![](https://static.wixstatic.com/media/34c96e_5b6a558cb419488793c477f9c9e6d85e~mv2.jpg/v1/fill/w_147,h_147,al_c,q_80,usm_0.66_1.00_0.01,blur_2,enc_auto/34c96e_5b6a558cb419488793c477f9c9e6d85e~mv2.jpg)
Since the beginning of January, there was consistent targeting of our honeypots from a variety of IP addresses. The traffic - directed towards SSH port 22 - predominantly originated from China, Canada, India, the United States and Germany. Peaks of malicious traffic were observed on 6 and 10 January 2024.
![](https://static.wixstatic.com/media/34c96e_4ec424b52a684a02a663e4c3aeba5823~mv2.png/v1/fill/w_45,h_25,al_c,q_85,usm_0.66_1.00_0.01,blur_2,enc_auto/34c96e_4ec424b52a684a02a663e4c3aeba5823~mv2.png)
Analysis of the activity suggests attempts to login with weak credentials.
![](https://static.wixstatic.com/media/34c96e_371f66f7540b40a89b2bf0a20c00e183~mv2.png/v1/fill/w_46,h_23,al_c,q_85,usm_0.66_1.00_0.01,blur_2,enc_auto/34c96e_371f66f7540b40a89b2bf0a20c00e183~mv2.png)
Furthermore, a review of the top ten IP addresses suggests a partial correlation with the Mirai botnet whose variant - NoaBot - has been recently targeting SSH servers to install cryptominers.
![](https://static.wixstatic.com/media/34c96e_196e565fed4f4ebda41c9f75927b96e4~mv2.png/v1/fill/w_101,h_138,al_c,q_85,usm_0.66_1.00_0.01,blur_2,enc_auto/34c96e_196e565fed4f4ebda41c9f75927b96e4~mv2.png)
Open sources also indicate some of these IP addresses are reported in connection with mass scanning activities.