The technical analysis reveals that the scanning campaigns originate from distributed subnet ranges, with notable activity from networks including 45.146.130.0/24, 179.60.146.0/24, and 185.93.89.0/24, each generating hundreds of thousands to millions of individual requests. The research, conducted by handler Jesse La Grew, reveals that this phenomenon is not isolated to individual honeypots but represents a systematic increase across multiple monitoring systems, suggesting a coordinated threat landscape evolution. The storage requirements for security teams have increased dramatically, with some organizations now requiring up to 140 GB of storage capacity just for web honeypot logs between weekly backup cycles, highlighting the operational impact of this escalated threat activity. Analysis of the traffic patterns reveals that attackers are systematically probing for vulnerable web applications, particularly targeting paths such as /__api__/v1/config/domains and /__api__/v1/logon, which are commonly associated with enterprise network management systems and authentication mechanisms. The cybersecurity landscape has witnessed an unprecedented surge in malicious scanning activity, with DShield honeypots recording over one million log entries in a single day for the first time in their operational history. The scanning activity demonstrates sophisticated targeting patterns, with threat actors focusing on specific API endpoints and configuration interfaces. The scanning patterns indicate a methodical approach to vulnerability discovery, with threat actors systematically enumerating common web application endpoints and API interfaces. Internet Storm Center analysts identified that the primary source of this massive log volume surge stems from web honeypot logs rather than traditional network scanning activities. The record-breaking activity has been sustained over several months, with multiple honeypots consistently generating logs exceeding 20 GB per day and some reaching nearly 58 GB in a single 24-hour period. This represents a substantial increase from the previous record of approximately 35 GB, indicating a coordinated and persistent campaign of internet-wide scanning activities targeting web-based vulnerabilities and services. This dramatic escalation represents a significant shift from typical honeypot activity patterns, where such high-volume events were previously considered exceptional rather than routine occurrences. Cyber Security News is a Dedicated News Platform For Cyber News, Cyber Attack News, Hacking News & Vulnerability Analysis. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news. The attackers demonstrate persistence through repeated attempts across multiple IP addresses within these ranges, suggesting the use of botnets or compromised infrastructure for sustained reconnaissance operations.
This Cyber News was published on cybersecuritynews.com. Publication date: Wed, 16 Jul 2025 07:20:17 +0000