Executive Summary

Threat Level: MODERATE

Over the past 7 days, ending Sun, 31 May 2026 04:30:01 GMT, our honeypot network observed a sustained level of malicious activity. The primary threats include widespread scanning, exploitation attempts, and credential stuffing attacks. The total number of events recorded was 21,385,100, originating from 24,102 unique attackers.

Primary Threat Vectors

Vector 1: VNC Scanning

A significant volume of traffic targeting VNC services was observed, indicating automated scanning for vulnerable systems. This activity primarily targeted TCP port 5900.

  • Top Attacker: 165.22.9.166

Vector 2: SSH Brute-Force and Credential Stuffing

Numerous attempts to brute-force SSH credentials were recorded, indicating ongoing efforts to gain unauthorized access to systems. Multiple attempts used common usernames and passwords.

  • Top Attacker: 185.156.73.73

Vector 3: Exploitation Attempts via CVEs

Exploitation attempts leveraging known vulnerabilities, including CVE-2021-44228, were detected.

  • Top Attacker: 87.121.84.167

Attribution & Pattern Analysis

Deduction:

The observed activity suggests a diverse threat landscape, including automated scanners, botnets, and potentially targeted attacks. The variety of services targeted indicates attackers are likely seeking a wide range of compromised systems for various malicious purposes, including botnet recruitment and data exfiltration.

Cluster 1: DigitalOcean Infrastructure

Significant activity originated from IP addresses associated with DIGITALOCEAN-ASN (AS14061), suggesting the potential misuse of cloud infrastructure for malicious purposes. Several top attacking IPs are associated with DigitalOcean.

  • Top IPs: 165.22.9.166, 164.92.78.51, 137.184.121.249

Cluster 2: Moroccan Academic Network

A notable number of attacks originated from the Moroccan Academic Network (AS30983), indicating potentially compromised academic resources.

  • Top IPs: 196.200.143.10, 196.200.143.196

Top Attacking ASNs:

  • AS14061 DIGITALOCEAN-ASN: 3,457,645 events
  • AS210848 Telkom Internet LTD: 2,016,507 events
  • AS30983 Moroccan Academic Network: 1,967,560 events

Actionable Countermeasures

Action 1: Block High-Volume IPs

Justification: Immediately block all IPs exhibiting a high volume of malicious activity to mitigate active attacks and prevent further compromise. Prioritize IPs from the top attackers list, particularly those from ASNs with a history of malicious behavior.

Action 2: Enhance SSH Security

Justification: Implement stricter SSH security measures, including disabling password authentication, enforcing key-based authentication, and implementing rate limiting to mitigate brute-force attacks. Monitor failed login attempts and investigate suspicious activity.

Action 3: Vulnerability Patching and Monitoring

Justification: Prioritize patching systems against the identified CVEs, especially CVE-2021-44228. Implement robust vulnerability scanning and monitoring to detect and remediate vulnerabilities proactively.

Action 4: Network Segmentation and Access Controls

Justification: Implement network segmentation to isolate critical assets. Enforce strict access controls based on the principle of least privilege to limit the impact of successful compromises.

Action 5: IDS/IPS Rule Updates

Justification: Update intrusion detection and prevention systems (IDS/IPS) with the latest signatures and rules to detect and block malicious traffic, including traffic targeting the specific vulnerabilities and services identified above.