April honeypot report
First, the data from our Telnet & SSH honeypot. As almost always, the USA holds the top spot:
Here is how the hourly activity looks like. The honeypot is being attacked slightly more often than 2.1 times per second. The large two-day gap around the beginning of the month was caused by the computer running the honeypot losing Internet connectivity and, due to the pandemic lockdown, there was nobody around to reset it.
Nearly 96% of the attacks are via Telnet, the rest are via SSH:
The top-5 URLs from which malware was most actively uploaded to the honeypot. Mirai variants all of them, as usual, although the original variant is not among them.
Indeed, as you can see, uploads of various Mirai variants (IMO, "Svirtu" is a Mirai variant too) dominate heavily. Gafgyt is substantially different and it accounts for only 1.84% of the uploads. Some kind of generic downloader makes up for another 0.42% of the uploads:
Details about the top-20 most actively attacking IPs. This surge from Estonia is a bit unusual:
The top-20 most actively attacking organizations. DigitalOcean is again at the top spot:
Speaking of DigitalOcean, as you can see, I've been sending them averagely nearly 65 abuse reports every day - but it doesn't seem to be helping very much:
The top-20 passwords that are the most often used by the attackers; nothing unusual here:
Moving on to our SMB honeypot.
First, the big picture. Most of the action is in Russia again, although Vietnam is again well-represented too. This month the number of attacks against our SMB honeypot exceeds more than 1.8 times the combined number of attacks against our Telnet and SSH honeypots:
Hourly activity, showing on average more than 3.8 attacks per second; pretty steady traffic, with some very short-timed pauses. Again, the two-day pause was caused by the honeypot losing internet connectivity and nobody being around to reset it.
Unique uploaded malware variants, according to Symantec's scanner. The corrupted WannaCry variants (no kill switch check, no encryption) dominate, as usual, although their total number seems to be abating:
Even if we don't count only the unique variants, WannaCry is well-represented:
Details about the top-20 most actively attacking IPs. Nothing unusual here:
The top-20 organizations from which most of the attacks are coming from. Nothing unusual here, either:
Next, the data from our ADB honeypot.
The big picture. The Far East (China, Hong Kong, Vietnam) dominates as usual, but the USA and and the UK are also well-represented:
The hourly connection data, showing averagely 3.2 attacks per hour:
The unique malware uploaded to the honeypot, according to Fortinet's scanner. The two parts of same old Monero mining worm (Trinity) is causing all the malicious uploads:
Details about the top-20 most actively attacking IPs:
The top-20 organizations that own the IP addresses attacking us:
We have added a new honeypot to our roster - for the Remote Desktop Protocol (RDP) this time. Unlike our previous three, this one hasn't been open-sourced yet - mostly because I am not satisfied with its quality. It is based on the RDPY library, which basically means that it sucks. It does not support Python 3.x, it's not fully compatible with the protocol implementation of some popular hacking tools, which means that it fails to capture properly the login credentials used by them, and it often crashes with various errors, as documented here.
Still, it has been running for nearly a month already and I thought that it might be interesting to look at the data collected during this time.
First, the big picture. Vietnam occupies the top spot by far - more than 19 times more attacks coming from there than from the next contender, the USA. Almost all of these attacks have come from a single IP address, as we'll see in a moment.
Hourly activity, showing almost 1.5 attacks per minute, although they tend to arrive in large bursts from a single attacking address.
Details about the top-20 attacking IP addresses. You can see that single Vietnamese IP, which is responsible for that country's occupying the top spot:
The top-20 organizations that own the IP addresses attacking us. Nothing unusual here - the Vietnamese ISP, of course, occupies the top spot but DigitalOcean is well-represented on this protocol too:
This concludes the April honeypot report.