Hello and welcome to the Tuesday, July 15th, 2025 edition of the Sands and then at Storm Center's

Stormcast. My name is Johannes Orrich, and this episode brought you by the sands.edu certificate program

in cybersecurity leadership is recorded in Washington, D.C. Well, if you are running one of our honeypots and sending us

logs, which I hope many of you are doing, you may have noticed a delay in imports of these

logs over the weekend. This was in part caused by, well, an unintentional, self-reflected denial

of service. We were playing with a new version of the honeypot,

and well, myself and Jesse were running it and causing a lot of additional logs.

But this also triggered Jesse to look a little bit at the log volume of his honeypots.

He's running about half a dozen of them across time. And we have seen in the past

where honeypots are on a particular day or so all of a sudden get a big search in logs. This is

often caused by one particular IP address, essentially running a vulnerability scan against a particular

honeypot. Well, what Jesse saw was something a little bit different.

Over the last couple weeks, the log volume across all of his honeypots,

has increased substantially sort of by an order of magnitude.

Actually, when he plotted it sort of as number of logs, events over time,

the prior part of the graph pretty much looked like zero, like nothing was there.

What is also interesting here is that this attack appears to be caused by IP addresses

that only scan a very small number of URLs.

And these URLs are related to the Sonic Wall vulnerability.

Looks like there is some kind of botnet that infected these Sonic Wall systems

and is now very aggressively scanning for additional warnable systems.

I hope they sort of got what there is as far as vulnerable systems exists out there,

...