In a previous diary [1], we looked at how numbers were used within passwords submitted to honeypots. One of the items of interest was how dates, and more specifically years, were represented within the data and how that changed over time. Years and seasons are often used in passwords, especially when password policies require frequent password changes. Some examples we might see today:

- Spring2026!
- Spring26
- April2026
- April@2026
- AprilShowers26
- Bloom2026
- Easter2026!
- Passover2026

How is this data represented within passwords submitted to honeypots? Are bots updated to incorporate new year values at certain intervals?

Date range of data: 4/21/2024 - 3/29/2026
Number of unique passwords: 496,562

Figure 1: Top 10 contiguous numbers used in passwords submitted to a sample of DShield honeypots.

When looking at contiguous numbers used within passwords, we see data similar to a couple of years ago. The top two contiguous numbers seen within passwords submitted to honeypots were 123 and 1. However, rather than many of the other high-volume contiguous numbers being a subset of 123456, the passwords included other numbers such as 100000, 19, 69 and 200. It turns out that this activity was related to a potential DDoS or stress test of an endpoint using ICMP: 100000 was the desired number of packets sent to the destination host, and the other numbers represented each octet of the destination IP.

Figure 2: Passwords submitted to honeypots that were actually commands meant to run once access was gained to the honeypot.

The source IP %%ip:147.45.47.117%% was attempting these commands between 11/18/2024 and 11/24/2024. The activity was seen on honeypots distributed in GCP, Digital Ocean, Azure and a residential honeypot. It was not seen in samples from an AWS honeypot. Other activities from this source were seen between 11/14/2024 and 12/1/2024.
Most of the sessions from this host are repeated attempts to download a script from %%ip:45.125.66.215%% and install it as a service.

Figure 3: Repeated attempts to set up and install a service using a script downloaded from %%ip:45.125.66.215%%.

Unfortunately, the file was not downloaded by any of the honeypots, so there was no file to reference.

Okay, back to passwords and number usage. Let's take a look at how frequently individual numbers are used in the passwords submitted to honeypots.

Figure 4: Individual number frequency within passwords submitted to honeypots.

Similar to the previous review, generally the lower the number, the more frequently it is used in a password. The most common digits are 0, 1, 2 and 3. What about 4-digit numbers?

Figure 5: Top 10 numbers used within passwords submitted to honeypots, restricted to numbers containing only 4 digits.

This was also similar to the previous review. 1234 is still the most common, and the most prevalent year seen is usually the prior year. We do see 2026 in this list, but since there are only a few months of data, it hasn't quite hit the vo
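To reproduce the digit-run counts behind Figures 1 and 5, here is an added example (not code from the diary) that extracts contiguous digit runs from passwords, ranks them, and sets aside command-like submissions such as the ICMP stress-test case so they do not skew the counts. The password sample and the 192.0.2.10 address are constructed.

```python
"""Count contiguous digit runs in honeypot-submitted passwords."""
import re
from collections import Counter

DIGIT_RUN = re.compile(r"\d+")
# Whitespace or a dotted-quad marks a submission that is probably a command
# typed at the password prompt (the ICMP case), not a credential guess.
COMMAND_LIKE = re.compile(r"\s|\b\d{1,3}(?:\.\d{1,3}){3}\b")

# Constructed sample; the diary's data set had 496,562 unique passwords.
SAMPLE = [
    "Spring2026!", "April@2026", "123456", "admin123", "P@ssw0rd1",
    "Easter2026!", "1234", "Winter2025", "pass1234", "root123",
    "ping -c 100000 192.0.2.10",  # command-like, excluded from the counts
]

def digit_runs(password):
    """Every maximal run of consecutive digits in a password."""
    return DIGIT_RUN.findall(password)

def is_command_like(password):
    """True when the submission looks like a shell command, not a password."""
    return bool(COMMAND_LIKE.search(password))

def top_runs(passwords, n=10, width=None):
    """Most common digit runs; width=4 restricts to 4-digit numbers (Figure 5)."""
    counts = Counter()
    for pw in passwords:
        if is_command_like(pw):
            continue
        for run in digit_runs(pw):
            if width is None or len(run) == width:
                counts[run] += 1
    return counts.most_common(n)

def year_runs(passwords, low=1990, high=2030):
    """4-digit runs that fall in a plausible year range, most common first."""
    return [(r, c) for r, c in top_runs(passwords, n=None, width=4)
            if low <= int(r) <= high]
```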
Security & IT News
Live: Real-time news from 13+ trusted sources — BleepingComputer, The Hacker News, Krebs on Security, Dark Reading & more.
A massive campaign impacting nearly 100 online stores using the Magento e-commerce platform hides credit card-stealing code in a pixel-sized Scalable Vector Graphics (SVG) image. [...]
The popular open source VPN maker is the second high-profile developer to say Microsoft locked his account without notifying him and is blocking their ability to send software updates to users.
A threat actor tracked as UNC6783 is compromising business process outsourcing (BPO) providers to gain access to high-value companies across multiple sectors. [...]
A new campaign delivering the Atomic Stealer malware to macOS users abuses the Script Editor in a variation of the ClickFix attack that tricked users into executing commands in Terminal. [...]
Security researchers exposed a spying campaign by a hack-for-hire group that used Android spyware and phishing to steal iCloud credentials and hack victims’ devices.
CISA has given U.S. government agencies four days to secure their systems against a critical-severity vulnerability in Ivanti Endpoint Manager Mobile (EPMM) that has been exploited in attacks since January. [...]
Cybersecurity researchers have flagged a new variant of malware called Chaos that's capable of hitting misconfigured cloud deployments, marking an expansion of the botnet's targeting infrastructure. "Chaos malware is increasingly targeting misconfigured cloud deployments, expanding beyond its traditional focus on routers and edge devices," Darktrace said in a new report.
Security researchers discovered a remote code execution (RCE) vulnerability in Apache ActiveMQ Classic that has gone undetected for 13 years and could be exploited to execute arbitrary commands. [...]
This is the seventh update to the TeamPCP supply chain campaign threat intelligence report, When the Security Scanner Became the Weapon (v3.0, March 25, 2026). Update 006 covered developments through April 3, including the CERT-EU European Commission breach disclosure, ShinyHunters' confirmation of credential sharing, Sportradar breach details, and Mandiant's quantification of 1,000+ compromised SaaS environments. This update consolidates five days of intelligence from April 3 through April 8, 2026.

HIGH: Cisco Development Environment Breached via Trivy Supply Chain, 300+ Repositories Stolen

BleepingComputer reported that threat actors leveraged credentials stolen through the Trivy supply chain compromise (%%cve:2026-33634%%) to breach Cisco's internal development environment. The attackers gained access to build systems and developer workstations through a malicious GitHub Action plugin. The breach scope is substantial:

- Over 300 private GitHub repositories containing Cisco source code were cloned, including code for AI-powered products and unreleased items
- Customer repositories belonging to banks, business process outsourcing firms, and US government agencies were among those exfiltrated
- AWS keys were stolen and used for unauthorized activities across Cisco's cloud accounts
- Multiple threat actors were reportedly involved in the Cisco CI/CD and AWS account breaches, with varying degrees of activity

ShinyHunters subsequently expanded their claims beyond the development environment, alleging access to 3 million or more Salesforce records, additional GitHub repositories, and AWS S3 buckets. The claimed dataset allegedly includes records tied to personnel at FBI, DHS, DISA, IRS, and NASA, as well as the Australian Ministry of Defense and Indian government agencies. These expanded claims have not been independently verified. ShinyHunters set an extortion deadline of approximately April 3.

As of April 8, no public data dump has materialized and Cisco has not issued a public statement specifically addressing the ShinyHunters extortion claim. The deadline passing without publication, combined with CipherForce's infrastructure outage documented below, represents the second data point suggesting potential friction in the campaign's monetization pipeline.

The Cisco breach is significant because it is the highest-profile technology company confirmed as a direct victim of the Trivy supply chain compromise. The involvement of multiple threat actors in a single victim's environment is consistent with the credential-sharing pattern documented in Update 006. The theft of customer source code repositories for banks and US government agencies creates secondary exposure obligations for downstream organizations.

Recommended action: Organizations that are Cisco customers or partners, particularly those with source code or build artifacts hosted in Cisco's development infrastructure, should contact Cisco to determine whether their repos
Cybersecurity researchers have lifted the curtain on a stealthy botnet that's designed for distributed denial-of-service (DDoS) attacks. Called Masjesu, the botnet has been advertised via Telegram as a DDoS-for-hire service since it first surfaced in 2023. It's capable of targeting a wide range of IoT devices, such as routers and gateways, spanning multiple architectures. "Built for
Operation Masquerade: The FBI and DoJ disrupted a Russian GRU campaign that hijacked routers via DNS attacks to spy on users and steal credentials.
Google API key flaw exposes mobile apps to Gemini AI access, private files and billing risks
The LAPD said the breach affected “a digital storage system” belonging to the city’s Attorney's Office. The World Leaks extortion gang was reported to be behind the attack.
The maker of the popular open source file encryption software VeraCrypt said Microsoft locked his online account, which may prevent device owners from booting up their computers.
Ninja Forms File Upload RCE via unauthenticated arbitrary file upload; update to 3.3.27 immediately
One question that often comes up when I talk about honeypots: are attackers able to figure out if they are connected to a honeypot? The answer is pretty simple: yes! Most medium-interaction honeypots, like the one we are using, are just simulating various systems. These simulations are incomplete. For example, we are using the Cowrie honeypot to emulate SSH and telnet servers. Once an attacker is connected, any package they install will appear to install. In the past, I have written about attackers attempting to install bogus packages. If the install appears to succeed, the attacker knows they are connected to a honeypot. Some attackers look for SSH artifacts, such as the number and types of ciphers supported by SSH.

Today, I noticed one attacker (IP address %%ip:45.135.194.48%%) using another common trick: Cowrie will often accept login attempts at random. The effect is that various username and password combinations appear to work. In this case, the attacker used usernames and passwords that are highly unlikely to work. If they succeed, they know they are connected to a honeypot. Here are some of the usernames and passwords used:

username            password
admin               definitely_not_valid_creds
honeypot            indexer
honeypotter         imaginegettingindexed
xXhoneypotXx        P@ssw0rd1337!
youjustgotindexed   getindexedretard

Will we do anything to block these types of requests? Maybe... I am not sure it is important enough to hide honeypots. One advantage we have is that many of our honeypots are connected to home networks with dynamic IPs. As a result, any IP address list an attacker creates is somewhat ephemeral. Secondly, we are mostly interested in internet-wide scans. We are not going to detect targeted attacks or zero days.

-- Johannes B. Ullrich, Ph.D., Dean of Research, SANS.edu
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
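As an added example (not code from the diary or from the Cowrie project), the following reads Cowrie's JSON login events and flags the two tells described above: credentials that name the honeypot, and a source whose unrelated guesses all succeed. The eventid, username, password and src_ip field names are Cowrie's; the log lines and their TEST-NET addresses are constructed.

```python
"""Spot honeypot-fingerprinting logins in Cowrie JSON logs."""
import json
import re
from collections import defaultdict

# Tokens from the credentials quoted in the diary; extend from your own logs.
PROBE_TOKENS = re.compile(r"honeypot|indexed|not_valid", re.IGNORECASE)

# Constructed sample of Cowrie JSON lines (TEST-NET source addresses).
LOG_LINES = [
    '{"eventid":"cowrie.login.success","username":"admin","password":"definitely_not_valid_creds","src_ip":"192.0.2.7","session":"a1"}',
    '{"eventid":"cowrie.login.success","username":"honeypot","password":"indexer","src_ip":"192.0.2.7","session":"a2"}',
    '{"eventid":"cowrie.login.success","username":"xXhoneypotXx","password":"P@ssw0rd1337!","src_ip":"192.0.2.7","session":"a3"}',
    '{"eventid":"cowrie.login.failed","username":"root","password":"123456","src_ip":"198.51.100.9","session":"b1"}',
    '{"eventid":"cowrie.login.success","username":"root","password":"admin","src_ip":"198.51.100.9","session":"b2"}',
    '{"eventid":"cowrie.command.input","input":"uname -a","src_ip":"198.51.100.9","session":"b2"}',
]

def login_events(lines):
    """Yield parsed cowrie.login.* events; other event types are skipped."""
    for line in lines:
        ev = json.loads(line)
        if ev.get("eventid", "").startswith("cowrie.login."):
            yield ev

def is_probe_credential(username, password):
    """Credentials that name the honeypot are a fingerprinting tell."""
    return bool(PROBE_TOKENS.search(username) or PROBE_TOKENS.search(password))

def analyse(lines, min_distinct_success=3):
    """Per-source findings: probe credentials and implausibly many successes.

    A real host would not accept several unrelated credential pairs, so a
    source with >= min_distinct_success distinct successful pairs is flagged
    even when none of its credentials contains a probe token.
    """
    probes = defaultdict(list)
    successes = defaultdict(set)
    for ev in login_events(lines):
        ip, cred = ev["src_ip"], (ev["username"], ev["password"])
        if is_probe_credential(*cred):
            probes[ip].append(cred)
        if ev["eventid"] == "cowrie.login.success":
            successes[ip].add(cred)
    flagged = {ip for ip, s in successes.items() if len(s) >= min_distinct_success}
    flagged |= set(probes)
    return {ip: {"probe_creds": probes.get(ip, []),
                 "distinct_successes": len(successes.get(ip, ()))}
            for ip in sorted(flagged)}
```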
Microsoft researchers have uncovered a fast-moving group, Storm-1175, launching high-speed Medusa ransomware attacks against healthcare and education sectors in the UK, US, and Australia by exploiting security flaws in as little as 24 hours.
A $30,000 AI GPU doesn't outperform consumer GPUs at password cracking. Specops explains why attackers don't need exotic hardware to break weak passwords. [...]
Save up to $500 on your TechCrunch Disrupt 2026 pass until April 10, 11:59 p.m. PT. Secure your spot at the center of the tech ecosystem. Register today.