Analysis of 24-hour honeypot statistics reveals a dual-pronged, high-volume threat landscape targeting common vulnerabilities and critical enterprise services.
💥 Executive Summary
- Dominant Threat: A high-volume SSH Brute-Force and Credential Stuffing campaign accounts for 54.8% of total malicious traffic. This campaign primarily originates from Russia (RU) and Romania (RO) and targets weak/default credentials on Linux/IoT systems for botnet recruitment and cryptomining.
- Secondary Threat: A highly targeted Web-Based Reconnaissance campaign is actively probing for sensitive configuration files (.env) and exploiting known vulnerabilities in popular enterprise services like Outlook Web Access (OWA).
- Key Takeaway: The current threat is a combination of large-scale, low-effort botnet recruitment and specific, high-value initial access attempts against corporate networks.
🌍 Attack Geography, Volume, and Indicators of Compromise (IOCs)
The attacks are heavily centralized in Eastern European infrastructure, suggesting a reliance on sophisticated, high-volume botnet and scanning networks.
Top Attacker Countries
| Country (ISO) | Volume | Percentage | Threat Profile |
|---|---|---|---|
| RU (Russia) | 395 | 39.6% | Primary source of high-volume SSH attacks; origin of highly malicious infrastructure (e.g., Proton66 LLC). |
| RO (Romania) | 187 | 18.8% | Secondary source; likely compromised consumer or datacenter hosts. |
| US (United States) | 156 | 15.6% | Often used for cloud-based Command and Control (C2) or proxy infrastructure. |
| GB (Great Britain) | 80 | 8% | Potential proxy or residential infected hosts. |
Confirmed Highly Malicious Source IPs (IOCs)
The following top-volume IPs are crucial IOCs confirmed to be involved in continuous cybercrime and are likely participating in both SSH and web-based attacks:
| Source IP (IOC) | Volume | Country (ISO) | Threat Intelligence Summary |
|---|---|---|---|
| 45.135.232.177 | 119 | RU 🇷🇺 | Confirmed Highly Malicious. Hosted on Proton66 LLC. Reported over 295,000 times for SSH Brute-Force attacks globally. |
| 45.140.17.124 | 110 | RU 🇷🇺 | Confirmed Highly Malicious. Also hosted on Proton66 LLC. Reported over 174,000 times for SSH Brute-Force. Known malicious scanner network. |
| 91.215.85.45 | 105 | RU 🇷🇺 | Located in Russia, reported for abusive scanning and brute-force campaigns. |
🔓 Threat Vector Analysis & Associated Malware
1. SSH Brute-Force Avalanche (54.8% of Traffic)
| Target Weakness | Description of Attack | Associated Malware / Campaigns |
|---|---|---|
| Weak Credentials | Attempts focus on default usernames (root, admin, user) and common passwords (support, admin, 123456) on Linux and IoT devices. | Mirai Botnet: Compromises Linux IoT devices for massive DDoS attacks. Mozi Botnet: P2P botnet for a huge share of IoT malicious traffic. |
| Default Accounts | Targeting device/OS-specific defaults like debian, ubuntu, and telecomadmin to find unpatched/unconfigured systems. | XMRig/Cryptominers: Gains initial access via SSH brute-force to deploy Monero mining software. RedTail Cryptominer Campaign: Notorious for initial access via exploitation and subsequent propagation/credential theft via SSH. |
2. Web-Based Reconnaissance (Targeted Attacks)
| Targeted URL/Pattern | Description of Attack | Vulnerability/IOC |
|---|---|---|
| .env, /docker/.env | High-priority attempts to steal environment configuration files. | Information Exposure: Success leaks application secrets, API keys, and database credentials, bypassing authentication. |
| /owa/, /webui | Probing for Outlook Web Access (OWA) and generic web management interfaces. | Exploitation of Known Flaws: E.g., recent Microsoft Exchange vulnerabilities (CVE-2023-23397, CVE-2024-21410) or simple brute-force. Hallmark of state-sponsored (APT) or sophisticated organized crime groups. |
Cross-Referenced Critical Vulnerability
A honeypot log request referenced a known, critical threat: CVE-2024-4577 being exploited by the RedTail Cryptominer Campaign. This vulnerability is a Critical (CVSS 9.8) PHP Argument Injection flaw primarily affecting PHP on Windows running in CGI mode. RedTail uses this for initial access, then performs Monero mining and deploys a malicious SSH agent for lateral movement, highlighting the interconnection between web and SSH threats.
✅ Mitigation and Defense Recommendations
Organizations must prioritize hardening the attack surfaces identified:
Harden SSH Access (Neutralize 54.8% of Attacks)
- Enforce Key-Only Authentication: Disable password authentication entirely and enforce Public Key Authentication for all users.
- Access Control: Use a tool like Fail2ban to automatically block IPs after a few failed login attempts.
- Account Hygiene: Ensure no default usernames (root, admin, user, etc.) are active or allow direct login.
- Port Obfuscation: Change the default SSH port (22) to a non-standard high port.
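The SSH hardening items above can be verified mechanically. The following audit script is an added example, not part of the original report: it parses an sshd_config and checks the settings the list calls for (key-only authentication, no direct root login, non-default port). The config text is a constructed sample; on a real host you would feed it the contents of /etc/ssh/sshd_config. It reproduces one rule that routinely defeats hardening attempts: sshd keeps the first value it reads for a keyword, and anything after a Match line is conditional, so a hardened line placed below a weak one or below a Match block does nothing for anonymous attackers.

```python
"""Audit an sshd_config against the SSH hardening checklist (added example)."""
import re

# Values the checklist requires, keyed by lowercased sshd keyword.
REQUIRED = {
    "passwordauthentication": {"no"},
    "pubkeyauthentication": {"yes"},
    "permitrootlogin": {"no", "prohibit-password"},
}
# sshd's built-in defaults, used when a keyword never appears in the file.
DEFAULTS = {
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "port": "22",
}

# Constructed sample config. The second PasswordAuthentication line is ignored
# by sshd (first value wins), and the PermitRootLogin inside the Match block
# only applies to user "deploy", so the global root policy stays "yes".
SAMPLE_CONFIG = """
# constructed sshd_config sample
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PasswordAuthentication no
PubkeyAuthentication yes
Match User deploy
    PermitRootLogin no
"""


def parse_sshd_config(text):
    """Return the effective global settings (lowercase keyword -> first value).

    Lines after a Match directive are conditional and are skipped, because
    only the global values decide what an unauthenticated client is offered.
    """
    settings = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and value may be separated by whitespace or '='.
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if keyword == "match":
            in_match = True  # everything from here on is conditional
            continue
        if in_match:
            continue
        settings.setdefault(keyword, value)  # first occurrence wins, as in sshd
    return settings


def audit_sshd_config(text):
    """Return a list of findings; an empty list means the checklist is met."""
    effective = dict(DEFAULTS)
    effective.update(parse_sshd_config(text))
    findings = []
    for keyword, allowed in REQUIRED.items():
        if effective[keyword] not in allowed:
            findings.append(
                f"{keyword} is '{effective[keyword]}', expected one of {sorted(allowed)}"
            )
    if effective["port"] == "22":
        findings.append("port is 22, expected a non-standard high port")
    return findings


if __name__ == "__main__":
    for finding in audit_sshd_config(SAMPLE_CONFIG):
        print("FAIL:", finding)
```

The sample produces three findings (password authentication still on, root login still permitted, port still 22) even though the file contains lines that appear to fix two of them. Run `sshd -T` on the host to confirm the effective values the daemon actually uses before trusting any audit of the file alone.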
Web Application Security
- Block Public Access to Sensitive Files: Configure web servers (e.g., Apache, Nginx) to explicitly deny access to sensitive files like .env, .git, or .dockerignore.
- Patch Critical Flaws: Immediately apply all security updates for services like OWA/Exchange and any public-facing web UIs. Ensure all PHP versions, particularly on Windows servers running CGI, are patched against CVE-2024-4577.
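A deny rule for dotfiles is only as good as the path it inspects. The function below is an added example, not part of the original report and not Apache or Nginx configuration: it shows the normalisation a web server performs (percent-decoding, collapsing `.` and `..` segments) before a rule like Nginx's `location ~ /\.` is matched, and then applies the deny decision to every segment of the normalised path. All request paths are constructed samples modelled on the probes in the honeypot data. It also carves out `.well-known`, which ACME certificate validation needs to reach, an exception the report does not mention and that is added here as a practical caveat.

```python
"""Dotfile deny check on the normalised request path (added example)."""
import posixpath
from urllib.parse import unquote

# Names the report lists as high-value targets; any other dotfile is blocked too.
BLOCKED_NAMES = {".env", ".git", ".dockerignore"}
# Dot-directories that must stay reachable (ACME HTTP-01 challenges live here).
ALLOWED_DOTDIRS = {".well-known"}


def normalize_path(raw_path):
    """Percent-decode and collapse '.'/'..' segments the way a web server does."""
    decoded = unquote(raw_path.split("?", 1)[0])
    # normpath resolves 'a/../b' and repeated slashes; the leading '/' keeps
    # '..' from escaping above the document root.
    return posixpath.normpath("/" + decoded.lstrip("/"))


def is_blocked(raw_path):
    """True if any segment of the normalised path is a dotfile not on the allow list."""
    for segment in normalize_path(raw_path).split("/"):
        if segment in ALLOWED_DOTDIRS:
            continue
        if segment in BLOCKED_NAMES or (segment.startswith(".") and segment not in (".", "..")):
            return True
    return False


# Constructed requests: the first four should be denied, the rest served.
SAMPLE_REQUESTS = [
    "/.env",
    "/docker/.env",
    "/%2eenv",                 # percent-encoded dot defeats a raw-string match
    "/static/../.git/config",  # traversal defeats a prefix match on /static/
    "/.well-known/acme-challenge/token",
    "/index.php",
    "/assets/app.css",
]


def classify(requests):
    """Map each request path to 'deny' or 'allow'."""
    return {path: ("deny" if is_blocked(path) else "allow") for path in requests}


if __name__ == "__main__":
    for path, verdict in classify(SAMPLE_REQUESTS).items():
        print(f"{verdict:5} {path}")
```

The third and fourth samples are the ones a naive `startswith("/.")` check would let through; checking after normalisation is what makes the rule hold. Keep the server-side rule regardless, and use a check like this in tests or a WAF to confirm the rule actually fires.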
Monitor and Block IOCs
- Immediate Blacklisting: Actively block all traffic from the identified high-volume attacker IPs, especially those on the Proton66 range: 45.135.232.177, 45.140.17.124, 91.215.85.45, and their respective subnets.
- Network Monitoring: Monitor network logs for any connections to these IOCs, which would indicate a successful initial compromise.
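The monitoring recommendation above, together with the SSH brute-force and web-reconnaissance tables in the threat vector section, can be turned into a single triage pass over local logs. The script below is an added example, not part of the original report: the log format and every sample line are constructed, and only the three IP addresses are the report's real IOCs. It (1) counts failed SSH logins per source and lists the usernames tried, so a credential-stuffing source shows up as many distinct default accounts from one IP, (2) flags requests for the `.env`, `/owa/` and `/webui` patterns the report names, and (3) matches every source against the IOC list and, as an assumption standing in for "their respective subnets", each IOC's /24. The address `45.140.17.9` is a constructed value chosen to fall inside one of those /24 ranges.

```python
"""Triage constructed honeypot log lines against the report's indicators (added example)."""
import ipaddress
import re
from collections import defaultdict

# IOCs published in the report; the /24 expansion is an assumption.
IOC_IPS = {"45.135.232.177", "45.140.17.124", "91.215.85.45"}
IOC_NETS = [ipaddress.ip_network(ip + "/24", strict=False) for ip in IOC_IPS]

# Path patterns from the web-reconnaissance table.
PROBE_PATTERNS = [
    re.compile(r"/\.env$"),
    re.compile(r"^/owa/", re.IGNORECASE),
    re.compile(r"^/webui", re.IGNORECASE),
]

BRUTE_FORCE_THRESHOLD = 5  # failed logins from one source before it is flagged

# Constructed sample log: sshd-style auth failures and access-log-style requests.
SAMPLE_LOG = """\
sshd: Failed password for root from 45.135.232.177 port 51222 ssh2
sshd: Failed password for admin from 45.135.232.177 port 51230 ssh2
sshd: Failed password for user from 45.135.232.177 port 51241 ssh2
sshd: Failed password for root from 45.135.232.177 port 51250 ssh2
sshd: Failed password for debian from 45.135.232.177 port 51263 ssh2
sshd: Failed password for telecomadmin from 45.135.232.177 port 51270 ssh2
sshd: Failed password for root from 203.0.113.9 port 40001 ssh2
http: 45.140.17.9 GET /docker/.env 404
http: 198.51.100.7 GET /owa/auth/logon.aspx 404
http: 198.51.100.7 GET /index.html 200
"""

SSH_FAIL = re.compile(r"Failed password for (?P<user>\S+) from (?P<ip>[\d.]+)")
HTTP_REQ = re.compile(r"http: (?P<ip>[\d.]+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d+)")


def ioc_match(ip):
    """Return 'exact', 'subnet' or None for an IP against the IOC list."""
    if ip in IOC_IPS:
        return "exact"
    addr = ipaddress.ip_address(ip)
    return "subnet" if any(addr in net for net in IOC_NETS) else None


def triage(log_text):
    """Return brute-force sources, sensitive-path probes and IOC hits."""
    failures = defaultdict(list)  # ip -> usernames attempted
    probes = []                   # (ip, path) for sensitive-path requests
    seen_ips = set()
    for line in log_text.splitlines():
        m = SSH_FAIL.search(line)
        if m:
            failures[m["ip"]].append(m["user"])
            seen_ips.add(m["ip"])
            continue
        m = HTTP_REQ.search(line)
        if m:
            seen_ips.add(m["ip"])
            if any(p.search(m["path"]) for p in PROBE_PATTERNS):
                probes.append((m["ip"], m["path"]))
    brute_force = {
        ip: sorted(set(users))
        for ip, users in failures.items()
        if len(users) >= BRUTE_FORCE_THRESHOLD
    }
    ioc_hits = {}
    for ip in seen_ips:
        kind = ioc_match(ip)
        if kind:
            ioc_hits[ip] = kind
    return {"brute_force": brute_force, "probes": probes, "ioc_hits": ioc_hits}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for ip, users in result["brute_force"].items():
        print(f"brute-force {ip}: {len(users)} distinct usernames {users}")
    for ip, path in result["probes"]:
        print(f"probe       {ip}: {path}")
    for ip, kind in sorted(result["ioc_hits"].items()):
        print(f"ioc-{kind:6} {ip}")
```

On the sample, the Proton66 address is flagged both as a brute-force source (five distinct default usernames in six attempts) and as an exact IOC hit, the `/docker/.env` probe comes from a subnet match, and the single failure from `203.0.113.9` stays below the threshold. The same three checks run over the outbound side of a firewall log are what the "Network Monitoring" item asks for: an internal host connecting to any of these addresses is the signal of a successful compromise.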
