January honeypot report
First, the data from our Telnet & SSH honeypot. For the first time, the USA is not in first place. It has been displaced by the Netherlands (which is usually in second place). Almost 70% more attacks originated from the latter this month, mostly due to 4 infected machines in 3 different Dutch companies, as we'll see in a moment.
Here is what the hourly activity looks like. The honeypot is being attacked more often than twice per second:
Nearly 96% of the attacks are via Telnet, the rest are via SSH:
The top-5 URLs from which malware was most actively uploaded to the honeypot. All of them are Mirai variants, as usual, although the original variant is not among them.
Indeed, as you can see, uploads of various Mirai variants (IMO, "Svirtu" is a Mirai variant too) dominate heavily:
Details about the top-20 most actively attacking IPs. You can see why the Netherlands is at the top: the machines behind the four IPs at these three companies are at the very top of the list:
The top-20 most actively attacking organizations. This time the Dutch Vitox Telecom has outpaced even the usual "champion", DigitalOcean:
Speaking of DigitalOcean, as you can see, I've been sending them on average 40 abuse reports every day, but it doesn't seem to be helping very much:
The top-20 passwords most often used by the attackers; nothing unusual here:
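As an added illustration (not part of the original report), this is how the statistics in the Telnet & SSH section above (protocol share, attacks per second, hourly activity, top IPs and top passwords) can be computed from honeypot connection records; the records, timestamps and IP addresses are constructed sample data, and the same functions apply to the SMB and ADB sections.

```python
from collections import Counter
from datetime import datetime

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample of honeypot login attempts (not real data). Each record
# holds the fields this kind of report aggregates:
# (timestamp, source IP, protocol, password tried)
RECORDS = [
    ("2020-01-15 10:00:00", "203.0.113.10", "telnet", "admin"),
    ("2020-01-15 10:00:01", "203.0.113.10", "telnet", "root"),
    ("2020-01-15 10:00:01", "198.51.100.7", "telnet", "12345"),
    ("2020-01-15 10:00:02", "203.0.113.10", "telnet", "admin"),
    ("2020-01-15 10:00:02", "192.0.2.55", "ssh", "root"),
    ("2020-01-15 10:00:03", "198.51.100.7", "telnet", "admin"),
    ("2020-01-15 10:00:03", "203.0.113.10", "telnet", "default"),
    ("2020-01-15 10:00:04", "198.51.100.7", "telnet", "admin"),
    ("2020-01-15 10:00:04", "203.0.113.10", "telnet", "admin"),
    ("2020-01-15 10:00:05", "192.0.2.55", "ssh", "123456"),
]

def parse_ts(ts):
    return datetime.strptime(ts, FMT)

def protocol_share(records):
    """Percentage of connections per protocol (the Telnet vs SSH split)."""
    counts = Counter(r[2] for r in records)
    total = sum(counts.values())
    return {proto: round(100.0 * n / total, 1) for proto, n in counts.items()}

def attacks_per_second(records):
    """Average rate over the observed window, from first to last record."""
    stamps = sorted(parse_ts(r[0]) for r in records)
    elapsed = (stamps[-1] - stamps[0]).total_seconds()
    if elapsed == 0:
        return float(len(records))
    return round(len(records) / elapsed, 2)

def per_hour(records):
    """Connection count per hour bucket, the basis of the hourly activity chart."""
    return Counter(parse_ts(r[0]).strftime("%Y-%m-%d %H:00") for r in records)

def top_n(records, field, n=20):
    """Top-N values of one field: field 1 = source IP, field 3 = password."""
    return Counter(r[field] for r in records).most_common(n)

if __name__ == "__main__":
    print(protocol_share(RECORDS), attacks_per_second(RECORDS))
    print(top_n(RECORDS, 1, 5), top_n(RECORDS, 3, 5))
```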
Moving on to our SMB honeypot.
First, the big picture. Most of the action is in Russia again, although Vietnam is also well represented. Again, we get more attacks against our SMB honeypot than against our Telnet & SSH honeypot, more than twice as many this month. Most of them are just scans, though; the number of uploaded files is relatively small. It seems that there is a botnet out there that is looking for vulnerable hosts without actually attacking them:
Hourly activity, showing on average nearly 4.4 attacks per second. (For comparison, it used to be once per minute in the past.) The big gaps were caused by the honeypot being down for maintenance:
Unique uploaded malware variants, according to Symantec's scanner. Lots of corrupted WannaCry variants, as usual (no kill switch check, no encryption).
Even if we count all samples rather than only the unique variants, the WannaCry samples dominate:
Details about the top-20 most actively attacking IPs. Nothing unusual here:
The top-20 organizations from which most of the attacks are coming. Nothing unusual here, either:
Finally, the data from our ADB honeypot.
The big picture. The Far East (Hong Kong, South Korea, China) dominates but the USA and Sweden figure prominently, too:
The hourly connection data, showing on average one attack every half an hour:
The malware uploaded to the honeypot, according to Fortinet's scanner. The two parts of the same old Monero-mining worm (Trinity) are causing all of the malicious uploads:
Details about the top-20 most actively attacking IPs:
The top-20 organizations that own the IP addresses attacking us:
This concludes the January honeypot report.