What do Ports Hear When Nobody's Listening? An Assessment of Automated Cybercrime [Guest Diary]
A SANS Internet Storm Center assessment based on honeypot observations describes campaigns from TerraBot, r00ts3c, and rondo (aka: RondoDox) that repeatedly scan and attempt exploitation of devices and web services. The activity targets multiple flaws including CVE-2016-20017 (legacy D-Link DSL gateway routers) and CVE-2018-10561 (Dasan GPON routers), plus CVE-2016-20016 on legacy MVPower CCTV DVRs/JAWS Webserver RCE; later phases also include CVE-2025-34037 (Linksys E-series routers), CVE-2021-44228 (Log4Shell WAF Evasion), CVE-2023-48022 (ShadowRay), CVE-2023-26801 (LB-LINK command injection), and CVE-2018-6000 (ASUS AsusWRT NVRAM manipulation). The takeaway is that high-volume automation and quickly evolving payload chains can turn “background noise” into persistent, cross-environment risk—even when individual exploit attempts contain errors.
\This is a Guest Diary by Nicole Phillips, an ISC intern as part of the [SANS.edu BACS program]
"I was just sitting here enjoying the company. Plants got a lot to say, if you take the time to listen."
— Eeyore, Winnie the Pooh
Introduction: Listening to the Static
Setting up and contributing to the DShield honeypot project [1] as an ISC intern is a meaningful part of the BACS program at SANS [2]. Over the last several months I've been thrilled to observe real-time SSH/Telnet activity, check every new file hash and TTY log and hunt for unique http requests. That said, reviewing raw honeypot logs can feel overwhelming. Every day, public facing servers are bombarded by millions of identical hits, mostly automated, creating a fog of noise that seems repetitive, yet disconnected and chaotic. After seeing the same sequence of activity day in and day out, it becomes easy to dismiss traffic as loud background static.…