June honeypot report
First, the data from our Telnet & SSH honeypot. The big picture looks like this. As usual, most attacks have come from the USA, although the Netherlands is close behind - again:
Here is how the hourly activity looks like. Slightly more than 2 attacks per second. Sorry about the gaps; we've had several outages this month:
More than 96% of the attacks are via Telnet, the rest are via SSH:
The top-5 URLs from which malware was most actively uploaded to the honeypot. Mirai variants all of them, as usual, although the original variant is not among them.
Details about the top-20 most actively attacking IPs. As usual, DigitalOcean is heavily present. The Dutch KV Solutions is playing catch-up but still noticeably behind overall. Surprisingly, the the top spot is occupied by a Russian IP this time:
The top-20 most actively attacking organizations. DigitalOcean is at the top, as usual. You see what I meant when I said that KV Solutions is trying to catch up but still noticeably behind:
As you can see, I've been sending averagely more than 70 automated abuse reports to DigitalOcean every day - but it doesn't seem to be helping very much.
The top-20 passwords that are the most often used by the attackers; nothing unusual here:
Moving on to our SMB honeypot.
First, the big picture. Here China not only holds the top spot, as usual, but is way ahead of everybody else:
Hourly activity, showing averagely a bit more than one attack per minute. I've switched to a logarithmic scale, otherwise the lonely spikes of more than a thousand attacks coming from a single IP (usually infected with a WannaCry variant) tend to drown out everything else. Otherwise the traffic is pretty steady, albeit much lower than the one that the Telnet honeypot gets.
Unique uploaded malware variants, according to Symantec's scanner. Lots of corrupted WannaCry variants, as usual (no kill switch check, no encryption).
Note that WannaCry uploads dominate, although not as overwhelmingly, even if we don't count only the unique variants:
Details about the top-20 most actively attacking IPs. Somebody in Guandong, China, still has a WannaCry problem - two months in a row already; always the same IP:
The top-20 organizations from which most of the attacks are coming from. Nothing unexpected here; that same WannaCry-infected thing dominates:
Finally, the data from our ADB honeypot.
The big picture shows that the usual suspects (China, Hong Kong, South Korea) seem to have a huge population of devices with the ADB port open to the Internet with no authentication.
The hourly connection data, showing averagely slightly more than one attack every half an hour:
The malware uploaded to the honeypot, according to Fortinet's scanner. (I've switched from Dr.Web to Fortinet because I like better the detection, naming, and identification that it has for SMB-related malware.) The same old Monero mining worm (Trinity) is causing most of the ADB traffic, plus something that is uploading a shell script that looks vaguely Mirai-like:
Details about the top-20 most actively attacking IPs. Nothing unusual here:
The top-20 organizations that own the IP addresses attacking us:
This concludes the June honeypot report.