
SSH Botnet Activity Climbs 2100% Alongside the Iran Conflict and CISA Warnings

isc.sans.edu · @threat_watch · 3 hours ago · Cybersecurity · 2 comments

A 100-day honeypot study reveals a coordinated SSH brute-force campaign that reached 300,000 attempts in a single day, tracking geopolitical tensions and an emergency directive.

ssh, brute force, honeypot, cisa, dshield, sans

Over 20 million SSH brute force attempts hit my honeypot in 100 days, and the timing lines up exactly with war and vulnerability disclosures.

On February 25, CISA published Emergency Directive 26-03 for Cisco SD-WAN flaws. Within days, my Raspberry Pi running DShield saw a 2100% spike in SSH probing. That same week, US and Israeli strikes on Iran kicked off, and botnets clearly took notice.

300,000 Daily Probes and a 53-Second Coordinated Attack

March 8 recorded over 300,000 SSH brute force attempts in a single day - the peak of a sustained campaign that kept daily counts above 50,000 for two months. When the Iran ceasefire started in mid-April, activity dropped 95%, only to rebound in early May after CISA added a major Linux vulnerability to its catalog.

The coordinated nature of these attacks is undeniable. I found two probes from different IPs in the US and Ukraine happening within 53 seconds, sharing the same HASSH fingerprint (03a80b21afa810682a776a7d42e5e6fb) and SSH version. That fingerprint appeared in 702,706 events - a single managed attack toolkit deployed globally. DigitalOcean and M247 ASNs dominate the top ten probing IPs, with synchronized bursts suggesting a botnet controller assigning scan quotas per zombie.
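The 53-second pairing described above can be found mechanically. The following is an added example, not code from the diary or from DShield: it groups honeypot events by HASSH fingerprint and flags probes from different source IPs that land within a short window. The log shape (one JSON object per line with `timestamp`, `src_ip`, `hassh`, `version`) is an assumption modelled loosely on cowrie-style output, and the sample lines are constructed; only the HASSH value comes from the text.

```python
"""Flag probes from different IPs that share a HASSH fingerprint within a
short window, i.e. the coordination pattern the diary describes."""
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample events (assumed cowrie-like JSON lines). The HASSH of the
# first three lines is the one quoted in the diary; the client version strings
# are placeholders, not observed values.
SAMPLE_LOG = """
{"timestamp": "2026-03-08T10:00:00Z", "src_ip": "198.51.100.10", "hassh": "03a80b21afa810682a776a7d42e5e6fb", "version": "SSH-2.0-example-client"}
{"timestamp": "2026-03-08T10:00:53Z", "src_ip": "203.0.113.7", "hassh": "03a80b21afa810682a776a7d42e5e6fb", "version": "SSH-2.0-example-client"}
{"timestamp": "2026-03-08T10:30:00Z", "src_ip": "192.0.2.55", "hassh": "03a80b21afa810682a776a7d42e5e6fb", "version": "SSH-2.0-example-client"}
{"timestamp": "2026-03-08T10:00:10Z", "src_ip": "192.0.2.9", "hassh": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "version": "SSH-2.0-other-client"}
{"timestamp": "2026-03-08T10:00:20Z", "src_ip": "192.0.2.9", "hassh": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "version": "SSH-2.0-other-client"}
"""


def parse_events(text):
    """Parse JSON lines into (timestamp, src_ip, hassh) tuples."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        ts = datetime.fromisoformat(rec["timestamp"].replace("Z", "+00:00"))
        events.append((ts, rec["src_ip"], rec["hassh"]))
    return events


def find_coordinated_probes(events, window_seconds=60):
    """Return {hassh: [(ip_a, ip_b, gap_seconds), ...]} for pairs of probes
    from *different* source IPs sharing one fingerprint within the window.
    Repeated probes from a single IP are ignored: they are ordinary retries."""
    by_hassh = defaultdict(list)
    for ts, ip, hassh in events:
        by_hassh[hassh].append((ts, ip))
    hits = {}
    for hassh, probes in by_hassh.items():
        probes.sort()  # chronological, so the inner loop can stop early
        pairs = []
        for i in range(len(probes)):
            for j in range(i + 1, len(probes)):
                gap = (probes[j][0] - probes[i][0]).total_seconds()
                if gap > window_seconds:
                    break
                if probes[i][1] != probes[j][1]:
                    pairs.append((probes[i][1], probes[j][1], gap))
        if pairs:
            hits[hassh] = pairs
    return hits


if __name__ == "__main__":
    for fp, pairs in find_coordinated_probes(parse_events(SAMPLE_LOG)).items():
        print(fp, pairs)
```

On the sample this reports one fingerprint with one cross-IP pair 53 seconds apart; the same-IP retries under the second fingerprint are not flagged.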

What Stops These Attacks: Root Login and Default Ports

Over 20 million attempts in 100 days, and the vast majority targeted the 'root' user. Disabling root SSH login alone would have neutered nearly every one of these attacks. That's not a sophisticated defense - it's a configuration change most sysadmins can make in 30 seconds.

Geofencing, MFA, and SSH key authentication (properly rotated) would further shrink the attack surface. The data proves opportunistic botnets react to external events within hours, but they don't adapt well to basic hardening. They keep trying the same defaults because those defaults still work.

Next time you see a CISA alert about a Cisco or Linux flaw, expect a wave of SSH scans within 48 hours. If you haven't disabled root login and changed your SSH port yet, consider this your wake-up call.


Source: The Behavior of Coordinated SSH Brute Force Attacks over the last three months [Guest Diary], (Wed, Jun 17th)
Domain: isc.sans.edu
