April honeypot report

First, the data from our Telnet & SSH honeypot. Switzerland is at the top spot this month, which is unusual, followed by Ireland and the USA:

graphic

Here is how the hourly activity looks like. The frequency with which the honeypot is being attacked has dropped significantly. Now we see averagely one attack every 1.5 seconds, while it used to be more than one attack per second in the past. The large gap on the chart with no activity is caused by the honeypot machine losing Internet connection and there being nobody around to restart it, due to the pandemic.

graphic

More than 65% of the attacks are via Telnet, the rest are via SSH. This marks a significant increase of the proportion of SSH attacks compared to a few months ago:

graphic

The top-5 URLs from which malware was most actively uploaded to the honeypot. Mirai variants all of them, as usual, although the original variant is not among them:

graphic

Indeed, as you can see, uploads of various Mirai variants (IMO, "Svirtu" is a Mirai variant too) dominate heavily. The only exceptions are some generic downloader and a DDoS bot, as well as a Gafgyt variant:

graphic

Details about the top-20 most actively attacking IPs:

graphic

The top-20 most actively attacking organizations. DigitalOcean barely registers any more:

graphic

Speaking of DigitalOcean, as you can see, I've been sending them averagely more than 25 abuse reports every day. Maybe it has finally started having an impact.

graphic

The top-20 passwords that are the most often used by the attackers; nothing unusual here:

graphic

Moving on to our SMB honeypot.

First, the big picture. Vietnam has the top spot again but India and Russia are close behind - again:

graphic

Hourly activity, showing nearly one attack per second; pretty steady traffic - noticeably more than against Telnet. The gap is caused by the honeypot machine losing connection to the router and there being nobody around to reset it, due to the pandemic:

graphic

Unique uploaded malware variants, according to Symantec's scanner. The corrupted WannaCry variants (no kill switch check, no encryption) dominate, as usual, although their total number has decreased significantly:

graphic

Even if we don't count only the unique variants, WannaCry is well-represented:

graphic

Details about the top-20 most actively attacking IPs. Nothing unusual here:

graphic

The top-20 organizations from which most of the attacks are coming from. Nothing unusual here, either:

graphic

Next, the data from our ADB honeypot.

The big picture. This month the USA is at the top spot, followed by Germany:

graphic

The hourly connection data, showing averagely nearly 2.3 attacks per hour. Again, the gap is caused by the honepot machine losing Internet connection and there being nobody around to reset it, due to the pandemic:

graphic

The unique malware uploaded to the honeypot, according to Fortinet's scanner. The two parts of same old Monero mining worm (Trinity) are causing all the uploads again:

graphic

Details about the top-20 most actively attacking IPs:

graphic

The top-20 organizations that own the IP addresses attacking us:

graphic

Next, moving to the Remote Desktop Protocol honeypot.

First, the big picture. Russia is at the top spot this month, by far:

graphic

Hourly activity, showing 4 attacks per minute. Again, the gap is caused by the honeypot machine losing connection to the Internet and there being nobody around to reset it, due to the pandemic:

graphic

Details about the top-20 attacking IP addresses. You can see why Russia is at the top spot:

graphic

The top-20 organizations that own the IP addresses attacking us:

graphic

Moving on to our Elasticsearch honeypot.

First, the big picture. Turkey is at the top spot this month, by far:

graphic

Hourly activity, showing 8 attacks per hour. Again, the gap is caused by the honeypot machine losing connection to the Internet and there being nobody around to reset it, due to the pandemic:

graphic

The scans dominate although there is a significant number of attempts to exploit the seemingly vulnerable server and to run code on it (mostly a crypto miner):

graphic

Details about the top-20 IP addresses that have connected to the honeypot:

graphic

Information about the top-20 organizations that own the IP addresses attacking the honeypot:

graphic

The top-20 queries most often used by the attackers:

graphic

The payloads most often used by the attackers. Mostly trying to install a Monero miner (there is probably a worm or a botnet that does this):

graphic

Finally, moving to our Internet Printer Protocol honeypot.

First, the big picture. This month, too, not all attacks come from the USA - there are some from Germany as well. (There are also generic HTTP hits from other countries as well - from machines that scan random IP addresses for the presence of an HTTP server on any port - but I have filtered only the attacks which explicitly use the IPP protocol.)

graphic

The attacks come roughly twice per day. So far they have been only scans - the attackers are using only the Get-Printer-Attributes operation and are not actually trying to print anything. Again, the gap is caused by the honeypot machine losing Internet connection and there being nobody around to reset it, due to the pandemic:

graphic

Details about the top-20 IP addresses scanning the honeypot. As you can see, almost all of them are in the USA and belong to a very small set of ISPs. Each address has scanned the honeypot only a few times, though (1-3), suggesting that whoever is doing this (probably Censys), is rotating VMs at these ISPs when doing the scanning from them:

graphic

Information about the top-20 organizations that own the IP addresses attacking the honeypot - except that there are only 6 different ones:

graphic

This concludes the April honeypot report.