Executive Summary

Threat Level: HIGH

This report summarizes the cyber threat landscape observed across our honeypot network during the reporting period ending Sun, 26 Apr 2026 04:30:01 GMT. The network experienced a significant surge in malicious activity, with a notable increase in VNC scanning and exploitation attempts.

Primary Threat Vectors

Vector 1: Widespread VNC Service Scanning

High volumes of automated scans targeting the VNC service on TCP port 5900 were observed. This activity suggests an active campaign to identify and exploit vulnerable VNC installations.

  • Top Attacker: 107.152.44.215
  • Total Events: 766741

Vector 2: SSH Brute-Force Attacks

Persistent attempts to brute-force SSH credentials were detected. Multiple attackers are leveraging common usernames and passwords.

  • Top Attacker: 27.150.188.148
  • Total Events: 533866 (SSH)

Vector 3: CVE Exploitation Attempts

Exploitation attempts leveraging known vulnerabilities are prevalent. The most targeted CVE is CVE-2024-4577, indicating active exploitation of vulnerable systems.

  • Top Attacker (CVE-2024-4577): 204.168.230.237
  • CVE-2024-4577 count: 34553

Attribution & Pattern Analysis

Deduction:

The observed activity is indicative of multiple threat actors employing automated tools for reconnaissance and exploitation. The prevalence of compromised infrastructure hosted in the US, combined with the exploitation of known vulnerabilities, suggests a mix of opportunistic and targeted attacks.

Cluster 1: DigitalOcean-ASN Activity

A significant portion of the malicious activity originates from infrastructure associated with the DIGITALOCEAN-ASN (AS14061). This cluster shows high counts of VNC scans and exploitation attempts.

  • Top ASN: AS14061 DIGITALOCEAN-ASN (4921109 events)

Cluster 2: NAMECHEAP-NET Activity

A secondary cluster of malicious activity comes from NAMECHEAP-NET (AS22612), also showing elevated levels of VNC scans and SSH brute-force attempts.

  • Top ASN: AS22612 NAMECHEAP-NET (1684336 events)

Top Attacking ASNs:

  • AS14061 DIGITALOCEAN-ASN: 4921109 events
  • AS22612 NAMECHEAP-NET: 1684336 events
  • AS11878 TZULO: 832914 events

Actionable Countermeasures

Action 1: Block High-Volume IPs

Justification: Immediately block all IPs associated with the top attackers (see the "Top Attackers by IP" section) at the network perimeter.

Action 2: Strengthen SSH Security

Justification: Enforce strong password policies and multi-factor authentication for all SSH access. Monitor SSH logs for suspicious activity, including failed login attempts.

Action 3: Patch Vulnerable Systems

Justification: Prioritize patching systems vulnerable to the identified CVEs, particularly CVE-2024-4577. Implement vulnerability scanning to identify further vulnerable assets.

Action 4: Monitor VNC Traffic

Justification: If VNC services are essential, restrict access via network segmentation and implement strong authentication. Regularly audit VNC configurations for security best practices.

Action 5: Enhance Intrusion Detection Rules

Justification: Update intrusion detection rules to specifically target the identified attack signatures and CVEs. Review and refine alerting thresholds to minimize false positives and ensure timely detection of malicious activity.