July 13, 2026
What attackers really do when you leave a door open
We hear about cyberattacks all the time, Novo Nordisk is a recent big one, the recent Fortinet “Fortibleed” campaign which harvested…
By RRider
2 min read
We hear about cyberattacks all the time, Novo Nordisk is a recent big one, the recent Fortinet "Fortibleed" campaign which harvested credentials from approximately 75000 internet connected devices is also one which has made the rounds.
But beyond what you can read in reports or write ups, what really does happen when you leave the internet an open door?
Setup
Simple, but effective. A Cowrie honeypot, which, from the outside looking in, seemingly leaves an SSH service open, and then presents the user with a shell. Of course, it's a fake shell, and cowrie never lets them touch the real system. Logs come out as a JSONL, which I used to ingest into Elasticsearch vie Kibana file upload.
Keep in mind, I only left it open for 48 hours.
To visualize the data I used a custom dashboard.
What the data unveils
Well, first of all, how risky it is to leave an SSH service open on port 22 with no sort of fail2ban or anything, but that's the obvious bit.
We mainly see T1592 (Active Scanning), more specifically gathering victim host information, which Volt Typhoon is associated to. It lines up with our data, since many IPs were Chinese, Indonesian etc.
There's a lot of T1110 (Brute forcing) too, which we can see from the usernames and passwords tried.
The credential lists are pretty predictable, top usernames are evergreen classics such as root, admin, ubuntu, user with pi being an interesting entry. Passwords are more of the same, 123456, password, admin etc.
Credential stuffing is apparently still in vogue, which tells us that a significant amount of systems on the internet are still running default or easily guessable creds, otherwise these campaigns would've shut down since they're not profitable.
What do they do once they're in?
Some standard recon is the answer, checking what OS, hardware, network interfaces. /proc/cpuinfo/ is also checked, which leads us to the miner check:
ps -ef | grep '[Mm]iner'
ps | grep '[Mm]iner'ps -ef | grep '[Mm]iner'
ps | grep '[Mm]iner'They have a look see, to check if there's already a miner running so they can drop their own, from this we can gather cryptojacking has become so commonplace that they check if the machine's already running a miner, since it would be unprofitable to run their own on top of it.
Something more serious is that large ls command.
ls -la ~/.local/share/TelegramDesktop ...ls -la ~/.local/share/TelegramDesktop ...This is looking for Telegram Desktop session data, likely trying to steal credentials to obfuscate their own malware campaign, we've seen telegram bots be used as C2 servers time and again by many bad actors.
The locate command is likely looking for a hash from a binary or wallet file associated with a known malware campaign, probably a threat actor trying to manage their own footprint.
Most interesting of all is how prominent Go is, judging by the SSH version used. From the hassh values we can tell it was mainly all one attacker, but still interesting nonetheless.
Key takeaways
If there's one thing I'd take away from this experiment, it's that default credentials are still a big attack vector and shouldn't be underestimated.
Port 22 exposure is not a great idea, since it attracts automated mass scanning, like we saw here.
Telegram credentials are sought after, likely for ransomware C2, or just for pure resale value.
Conclusion
It's clear we can gather a wealth of information with just 48 hours of unattended time and a few euros for a VPS and it doesn't take much time to set up thanks to how well documented and easy to use the ELK stack is, along with Cowrie.