to the honeypot. You can see at the top the Chinese IP address whose entire purpose in life seems to be periodically scanning the Internet for open Elasticsearch servers:
Information about the top-20 organizations that own the IP addresses attacking the honeypot. Naturally, China is at the top:
The top-20 queries most often used by the attackers. I have blanked out the names of the indexes, in order to make the fingerprinting of the honeypot more difficult.
The top-10 payloads used by the attackers. All of them try to install a Monero miner (there is probably a worm or a botnet that does this):
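The Elasticsearch section distinguishes three kinds of traffic (plain scans, attempts to run code, attempts to siphon data), picks out the single address that does nothing but scan, and blanks index names out of the published queries so that the honeypot is harder to fingerprint. The script below is an added example, not the honeypot's own code: its classification rules are heuristics of my own (GET/HEAD of the root or of the `_cat`, `_cluster` and `_nodes` endpoints count as a scan; any request body carrying a `script` key counts as a code-execution attempt; `_search`, `_mget`, `_doc` and `_source` requests count as data access), and the request log it runs over is constructed.

```python
"""Classify Elasticsearch honeypot requests and redact index names before
publishing the query table.  Added example; the rules are the author's
heuristics and the sample requests are constructed, not real traffic."""
import json
from collections import Counter, defaultdict

# Constructed sample: (source IP, HTTP method, path incl. query string, body).
SAMPLE_REQUESTS = [
    ("203.0.113.5", "GET", "/", ""),
    ("203.0.113.5", "GET", "/_cat/indices?v", ""),
    ("203.0.113.5", "GET", "/_cluster/health", ""),
    ("198.51.100.20", "POST", "/_search",
     '{"size": 1, "script_fields": {"x": {"script": "1+1"}}}'),
    ("198.51.100.20", "POST", "/customers/_update/1",
     '{"script": {"source": "ctx._source.a = 1"}}'),
    ("192.0.2.77", "GET", "/logstash-2019.06/_search?size=10000", ""),
    ("192.0.2.77", "POST", "/_search?scroll=1m",
     '{"size": 1000, "query": {"match_all": {}}}'),
    ("203.0.113.5", "GET", "/", ""),
    ("192.0.2.77", "GET", "/customers/_doc/1", ""),
    ("198.51.100.20", "PUT", "/_cluster/settings", '{"persistent": {"x": 1}}'),
]

# Heuristic endpoint lists (assumptions, not a complete Elasticsearch API map).
SCAN_PREFIXES = ("/_cat", "/_cluster", "/_nodes")
DATA_MARKERS = ("/_search", "/_mget", "/_doc/", "/_source")


def has_script(body):
    """True if the JSON body contains a 'script' key at any depth.
    Bodies that are not valid JSON fall back to a substring check."""
    def walk(obj):
        if isinstance(obj, dict):
            return any(k == "script" or walk(v) for k, v in obj.items())
        if isinstance(obj, list):
            return any(walk(v) for v in obj)
        return False
    try:
        return walk(json.loads(body))
    except ValueError:
        return '"script"' in body


def classify(method, path, body):
    """Return 'scan', 'code_execution', 'data_access' or 'other'."""
    route = path.partition("?")[0]
    if method in ("GET", "HEAD") and (route == "/" or route.startswith(SCAN_PREFIXES)):
        return "scan"
    if has_script(body):
        return "code_execution"
    if any(marker in route for marker in DATA_MARKERS):
        return "data_access"
    return "other"


def redact_index(path):
    """Replace the first path segment with '<index>' unless it is an
    API endpoint (those start with '_'); the query string is kept."""
    route, sep, query = path.partition("?")
    parts = route.split("/")
    if len(parts) > 1 and parts[1] and not parts[1].startswith("_"):
        parts[1] = "<index>"
    return "/".join(parts) + sep + query


def analyze(requests, top_n=5):
    """Aggregate: counts per class, top redacted queries, and the IPs
    that only ever scanned (the 'scan-only' addresses in the report)."""
    by_class = Counter()
    queries = Counter()
    classes_by_ip = defaultdict(set)
    for ip, method, path, body in requests:
        kind = classify(method, path, body)
        by_class[kind] += 1
        classes_by_ip[ip].add(kind)
        queries[f"{method} {redact_index(path)}"] += 1
    scan_only = sorted(ip for ip, kinds in classes_by_ip.items() if kinds == {"scan"})
    return {
        "by_class": by_class,
        "top_queries": queries.most_common(top_n),
        "scan_only_ips": scan_only,
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_REQUESTS).items():
        print(f"{key}: {value}")
```

Redaction happens on the published table, not on the honeypot's responses; the index names themselves must stay stable on the live honeypot, otherwise the attackers who siphon its contents would notice the change.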
This concludes the June honeypot report.