New Trends in SSH Attack Patterns: A Fresh Look at Username Reports from Honeypots


Cybersecurity researchers are always on the lookout for patterns and anomalies in attacker behavior. One of the most effective tools for understanding brute-force attempts and malicious access tactics is the SSH honeypot — a decoy system designed to lure attackers. The Cowrie honeypot, in particular, plays a critical role in collecting this data, especially when integrated with the DShield network. In this article, we explore a recent username report compiled by Dr. Johannes B. Ullrich, which analyzes SSH and Telnet usernames observed over the past month. From odd typos to mistaken command-line usage, this data provides fascinating insights into how attackers operate — and the errors they make along the way.

SSH Username Report Summary (Last 30 Days):

  1. Honeypot Foundation: The data was collected using Cowrie, a full-featured SSH and Telnet honeypot developed by Michel Oosterhof and integrated into the DShield honeypot system.
  2. Username Observation Window: The report focuses on usernames seen at least five times in the past 30 days, giving a snapshot of current brute-force attempts.
  3. New Username Highlights:
     • ysoperator: Possibly a reused name; no helpful Google results to confirm its origin.
     • uery: Likely a misspelling of “query”.
     • tamatiek: Possibly a Japanese personal or character name.
     • shughes: Probably a typical first initial + last name format (e.g., “S. Hughes”).
     • dbmasteruser: Suggests targeted attempts at privileged database accounts.
  4. Unexpected Entries:
     • /usr/share/wordlists/logins.txt: Instead of a username, the attacker appears to have pasted a file path — possibly the result of a misconfigured brute-force tool.
  5. Typo or Parsing Errors:
     • atascientist: Likely intended as “datascientist”.
     • ackupadmin: Probably “backupadmin”, hinting at tool formatting bugs or input errors.
     • These may arise when scripts accidentally trim characters or misinterpret inputs.
  6. User Behavior Insight: Many brute-force attempts come from automated tools, which can produce incorrect usernames due to command-line errors or poorly designed scripts.
  7. Data Access: A JSON file (`https://isc.sans.edu/sshallusernames.json`) is publicly available for deeper analysis.
  8. Password Report in Progress: The researcher is also compiling password data — a harder task due to its sheer variety and volume.
  9. Key Takeaway: No username is truly “safe.” Attackers are attempting a wide range of inputs, from generic admin names to typos and even file paths.
  10. Human Errors in Attacks: One of the most telling signs — even attackers fumble. Misused scripts and filenames in place of usernames reflect amateur attempts or hastily written attack tools.
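The summary's points that automated tools produce trimmed or malformed usernames and that the JSON data is available for deeper analysis can be turned into a small triage script, which also covers the later recommendation to watch authentication logs for oddly structured usernames. The following Python is an added example written for this article, not code from the ISC report or from Cowrie. The log lines are constructed in Cowrie's one-JSON-object-per-line event format (the `eventid`, `username`, `password` and `src_ip` field names are Cowrie's; the values are made up), and `KNOWN_USERNAMES` is an assumed reference list standing in for an organisation's own wordlist or the report's top entries.

```python
"""Triage SSH honeypot usernames: frequency, path-like values and
truncation typos. Added example; the Cowrie-style log lines below are
constructed, not real honeypot data."""
import json
from collections import Counter

# Constructed Cowrie-style JSON events. Cowrie writes one JSON object per
# line and uses eventid/username/password/src_ip for login events; the
# addresses, timestamps and credentials here are invented.
SAMPLE_LOG = """\
{"eventid": "cowrie.login.failed", "username": "root", "password": "123456", "src_ip": "198.51.100.7", "timestamp": "2025-05-01T00:00:01Z"}
{"eventid": "cowrie.login.failed", "username": "ackupadmin", "password": "backup", "src_ip": "198.51.100.7", "timestamp": "2025-05-01T00:00:02Z"}
{"eventid": "cowrie.login.failed", "username": "/usr/share/wordlists/logins.txt", "password": "admin", "src_ip": "203.0.113.9", "timestamp": "2025-05-01T00:00:03Z"}
{"eventid": "cowrie.login.failed", "username": "atascientist", "password": "data", "src_ip": "203.0.113.9", "timestamp": "2025-05-01T00:00:04Z"}
{"eventid": "cowrie.login.failed", "username": "uery", "password": "query", "src_ip": "203.0.113.9", "timestamp": "2025-05-01T00:00:05Z"}
{"eventid": "cowrie.session.connect", "src_ip": "203.0.113.9", "timestamp": "2025-05-01T00:00:06Z"}
{"eventid": "cowrie.login.failed", "username": "root", "password": "toor", "src_ip": "203.0.113.9", "timestamp": "2025-05-01T00:00:07Z"}
{"eventid": "cowrie.login.failed", "username": "dbmasteruser", "password": "x", "src_ip": "192.0.2.4", "timestamp": "2025-05-01T00:00:08Z"}
{"eventid": "cowrie.login.failed", "username": "ackupadmin", "password": "backup1", "src_ip": "192.0.2.4", "timestamp": "2025-05-01T00:00:09Z"}
"""

# Assumed reference list of expected usernames. In practice this would be
# the organisation's own account list or the top entries of the ISC report.
KNOWN_USERNAMES = {"root", "admin", "backupadmin", "datascientist", "query",
                   "dbmasteruser", "postgres", "oracle"}


def parse_login_failures(log_text):
    """Return (username, src_ip) pairs from cowrie.login.failed events,
    skipping non-JSON lines and other event types."""
    pairs = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or non-JSON line: skip rather than crash
        if event.get("eventid") != "cowrie.login.failed":
            continue
        pairs.append((event.get("username", ""), event.get("src_ip", "")))
    return pairs


def looks_like_path(username):
    """A file path submitted as a username (e.g. a wordlist path) points
    to a misconfigured brute-force tool."""
    return "/" in username or "\\" in username


def truncation_candidate(username, known=KNOWN_USERNAMES):
    """If adding one leading character to `username` yields a known name,
    return that name. Catches the 'missing first character' pattern
    (ackupadmin -> backupadmin); returns None for exact known names."""
    if username in known:
        return None
    for name in known:
        if len(name) == len(username) + 1 and name[1:] == username:
            return name
    return None


def triage(log_text, min_count=2):
    """Summarise a log: usernames seen at least min_count times, path-like
    usernames, truncation typos with their likely intended value, and the
    set of source addresses involved."""
    pairs = parse_login_failures(log_text)
    counts = Counter(user for user, _ in pairs)
    return {
        "frequent": {u: c for u, c in counts.items() if c >= min_count},
        "paths": sorted(u for u in counts if looks_like_path(u)),
        "typos": {u: truncation_candidate(u) for u in counts
                  if truncation_candidate(u)},
        "sources": sorted({ip for _, ip in pairs}),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The truncation check is deliberately narrow (exactly one missing leading character against a known list), which is the specific pattern the report observed; a looser edit-distance match would also flag ordinary misspellings and raise the false-positive rate on a busy honeypot.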

What Undercode Says:

At Undercode, we believe this report highlights an important pattern often overlooked in cybersecurity — the fallibility of attackers. Here’s a deeper analysis from a technical and strategic perspective:

  1. Attack Vectors Are Evolving, but Not Perfect: While bots and brute-force tools are improving, this report shows that attackers often use generic or malformed usernames — revealing laziness, errors, or poorly configured scripts.
  2. Username Enumeration Still Effective: Seeing names like dbmasteruser or shughes indicates that attackers use common corporate formats to guess privileged accounts. This stresses the importance of avoiding predictable usernames in production environments.
  3. Scripted Attacks = Repetitive Patterns: Names appearing multiple times suggest that attackers are running large-scale, automated attacks with predefined username lists. Detecting and analyzing these repetitions can improve defense strategies.
  4. Human Oversight in Automation: The inclusion of a file path like /usr/share/wordlists/logins.txt signals a critical oversight — perhaps an attacker testing a script without fully understanding its functionality. These mistakes are goldmines for defenders, indicating tool origins and attacker skill levels.
  5. Potential for Fingerprinting Tools: By analyzing repeated typo patterns (like “uery” or “ackupadmin”), security teams can trace the specific tools or scripts being used in brute-force campaigns.
  6. SSH as a Common Target: SSH remains one of the top entry points for attackers. Tools like Cowrie give defenders critical telemetry to stay ahead.
  7. Low-Level Threats Are Still Useful Intelligence: Even poorly executed attacks help uncover global brute-force trends, botnet behavior, and actor capability.
  8. Defensive Implications:
     • Use multi-factor authentication (MFA) where possible.
     • Avoid default or easily guessable usernames.
     • Monitor authentication logs for malformed or oddly structured usernames — a potential red flag.
     • Consider implementing delay-based response mechanisms to thwart fast brute-force attempts.
  9. Community and Collaboration Matter: The open sharing of data, such as the JSON username dump, empowers researchers and defenders worldwide.
  10. AI-Driven Defense Can Benefit from This Data: Training anomaly detection models on username input patterns (e.g., filenames as usernames) could enhance early warning systems.
  11. Honeypots Remain Valuable: Cowrie continues to be a powerful tool for understanding how attackers think and where they make mistakes.
  12. Maturity Level of Attackers Varies Greatly: The mix of sophisticated usernames (like dbmasteruser) and absurd ones (like the file path) shows the wide range of attacker experience levels.
  13. Typo Detection Might Be a Clue: A recurring issue like missing first characters could point to a bug in a specific brute-force framework.
  14. Real-Time Monitoring Suggested: Tracking newly seen usernames in near real time may help identify new campaigns or new botnets in their infancy.
  15. Language Clues for Attribution: Names like “tamatiek” may offer linguistic or cultural hints about the attack source, helping with threat attribution.
  16. User Enumeration Protections: Returning generic login failure messages, rather than distinguishing an unknown user from a wrong password, reduces information leakage.
  17. Social Engineering Remains a Risk: Many of these usernames may also be harvested from breached company credentials and reused in brute-force attacks.
  18. Behavioral Logging Is Key: Record failed login attempts in detail — not just IPs, but usernames, timing, and request headers.
  19. Exploration for Further Research: The password dataset (in development) could reveal even more about attacker methods.
  20. Final Thought: This username list may seem basic, but it’s a digital fingerprint of attackers’ minds — revealing assumptions, tool limitations, and potential vulnerabilities in their processes.
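Two of the defensive points above, generic failure messages to limit user enumeration and delay-based responses to slow brute forcing, can be shown side by side. The following Python is an added example written for this article, not code from Cowrie, DShield or the ISC report. The user store, salts and passwords are constructed, and the `Authenticator` class and its backoff policy (a base delay that doubles with each consecutive failure from one source, capped at a maximum) are assumptions for illustration rather than a setting of any real SSH server.

```python
"""Generic login failures plus per-source backoff, to limit username
enumeration and slow brute force. Added example with a constructed user
store; it is not code from Cowrie, DShield or the ISC report."""
import hashlib
import hmac
import os
from collections import defaultdict


def hash_password(password, salt, iterations=100_000):
    """PBKDF2-HMAC-SHA256; the iteration count is the main cost per attempt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_record(password):
    """Per-user random salt plus derived key (constructed demo store)."""
    salt = os.urandom(16)
    return salt, hash_password(password, salt)


# Constructed users; "shughes" and "backupadmin" are names from the report.
USERS = {
    "shughes": make_record("correct horse"),
    "backupadmin": make_record("hunter2"),
}
# Dummy record so an unknown username costs the same hashing work as a known one.
_DUMMY = make_record("dummy-password")


def leaky_login(username, password):
    """Weak form: the message and the timing both reveal whether the
    username exists (no hashing is done at all for unknown users)."""
    if username not in USERS:
        return False, "unknown user"
    salt, expected = USERS[username]
    if hash_password(password, salt) != expected:
        return False, "wrong password"
    return True, "ok"


class Authenticator:
    """Hardened form: one generic message, the same work for every attempt,
    and an escalating per-source delay of base_delay * 2**(failures-1),
    capped at max_delay (assumed backoff policy for this example)."""
    GENERIC = "authentication failed"

    def __init__(self, base_delay=1.0, max_delay=60.0):
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.failures = defaultdict(int)   # src_ip -> consecutive failures

    def delay_for(self, src_ip):
        n = self.failures[src_ip]
        if n == 0:
            return 0.0
        return min(self.base_delay * 2 ** (n - 1), self.max_delay)

    def login(self, username, password, src_ip):
        """Return (success, message, delay_seconds). The caller is expected to
        sleep for delay_seconds before replying, so the response time does not
        depend on whether the username exists."""
        salt, expected = USERS.get(username, _DUMMY)   # same work either way
        match = hmac.compare_digest(hash_password(password, salt), expected)
        ok = match and username in USERS                 # dummy never logs in
        if ok:
            self.failures.pop(src_ip, None)
            return True, "ok", 0.0
        self.failures[src_ip] += 1
        return False, self.GENERIC, self.delay_for(src_ip)


def simulate(attempts, base_delay=1.0, max_delay=8.0):
    """Feed (username, password, src_ip) attempts through one Authenticator
    and return the (success, message, delay) tuple for each."""
    auth = Authenticator(base_delay, max_delay)
    return [auth.login(u, p, ip) for u, p, ip in attempts]


if __name__ == "__main__":
    # Constructed attempts from one source: four failures, then the right password.
    attempts = [("nobody", "x", "198.51.100.7"), ("shughes", "x", "198.51.100.7"),
                ("shughes", "x", "198.51.100.7"), ("shughes", "x", "198.51.100.7"),
                ("shughes", "correct horse", "198.51.100.7")]
    print("leaky:", leaky_login("nobody", "x"), leaky_login("shughes", "x"))
    for result in simulate(attempts):
        print("hardened:", result)
```

The hardened path always performs one PBKDF2 derivation and one constant-time comparison, so neither the wording nor the response time tells a caller whether `shughes` is a real account; the delay grows with consecutive failures from the same source and resets on success, which slows a scripted list like the one in the report without locking out a legitimate user who mistypes once.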

Fact Checker Results:

  • Cowrie Honeypot Verified: Confirmed as a well-known and actively maintained SSH/Telnet honeypot.
  • Username Report Authentic: The JSON data link and format are publicly accessible from SANS/ISC sources.
  • Researcher Credibility: Johannes Ullrich is a recognized authority in the cybersecurity community and Dean of Research at SANS.edu.


References:

Reported By: https://isc.sans.edu/forums/diary/New