Cyber threat landscape study 2023: Outpost24’s honeypot findings from over 42 million attacks


The Outpost24 research team have released the results of attack data gathered from a network of honeypots deployed to gather actionable threat intelligence. In total, 42 million attacks were registered between January 1st and September 30th 2022, with 20 honeypots evenly distributed around the world.

A detailed research report, which is available to view here, uncovered the following key attack findings:

• Brute force attacks were the most repeated attack type with 73,860 total number of attacking IPs.
• Default credentials (username: root, password: root) were counted over 5.5 million times in brute force attempts.
• Port 445 and 22 were the most targeted ports, this corresponds to Windows and Linux remote administration services.

A honeypot is a decoy system (computer, network, or software) that imitates a real system to attract malicious users and collect information about how they operate. The collected information allows administrators to develop the right defences on production systems, like blocking known attack IPs, specific network traffic, and geolocations, as well as understanding how hackers operate within a network and prevent their strategies.

The Outpost24 research found that the most attack attempts registered against their honeypots came from IP addresses in Russia, United States and China. The research report also provides analysis of the captured data, including the credentials used in brute force attacks, targeted protocols, and explanations about the types of honeypots.

“Honeypots are an essential part of threat intelligence gathering and provide us with critical source of fresh, real- world threat data to better understand our adversaries”, said Guillermo García, Head of Offsec at Outpost24. “The most frequent attack vectors in our study confirm that whilst cybercriminals are constantly looking for new opportunities to exploit technical and human vulnerabilities, known and easily fixable weaknesses like default credentials and open ports are just as dangerous.

“It further highlights the need for organisations to constantly monitor external threats and attack surface risk.


Related posts

Scroll to Top