Cisco ASA VPN trap on UDP 500/4500.

Threat Intelligence Report

CiscoASA → Attacker IPs – Australia – November 2025

---

Executive Summary

Welcome to the world of mischief at its finest. Our CiscoASA honeypot attracted an array of digital hooligans throughout November 2025, with attacks sporting the subtlety of a sledgehammer. With IPs from Australia stirring up trouble, we found the usual suspects hiding behind well-known cloud platforms and bulletproof hosts. It’s the cybersecurity equivalent of a carnival sideshow, with a surprising mix of malicious intent and benign scanning. Dive in for the gory details.

Key Stats

• Sensor: CiscoASA honeypot on T-Pot CE
• Timeframe: November 2025
• Volume: Hundreds of requests, most likely auto-piloted by scripts
• Top ASNs:
  • DigitalOcean (ASN 14061): Mirai-style botnet charmers
  • Amazon (ASN 14618): Somewhat innocent cloud misfits
  • Google Cloud Platform (ASN 396982): Masters of research scanning
  • Hurricane Electric (ASN 6939): Duck blinds for digital henchmen
  • F3 Netze e.V. (ASN 205100): Cloaked troublemakers from Germany

Campaign Narrative

Our honeypot had a busy November, thanks to IP addresses with confidence issues. DigitalOcean continues to be popular with botnet creators who think they're the next Moriarty. Meanwhile, Hurricane Electric and F3 Netze e.V. prove that giving a home to dodgy actors remains a viable—if scummy—business model. With cloud-based scanners doing their best impression of the innocent-yet-annoying cousin, discerning good from bad becomes a content moderation nightmare.

Infrastructure Details

The hosting playground featured a few hits:

• DigitalOcean: The usual who’s who for DDoS and botnet setups, resembling a dodgy warehouse where old malware scripts go to die.
• Amazon and Google: Often blamed for innocuous scanning due to bored researchers or poorly configured scripts, unless you believe in Christmas miracles.
• Hurricane Electric: A name that reliably crops up when discussing bulletproof hosting, where shady dealings meet cloudy skies.
• F3 Netze e.V.: Evasive and obscure, these guys play hide-and-seek with your firewall rules daily.

Malware and Behaviour

The room buzzed with typical Mirai-style botnet behavior. Default login page attacks and directory sniffing for /robots.txt could be chalked up to either crimeware scouts or script kiddie wannabes. Correlation with platforms like VirusTotal pointed to familiar exploitation frameworks, though nothing flashy enough to grace the worm-of-the-month club.

Detection and Mitigation

Prepare your defenses with:

• Geolocation and ASN Filtering: Keep the benign researchers in their own sandboxes. We like curious cloud engineers—but not when they're knocking at our virtual doors.
• Exploit Detection: Hunt for repeated requests to /robots.txt and known CVE endpoints. No one’s crawling your public folders unless they’re up to no good.
• Block Suspicious Hosts: Particularly ASN 6939 and 205100, unless you're keen on hosting the internet's riff-raff.

Closing Thoughts

As November skips towards a hectic holiday season, it’s prudent to remember: Every cloud host has a dodgy lining. Scanners will scan, botnets will try to brute force, and your defensive stack better be tighter than Santa's waistband post-cookie binge. Keep logging, keep blocking, and—most importantly—keep questioning that one random IP that always seems to be lurking. Stay feral, my friends.