December honeypot report
First, the data from our Telnet & SSH honeypot. The big picture looks like this. As usual, attacks from the USA dominate heavily. However, the Netherlands has become very active again. I think we managed to silence the infected and very active machine in our country (Bulgaria) somewhere mid-month, which is why our country is no longer on second place, although it is still among the top attackers. Hopefully, this will no longer be the case the next month.
Here is how the hourly activity looks like. The honeypot is being attacked on average 2.3 times per second:
Nearly 97% of the attacks are via Telnet, the rest are via SSH:
The top-5 URLs from which malware was most actively uploaded to the honeypot. Mirai variants all of them, as usual, although the original variant is not among them.
Indeed, as you can see, uploads of various Mirai variants (IMO, "Svirtu" is a Mirai variant too) dominate heavily:
Details about the top-20 most actively attacking IPs. The offending Bulgarian IP, belonging to Verdina Ltd., is on 4th place:
The top-20 most actively attacking organizations. Verdina is the company with the infected machine in Bulgaria - fewer attacks from it this month, but still near the top. As almost usual, the top offender by far is DigitalOcean:
Speaking of DigitalOcean, as you can see, I've been sending them averagely 42 abuse reports every day - but it doesn't seem to be helping very much:
The top-20 passwords that are the most often used by the attackers; nothing unusual here:
Moving on to our SMB honeypot.
First, the big picture. Most of the action is in Russia and again, although Vietnam is also well-represented. Again, we get more attacks against our SMB honeypot than against our Telnet & SSH honeypot. Most of them are just scans, though - the number of uploaded files is relatively small. It seems that there is a botnet out there that is looking for vulnerable hosts without actually attacking them:
Hourly activity, showing on average nearly 4.2 attacks per second. (For comparison, it used to be once per minute in the past.) The big gaps were caused by the honeypot being down for maintenance:
Unique uploaded malware variants, according to Symantec's scanner. Lots of corrupted WannaCry variants, as usual (no kill switch check, no encryption).
Even if we don't count only the unique variants, the WannaCry samples are quite a lot:
Details about the top-20 most actively attacking IPs. Nothing unexpected here. Somebody in Serbia probably needs to learn how to pick a shorter name for themselves, though:
The top-20 organizations from which most of the attacks are coming from. Nothing unexpected here:
Finally, the data from our ADB honeypot.
The big picture. The Far East (China, South Korea, Hong Kong) dominates:
The hourly connection data, showing averagely one attack every half an hour:
The malware uploaded to the honeypot, according to Fortinet's scanner. The same old Monero mining worm (Trinity) is causing most of the ADB traffic, plus something that is uploading a shell script that looks vaguely Mirai-like:
Details about the top-20 most actively attacking IPs:
The top-20 organizations that own the IP addresses attacking us:
This concludes the December honeypot report.