October honeypot report
First, the data from our Telnet & SSH honeypot. The big picture looks like this. As usual, most attacks have come from the USA, with the Netherlands in second place, again. Our country (Bulgaria) is again among the Top-15, because of three machines at Netcube running Mirai C2 servers. It took us a while to have them shut down:
Here is how the hourly activity looks. The honeypot is being attacked on average slightly more often than 1.6 times per second:
More than 90% of the attacks are via Telnet, the rest are via SSH:
The top-5 URLs from which malware was most actively uploaded to the honeypot. All of them are Mirai variants, as usual, although the original variant is not among them.
Details about the top-20 most actively attacking IPs. As usual, DigitalOcean is heavily present, although this time an IP owned by FranTech Solutions, another big cloud hosting provider, occupies the first place:
The top-20 most actively attacking organizations. DigitalOcean is way ahead of everybody else, as usual:
As you can see, I've been sending on average more than 40 automated abuse reports to DigitalOcean every day - but it doesn't seem to be helping very much.
The top-20 passwords that are the most often used by the attackers; nothing unusual here:
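The hourly activity chart, the attacks-per-second figure and the top-20 IP and password tables above are all simple aggregations over the honeypot's connection log. The script below is an added example of how such a summary can be computed; it is not the honeypot's own code, and the one-line-per-login-attempt log format (timestamp, protocol, source IP, username, password) and the sample lines are constructed for this example.

```python
from collections import Counter
from datetime import datetime

# Constructed sample log lines (assumed format for this example, not the
# honeypot's real log layout): "<ISO timestamp> <proto> <src ip> <user> <password>".
# Addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2018-10-01T00:00:01Z telnet 203.0.113.5 root xc3511
2018-10-01T00:00:02Z telnet 203.0.113.5 admin admin
2018-10-01T00:00:02Z ssh 198.51.100.7 root 123456
2018-10-01T00:00:03Z telnet 203.0.113.9 root vizxv
2018-10-01T00:00:03Z telnet 198.51.100.7 root xc3511
2018-10-01T00:00:04Z telnet 203.0.113.5 root 123456
2018-10-01T00:00:05Z ssh 192.0.2.11 admin password
2018-10-01T00:00:05Z telnet 203.0.113.9 root xc3511
2018-10-01T00:00:06Z telnet 203.0.113.5 support support
2018-10-01T00:00:06Z telnet 192.0.2.11 root 123456
"""


def parse_log(text):
    """Parse log text into a list of event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split(maxsplit=4)
        if len(parts) != 5:
            continue  # do not let one bad line abort the whole report
        ts, proto, ip, user, password = parts
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "proto": proto.lower(),
            "ip": ip,
            "user": user,
            "password": password,
        })
    return events


def attacks_per_second(events):
    """Average attack rate over the observed window (first to last event)."""
    if len(events) < 2:
        return float(len(events))
    span = (events[-1]["ts"] - events[0]["ts"]).total_seconds()
    return len(events) / span if span > 0 else float(len(events))


def hourly_activity(events):
    """Number of attacks per hour bucket, keyed by 'YYYY-MM-DDTHH'."""
    return dict(Counter(e["ts"].strftime("%Y-%m-%dT%H") for e in events))


def protocol_share(events):
    """Fraction of attacks per protocol, e.g. telnet vs. ssh."""
    counts = Counter(e["proto"] for e in events)
    total = sum(counts.values())
    return {proto: n / total for proto, n in counts.items()}


def top_n(events, field, n=20):
    """Most common values of a field (ip, password, user), as (value, count) pairs."""
    return Counter(e[field] for e in events).most_common(n)


def summarize(text, n=20):
    """Build the whole monthly-style summary from raw log text."""
    events = parse_log(text)
    return {
        "events": len(events),
        "per_second": attacks_per_second(events),
        "hourly": hourly_activity(events),
        "protocols": protocol_share(events),
        "top_ips": top_n(events, "ip", n),
        "top_passwords": top_n(events, "password", n),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the real log the per-IP table is the input to the abuse-report step: each top entry is mapped to its owning organization (for example via WHOIS) and the report is sent to that organization's abuse contact.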
Moving on to our SMB honeypot.
First, the big picture. Most of the action is in Russia and Ukraine this time. In general, there has been a significant increase in SMB traffic (a couple of orders of magnitude) starting from mid-October. However, the number of uploaded files hasn't increased noticeably:
Hourly activity, showing on average more than one attack per second. (For comparison, it used to be once per minute in the past.)
Unique uploaded malware variants, according to Symantec's scanner. Lots of corrupted WannaCry variants, as usual (no kill switch check, no encryption).
Note that WannaCry uploads still dominate, although not as overwhelmingly, even when we count all uploads rather than only the unique variants:
Details about the top-20 most actively attacking IPs:
The top-20 organizations from which most of the attacks are coming. Nothing unexpected here:
Finally, the data from our ADB honeypot.
The big picture. Hong Kong, the USA, South Korea, Russia, and China dominate:
The hourly connection data, showing on average one attack every half an hour:
The malware uploaded to the honeypot, according to Fortinet's scanner. The same old Monero mining worm (Trinity) is causing most of the ADB traffic, plus something that is uploading a shell script that looks vaguely Mirai-like:
Details about the top-20 most actively attacking IPs. Nothing unusual here:
The top-20 organizations that own the IP addresses attacking us:
This concludes the October honeypot report.