Profile picture
Vess
@VessOnSecurity
, 19 tweets, 6 min read Read on Twitter
OK, the month of January is over, so it's time for my monthly report from our honeypots.

We couldn't figure out a fast way to query the database containing our Telnet & SSH honeypot data, but we found another solution.
Basically, I wrote a scrip which, at the end of the month, copies the relevant data for the previous month only into temporary tables. Then I created a new visualization that uses only these temporary tables. 4-mil row tables are easier to handle than 30-mil ones.
So, here is the big picture from our Telnet & SSH honeypot for the month of January. As always, the USA holds the top spot:
Picture of the hourly activity. We're getting hit averagely 1.6 times per second:
More than 93% of the attacks are via Telnet; the rest is via SSH:
The top URLs from which malware is most often uploaded to the honeypot. Mirai variants all of them, as always:
Details about the top-20 IP addresses that have attacked us the most, in decreasing order of attacks. I'm surprised that DigitalOcean isn't at the top. That dubious honor belongs to FranTech, another often-abused cloud provider.
Details about the top-20 organizations that own the most actively attacking IPs. No surprises here - DigitalOcean and FranTech hold the top spots, with everybody else far behind.
Finally, the top-20 most often used passwords when trying to break into the honeypot. Again, nothing particularly unusual here.
Next, the report from our SMB honeypot, starting with the big picture. The top spot this month belongs to the Netherlands instead of Russia, as is usually the case.
Next, hourly activity. Averagely one hit every couple of minutes. The spikes you see on the chart are caused by that bizarre IP in the Netherlands.
The unique malware variants uploaded, according to Symantec's scanner. 94% are corrupted WannaCry variants (no kill switch check, no encryption), the rest is various crypto miners. No Conficker this month, either.
The top-20 most actively attacking IPs. That Dutch IP has the top spot, of course, followed by a Russian one. A Bulgarian one occupies the 4th spot, ugh.
Finally, the top-20 organizations that own the most aggressively attacking IPs. Yep, that Dutch cloud provider has the top spot because of that IP.
Last, the information from our ADB honeypot. Much lower activity there. Starting with the big picture, China and Hong-Kong hold the top spots, as usual for this protocol:
Hourly activity. We're hit averagely once every half an hour.
Unique malware variants uploaded, according to DrWeb's scanner. Basically, the same shit is being uploaded over and over - mostly crypto miners.
Details about the top-20 most aggressively attacking IPs. Unsurprisingly, most of them reside in China and Hong-Kong.
Finally, the top-20 organizations from which most of the attacks are coming from. Chinese ones occupy the top spots.

Wait a sec, Hurricane Electric? Ugh, that's our DNS provider... Wouldn't have expected such stuff from them.

Anyway, this concludes the monthly report.
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to Vess
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

More from @VessOnSecurity see all

Profile picture
Vess
@VessOnSecurity
OK, folks, the month of October is over here, so it is time for my honeypot report. Let's start with our Telnet & SSH honeypot.
First, the big picture. As always, the USA is at the top of the list of countries where the attacks are coming from. Three TIMES more attacks from there than from the next contender, Germany. The latter is somewhat unusual, Germany is rarely near the top.
Next, a graph of the number of attacks per hour. The honeypot is being attacked nearly once every second on average!
Read 14 tweets
Profile picture
Vess
@VessOnSecurity
My honeypot just caught something substantially new. Spreads via Telnet but not your run-of-the-mill Mirai variant or Monero miner...

First stage is just a few commands that download a rather sophisticated shell script, disguised as a CSS file. (URL is still live.)
The script is quite sophisticated, unlike the usual Mirai crap. It eventually downloads the executable for the appropriate CPU architecture, like

http://104.237.218.85/0/DIGIT1/DIGIT2

where DIGIT1 and DIGIT2 are two decimal digits.
I downloaded one of the executables - zero detections in VirusTotal both for it and for the script.

virustotal.com/#/file/cf3bfd3…

virustotal.com/#/file/9ef5864…
Read 3 tweets
Profile picture
Vess
@VessOnSecurity
@siri_urz @Malwageddon @decalage2 @DissectMalware @James_inthe_box @ItsReallyNick @_devonkerr_ @likethecoins @angealbertini No, the code isn't there, although there is something strange...

You are looking at the raw file with a hex editor and are seeing stuff that's in unallocated clusters that aren't part of the OLE2 stream structures at all. You need a more intelligent tool.

Take a look:
@siri_urz @Malwageddon @decalage2 @DissectMalware @James_inthe_box @ItsReallyNick @_devonkerr_ @likethecoins @angealbertini First, we have the OLE2 structure of the file. This is what you have to look at. The VBA structures are there. The module streams are:

Module1
UserForm1
ThisDocument
@siri_urz @Malwageddon @decalage2 @DissectMalware @James_inthe_box @ItsReallyNick @_devonkerr_ @likethecoins @angealbertini Now, let's inspect each one of them as a stream, not as raw sectors from the file. Again, you need a tool that understands this. The compressed source is at the end of the stream, with the p-code immediately preceding it.

Module1:
Read 10 tweets

Related threads

Profile picture
Jenn @ Katsu Prep
@quicksparrows
Do you sand your 3D prints? Do you want to but it takes too damn long? Do you want to do it more efficiently? A thread!
Meet Menace’s staff’s carousel. The brighter white part is completely unsanded and fresh off the printer. Let’s catch it up with its sister.
The #1 reason why bodyshopping can take so long is that you aren’t starting with a high enough grit to remove print lines. We start at 100-150. Shearing off print lines takes a fraction of the time with a grittier sandpaper, so we start there. And 150 is fast.
Read 38 tweets
Profile picture
UCCat20
@UCC_Official
UCC had opportunity to comment on the #Data.Protection & Privacy Bill. The enactment of this law is long overdue. A comprehensive law on the collection & processing personal information gives effect to the right to Privacy envisaged under Article 27(2) of the Constitution
UCC welcome the protections offered by the Bill in terms of export of data, breach notification requirements, data subjects access rights, automated decision making, compensation and the right to be forgotten and provision for financial and penal sanctions for breach of the law.
Distinction between Data collectors & data controllers.
The Bill should however clarify & distinguish Data Collectors, from Data Processors & Data Controllers. Clause 2 is inconsistent with international good practice which provides for two broad categories of Data Controllers
Read 17 tweets
Profile picture
바👏🏼바👏🏼바👏🏼
@TayHoBae
Jimin wouldn’t allow himself to be trapped on his shift for any longer than necessary.

“Go, go,” Taehyung hurried, taking Jimin’s apron to let him slip out from behind the counter more quickly. Jimin decided he could get the grounds out from under his nails at home.
This morning had been absolute hell. Two girls ordered seven drinks, Jimin made them all only for them to say they were supposed to be with almond milk.

‘Oh I’m so sorry,’ was he all he had legally been allowed to say at the time, while his mind had far more colorful ideas.
With Jimin officially clocked out, he slumped on the customer side of the now empty service counter, looking to his friend with tired eyes.

“You wanna grab dinner later?”
“I can’t, remem—?
“Ah, right...”

Jimin’s disappointment vanished as Taehyung suddenly smiled to himself.
Read 1016 tweets
Profile picture
Karol 🍃
@karolcummins
⚠️NatSecCrisis⚠️

US Officials ‘at a F*cking Loss’ Over Latest Russia Sell Out

WH says they are considering handing over US citizens if Putin asks.😱

Russian spy Maria Butina ‘offered sex’ for job with ‘special interest organization’: How many GOP fell into the #HoneyPot?🍯
⚠️NatSecCrisis⚠️

TX Republican:

We are better than what this president suggests we are.

We eschew ugliness and divisiveness.

Trump is no longer our leader.

It is time to push him into the ash bin of history.

Today, I ask you to impeach Trump.
⚠️NatSecCrisis3⚠️

#Traitor Gaetz fails to get enough votes to impeach DAG Rosenstein. 🤗🤗

Since Trump has been president, he has increased the national debt by over $1T.

Yes. One trillion dollars.

The fastest any president in U.S. history has accrued that level of debt.
Read 67 tweets
Profile picture
Joe
@Jtruzmah
1/7 #Report
According to Palestinian reports, at approximately 18:00 hours, an #IDF airstrike struck downtown Gaza City. Two teens were killed as a result of the strike. Reports claimed an empty structure, a children’s park and a mosque were damaged. #Gaza #Israel #Hamas #IDF
2/7
 The children’s park in reality is #Qassam Brigade’s “Battalions Square” and the teens who died were inside the structure circled in red. Beside it is the mosque circled in blue which was damaged by the strike.
3/7
 Why did the #IDF target this site with air strikes? How does the #IDF know this site is used by #Qassam Brigades? Can we just take their word for it? Here is video of the actual strike.
Read 7 tweets
Profile picture
Rakyat: Yoong Khean
@twt_malaysia
Ok since it's Monday noon (no mood to work), I'll start off with my first cerita, an experience which I hold very dear to my heart.

I would like to share with u the time of the East Coast floods in 2014, specifically in Kelantan.

*ini thread (always wanted to say that 😂)
Most of u will remember the EC '14 floods as 1 of the worst. 200,000 ppl were affected, 21 deaths & the effects are still seen today.

Early Dec '14, I was transferred back to Selangor after a year in N9 serving in primary health & placed in the Nephrology Department in H Serdang
News of the flood came suddenly & situation was worse than many expected. Being in Nephrology (kidney subspeciality), the concern is where do all the kidney failure patients in Kelantan go for their dialysis, as many centres were damaged by the floods. Cant operate at all.
Read 36 tweets

Trending hashtags

#SaudiGov #TradeWar #techlash #GlobalSupport #WMD #Data #LafiyaDole #finance #Traitor #Khashoggi #OsamaBinLaden #Syria #International #EmbraceUnity #NYTimes #SaudiArabia #DeepState #NPR #SuudiBaharı #OperationGladio #Embassy #Italy #MachineLearning #PBS #Divorce
Follow Us on Twitter!

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!