Executive Summary

Threat Level:

MODERATE

This report summarizes the cyber threat landscape observed across our honeypot network during the reporting period ending Sun, 25 Jan 2026 04:30:02 GMT. The analysis shows a continued focus on automated scanning, with activity concentrated on VNC, SSH and HTTP/HTTPS services. The top attacking ASNs are dominated by cloud providers, with DigitalOcean (AS14061) the single largest source.

Primary Threat Vectors

Vector 1: Widespread VNC Scanning

High volumes of scanning were observed against VNC services on various ports. The aim is most likely to find VNC servers exposed with no authentication, a guessable password, or a vulnerable implementation. The most prevalent signature was "GPL INFO VNC server response", which fires on the honeypot's own RFB version banner; it therefore counts connections that reached a VNC listener and completed the banner exchange, not confirmed exploitation. The security types a scanner is offered are the next thing to examine for each source.

  • Top Attacker: 134.199.197.11 (US, ASN: 14061 DIGITALOCEAN-ASN)
  • Total Events: 644556

Vector 2: SSH Brute-Force Attempts

SSH brute-force attempts continue at high volume, cycling through common username/password pairs. The sources are typically compromised or rented hosts, and the credential lists combine vendor defaults with credential-stuffing material. Cowrie SSH/Telnet honeypots supply this data, recording every attempted credential pair and any commands issued after a successful login.

  • Top Attacker: 134.199.202.110 (US, ASN: 14061 DIGITALOCEAN-ASN)
  • Total Events: 813551

Vector 3: HTTPS Traffic & Associated Anomalies

HTTPS accounted for the largest share of events overall. Much of it is benign, but it includes a large amount of scanning. Alerts such as "ET INFO User-Agent (python-requests) Inbound to Webserver" point to scripted probing. Two caveats apply: the alert matches the HTTP request header, which the sensor can only see in plaintext or decrypted traffic, and the User-Agent is attacker-controlled and trivially spoofed, so on its own it is a low-confidence indicator.

  • Top Attacker: 134.199.195.17 (US, ASN: 14061 DIGITALOCEAN-ASN)
  • Total Events: 756828

Attribution & Pattern Analysis

Deduction:

The observed activity is consistent with a diverse set of actors running commodity scanning and brute-force tools rather than a single campaign. The concentration of sources in cloud providers, particularly DigitalOcean, points to compromised virtual machines or to infrastructure rented specifically for attacks; the ASN identifies the hosting provider, not the operator. The mix of brute-force attempts and VNC scanning indicates opportunistic, untargeted activity.

Cluster 1: DigitalOcean Based Attacks

A significant portion of attacks originated from addresses in DigitalOcean's AS14061, and the top attacker for all three vectors (134.199.197.11, 134.199.202.110, 134.199.195.17) falls within 134.199.0.0/16 in that ASN. The cluster exhibited high volumes of both SSH and VNC activity. Further investigation of these IPs is warranted to determine whether they are compromised hosts or infrastructure used for malicious activity directly; abuse reports with timestamps and source ports should go to the provider's abuse contact.

  • Top ASN: AS14061 DIGITALOCEAN-ASN (6789930 events)
  • Top Country: US (7168158 events)

Actionable Countermeasures

Action 1: Block High-Volume IPs

Justification: Block the top attacking IPs listed above immediately to reduce current noise, but do so with an expiry (for example an ipset or nftables set with a timeout), because cloud addresses are recycled and a permanent block will eventually hit a legitimate tenant. Block the specific IPs rather than whole ASNs or countries: AS14061 is an abused hosting provider, not a malicious network, and a country or ASN block would also cut legitimate traffic from it. Report the IPs to the provider's abuse contact.

Action 2: Enhance SSH Hardening

Justification: Review the sshd configuration across the infrastructure: disable password authentication in favour of keys, require a second factor where keys alone are not sufficient (for example AuthenticationMethods publickey,keyboard-interactive with a PAM one-time-password module), set PermitRootLogin no and a low MaxAuthTries, and rate-limit or ban repeated failures with a tool such as fail2ban. Verify the effective configuration with sshd -T rather than by reading the file, since Include and Match directives change what actually applies.
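An audit of the settings that matter for this action, as an added example that is not code from the report or from OpenSSH: it parses an sshd_config (or sshd -T output) the way sshd does, applies OpenSSH's defaults for absent keywords, and reports every setting that still leaves a password path open. The weak and hardened configurations are constructed, and the default values assume a current OpenSSH release.

```python
"""Audit an sshd configuration for the weaknesses the brute-force data exploits.

Added example for the SSH hardening action; it is not code from the report or
from OpenSSH. The two configurations below are constructed: one weak, one
hardened. Default values assume a current OpenSSH release.
"""
import re

# Effective OpenSSH defaults for the keywords checked (assumed current release).
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "permitemptypasswords": "no",
    "pubkeyauthentication": "yes",
    "authenticationmethods": "any",
    "maxauthtries": "6",
}

# Constructed weak configuration: passwords and root login both enabled.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes   # old alias for KbdInteractiveAuthentication
MaxAuthTries 10
"""

# Constructed hardened configuration: key plus a PAM second factor, no root.
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
KbdInteractiveAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive
MaxAuthTries 3
Match Group sftponly
    ForceCommand internal-sftp
"""


def parse_sshd_config(text):
    """Return top-level settings as {lowercase keyword: lowercase value}.

    Follows sshd's own rules: comments and 'keyword=value' are accepted, the
    first occurrence of a keyword wins, and everything after the first Match
    line is conditional, so it is left for a separate review.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        if key == "challengeresponseauthentication":
            key = "kbdinteractiveauthentication"
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        settings.setdefault(key, value)
    return settings


def audit(text):
    """Return (keyword, finding) pairs for settings that leave a password path open."""
    eff = {**DEFAULTS, **parse_sshd_config(text)}
    findings = []
    if eff["passwordauthentication"] != "no":
        findings.append(("passwordauthentication", "password logins allowed; brute force remains possible"))
    # Keyboard-interactive is a password prompt unless a key is required before it.
    methods = eff["authenticationmethods"].split()
    key_first = bool(methods) and all(m.startswith("publickey,") for m in methods)
    if eff["kbdinteractiveauthentication"] != "no" and not key_first:
        findings.append(("kbdinteractiveauthentication", "PAM password prompts reachable without a key"))
    if eff["permitrootlogin"] == "yes":
        findings.append(("permitrootlogin", "root may log in with a password"))
    if eff["permitemptypasswords"] == "yes":
        findings.append(("permitemptypasswords", "empty passwords accepted"))
    if eff["pubkeyauthentication"] == "no":
        findings.append(("pubkeyauthentication", "key authentication disabled"))
    if int(eff["maxauthtries"]) > 3:
        findings.append(("maxauthtries", f"{eff['maxauthtries']} attempts per connection; lower to 3"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or "no findings")
```

Feed it the output of sshd -T for a faithful result: that output is already lowercased, includes Include'd files, and has no Match blocks, so the parser's early stop never hides anything. Match blocks in the raw file still need a human look, since one of them can re-enable PasswordAuthentication for a user or address range.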

Action 3: Monitor VNC Traffic

Justification: Alert on and log VNC traffic, including the RFB banner exchange and the security types offered, and analyse connection attempts and server responses for unusual behaviour. VNC should not be exposed to the public internet; where remote desktop access is required, require authentication and reach the service over an SSH tunnel or VPN. An RFB banner leaving the perimeter from a host that is not a honeypot is itself a finding.
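The decoder below shows what the "GPL INFO VNC server response" signature from Vector 1 actually matches and takes the analysis one step further, as this action asks: it parses the RFB ProtocolVersion banner and the server's security-type message and grades an exposed listener by what it offers (no authentication, the legacy DES challenge, or an encrypted type). It is an added example, not code from the report or from any VNC project; the byte strings are constructed, and it assumes the client echoed the server's version rather than downgrading it.

```python
"""Decode the opening of an RFB (VNC) handshake and grade the security it offers.

Added example for the VNC scanning vector and the VNC monitoring action; it is
not code from the report or from any VNC project. The byte strings are
constructed to look like the server side of real RFB traffic.
"""
import struct

# Security types from RFC 6143 plus the common registered extensions.
SECURITY_TYPES = {
    0: "Invalid",
    1: "None",
    2: "VNC Authentication",
    16: "Tight",
    18: "TLS",
    19: "VeNCrypt",
}

# Constructed samples (not captured traffic).
BANNER_38 = b"RFB 003.008\n"
BANNER_33 = b"RFB 003.003\n"
SEC_NONE = b"\x01\x01"                # 3.7+: one type offered, type 1 (None)
SEC_VNC_VENCRYPT = b"\x02\x02\x13"    # 3.7+: two types, VNC Authentication and VeNCrypt
SEC_33_VNCAUTH = b"\x00\x00\x00\x02"  # 3.3: server-chosen u32 type 2
SEC_REFUSED = b"\x00" + struct.pack("!I", 17) + b"Too many failures"


def parse_version(banner):
    """Parse the 12-byte ProtocolVersion message: 'RFB xxx.yyy' plus a newline.

    The 'GPL INFO VNC server response' signature matches the start of this
    banner, so it counts handshakes that reached a VNC listener.
    """
    if len(banner) < 12 or banner[:4] != b"RFB " or banner[7:8] != b"." or banner[11:12] != b"\n":
        raise ValueError("not an RFB ProtocolVersion message")
    major, minor = banner[4:7], banner[8:11]
    if not (major.isdigit() and minor.isdigit()):
        raise ValueError("malformed RFB version number")
    return int(major), int(minor)


def _reason(data):
    """Decode the u32-length-prefixed reason string sent with a refusal."""
    (length,) = struct.unpack("!I", data[:4])
    return data[4:4 + length].decode("latin-1", "replace")


def parse_security_types(version, data):
    """Parse the server's security message that follows the version exchange.

    RFB 3.3 sends one big-endian u32 type chosen by the server; 3.7 and later
    send a u8 count followed by that many u8 types. A zero count (or zero type)
    means the server refused, followed by a length-prefixed reason string.
    Assumes the client echoed the server's version rather than downgrading.
    """
    if version < (3, 7):
        (chosen,) = struct.unpack("!I", data[:4])
        if chosen == 0:
            raise ConnectionError(_reason(data[4:]))
        return [chosen]
    count = data[0]
    if count == 0:
        raise ConnectionError(_reason(data[1:]))
    return list(data[1:1 + count])


def assess(banner, security_msg):
    """Return the version, the offered security types and a risk grade."""
    version = parse_version(banner)
    types = parse_security_types(version, security_msg)
    names = [SECURITY_TYPES.get(t, f"unknown({t})") for t in types]
    if 1 in types:
        risk = "CRITICAL: unauthenticated access offered"
    elif 2 in types and not ({18, 19} & set(types)):
        risk = "HIGH: only the legacy DES challenge, no transport encryption"
    else:
        risk = "INFO"
    return {"version": version, "types": names, "risk": risk}


if __name__ == "__main__":
    for banner, sec in ((BANNER_38, SEC_NONE), (BANNER_38, SEC_VNC_VENCRYPT), (BANNER_33, SEC_33_VNCAUTH)):
        print(assess(banner, sec))
```

Applied to honeypot captures, the security-type list separates a scanner that merely collected banners from one that found a door it could walk through; applied to your own perimeter, any CRITICAL or HIGH result is a host that should not be reachable from the internet at all.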

Action 4: Threat Intelligence Feed Integration

Justification: Integrate the indicators in this report (the listed IPs and AS14061) into the threat-intelligence platform, tagged with the honeypot source, first/last-seen timestamps and a short expiry, since cloud addresses churn quickly. This report contains no CVE data, so the IPs and ASN are the only indicators available from this period; correlate them against firewall and SSH logs for detection and use them for the time-limited blocking described in Action 1.