Polycom CX600 Default Credentials Observed in SSH Credential Spray
Overview

Buried in a day’s worth of SSH credential spray data from my Cowrie honeypot was a finding that stopped me mid-analysis: the username/password combination 345gs5662d34:345gs5662d34 — attempted 30 times in a single observation window. That string is the factory default administrative credential for the Polycom CX600 IP desk phone. This post documents the credential finding, the broader mdrfckr persistence campaign it arrived alongside, and an important observation about what this spray tells us about the attackers’ awareness of their targets — which is essentially zero. ...
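As an added example (not code from the original post), here is one way to pull this kind of finding out of Cowrie's JSON log: tally login attempts for watchlisted device-default pairs by count, source address and time window. The sample events are constructed, and the watchlist contents beyond the pair named above, the function name and the output shape are assumptions of this example.

```python
import json

# Watchlist of device factory defaults; the one entry is the pair named in the post.
DEVICE_DEFAULTS = {("345gs5662d34", "345gs5662d34"): "Polycom CX600 factory default"}
LOGIN_EVENTS = {"cowrie.login.failed", "cowrie.login.success"}

# Constructed sample events (not data from the post), documentation-range IPs.
# The last line is deliberately truncated, as a log being written can be.
SAMPLE_LOG = """\
{"eventid": "cowrie.session.connect", "src_ip": "192.0.2.10", "timestamp": "2024-01-01T00:00:00.000000Z"}
{"eventid": "cowrie.login.failed", "username": "345gs5662d34", "password": "345gs5662d34", "src_ip": "192.0.2.10", "timestamp": "2024-01-01T00:00:01.000000Z"}
{"eventid": "cowrie.login.failed", "username": "root", "password": "admin", "src_ip": "192.0.2.10", "timestamp": "2024-01-01T00:00:02.000000Z"}
{"eventid": "cowrie.login.success", "username": "345gs5662d34", "password": "345gs5662d34", "src_ip": "198.51.100.7", "timestamp": "2024-01-01T00:05:00.000000Z"}
{"eventid": "cowrie.login.failed", "username": "345gs5662d34", "password": "345gs5662d34", "src_ip": "192.0.2.10", "timestamp": "2024-01-01T00:09:30.000000Z"}
{"eventid": "cowrie.login.failed", "username": "345gs5
"""


def tally_default_creds(lines, watchlist=DEVICE_DEFAULTS):
    """Count login attempts per watchlisted (username, password) pair."""
    hits = {}
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank, truncated or partially written line
        if not isinstance(ev, dict) or ev.get("eventid") not in LOGIN_EVENTS:
            continue
        user, pw = ev.get("username"), ev.get("password")
        if not (isinstance(user, str) and isinstance(pw, str)) or (user, pw) not in watchlist:
            continue
        ts = str(ev.get("timestamp", ""))
        h = hits.setdefault((user, pw), {"label": watchlist[(user, pw)], "attempts": 0,
                                         "accepted": 0, "sources": set(),
                                         "first": ts, "last": ts})
        h["attempts"] += 1
        # "accepted" means the honeypot let the login through, not that a real device did.
        h["accepted"] += ev["eventid"] == "cowrie.login.success"
        h["sources"].add(ev.get("src_ip", "unknown"))
        # Cowrie writes fixed-format UTC ISO 8601 strings, so string order is time order.
        h["first"], h["last"] = min(h["first"], ts), max(h["last"], ts)
    return hits


if __name__ == "__main__":
    for (user, pw), h in tally_default_creds(SAMPLE_LOG.splitlines()).items():
        print(f"{h['label']}: {user}:{pw} attempts={h['attempts']} accepted={h['accepted']} "
              f"sources={sorted(h['sources'])} window={h['first']}..{h['last']}")
```

Against a live sensor, pass the open log file object instead of `SAMPLE_LOG.splitlines()`; the function reads it line by line.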