
SSH Botnet Activity Surges 2100% Tied to Iran Conflict and CISA Alerts

isc.sans.edu · @threat_watch · 2 hours ago · Cybersecurity · 2 comments

A 100-day honeypot study reveals coordinated SSH brute force campaigns that spike in lockstep with geopolitical tensions and emergency directives, peaking at 300,000 attempts in a single day.

Tags: ssh, brute force, honeypot, cisa, dshield, sans

Over 20 million SSH brute force attempts hit my honeypot in 100 days, and the timing lines up exactly with war and vulnerability disclosures.

On February 25, CISA published Emergency Directive 26-03 for Cisco SD-WAN flaws. Within days, my Raspberry Pi running DShield saw a 2100% spike in SSH probing. That same week, US and Israeli strikes on Iran kicked off, and botnets clearly took notice.

300,000 Daily Probes and a 53-Second Coordinated Attack

March 8 recorded over 300,000 SSH brute force attempts in a single day - the peak of a sustained campaign that kept daily counts above 50,000 for two months. When the Iran ceasefire started in mid-April, activity dropped 95%, only to rebound in early May after CISA added a major Linux vulnerability to its catalog.

The coordinated nature of these attacks is undeniable. I found two probes from different IPs in the US and Ukraine happening within 53 seconds, sharing the same HASSH fingerprint (03a80b21afa810682a776a7d42e5e6fb) and SSH version. That fingerprint appeared in 702,706 events - a single managed attack toolkit deployed globally. DigitalOcean and M247 ASNs dominate the top ten probing IPs, with synchronized bursts suggesting a botnet controller assigning scan quotas per zombie.

What Stops These Attacks: Root Login and Default Ports

Over 20 million attempts in 100 days, and the vast majority targeted the 'root' user. Disabling root SSH login alone would have neutered nearly every one of these attacks. That's not a sophisticated defense - it's a configuration change most sysadmins can make in 30 seconds.

Geofencing, MFA, and SSH key authentication (properly rotated) would further shrink the attack surface. The data proves opportunistic botnets react to external events within hours, but they don't adapt well to basic hardening. They keep trying the same defaults because those defaults still work.

Next time you see a CISA alert about a Cisco or Linux flaw, expect a wave of SSH scans within 48 hours. If you haven't disabled root login and changed your SSH port yet, consider this your wake-up call.
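As an added illustration of two points made above (the fingerprint-plus-timing evidence of coordination, and the share of attempts aimed at root), here is example detection logic that is not from the diary or from DShield. It runs over a handful of constructed JSON-lines events whose field names (ts, src_ip, username, hassh, client) are an assumption for this example; only the HASSH value is taken from the page.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events (field names are assumed, not a real honeypot schema).
# The HASSH value is the one reported in the diary; the IPs are documentation ranges.
SAMPLE_EVENTS = """\
{"ts": "2026-03-08T10:00:00Z", "src_ip": "203.0.113.10", "username": "root", "hassh": "03a80b21afa810682a776a7d42e5e6fb", "client": "SSH-2.0-libssh_0.9.6"}
{"ts": "2026-03-08T10:00:53Z", "src_ip": "198.51.100.7", "username": "root", "hassh": "03a80b21afa810682a776a7d42e5e6fb", "client": "SSH-2.0-libssh_0.9.6"}
{"ts": "2026-03-08T10:09:00Z", "src_ip": "192.0.2.44", "username": "root", "hassh": "03a80b21afa810682a776a7d42e5e6fb", "client": "SSH-2.0-libssh_0.9.6"}
{"ts": "2026-03-08T10:10:00Z", "src_ip": "192.0.2.44", "username": "admin", "hassh": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "client": "SSH-2.0-OpenSSH_9.6"}
{"ts": "2026-03-08T10:00:20Z", "src_ip": "203.0.113.10", "username": "root", "hassh": "03a80b21afa810682a776a7d42e5e6fb", "client": "SSH-2.0-libssh_0.9.6"}
"""

def parse_events(text):
    """Parse JSON lines into dicts with a timezone-aware datetime, sorted by time."""
    events = []
    for line in text.splitlines():
        if line.strip():
            e = json.loads(line)
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            events.append(e)
    return sorted(events, key=lambda e: e["ts"])

def root_share(events):
    """Fraction of login attempts that target the 'root' account."""
    return sum(e["username"] == "root" for e in events) / len(events) if events else 0.0

def coordinated_pairs(events, window_s=53):
    """Find probes from *different* source IPs that share a HASSH fingerprint and
    client banner and arrive within window_s seconds of each other.
    Returns (hassh, client, ip_a, ip_b, gap_seconds) tuples."""
    by_toolkit = defaultdict(list)
    for e in events:  # events are time-sorted, so each group stays time-sorted
        by_toolkit[(e["hassh"], e["client"])].append(e)
    hits = []
    for (hassh, client), group in by_toolkit.items():
        for i, a in enumerate(group):
            for b in group[i + 1:]:
                gap = (b["ts"] - a["ts"]).total_seconds()
                if gap > window_s:
                    break  # later events in a sorted group are only further away
                if a["src_ip"] != b["src_ip"]:
                    hits.append((hassh, client, a["src_ip"], b["src_ip"], gap))
    return hits

if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print(f"attempts against root: {root_share(evs):.0%}")
    for hit in coordinated_pairs(evs):
        print("same toolkit, different sources, within window:", hit)
```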


Source: The Behavior of Coordinated SSH Brute Force Attacks over the last three months [Guest Diary], (Wed, Jun 17th)
Domain: isc.sans.edu
