Since the beginning of January, there was consistent targeting of our honeypots from a variety of IP addresses. The traffic - directed towards SSH port 22 - predominantly originated from China, Canada, India, the United States and Germany. Peaks of malicious traffic were observed on 6 and 10 January 2024.
Analysis of the activity suggests attempts to login with weak credentials.
Furthermore, a review of the top ten IP addresses suggests a partial correlation with the Mirai botnet whose variant - NoaBot - has been recently targeting SSH servers to install cryptominers.
Open sources also indicate some of these IP addresses are reported in connection with mass scanning activities.