Executive Summary

Threat Level:

MODERATE

This report summarizes the cyber threat landscape observed by our honeypot network for the reporting period ending Wed, 11 Mar 2026 04:30:02 GMT. The network observed a high volume of scanning and attempted exploitation across multiple services, with a continued emphasis on brute-force attacks and vulnerability exploitation. DigitalOcean ASNs remain a primary source of malicious activity.

Primary Threat Vectors

Vector 1: Widespread VNC Service Scanning

Automated, high-frequency scanning targeted at TCP port 5900, indicative of attackers searching for vulnerable VNC servers. Activity from this vector is consistent with previous weeks.

  • Top Attacker: 129.212.181.84 (US)
  • Total Events: 1,559,140 (GPL INFO VNC server response)
  • Notable Signature: GPL INFO VNC server response

Vector 2: SSH Brute-Force Attacks

Persistent attempts to brute-force SSH credentials, primarily targeting common usernames and passwords. DigitalOcean ASNs are a major source.

  • Top Attacker: 152.42.255.97 (SG)
  • Top Credential: 345gs5662d34 / 345gs5662d34 (1330 attempts)
  • Top Source Country: KR

Vector 3: Vulnerability Exploitation Attempts

Exploitation attempts against known vulnerabilities, including CVE-2018-13379 (Fortinet) and CVE-2024-14007. These attacks are spread across multiple IPs.

  • Top Attacker for CVE-2018-13379: 194.50.16.198 (NL)
  • Notable CVE: CVE-2018-13379 (3465 attempts)
  • Notable CVE: CVE-2024-14007 (2036 attempts)

Attribution & Pattern Analysis

Deduction:

The observed activity indicates a blended threat landscape, with automated scanning tools used for service discovery and exploitation attempts, in combination with credential brute-force attacks. The persistence of these attacks suggests automated processes.

Cluster 1: DigitalOcean Infrastructure

A significant portion of the malicious activity originates from the AS14061 DIGITALOCEAN-ASN. This includes a high volume of SSH brute-force attempts and VNC scanning. The concentration of activity from this ASN suggests it is being used to conduct large-scale attacks.

  • Top Attacker: 152.42.255.97 (SG) - 1,964,463 events
  • Top ASN: AS14061 DIGITALOCEAN-ASN (6,825,411 events)

Cluster 2: Vulnerability Scanners

Several IPs show a pattern consistent with vulnerability scanners, actively probing for known CVEs. The source countries involved are widely distributed, making mitigation more complex.

  • Top CVE: CVE-2018-13379 (3465 attempts) - 194.50.16.198 (NL)

Actionable Countermeasures

Action 1: Block High-Volume IPs

Justification: Immediate mitigation of active threats by blocking IPs exhibiting a high volume of malicious activity.

  • Block 152.42.255.97, 134.199.206.124, 159.203.173.211, 134.199.201.207

Action 2: Strengthen SSH Configuration

Justification: Prevent brute-force attacks from succeeding. Implement multi-factor authentication and consider disabling password-based authentication.

  • Disable password authentication for SSH.
  • Enforce strong password policies.
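The following sshd_config fragment is an added example, not part of this report or of any honeypot tooling it references; it shows the weak settings that let the brute-force pattern above reach a real password check, beside a hardened set. Option names are standard OpenSSH sshd_config keywords; the chosen limits and the key-only policy are assumptions to adapt locally, and comments must stay on their own lines because sshd_config does not accept trailing comments.

```conf
# Added example (not from the report): /etc/ssh/sshd_config fragment for the
# SSH brute-force pattern above. Validate with `sshd -t` before reloading.

# Weak: every guessed username/password pair is tested against the real
# password database, which is exactly what the logged attempts rely on.
#PasswordAuthentication yes
#KbdInteractiveAuthentication yes
#PermitRootLogin yes

# Hardened: keys only, no password path at all.
PasswordAuthentication no
# Also close the keyboard-interactive (PAM) password path.
KbdInteractiveAuthentication no
PubkeyAuthentication yes
# Root only with a key, never with a password.
PermitRootLogin prohibit-password
# Require a key; use "publickey,keyboard-interactive" to add PAM-based MFA.
AuthenticationMethods publickey
# Shrink each connection's guess budget and drop idle unauthenticated sessions.
MaxAuthTries 3
LoginGraceTime 20
# Start refusing new unauthenticated connections under load (start:rate:full).
MaxStartups 10:30:60
```

With `PasswordAuthentication no`, a captured credential such as the top pair in Vector 2 is never evaluated, so the remaining value of the brute-force traffic is only as a detection signal.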

Action 3: Patch Vulnerable Systems

Justification: Prevent successful exploitation of known vulnerabilities. Prioritize patching systems exposed to the internet.

  • Ensure all systems are patched against CVE-2018-13379, CVE-2024-14007, and other identified CVEs.

Action 4: Monitor Network Traffic

Justification: Enhance detection of malicious activity. Continuously review network logs for suspicious behavior and anomalous traffic patterns.

  • Monitor for unusual activity on ports 5900, 22, and other potentially vulnerable services.
  • Review all alerts from Suricata and P0f.
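The script below is an added example, not part of this report or of the honeypot tooling it names, covering Action 1 and Action 4 together: it reads Suricata eve.json alert records, aggregates them by source IP, destination port and signature (the same fields the report summarizes), selects sources above a volume threshold, and renders an nftables blocklist for them. The log lines are constructed (RFC 5737 documentation addresses, illustrative signature names) and include a non-alert flow record and a malformed line to show that the review pipeline skips rather than crashes on them; the threshold and the table name `honeypot_block` are assumptions.

```python
import json
from collections import Counter

# Constructed sample of Suricata eve.json records (illustrative, not real honeypot
# output). Source addresses come from RFC 5737 documentation ranges. One record is a
# non-alert flow event and one line is deliberately not JSON.
SAMPLE_EVE_LINES = """\
{"timestamp":"2026-03-11T04:00:01.000000+0000","event_type":"alert","src_ip":"198.51.100.7","dest_ip":"10.0.0.5","dest_port":5900,"proto":"TCP","alert":{"signature":"GPL INFO VNC server response"}}
{"timestamp":"2026-03-11T04:00:02.000000+0000","event_type":"alert","src_ip":"198.51.100.7","dest_ip":"10.0.0.5","dest_port":5900,"proto":"TCP","alert":{"signature":"GPL INFO VNC server response"}}
{"timestamp":"2026-03-11T04:00:03.000000+0000","event_type":"alert","src_ip":"198.51.100.7","dest_ip":"10.0.0.5","dest_port":5900,"proto":"TCP","alert":{"signature":"GPL INFO VNC server response"}}
{"timestamp":"2026-03-11T04:00:04.000000+0000","event_type":"alert","src_ip":"203.0.113.21","dest_ip":"10.0.0.5","dest_port":22,"proto":"TCP","alert":{"signature":"ET SCAN Potential SSH Scan"}}
{"timestamp":"2026-03-11T04:00:05.000000+0000","event_type":"alert","src_ip":"203.0.113.21","dest_ip":"10.0.0.5","dest_port":22,"proto":"TCP","alert":{"signature":"ET SCAN Potential SSH Scan"}}
{"timestamp":"2026-03-11T04:00:06.000000+0000","event_type":"alert","src_ip":"203.0.113.44","dest_ip":"10.0.0.5","dest_port":22,"proto":"TCP","alert":{"signature":"ET SCAN Potential SSH Scan"}}
{"timestamp":"2026-03-11T04:00:07.000000+0000","event_type":"flow","src_ip":"198.51.100.7","dest_ip":"10.0.0.5","dest_port":5900,"proto":"TCP"}
this line is not JSON and must be skipped

"""


def parse_alerts(lines):
    """Return (alerts, skipped). alerts is a list of (src_ip, dest_port, signature)
    for every well-formed alert record; skipped counts malformed or non-alert lines."""
    alerts, skipped = [], 0
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue  # blank lines carry no information
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            skipped += 1  # truncated or corrupted line: count it, never abort the review
            continue
        if rec.get("event_type") != "alert" or "alert" not in rec:
            skipped += 1  # flow, dns, etc. records are not alerts
            continue
        alerts.append((rec.get("src_ip", "?"), rec.get("dest_port"),
                       rec["alert"].get("signature", "?")))
    return alerts, skipped


def summarize(lines):
    """Aggregate alerts the way the report's 'Top Attacker', port and
    'Notable Signature' fields do."""
    alerts, skipped = parse_alerts(lines)
    return {
        "by_src": Counter(src for src, _, _ in alerts),
        "by_port": Counter(port for _, port, _ in alerts),
        "by_signature": Counter(sig for _, _, sig in alerts),
        "skipped": skipped,
    }


def high_volume_sources(lines, threshold):
    """Sources with at least `threshold` alerts, most active first; ties are broken
    by IP so the output is stable between runs."""
    by_src = summarize(lines)["by_src"]
    return sorted(((ip, n) for ip, n in by_src.items() if n >= threshold),
                  key=lambda item: (-item[1], item[0]))


def render_nft_blocklist(ips, table="honeypot_block"):
    """Render an nftables ruleset (assumed table name) that drops inbound traffic
    from the given IPv4 sources. An empty list yields an empty, still valid set."""
    ips = sorted(set(ips))
    elements = f" elements = {{ {', '.join(ips)} }};" if ips else ""
    return (
        f"table inet {table} {{\n"
        f"    set blocked {{ type ipv4_addr;{elements} }}\n"
        f"    chain input {{ type filter hook input priority 0; policy accept;\n"
        f"        ip saddr @blocked drop }}\n"
        f"}}\n"
    )


if __name__ == "__main__":
    lines = SAMPLE_EVE_LINES.splitlines()
    stats = summarize(lines)
    print("skipped lines:", stats["skipped"])
    print("alerts by port:", dict(stats["by_port"]))
    noisy = high_volume_sources(lines, threshold=2)
    for ip, n in noisy:
        print(f"{ip}: {n} alerts")
    print(render_nft_blocklist([ip for ip, _ in noisy]))
```

On a live sensor the same functions would be fed `/var/log/suricata/eve.json` line by line; the threshold should be set well above the noise floor of the honeypot, and the rendered ruleset reviewed before it is loaded with `nft -f`, since a blocklist built from honeypot hits will also catch any internal scanner that touches the sensor.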