Numerous studies have explored SSH attacks, often focusing on specific botnet activities or providing short-term
analyses of particular honeynets. In this paper, we present an analysis of data collected from a large-scale honeynet
over a three-year period, shedding light on gradual shifts in attacker behavior. Our findings suggest a trend toward
more exploratory attacks, with indications that attackers are increasingly moving beyond the blind execution of scripts.
We observe changes in techniques as new bots appear with unique methods and established botnets modify their approaches over time. Furthermore, attackers have adopted a more scouting approach in recent months, showing increased adaptability in their tactics. Additionally, there is a clear preference for utilizing recently registered ASes as storage locations for malicious files. Our findings also suggest that attackers are increasingly aware of honeypot presence. Some attackers actively search for these traps, while others exploit honeypots for their own purposes, underscoring the need for a new generation of more advanced honeypots. Lastly, we conduct a detailed investigation into one of the most prevalent attacks, challenging existing assumptions about the attacker's identity.