Executive Summary

Threat Level: MODERATE

Over the past 7 days, ending Thu, 04 Dec 2025 03:06:12 GMT, the honeypot network observed a sustained level of activity, with a focus on service scanning and exploitation attempts. The total number of events recorded was 1,598,810, originating from 2,708 unique attackers.

Primary Threat Vectors

Vector 1: VNC Scanning

A significant portion of the observed activity involved high-frequency scanning of VNC services, targeting TCP port 5900. This indicates potential reconnaissance and brute-force attempts to gain unauthorized access to VNC servers.

  • Top Attacker: 138.197.213.61

Vector 2: SSH Brute-Force Attempts

The honeypots observed a consistent barrage of SSH brute-force attempts targeting common usernames and passwords. This vector is designed to gain unauthorized access to systems via exposed SSH services.

  • Top Attacker: DigitalOcean AS, primarily from the addresses 138.197.213.61, 159.203.173.211 and 162.243.204.125.

Vector 3: SQL Injection Attempts

Exploitation attempts against SQL services were present. Attackers are attempting to leverage SQL injection vulnerabilities to gain control or extract data.

  • Top Attacker: Multiple sources, using SQL-related usernames and passwords.

Vector 4: Vulnerability Scanning and Exploitation

Automated vulnerability scanning was detected, with attempts to exploit known vulnerabilities like CVE-2024-14007, CVE-2024-4577, and others.

  • Top Attacker: 45.148.10.115 (CVE-2024-14007), 101.36.104.242 (CVE-2024-4577).

Attribution & Pattern Analysis

Deduction:

The activity suggests a combination of automated scanning, credential stuffing, and targeted exploitation attempts. The concentration of attacks originating from cloud providers, particularly DigitalOcean (ASN 14061), indicates the potential use of compromised or malicious infrastructure.

Cluster 1: DigitalOcean-Based Attacks

A large cluster of activity originates from DigitalOcean IP addresses. These IPs are primarily involved in VNC scanning, SSH brute-force attempts, and general vulnerability scanning.

  • Top IPs: 138.197.213.61, 159.203.173.211, 162.243.204.125
  • ASN: 14061 (DIGITALOCEAN-ASN)

Cluster 2: Vulnerability Scans

A smaller cluster of activity is focused on scanning for and exploiting known vulnerabilities, with some activity originating from different ASNs, suggesting varied actors.

  • Top IPs: 45.148.10.115, 101.36.104.242
  • Top CVEs: CVE-2024-14007, CVE-2024-4577

Top Attacking ASNs:

  • AS14061 (DIGITALOCEAN-ASN): High volume of scanning and brute-force attempts.
  • AS49870 (Alsycon B.V.): Primarily associated with scanning.
  • AS211632 (Internet Solutions & Innovations LTD.): Scanning and exploitation attempts.

Actionable Countermeasures

Action 1: Block High-Volume IPs

Block all incoming traffic from the top attacking IPs, specifically 138.197.213.61, 159.203.173.211, 162.243.204.125 and 77.83.240.70.

Justification: This will immediately mitigate a large portion of the observed malicious activity, specifically VNC scanning and SSH brute-force attempts.

Action 2: Implement Geo-Blocking

Implement geo-blocking at the perimeter to restrict access from countries with a high concentration of malicious activity, specifically US, NL, PA, GB and RO.

Justification: Limiting access from high-risk geographic locations will reduce the attack surface and prevent a large number of scans and attacks.

Action 3: Strengthen SSH Configuration

Disable password-based authentication for SSH and enforce the use of key-based authentication. Implement multi-factor authentication where possible.

Justification: This will significantly harden SSH access, making brute-force attempts ineffective.

Action 4: Patch Vulnerable Systems

Prioritize patching systems against the identified CVEs, specifically CVE-2024-14007 and CVE-2024-4577.

Justification: Patching the identified vulnerabilities will prevent successful exploitation attempts.

Action 5: Monitor and Alert

Enhance monitoring and alerting to detect and respond in real time to suspicious activity such as brute-force and exploitation attempts. Review logs for the IoCs listed in this report.

Justification: Real-time monitoring allows for quick identification and response to emerging threats.