Today @VessOnSecurity tweeted that they have seen an increase on the number of SMB attacks in their honeypot (See Figure 1). We checked our telemetry and indeed we saw an increase on the incoming traffic to our honeypots on port 445. We will describe in this blog post the observations from our telemetry.
In Aposemat IoT Laboratory we have physical IoT devices acting as honeypots. We capture the traffic of these devices in form of netflows and have historical data available to use for our machine learning researchers.
The following statistics are from one device only, which is part of our IoT infrastructure. It has a Linux SMB service on port 445 exposed to the internet.
You can read about the Aposemat Project here.
Typical Behavior of the Honeypot
Before showing the unusual activity of our IoT honeypot observed this week, we find wise to show what is the typical behavior of incoming attacks observed in this honeypot. In Figure 2 we show the amount of connections (bidirectional netflows) on from June 1st to October 1st. While there’s a clear spike on June 14, the average is roughly 3000 connections per day.
Figure 2 - Number of connections to our SMB Honeypot (1 device) from June 1st to October 1st. Source: Aposemat Project.
Similarly, we can see in Figure 3 that on the same time frame (June/01-October/01) there’s roughly an average of 1000 attacking IPs per day.
Figure 3 - Number of attacking IPs to our SMB Honeypot (1 device) from June 1st to October 1st. Source: Aposemat Project.
Sudden Spike on October 15th
On Tuesday October 15th a sudden change of behavior occurred as pointed out by @VessOnSecurity. The number of connections to the honeypot as shown in Figure 4, raised to more than 50000 per day (normal average was 3000 connections per day).
Figure 4: The number of connections spiked to more than 50000 on October 15th. Source: Aposemat Project.
This increase was significant, however if we look at Figure 5, we can observe that the number of unique IPs attacking the honeypot slightly raised but not considerably. This generates some questions on who is attacking: are these new attackers? old attackers with new techniques? how many IPs are causing this spike?
Figure 5 - The number of attacking IPs to the SMB Honeypot (1 device) during the days of the spike raised but not considerably. Source: Aposemat Project.
When mapping the number of connections per attacking IP in Figure 6 and Figure 7 two things called our attention. First that the attacking IPs generating the spike of flows are less than a dozen. Second, that the attacking IPs were not observed in the past week (Figure 6) or past month (Figure 7). And third that the attacking IPs since October 15th are not attacking all the time, they are switching. There are only 3 IPs that are attacking for two days in a row (October 15th and 16th): 78.188.215.216, 128.201.76.185, and 178.158.131.138.
Figure 6 - Number of connections per attacking IP in the last 7 days. Source: Aposemat Project.
Figure 7 - Number of connections per attacking IP in the last 30 days. Source: Aposemat Project.
Attacking IPs
The attacking IPs observed in the last three days are listed below along with the number of connections observed since October 15th:
78.188.215.216 (16038 connections since Oct 15th)91.221.132.131 (18717 connections since Oct 15th)103.195.0.44 (10751 connections since Oct 15th)114.5.97.142 (14034 connections since Oct 15th)128.201.76.185 (16264 connections since Oct 15th)131.153.26.210 (14772 connections since Oct 15th)134.249.116.193 (21959 connections since Oct 15th)178.158.131.138 (20556 connections since Oct 15th)178.35.149.211 (22641 connections since Oct 15th)185.98.26.34 (12611 connections since Oct 15th)
Looking at past telemetry, we only observed the IP 91.221.132.131 in July attacking the same device in July 10th, 2019.
Figure 8 - Geolocation map of the attacking IPs listed above. Source: Aposemat Project.
Update on October 18th, 2019, 09:31 AM
The total number of connections on October 17th was 107546.