Mapping the Battlefield: Investigating Global Attack Trends on a CVE-2018-0101 Honeypot

Published on Dec 26, 2023

Introduction:

In the realm of cybersecurity, staying vigilant against potential threats is of utmost importance. One effective strategy in this battle is the deployment of honeypots, decoy systems designed to attract and monitor malicious activities. In this article, we delve into our experience with a honeypot specifically designed to detect CVE-2018-0101, a DoS and remote code execution vulnerability affecting Cisco ASA components.

Setting the Stage:

Deploying a low-interaction honeypot from Cymmetria Research, we embarked on a journey to monitor and analyze the attempted attacks on this honeypot over a span of 15 days. The primary goal was to gain insights into the threat landscape and the potential actors targeting this vulnerability.

Data Overview:

Over the monitoring period, we observed a total of 1,023 attack attempts, with 50 unique source IP addresses targeting the honeypot. The geographical distribution of these IP addresses shed light on the global reach of the threat landscape:

  • United States: 173 attempts
  • Singapore: 39 attempts
  • Russia: 15 attempts
  • Hong Kong: 12 attempts
  • Germany: 6 attempts
  • India: 5 attempts
  • Netherlands: 4 attempts
  • Lithuania: 2 attempts
  • Portugal: 2 attempts
  • United Kingdom: 1 attempt

Top Attacking IPs:

Among the unique source IP addresses, some stood out due to the frequency of their attempts:

  1. 164.92.120.195 – 75 attempts
  2. 43.134.108.109 – 36 attempts
  3. 83.97.73.87 – 13 attempts
  4. 118.193.36.232 – 6 attempts
  5. 159.89.15.37 – 6 attempts
  6. 45.56.108.128 – 5 attempts

Analyzing the Patterns:

These attempted attacks exhibit varying levels of sophistication and persistence. While some IP addresses targeted the honeypot multiple times, others seemed to be more opportunistic in nature. The geographical distribution of the attackers is indicative of the global interest in exploiting the vulnerability, with both developed and emerging regions being represented.
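
An added example, not part of the original article or the honeypot's own tooling: one way to separate persistent from opportunistic sources is to count the distinct days on which each source IP returned, rather than its raw attempt total. The JSON-lines schema (`timestamp`, `src_ip`), the `min_days` threshold and the sample events are assumptions constructed for illustration.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample events: assumed JSON-lines schema, documentation-range IPs.
SAMPLE_LOG = """\
{"timestamp": "2023-12-01T02:14:07", "src_ip": "192.0.2.10"}
{"timestamp": "2023-12-01T02:14:09", "src_ip": "192.0.2.10"}
{"timestamp": "2023-12-03T11:40:51", "src_ip": "192.0.2.10"}
{"timestamp": "2023-12-09T23:05:30", "src_ip": "192.0.2.10"}
{"timestamp": "2023-12-04T08:00:00", "src_ip": "198.51.100.7"}
{"timestamp": "2023-12-04T08:00:02", "src_ip": "198.51.100.7"}
{"timestamp": "2023-12-04T08:00:03", "src_ip": "198.51.100.7"}
not-json garbage line
{"timestamp": "2023-12-06T17:22:45", "src_ip": "203.0.113.99"}
"""

def profile_sources(log_text, min_days=2):
    """Return ({ip: profile}, skipped_line_count) for a JSON-lines event log."""
    days = defaultdict(set)      # ip -> set of calendar days with activity
    attempts = defaultdict(int)  # ip -> total attempts
    skipped = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            event = json.loads(line)
            ts = datetime.fromisoformat(event["timestamp"])
            ip = event["src_ip"]
        except (ValueError, KeyError, TypeError):
            skipped += 1  # malformed record: count it instead of aborting the run
            continue
        attempts[ip] += 1
        days[ip].add(ts.date())
    profiles = {}
    for ip, count in attempts.items():
        active = len(days[ip])
        # A burst within one day is opportunistic; returning on later days is persistent.
        label = "persistent" if active >= min_days else "opportunistic"
        profiles[ip] = {"attempts": count, "active_days": active, "label": label}
    return profiles, skipped

def ranked(profiles):
    """Source IPs ordered by attempt count (descending), ties broken by IP string."""
    return sorted(profiles, key=lambda ip: (-profiles[ip]["attempts"], ip))

if __name__ == "__main__":
    result, bad = profile_sources(SAMPLE_LOG)
    for ip in ranked(result):
        print(ip, result[ip])
    print("skipped lines:", bad)
```

In the sample, the second source sends three attempts within seconds and is still labelled opportunistic, which a ranking by attempt count alone would not show.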

Implications and Insights:

The data gathered from this honeypot deployment underscores the continuous and diverse threats that exist in the cybersecurity landscape. It also emphasizes the importance of staying vigilant, even against known vulnerabilities. This experience serves as a reminder that threat actors are constantly evolving their tactics and targeting various points of vulnerability.

Conclusion:

In our journey of monitoring and analyzing attack attempts on a honeypot designed to detect CVE-2018-0101, we’ve gained insights into the global nature of cybersecurity threats. The data collected over 15 days reveals not only the geographic distribution of attackers but also their varying levels of persistence. This experience reinforces the need for proactive cybersecurity measures and highlights the role that honeypots play in understanding and mitigating potential risks.

By sharing our findings, we hope to contribute to the broader cybersecurity community’s understanding of threat landscapes and encourage ongoing discussions on defense strategies against evolving cyber threats.

Disclaimer:

The data and insights presented in this article are based on the monitoring of a honeypot and should not be taken as a comprehensive representation of the entire threat landscape. Honeypot deployments are designed for research purposes and do not directly impact production environments.