Executive Summary

Threat Level: MODERATE

Over the past 7 days, our network has been subjected to a significant volume of attack attempts. The most prevalent threat vector continues to be brute-force attempts against VNC services. This report details the major attack vectors, attribution analysis, and actionable countermeasures, based on data collected and analyzed up to Thu, 04 Sep 2025 20:13:26 GMT.

Primary Threat Vectors

Vector 1: Widespread VNC Service Scanning

Automated, high-frequency scanning targeted at TCP ports 5900, 5901, 5902 and 5903 continues to be the most active threat. The majority of these scans originate from within the US, with a significant portion from DIGITALOCEAN-ASN (AS14061). Many of the probing IPs carry multiple VirusTotal (VT) positives.

  • Top Attacker: 159.89.225.170
  • Top Port: 5900
  • Top ASN: AS14061 DIGITALOCEAN-ASN

Vector 2: Other Port Probes

Sporadic activity was detected on other ports, including 8159 and 8443. These were observed over the reporting period, but were far less frequent than VNC scans.

  • Top Attacker: 207.90.244.12
  • Top Port: 8159
  • Top ASN: AS174 COGENT-174

Attribution & Pattern Analysis

Deduction:

The prevalence of VNC scanning suggests attackers are actively seeking to exploit improperly secured VNC servers. The concentration of scanning activity originating from cloud providers such as DigitalOcean suggests that compromised cloud infrastructure is being used to launch the scans.

Cluster 1: DigitalOcean-Based Scanning

A significant cluster of activity is associated with the ASN AS14061 DIGITALOCEAN-ASN. Attacks from these sources are largely concentrated on scanning activities. Further investigation into the IPs within this ASN is recommended.

  • Top Attacking ASN: AS14061 DIGITALOCEAN-ASN
  • Top Attacking IP: 159.89.225.170

Cluster 2: Other Port Activity

Activity on ports 8159 and 8443 shows a different pattern. The targeting on these ports appears more random compared to the sustained VNC scanning.

  • Top Attacking ASN: AS174 COGENT-174
  • Top Attacking IP: 207.90.244.12

Actionable Countermeasures

Action 1: Block High-Volume IPs

Justification: Immediate mitigation of high-volume scanning activity. Block all IPs with sustained high-frequency scans, focusing on the top attackers identified, particularly those within the AS14061 ASN.

Action 2: Harden VNC Servers

Justification: The primary attack vector is targeted at VNC services. Secure all exposed VNC servers. Disable VNC if not needed, or change default ports. Implement strong passwords, and restrict access by IP address.

Action 3: Monitor Network Traffic

Justification: Enhanced monitoring of network traffic for unusual patterns and indicators. Implement alerts for suspicious traffic, particularly on commonly targeted ports.

Action 4: Review Firewall Rules

Justification: Review and update firewall rules to block traffic from known malicious IPs and ASNs. Implement rate limiting to mitigate brute-force attacks.
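The following script is an added example, not part of this report or of any tooling behind it. It implements the detection and blocking logic that Vector 1 and Actions 1 and 3 describe: parse firewall drop logs, count hits per source on the VNC ports named above (5900-5903), flag sources whose hit count crosses a threshold, and render a block rule per flagged source. The iptables-style log format, the per-source threshold of 5, and every sample log line are constructed assumptions; the sample reuses the two top attacker IPs from the report plus one low-volume source from the TEST-NET-3 documentation range.

```python
# Added example (not from the report): flag high-volume VNC scanners in
# firewall drop logs and emit per-source block rules. The log format, the
# threshold and all sample lines are constructed assumptions.
import re
from collections import defaultdict

VNC_PORTS = {5900, 5901, 5902, 5903}   # the ports the report says are being scanned

# Assumed iptables-style log line; only the SRC= and DPT= fields are used.
LOG_RE = re.compile(r"SRC=(?P<src>\d{1,3}(?:\.\d{1,3}){3}).*?DPT=(?P<dpt>\d+)")

# Constructed sample: the report's top attackers plus a low-volume source (203.0.113.7).
SAMPLE_LOG = """\
Sep 04 20:01:01 fw kernel: DROP IN=eth0 SRC=159.89.225.170 DST=10.0.0.5 PROTO=TCP SPT=41000 DPT=5900
Sep 04 20:01:02 fw kernel: DROP IN=eth0 SRC=159.89.225.170 DST=10.0.0.5 PROTO=TCP SPT=41001 DPT=5901
Sep 04 20:01:03 fw kernel: DROP IN=eth0 SRC=159.89.225.170 DST=10.0.0.5 PROTO=TCP SPT=41002 DPT=5902
Sep 04 20:01:04 fw kernel: DROP IN=eth0 SRC=159.89.225.170 DST=10.0.0.5 PROTO=TCP SPT=41003 DPT=5900
Sep 04 20:01:05 fw kernel: DROP IN=eth0 SRC=159.89.225.170 DST=10.0.0.5 PROTO=TCP SPT=41004 DPT=5901
Sep 04 20:01:06 fw kernel: DROP IN=eth0 SRC=159.89.225.170 DST=10.0.0.5 PROTO=TCP SPT=41005 DPT=5900
Sep 04 20:02:10 fw kernel: DROP IN=eth0 SRC=207.90.244.12 DST=10.0.0.5 PROTO=TCP SPT=51000 DPT=8159
Sep 04 20:02:11 fw kernel: DROP IN=eth0 SRC=207.90.244.12 DST=10.0.0.5 PROTO=TCP SPT=51001 DPT=8443
Sep 04 20:03:00 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=10.0.0.5 PROTO=TCP SPT=60000 DPT=5900
Sep 04 20:03:01 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=10.0.0.5 PROTO=TCP SPT=60001 DPT=5900
this line has no SRC/DPT fields and is skipped
"""


def parse_events(text):
    """Yield (source_ip, destination_port) for each parseable log line."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            yield m.group("src"), int(m.group("dpt"))


def count_hits(events):
    """Aggregate events into {source_ip: {port: count}}."""
    hits = defaultdict(lambda: defaultdict(int))
    for src, dpt in events:
        hits[src][dpt] += 1
    return hits


def vnc_scanners(hits, threshold=5):
    """Sources with at least `threshold` hits on VNC ports, most active first.

    Returns a list of (source_ip, vnc_hit_count, sorted_vnc_ports_touched).
    The threshold is an assumed tuning value, not one taken from the report.
    """
    scored = []
    for src, ports in hits.items():
        vnc_hits = sum(c for p, c in ports.items() if p in VNC_PORTS)
        if vnc_hits >= threshold:
            scored.append((src, vnc_hits, sorted(p for p in ports if p in VNC_PORTS)))
    return sorted(scored, key=lambda t: t[1], reverse=True)


def block_rules(scanners):
    """Render one iptables DROP rule per flagged source (review before applying)."""
    return [f"iptables -I INPUT -s {src} -j DROP" for src, _, _ in scanners]


def top_port(hits):
    """Most frequently probed destination port across all sources."""
    totals = defaultdict(int)
    for ports in hits.values():
        for p, c in ports.items():
            totals[p] += c
    return max(totals, key=totals.get)


if __name__ == "__main__":
    hits = count_hits(parse_events(SAMPLE_LOG))
    scanners = vnc_scanners(hits)
    for src, n, ports in scanners:
        print(f"{src}: {n} VNC hits on {ports}")
    print("top port:", top_port(hits))
    print("\n".join(block_rules(scanners)))
```

On the constructed sample only 159.89.225.170 crosses the threshold; 207.90.244.12 touches non-VNC ports and 203.0.113.7 stays below it, so neither is blocked. The rules are emitted as text rather than applied, so an operator can review the list against allow-lists before loading it; the rate limiting called for in Action 4 is a separate firewall rule and is not generated here.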