
Bot attacks against RDP, SSH examined

Rapid7's RDP and SSH honeypots recorded tens of millions of connection attempts from September 10, 2021 to September 9, 2022, and nearly all of the passwords tried against them appear in the rockyou2021.txt collection, which contains nearly 8.4 billion passwords, SecurityWeek reports. Rapid7 researchers found that only 14 of the 497,848 passwords used against the SSH honeypots were not present in rockyou2021, while only one password tried against the RDP honeypots was missing from the collection; that password, AuToLoG2019.09.25, was the 13th most used password. The findings also showed that '123456', 'nproc', 'test', 'qwerty', and 'password' were the leading passwords used in SSH attack attempts, while the empty string, '123', 'password', '123qwe', and 'admin' were the most used passwords in attacks against RDP honeypots. "The concentration on lame and default passwords demonstrates that there are still enough in common use to make the attacks worthwhile for the attackers," said Rapid7 Director of Research Tod Beardsley.
