July honeypot report

First, the data from our Telnet & SSH honeypot. This time the Netherlands holds the top spot, followed by Croatia, which is unusual. The USA is in third place this month; all the rest are way behind:

graphic

Here is what the hourly activity looks like. The honeypot is being attacked almost 2.3 times per second:

graphic

More than 96% of the attacks are via Telnet, the rest are via SSH:

graphic

The top-5 URLs from which malware was most actively uploaded to the honeypot. All of them are Mirai variants, as usual, although the original variant is not among them:

graphic

Indeed, as you can see, uploads of various Mirai variants (IMO, "Svirtu" is a Mirai variant too) dominate heavily. The only exceptions are two generic downloaders (Downloader-AAN and Agent-AGS) and Hajime:

graphic

Details about the top-20 most actively attacking IPs. Interestingly, none of the top-3 is in the USA this time and you can see why the Netherlands and Croatia are at the top two places of attacking countries:

graphic

The top-20 most actively attacking organizations. Unusually, DigitalOcean doesn't occupy the top spot this month, either:

graphic

Speaking of DigitalOcean, as you can see, I have been sending them on average nearly 44 abuse reports every day:

graphic

The top-20 passwords that are the most often used by the attackers; nothing unusual here:

graphic

Moving on to our SMB honeypot.

First, the big picture. This time Vietnam has taken over the top spot although Russia is again very active and pretty close. Venezuela is a distant third, although it is unusual to see so many attacks from this country. This month the number of attacks against our SMB honeypot is again lower than the number of attacks against our Telnet and SSH honeypots but not by much:

graphic

Hourly activity, showing on average around 1.9 attacks per second; pretty steady traffic:

graphic

Unique uploaded malware variants, according to Symantec's scanner. The corrupted WannaCry variants (no kill switch check, no encryption) dominate, as usual, although their total number has decreased significantly:

graphic

Even if we count all uploads rather than only the unique variants, WannaCry is well represented:

graphic

Details about the top-20 most actively attacking IPs. Nothing unusual here:

graphic

The top-20 organizations from which most of the attacks are coming. Nothing unusual here, either, but you can see why Vietnam, Russia, and Venezuela are among the top attackers:

graphic

Next, the data from our ADB honeypot.

The big picture. This month China again holds the top spot:

graphic

The hourly connection data, showing on average 2.5 attacks per hour:

graphic

The unique malware uploaded to the honeypot, according to Fortinet's scanner. The two parts of the same old Monero mining worm (Trinity) are causing all the malicious uploads:

graphic

Details about the top-20 most actively attacking IPs:

graphic

The top-20 organizations that own the IP addresses attacking us:

graphic

Next, moving to the Remote Desktop Protocol honeypot.

First, the big picture. The USA occupies the top spot this time. Sadly, our country (Bulgaria) also figures prominently and has moved up to the second place this month:

graphic

Hourly activity, showing more than 2 attacks per minute, although they tend to arrive in large bursts from a single attacking address:

graphic

Details about the top-20 attacking IP addresses. You can see why the USA is among the top attackers. Clearly DigitalOcean's virtual machines are being abused heavily for attacks over this protocol, too. You can also see that the Bulgarian traffic is caused mostly by some machine at the Bulgarian Academy of Sciences, where we happen to work. Unfortunately, the BAS is a rather decentralized (both administratively and territorially) organization, and we have been unable to pinpoint where this machine is.

graphic

The top-20 organizations that own the IP addresses attacking us:

graphic

Finally, moving to our Elasticsearch honeypot.

First, the big picture. China firmly holds the top spot, mostly due to a single IP address whose only purpose in life seems to be scanning the whole Internet for open Elasticsearch databases, but Russia is starting to catch up too:

graphic

Hourly activity. You can see the steady traffic caused by the scans from that Chinese IP address and the inexplicable 3-day pause that it made:

graphic

The scans dominate, although there are a significant number of attempts to exploit the seemingly vulnerable server and to run code on it (mostly a crypto miner), or to siphon off its contents:

graphic

Details about the top-20 IP addresses that have connected to the honeypot. You can see at the top the Chinese IP address whose entire purpose in life seems to be periodically scanning the Internet for open Elasticsearch servers:

graphic

Information about the top-20 organizations that own the IP addresses attacking the honeypot. Naturally, China is at the top:

graphic

The top-20 queries most often used by the attackers. I have blanked out the name of the index, in order to make the fingerprinting of the honeypot more difficult.

graphic

The top-10 payloads used by the attackers. All of them try to install a Monero miner (there is probably a worm or a botnet that does this):

graphic

This concludes the July honeypot report.