Nip Activity Public Top

What it is: Attackers use harvested password lists (from past data breaches) against your public SSH, RDP, or Exchange Autodiscover endpoints.

Why it’s Top 3: Password reuse is rampant. A single successful credential stuffing attack can grant an attacker a foothold before any malware is used.

Public NIP Signature: Look for excessive 401 Unauthorized or 403 Forbidden responses followed by a single 200 OK. The top source countries for these attacks vary but often include Russia, China, Brazil, and the US (via proxies).

Countermeasure: Enforce MFA on all public-facing logins. Also, configure your NIP to auto-blacklist any IP that fails 5 logins in 60 seconds.
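The signature and the 5-failures-in-60-seconds rule above can be checked offline against an authentication log. This is an added example, not code from the original page or from any NIP product; the three-field log format, the sample lines and the names `analyze` and `SAMPLE_LOG` are assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_CODES = {401, 403}
MAX_FAILS = 5                      # threshold from the countermeasure above
WINDOW = timedelta(seconds=60)

# Constructed sample log lines (timestamp, source IP, HTTP status); not real traffic.
SAMPLE_LOG = """\
2024-05-01T12:00:00 203.0.113.7 401
2024-05-01T12:00:05 203.0.113.7 401
2024-05-01T12:00:10 203.0.113.7 403
2024-05-01T12:00:15 203.0.113.7 401
2024-05-01T12:00:20 203.0.113.7 401
2024-05-01T12:00:25 203.0.113.7 200
2024-05-01T12:00:02 198.51.100.4 401
2024-05-01T12:00:30 198.51.100.4 401
2024-05-01T12:00:40 198.51.100.4 200
2024-05-01T12:00:00 192.0.2.9 401
2024-05-01T12:00:30 192.0.2.9 401
2024-05-01T12:01:00 192.0.2.9 401
2024-05-01T12:01:30 192.0.2.9 401
2024-05-01T12:02:00 192.0.2.9 401
"""

def analyze(log_text):
    """Return (blocklist, successes_after_burst) for the given log text."""
    fails = defaultdict(deque)     # ip -> timestamps of failures inside the window
    blocklist, suspicious = set(), []
    for line in log_text.splitlines():
        try:
            ts_raw, ip, status_raw = line.split()
            ts, status = datetime.fromisoformat(ts_raw), int(status_raw)
        except ValueError:
            continue               # skip malformed lines
        window = fails[ip]
        while window and ts - window[0] > WINDOW:
            window.popleft()       # drop failures older than 60 seconds
        if status in FAIL_CODES:
            window.append(ts)
            if len(window) >= MAX_FAILS:
                blocklist.add(ip)  # 5 failed logins within 60 seconds
        elif status == 200 and ip in blocklist:
            suspicious.append((ip, ts_raw))   # 200 OK after a failure burst
    return blocklist, suspicious

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

In the sample, the source at 192.0.2.9 spaces its failures 30 seconds apart and never reaches the threshold, so a rate-based blocklist alone does not catch slow attempts and MFA remains the primary control.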

Topping the charts by volume is Port Scanning.

  • User Card

  • Time Range Slider

  • Relay Strategy

  • API Endpoint (example)
    GET /api/v1/activity/top?nip=1&since=7d&limit=25