Threat Landscape Snapshot H2 2017

Melissa Michael

28.02.18 3 min. read

Last year we blogged about our global network of honeypot sensors, and how these sensors help us monitor the threat landscape to get a picture of what’s happening out there. We published honeypot data from the first half of 2017, and today we’re releasing our data from the second half of the year.

Honeypots are decoy servers we use to attract the attention of attackers by appearing to offer something they want, while in reality, we monitor the server so we can gather important information about the traffic that’s attracted to it.

Compared to data from H1 2017, our data from the second half of the year doesn’t look too different. Russia is still the top source of attack traffic. And Germany, the US and China are all still top sources as well, albeit with far less traffic than Russia.

But this time France came out surprisingly as the number 2 source – a result, according to our threat analysts, that probably stems from French IoT devices being hacked and trying to spread the infections further. A July campaign on port 1900 (SSDP/UPnP) indicates attacks exploiting vulnerabilities in French IoT/Plug ‘n Play devices.

It’s worth mentioning that the presence of a country on the list does not necessarily indicate the attackers themselves are located inside that country. To evade law enforcement, attacks are commonly bounced through multiple proxies. An attacker may route through VPNs, Tor, and compromised machines or infrastructure.

The United States was the top target of attacks, as usual, with Germany in second again. Germany’s results are related to a spike in SMB activity on port 445.


[Figure: Top source and destination countries for attack traffic, H2 2017]


Attacks via SSH indicate attempts to gain remote access, such as attempts to log in as root or admin. Looking at SSH traffic, we see Russia as the clear leader. The majority of all attacks from Russia this time were via SSH, with roughly half of these directed at the US – a fact that is reflected in the destination results as well.



When it comes to ports probed, the most common was port 22 (SSH). This was followed by port 1900, indicating that, as with the traffic from France, IoT devices are still being targeted, and after that SMB port 445, indicating attackers are still getting use out of the Eternal exploits leaked from the NSA.



Looking at our “Who’s After Who” list, the top adversary relationship is no surprise:



Honeypot data gives us a look at high-level patterns and trends. But what’s going on among real organizations? One thing we can say with certainty is that fileless attacks are on the rise.

The Ponemon Institute projects that 35% of attacks in 2018 will be fileless, a 6% increase from their projection for 2017. And they add that fileless attacks are ten times more likely to succeed than traditional file-based attacks.

A SANS study found that 32% of organizations report seeing fileless attacks involving methods like privilege escalation, admin credential theft, PowerShell script attacks, and lateral movement. These are just what they see, but given the fact that fileless attacks are much more likely to succeed, what about what they don’t see?

If you’re interested in gaining visibility into your own network, learn more about endpoint detection and response.

To view or share the full infographic, download it here.
