A researcher from Kaspersky says their honeypot in Japan is seeing a large number of attacks attributed to China and South Korea. Does this correlate with what other honeypots see, or is there a regional bias?
A few months ago we set up a new honeypot (http://www.mwcollect.org) in our Japanese research centre in Tokyo. The honeypot is mainly used to collect malicious Windows executables, which it does pretty well by emulating shellcode when it finds network exploits. A side effect of using the honeypot to listen on all ports is that we get statistics (as well as unexpected data) coming in on various network ports of the host, which has a global IP address. […] Take a minute to compare it to the previous graph! You can see that the number of MSSQL attack attempts is mirrored by attacks coming from China. And recently, South Korean hosts have joined this massive attempt to exploit the service.
It is tempting to say that the Chinese and South Koreans are attacking the Japanese honeypot, when in fact the source is probably elusive and mostly irrelevant.