Hungarian networks absorbed a staggering 762 cyber threats yesterday — a 157.4% surge from the previous day's 296 incidents. The overwhelming majority targeted unsecured databases and container services, with Redis, Docker, and Elasticsearch ports bearing the brunt of what appears to be a coordinated scanning campaign.
A Friday to forget
The jump from 296 to 762 detected threats in a single day isn't just statistical noise — it's a flashing red light. To put it bluntly, Hungary's digital infrastructure caught the attention of someone, or something, with considerable resources. The severity breakdown tells its own uncomfortable story: 445 critical-severity threats dominated the landscape, joined by 237 high-severity incidents. Medium-severity events accounted for just 80 detections, while low-severity threats registered a perfect zero. This wasn't opportunistic background noise. This was targeted, aggressive, and designed to find weaknesses.
The threat composition reinforces that assessment. Vulnerability-related detections — essentially probes looking for unpatched or misconfigured systems — made up 662 of the day's total. Malicious activity accounted for the remaining 100. In other words, attackers were far more interested in finding open doors than kicking them down.
Redis, Docker, and the database gold rush
Port 6379/tcp, associated with Redis in-memory databases, absorbed 224 hits — nearly a third of all detected activity. That's not random. Redis instances left exposed to the internet have become low-hanging fruit for ransomware groups and cryptominers, who can exploit them without authentication in many default configurations. Docker's API port (2375/tcp) followed with 110 attempts, another service notorious for being spun up with inadequate access controls. Elasticsearch on port 9200/tcp saw 88 probes. MongoDB on 27017/tcp added another 11. The pattern is unmistakable: automated tools sweeping the internet for databases that shouldn't be publicly accessible.
Legacy protocols weren't ignored either. Telnet on port 23 logged 100 attempts, a reminder that ancient services still haunt many networks. Windows Remote Desktop (3389/tcp) drew 80 probes, while SMB file-sharing (445/tcp) accounted for 49 — both perennial favorites for initial access brokers. Anyone still running these services without robust authentication and network segmentation is essentially publishing an invitation.
The usual suspects and a Seychelles surprise
Attack traffic originated from predictable corners of the globe. The United States led with 15 detected source addresses, followed closely by China at 13. Germany contributed 9 sources, while Romania and Russia each accounted for 8. These numbers reflect established patterns — major cyber powers and Eastern European nodes consistently appear in Hungarian threat data. But Seychelles appearing with 5 source addresses raises eyebrows. The island nation has developed a reputation as a bulletproof hosting haven, where certain providers turn a blind eye to abuse complaints. When Seychelles IPs show up alongside those from Beijing and Moscow, it often indicates threat actors routing through jurisdictions that won't cooperate with international investigations.
Telekom and DIGI bear the burden
Magyar Telekom absorbed 165 of the day's incidents, with DIGI close behind at 158. Together, the two providers represented more than 40% of all detected threats. Invitech recorded 81 events, while Vodafone Hungary saw 41. Several smaller autonomous systems — AS62214 with 32 hits and AS42964 with 29 — rounded out the list. The concentration in major ISPs isn't surprising; they control the largest address blocks and serve the most customers. But it does suggest that compromised home routers, misconfigured small business servers, and IoT devices within these networks may be contributing to the overall exposure.
Government networks fared remarkably well. Only four events touched government infrastructure, and none reached critical severity. Whether that reflects superior security hygiene or simply a lower profile in yesterday's campaign remains unclear. Either way, the contrast with commercial ISP exposure is striking.
What comes next
Two active intelligence sources fed yesterday's detection data — a relatively lean number that suggests Hungary's threat visibility depends heavily on a small set of feeds. Expanding that ecosystem could provide earlier warning of campaigns like this one, which appears to have struck with little preamble. For organizations running Redis, Docker, Elasticsearch, or MongoDB instances, the message is urgent: verify that these services aren't exposed to the public internet, apply authentication where available, and segment sensitive databases from external access. The attackers have clearly added Hungarian IP ranges to their automated sweep lists. The question now is whether administrators have closed the doors before anyone walked through.
A 157% single-day spike in threats doesn't happen in a vacuum. Whether this represents a new sustained campaign or a brief but intense scanning burst, Hungarian network operators would be wise to treat it as a wake-up call. The services being probed — databases, container APIs, remote access ports — are the same ones that have fueled countless breaches worldwide. The difference between a detected threat and a successful compromise often comes down to hours, not days.
Attack sources by country
- #1 United States: 15.0% (15 sources)
- #2 China: 13.0% (13 sources)
- #3 Germany: 9.0% (9 sources)
- #4 Romania: 8.0% (8 sources)
- #5 Russia: 8.0% (8 sources)
- #6 Seychelles: 5.0% (5 sources)
- #7 Pakistan: 4.0% (4 sources)
- #8 Poland: 4.0% (4 sources)
- #9 Indonesia: 4.0% (4 sources)
- #10 Netherlands: 4.0% (4 sources)
Threat types
- Vulnerability: 662
- Malicious activity: 100
Most targeted ports
- 6379/tcp: 224x
- 2375/tcp: 110x
- 23/tcp: 100x
- 9200/tcp: 88x
- 3389/tcp: 80x
- 445/tcp: 49x
- 27017/tcp: 11x
Affected Hungarian ISPs
- Magyar Telekom: 165 events
- DIGI: 158 events
- Invitech: 81 events
- Vodafone HU: 41 events
- AS62214: 32 events
- AS42964: 29 events
- AS47381: 25 events
- AS50261: 23 events
Government infrastructure
In the past 24 hours, 4 events were recorded on government networks, of which 0 were critical severity.
Frequently asked questions
How many cyberattacks hit Hungary on Saturday, February 21, 2026?
762 cyber threats were detected, of which 445 were critical severity.
Which country launched the most attacks?
Most attacks originated from the United States, accounting for 15.0% of all identified sources.
What types of attacks targeted Hungary?
Detected threats included: Vulnerability, Malicious activity.
What is REVZERO SENTINEL?
REVZERO SENTINEL is a real-time cyber threat monitoring system that collects and analyzes cyberattacks targeting Hungary from multiple independent threat intelligence sources.
Methodology and data sources
The REVZERO SENTINEL editorial team collects data from multiple independent, publicly available threat intelligence sources. 2 active sources continuously monitor cyber threats targeting Hungary. Only aggregated, anonymized data appears in reports — no information suitable for identifying individual targets is published.
REVZERO SENTINEL serves the protection of Hungary's cyberspace. It operates independently and has no affiliation with any government agency.