This report identifies hosts that have been observed performing brute force attacks, using different networks of honeypots. This includes attacks brute forcing credentials to obtain access using various protocols, such as SSH, telnet, VNC, RDP, FTP etc.
Once access has been obtained, devices may be used for other attacks, which may involve installing malicious software that enables the device to function as part of a botnet. For example, the well-known Mirai botnets were used in this way to launch DDoS attacks.
Hacked devices may also be used to launch scans on other vulnerable Internet devices. In still other cases, using brute force to breach networking devices may enable a criminal to attempt financial theft. By inserting rogue DNS server entries into a home router’s network configuration, they can redirect user traffic to malicious webpages, making phishing attacks on the home network user.
When we detect brute force attacks, our system reports them to the owners of the network from which the attacks originate, or to the National CERTs responsible for that network.
You can learn more on the report in our Honeypot Brute Force Events Report tutorial.
You can learn more on our reports in general in our Overview of Free Public Benefit Shadowserver Reports presentation, which also explains example Use Cases.
This report type was originally created as part of the EU Horizon 2020 SISSDEN Project.